diff --git a/providers/src/okta/v00.00.00000/provider.yaml b/providers/src/okta/v00.00.00000/provider.yaml
index be34604a..efb63731 100644
--- a/providers/src/okta/v00.00.00000/provider.yaml
+++ b/providers/src/okta/v00.00.00000/provider.yaml
@@ -1,226 +1,504 @@ id: okta name: okta version: v00.00.00000 -description: Identity Provider Services for org, user and app lifecycles providerServices: - application: - description: Okta application management api. - id: application:v1 - name: application - preferred: true - service: - $ref: okta/v00.00.00000/services/Application.yaml - title: Application API - version: v1 - authenticator: - description: Okta authenticator management. - id: authenticator:v1 - name: authenticator - preferred: true - service: - $ref: okta/v00.00.00000/services/Authenticator.yaml - title: Authenticator API - version: v1 - authorizationserver: - description: Okta authorization server management. - id: authorizationserver:v1 - name: authorizationserver - preferred: true - service: - $ref: okta/v00.00.00000/services/AuthorizationServer.yaml - title: Authorization Server API - version: v1 - domain: - description: Okta domain management. - id: domain:v1 - name: domain - preferred: true - service: - $ref: okta/v00.00.00000/services/Domain.yaml - title: Domain API - version: v1 - eventhook: - description: Okta event hook management. - id: eventhook:v1 - name: eventhook - preferred: true - service: - $ref: okta/v00.00.00000/services/EventHook.yaml - title: Event Hook API - version: v1 - feature: - description: Okta feature management. - id: feature:v1 - name: feature - preferred: true - service: - $ref: okta/v00.00.00000/services/Feature.yaml - title: Feature API - version: v1 - group: - description: Okta group management. - id: group:v1 - name: group - preferred: true - service: - $ref: okta/v00.00.00000/services/Group.yaml - title: Group API - version: v1 - groupschema: - description: Okta group schema management. - id: groupschema:v1 - name: groupschema - preferred: true - service: - $ref: okta/v00.00.00000/services/GroupSchema.yaml - title: Group Schema API - version: v1 - identityprovider: - description: Okta user management. 
- id: identityprovider:v1 - name: identityprovider - preferred: true - service: - $ref: okta/v00.00.00000/services/IdentityProvider.yaml - title: IDP API - version: v1 - inlinehook: - description: Okta inline hook management. - id: inlinehook:v1 - name: inlinehook - preferred: true - service: - $ref: okta/v00.00.00000/services/InlineHook.yaml - title: Inline Hook API - version: v1 - linkedobject: - description: Okta linked object management. - id: linkedobject:v1 - name: linkedobject - preferred: true - service: - $ref: okta/v00.00.00000/services/LinkedObject.yaml - title: Linked Object API - version: v1 - log: - description: Okta log management. - id: log:v1 - name: log - preferred: true - service: - $ref: okta/v00.00.00000/services/Log.yaml - title: Log API - version: v1 - networkzone: - description: Okta network zone management. - id: networkzone:v1 - name: networkzone - preferred: true - service: - $ref: okta/v00.00.00000/services/NetworkZone.yaml - title: Network Zone API - version: v1 + agentpools: + id: agentpools:v00.00.00000 + name: agentpools + preferred: true + service: + $ref: okta/v00.00.00000/services/agentpools.yaml + title: agentpools API + version: v00.00.00000 + description: okta agentpools API + api_tokens: + id: api_tokens:v00.00.00000 + name: api_tokens + preferred: true + service: + $ref: okta/v00.00.00000/services/api_tokens.yaml + title: api_tokens API + version: v00.00.00000 + description: okta api_tokens API + apps: + id: apps:v00.00.00000 + name: apps + preferred: true + service: + $ref: okta/v00.00.00000/services/apps.yaml + title: apps API + version: v00.00.00000 + description: okta apps API + attack_protection: + id: attack_protection:v00.00.00000 + name: attack_protection + preferred: true + service: + $ref: okta/v00.00.00000/services/attack_protection.yaml + title: attack_protection API + version: v00.00.00000 + description: okta attack_protection API + authenticators: + id: authenticators:v00.00.00000 + name: authenticators + 
preferred: true + service: + $ref: okta/v00.00.00000/services/authenticators.yaml + title: authenticators API + version: v00.00.00000 + description: okta authenticators API + authorizationservers: + id: authorizationservers:v00.00.00000 + name: authorizationservers + preferred: true + service: + $ref: okta/v00.00.00000/services/authorizationservers.yaml + title: authorizationservers API + version: v00.00.00000 + description: okta authorizationservers API + behaviors: + id: behaviors:v00.00.00000 + name: behaviors + preferred: true + service: + $ref: okta/v00.00.00000/services/behaviors.yaml + title: behaviors API + version: v00.00.00000 + description: okta behaviors API + brands: + id: brands:v00.00.00000 + name: brands + preferred: true + service: + $ref: okta/v00.00.00000/services/brands.yaml + title: brands API + version: v00.00.00000 + description: okta brands API + captchas: + id: captchas:v00.00.00000 + name: captchas + preferred: true + service: + $ref: okta/v00.00.00000/services/captchas.yaml + title: captchas API + version: v00.00.00000 + description: okta captchas API + device_access: + id: device_access:v00.00.00000 + name: device_access + preferred: true + service: + $ref: okta/v00.00.00000/services/device_access.yaml + title: device_access API + version: v00.00.00000 + description: okta device_access API + device_assurances: + id: device_assurances:v00.00.00000 + name: device_assurances + preferred: true + service: + $ref: okta/v00.00.00000/services/device_assurances.yaml + title: device_assurances API + version: v00.00.00000 + description: okta device_assurances API + device_integrations: + id: device_integrations:v00.00.00000 + name: device_integrations + preferred: true + service: + $ref: okta/v00.00.00000/services/device_integrations.yaml + title: device_integrations API + version: v00.00.00000 + description: okta device_integrations API + device_posture_checks: + id: device_posture_checks:v00.00.00000 + name: device_posture_checks + preferred: 
true + service: + $ref: okta/v00.00.00000/services/device_posture_checks.yaml + title: device_posture_checks API + version: v00.00.00000 + description: okta device_posture_checks API + devices: + id: devices:v00.00.00000 + name: devices + preferred: true + service: + $ref: okta/v00.00.00000/services/devices.yaml + title: devices API + version: v00.00.00000 + description: okta devices API + directories: + id: directories:v00.00.00000 + name: directories + preferred: true + service: + $ref: okta/v00.00.00000/services/directories.yaml + title: directories API + version: v00.00.00000 + description: okta directories API + domains: + id: domains:v00.00.00000 + name: domains + preferred: true + service: + $ref: okta/v00.00.00000/services/domains.yaml + title: domains API + version: v00.00.00000 + description: okta domains API + email_domains: + id: email_domains:v00.00.00000 + name: email_domains + preferred: true + service: + $ref: okta/v00.00.00000/services/email_domains.yaml + title: email_domains API + version: v00.00.00000 + description: okta email_domains API + email_servers: + id: email_servers:v00.00.00000 + name: email_servers + preferred: true + service: + $ref: okta/v00.00.00000/services/email_servers.yaml + title: email_servers API + version: v00.00.00000 + description: okta email_servers API + eventhooks: + id: eventhooks:v00.00.00000 + name: eventhooks + preferred: true + service: + $ref: okta/v00.00.00000/services/eventhooks.yaml + title: eventhooks API + version: v00.00.00000 + description: okta eventhooks API + features: + id: features:v00.00.00000 + name: features + preferred: true + service: + $ref: okta/v00.00.00000/services/features.yaml + title: features API + version: v00.00.00000 + description: okta features API + first_party_app_settings: + id: first_party_app_settings:v00.00.00000 + name: first_party_app_settings + preferred: true + service: + $ref: okta/v00.00.00000/services/first_party_app_settings.yaml + title: first_party_app_settings API + 
version: v00.00.00000 + description: okta first_party_app_settings API + groups: + id: groups:v00.00.00000 + name: groups + preferred: true + service: + $ref: okta/v00.00.00000/services/groups.yaml + title: groups API + version: v00.00.00000 + description: okta groups API + hook_keys: + id: hook_keys:v00.00.00000 + name: hook_keys + preferred: true + service: + $ref: okta/v00.00.00000/services/hook_keys.yaml + title: hook_keys API + version: v00.00.00000 + description: okta hook_keys API + iam: + id: iam:v00.00.00000 + name: iam + preferred: true + service: + $ref: okta/v00.00.00000/services/iam.yaml + title: iam API + version: v00.00.00000 + description: okta iam API + identity_sources: + id: identity_sources:v00.00.00000 + name: identity_sources + preferred: true + service: + $ref: okta/v00.00.00000/services/identity_sources.yaml + title: identity_sources API + version: v00.00.00000 + description: okta identity_sources API + idps: + id: idps:v00.00.00000 + name: idps + preferred: true + service: + $ref: okta/v00.00.00000/services/idps.yaml + title: idps API + version: v00.00.00000 + description: okta idps API + inlinehooks: + id: inlinehooks:v00.00.00000 + name: inlinehooks + preferred: true + service: + $ref: okta/v00.00.00000/services/inlinehooks.yaml + title: inlinehooks API + version: v00.00.00000 + description: okta inlinehooks API + integrations: + id: integrations:v00.00.00000 + name: integrations + preferred: true + service: + $ref: okta/v00.00.00000/services/integrations.yaml + title: integrations API + version: v00.00.00000 + description: okta integrations API + logs: + id: logs:v00.00.00000 + name: logs + preferred: true + service: + $ref: okta/v00.00.00000/services/logs.yaml + title: logs API + version: v00.00.00000 + description: okta logs API + logstreams: + id: logstreams:v00.00.00000 + name: logstreams + preferred: true + service: + $ref: okta/v00.00.00000/services/logstreams.yaml + title: logstreams API + version: v00.00.00000 + description: okta 
logstreams API + mappings: + id: mappings:v00.00.00000 + name: mappings + preferred: true + service: + $ref: okta/v00.00.00000/services/mappings.yaml + title: mappings API + version: v00.00.00000 + description: okta mappings API + meta: + id: meta:v00.00.00000 + name: meta + preferred: true + service: + $ref: okta/v00.00.00000/services/meta.yaml + title: meta API + version: v00.00.00000 + description: okta meta API + oauth2: + id: oauth2:v00.00.00000 + name: oauth2 + preferred: true + service: + $ref: okta/v00.00.00000/services/oauth2.yaml + title: oauth2 API + version: v00.00.00000 + description: okta oauth2 API + okta_personal_settings: + id: okta_personal_settings:v00.00.00000 + name: okta_personal_settings + preferred: true + service: + $ref: okta/v00.00.00000/services/okta_personal_settings.yaml + title: okta_personal_settings API + version: v00.00.00000 + description: okta okta_personal_settings API org: - description: Okta org management. - id: org:v1 + id: org:v00.00.00000 name: org preferred: true service: - $ref: okta/v00.00.00000/services/Org.yaml - title: Org API - version: v1 - policy: - description: Okta policy management. - id: policy:v1 - name: policy - preferred: true - service: - $ref: okta/v00.00.00000/services/Policy.yaml - title: Policy API - version: v1 - profilemapping: - description: Okta profile mapping management. - id: profilemapping:v1 - name: profilemapping - preferred: true - service: - $ref: okta/v00.00.00000/services/ProfileMapping.yaml - title: Profile Mapping API - version: v1 - session: - description: Okta session management. - id: session:v1 - name: session - preferred: true - service: - $ref: okta/v00.00.00000/services/Session.yaml - title: Session API - version: v1 - template: - description: Okta template management. - id: template:v1 - name: template - preferred: true - service: - $ref: okta/v00.00.00000/services/Template.yaml - title: Template API - version: v1 - threatinsight: - description: Okta threat insight management. 
- id: threatinsight:v1 - name: threatinsight - preferred: true - service: - $ref: okta/v00.00.00000/services/ThreatInsight.yaml - title: Threat Insight API - version: v1 - trustedorigin: - description: Okta threat insight management. - id: trustedorigin:v1 - name: trustedorigin - preferred: true - service: - $ref: okta/v00.00.00000/services/TrustedOrigin.yaml - title: Trusted Origin API - version: v1 - user: - description: Okta user management. - id: user:v1 - name: user - preferred: true - service: - $ref: okta/v00.00.00000/services/User.yaml - title: User API - version: v1 - userfactor: - description: Okta user factor management. - id: userfactor:v1 - name: userfactor - preferred: true - service: - $ref: okta/v00.00.00000/services/UserFactor.yaml - title: User Factor API - version: v1 - userschema: - description: Okta user schema management. - id: userschema:v1 - name: userschema - preferred: true - service: - $ref: okta/v00.00.00000/services/UserSchema.yaml - title: User Schema API - version: v1 - usertype: - description: Okta user type management. 
- id: usertype:v1 - name: usertype - preferred: true - service: - $ref: okta/v00.00.00000/services/UserType.yaml - title: User Type API - version: v1 + $ref: okta/v00.00.00000/services/org.yaml + title: org API + version: v00.00.00000 + description: okta org API + orgs: + id: orgs:v00.00.00000 + name: orgs + preferred: true + service: + $ref: okta/v00.00.00000/services/orgs.yaml + title: orgs API + version: v00.00.00000 + description: okta orgs API + policies: + id: policies:v00.00.00000 + name: policies + preferred: true + service: + $ref: okta/v00.00.00000/services/policies.yaml + title: policies API + version: v00.00.00000 + description: okta policies API + principal_rate_limits: + id: principal_rate_limits:v00.00.00000 + name: principal_rate_limits + preferred: true + service: + $ref: okta/v00.00.00000/services/principal_rate_limits.yaml + title: principal_rate_limits API + version: v00.00.00000 + description: okta principal_rate_limits API + privileged_access: + id: privileged_access:v00.00.00000 + name: privileged_access + preferred: true + service: + $ref: okta/v00.00.00000/services/privileged_access.yaml + title: privileged_access API + version: v00.00.00000 + description: okta privileged_access API + push_providers: + id: push_providers:v00.00.00000 + name: push_providers + preferred: true + service: + $ref: okta/v00.00.00000/services/push_providers.yaml + title: push_providers API + version: v00.00.00000 + description: okta push_providers API + rate_limit_settings: + id: rate_limit_settings:v00.00.00000 + name: rate_limit_settings + preferred: true + service: + $ref: okta/v00.00.00000/services/rate_limit_settings.yaml + title: rate_limit_settings API + version: v00.00.00000 + description: okta rate_limit_settings API + realm_assignments: + id: realm_assignments:v00.00.00000 + name: realm_assignments + preferred: true + service: + $ref: okta/v00.00.00000/services/realm_assignments.yaml + title: realm_assignments API + version: v00.00.00000 + description: 
okta realm_assignments API + realms: + id: realms:v00.00.00000 + name: realms + preferred: true + service: + $ref: okta/v00.00.00000/services/realms.yaml + title: realms API + version: v00.00.00000 + description: okta realms API + risk: + id: risk:v00.00.00000 + name: risk + preferred: true + service: + $ref: okta/v00.00.00000/services/risk.yaml + title: risk API + version: v00.00.00000 + description: okta risk API + roles: + id: roles:v00.00.00000 + name: roles + preferred: true + service: + $ref: okta/v00.00.00000/services/roles.yaml + title: roles API + version: v00.00.00000 + description: okta roles API + security: + id: security:v00.00.00000 + name: security + preferred: true + service: + $ref: okta/v00.00.00000/services/security.yaml + title: security API + version: v00.00.00000 + description: okta security API + security_events_providers: + id: security_events_providers:v00.00.00000 + name: security_events_providers + preferred: true + service: + $ref: okta/v00.00.00000/services/security_events_providers.yaml + title: security_events_providers API + version: v00.00.00000 + description: okta security_events_providers API + sessions: + id: sessions:v00.00.00000 + name: sessions + preferred: true + service: + $ref: okta/v00.00.00000/services/sessions.yaml + title: sessions API + version: v00.00.00000 + description: okta sessions API + ssf: + id: ssf:v00.00.00000 + name: ssf + preferred: true + service: + $ref: okta/v00.00.00000/services/ssf.yaml + title: ssf API + version: v00.00.00000 + description: okta ssf API + templates: + id: templates:v00.00.00000 + name: templates + preferred: true + service: + $ref: okta/v00.00.00000/services/templates.yaml + title: templates API + version: v00.00.00000 + description: okta templates API + threats: + id: threats:v00.00.00000 + name: threats + preferred: true + service: + $ref: okta/v00.00.00000/services/threats.yaml + title: threats API + version: v00.00.00000 + description: okta threats API + trustedorigins: + id: 
trustedorigins:v00.00.00000 + name: trustedorigins + preferred: true + service: + $ref: okta/v00.00.00000/services/trustedorigins.yaml + title: trustedorigins API + version: v00.00.00000 + description: okta trustedorigins API + users: + id: users:v00.00.00000 + name: users + preferred: true + service: + $ref: okta/v00.00.00000/services/users.yaml + title: users API + version: v00.00.00000 + description: okta users API + webauthn_registration: + id: webauthn_registration:v00.00.00000 + name: webauthn_registration + preferred: true + service: + $ref: okta/v00.00.00000/services/webauthn_registration.yaml + title: webauthn_registration API + version: v00.00.00000 + description: okta webauthn_registration API + zones: + id: zones:v00.00.00000 + name: zones + preferred: true + service: + $ref: okta/v00.00.00000/services/zones.yaml + title: zones API + version: v00.00.00000 + description: okta zones API config: auth: - credentialsenvvar: "OKTA_API_TOKEN" - type: "api_key" - valuePrefix: "SSWS " + credentialsenvvar: OKTA_API_TOKEN + type: api_key + valuePrefix: 'SSWS ' diff --git a/providers/src/okta/v00.00.00000/services/Application.yaml b/providers/src/okta/v00.00.00000/services/Application.yaml deleted file mode 100644 index c227b59d..00000000 --- a/providers/src/okta/v00.00.00000/services/Application.yaml +++ /dev/null 
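Review bot: The `config.auth` block at the end of this hunk still authenticates every service with one `SSWS` token read from `OKTA_API_TOKEN`, while the new service list also registers `api_tokens`, `hook_keys`, `roles`, `iam` and `privileged_access`, so the same credential now reaches considerably more sensitive endpoints. An Okta SSWS token carries the permissions of the admin who created it and has no per-endpoint scopes, so I would state the expectation next to the setting, for example `# OKTA_API_TOKEN: issue from a dedicated admin with the narrowest role that works (read-only where possible); SSWS tokens are not scope-limited`. Separately, the old service keys are removed and differently named ones added (`application`/`apps`, `user`/`users`, `log`/`logs`) while the provider `version` stays `v00.00.00000`, which looks like a breaking rename for anyone who references the old names. The top-level `description` is also removed without a replacement; restoring a one-line `description:` would keep the provider self-describing.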
@@ -1,2869 +0,0 @@ -components: - schemas: - AcsEndpoint: - properties: - index: - type: integer - url: - type: string - type: object - x-okta-tags: - - Application - AppUser: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - credentials: - $ref: '#/components/schemas/AppUserCredentials' - externalId: - readOnly: true - type: string - id: - type: string - lastSync: - format: date-time - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - passwordChanged: - format: date-time - readOnly: true - type: string - profile: - additionalProperties: - properties: {} - type: object - type: object - scope: - type: string - status: - readOnly: true - type: string - statusChanged: - format: date-time - readOnly: true - type: string - syncState: - readOnly: true - type: string - type: object - x-okta-crud: - - alias: update - arguments: - - dest: appId - parentSrc: appId - - dest: userId - src: id - - dest: appUser - self: true - operationId: updateApplicationUser - - alias: delete - arguments: - - dest: appId - parentSrc: appId - - dest: userId - src: id - operationId: deleteApplicationUser - x-okta-tags: - - Application - AppUserCredentials: - properties: - password: - $ref: '#/components/schemas/AppUserPasswordCredential' - userName: - type: string - type: object - x-okta-tags: - - Application - AppUserPasswordCredential: - properties: - value: - format: password - type: string - type: object - x-okta-tags: - - Application - Application: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - accessibility: - $ref: 
'#/components/schemas/ApplicationAccessibility' - created: - format: date-time - readOnly: true - type: string - credentials: - $ref: '#/components/schemas/ApplicationCredentials' - features: - items: - type: string - type: array - id: - readOnly: true - type: string - label: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - licensing: - $ref: '#/components/schemas/ApplicationLicensing' - name: - type: string - profile: - additionalProperties: - properties: {} - type: object - type: object - settings: - $ref: '#/components/schemas/ApplicationSettings' - signOnMode: - $ref: '#/components/schemas/ApplicationSignOnMode' - status: - enum: - - ACTIVE - - INACTIVE - - DELETED - readOnly: true - type: string - visibility: - $ref: '#/components/schemas/ApplicationVisibility' - type: object - x-okta-crud: - - alias: read - arguments: - - dest: appId - src: id - operationId: getApplication - - alias: update - arguments: - - dest: appId - src: id - - dest: application - self: true - operationId: updateApplication - - alias: delete - arguments: - - dest: appId - src: id - operationId: deleteApplication - x-okta-operations: - - alias: activate - arguments: - - dest: appId - src: id - operationId: activateApplication - - alias: deactivate - arguments: - - dest: appId - src: id - operationId: deactivateApplication - - alias: listApplicationUsers - arguments: - - dest: appId - src: id - operationId: listApplicationUsers - - alias: assignUserToApplication - arguments: - - dest: appId - src: id - operationId: assignUserToApplication - - alias: getApplicationUser - arguments: - - dest: appId - src: id - operationId: getApplicationUser - - alias: createApplicationGroupAssignment - arguments: - - dest: appId - src: id - operationId: createApplicationGroupAssignment - - alias: getApplicationGroupAssignment - arguments: - - dest: appId - src: id - operationId: getApplicationGroupAssignment - - alias: cloneApplicationKey - arguments: - - dest: appId - 
src: id - operationId: cloneApplicationKey - - alias: getApplicationKey - arguments: - - dest: appId - src: id - operationId: getApplicationKey - - alias: listGroupAssignments - arguments: - - dest: appId - src: id - operationId: listApplicationGroupAssignments - - alias: listKeys - arguments: - - dest: appId - src: id - operationId: listApplicationKeys - - alias: generateKey - arguments: - - dest: appId - src: id - operationId: generateApplicationKey - - alias: generateCsr - arguments: - - dest: appId - src: id - operationId: generateCsrForApplication - - alias: getCsr - arguments: - - dest: appId - src: id - operationId: getCsrForApplication - - alias: revokeCsr - arguments: - - dest: appId - src: id - operationId: revokeCsrFromApplication - - alias: listCsrs - arguments: - - dest: appId - src: id - operationId: listCsrsForApplication - - alias: publishCerCert - arguments: - - dest: appId - src: id - operationId: publishCerCert - - alias: publishBinaryCerCert - arguments: - - dest: appId - src: id - operationId: publishBinaryCerCert - - alias: publishDerCert - arguments: - - dest: appId - src: id - operationId: publishDerCert - - alias: publishBinaryDerCert - arguments: - - dest: appId - src: id - operationId: publishBinaryDerCert - - alias: publishBinaryPemCert - arguments: - - dest: appId - src: id - operationId: publishBinaryPemCert - - alias: listOAuth2Tokens - arguments: - - dest: appId - src: id - operationId: listOAuth2TokensForApplication - - alias: revokeOAuth2TokenForApplication - arguments: - - dest: appId - src: id - operationId: revokeOAuth2TokenForApplication - - alias: getOAuth2Token - arguments: - - dest: appId - src: id - operationId: getOAuth2TokenForApplication - - alias: revokeOAuth2Tokens - arguments: - - dest: appId - src: id - operationId: revokeOAuth2TokensForApplication - - alias: listScopeConsentGrants - arguments: - - dest: appId - src: id - operationId: listScopeConsentGrants - - alias: grantConsentToScope - arguments: - - dest: appId 
- src: id - operationId: grantConsentToScope - - alias: revokeScopeConsentGrant - arguments: - - dest: appId - src: id - operationId: revokeScopeConsentGrant - - alias: getScopeConsentGrant - arguments: - - dest: appId - src: id - operationId: getScopeConsentGrant - x-okta-tags: - - Application - x-openapi-v3-discriminator: - mapping: - AUTO_LOGIN: '#/components/schemas/AutoLoginApplication' - BASIC_AUTH: '#/components/schemas/BasicAuthApplication' - BOOKMARK: '#/components/schemas/BookmarkApplication' - BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication' - OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication' - SAML_1_1: '#/components/schemas/SamlApplication' - SAML_2_0: '#/components/schemas/SamlApplication' - SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication' - WS_FEDERATION: '#/components/schemas/WsFederationApplication' - propertyName: signOnMode - ApplicationAccessibility: - properties: - errorRedirectUrl: - type: string - loginRedirectUrl: - type: string - selfService: - type: boolean - type: object - x-okta-tags: - - Application - ApplicationCredentials: - properties: - signing: - $ref: '#/components/schemas/ApplicationCredentialsSigning' - userNameTemplate: - $ref: '#/components/schemas/ApplicationCredentialsUsernameTemplate' - type: object - x-okta-tags: - - Application - ApplicationCredentialsOAuthClient: - properties: - autoKeyRotation: - type: boolean - client_id: - type: string - client_secret: - type: string - token_endpoint_auth_method: - $ref: '#/components/schemas/OAuthEndpointAuthenticationMethod' - type: object - x-okta-tags: - - Application - ApplicationCredentialsScheme: - enum: - - SHARED_USERNAME_AND_PASSWORD - - EXTERNAL_PASSWORD_SYNC - - EDIT_USERNAME_AND_PASSWORD - - EDIT_PASSWORD_ONLY - - ADMIN_SETS_CREDENTIALS - type: string - x-okta-tags: - - Application - ApplicationCredentialsSigning: - properties: - kid: - type: string - lastRotated: - format: date-time - readOnly: true - type: string 
- nextRotation: - format: date-time - readOnly: true - type: string - rotationMode: - type: string - use: - $ref: '#/components/schemas/ApplicationCredentialsSigningUse' - type: object - x-okta-tags: - - Application - ApplicationCredentialsSigningUse: - enum: - - sig - type: string - x-okta-tags: - - AuthorizationServer - ApplicationCredentialsUsernameTemplate: - properties: - suffix: - type: string - template: - type: string - type: - type: string - type: object - x-okta-tags: - - Application - ApplicationGroupAssignment: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - priority: - type: integer - profile: - additionalProperties: - properties: {} - type: object - type: object - type: object - x-okta-crud: - - alias: delete - arguments: - - dest: appId - parentSrc: appId - - dest: groupId - src: id - operationId: deleteApplicationGroupAssignment - x-okta-tags: - - Application - ApplicationLicensing: - properties: - seatCount: - type: integer - type: object - x-okta-tags: - - Application - ApplicationSettings: - properties: - app: - $ref: '#/components/schemas/ApplicationSettingsApplication' - implicitAssignment: - type: boolean - inlineHookId: - type: string - notes: - $ref: '#/components/schemas/ApplicationSettingsNotes' - notifications: - $ref: '#/components/schemas/ApplicationSettingsNotifications' - type: object - x-okta-tags: - - Application - ApplicationSettingsApplication: - type: object - x-okta-tags: - - Application - ApplicationSettingsNotes: - properties: - admin: - type: string - enduser: - type: string - type: object - x-okta-tags: - - Application - ApplicationSettingsNotifications: - properties: - vpn: - $ref: '#/components/schemas/ApplicationSettingsNotificationsVpn' - type: object - 
x-okta-tags: - - Application - ApplicationSettingsNotificationsVpn: - properties: - helpUrl: - type: string - message: - type: string - network: - $ref: '#/components/schemas/ApplicationSettingsNotificationsVpnNetwork' - type: object - x-okta-tags: - - Application - ApplicationSettingsNotificationsVpnNetwork: - properties: - connection: - type: string - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - ApplicationSignOnMode: - enum: - - BOOKMARK - - BASIC_AUTH - - BROWSER_PLUGIN - - SECURE_PASSWORD_STORE - - AUTO_LOGIN - - WS_FEDERATION - - SAML_2_0 - - OPENID_CONNECT - - SAML_1_1 - type: string - x-okta-tags: - - Application - ApplicationVisibility: - properties: - appLinks: - additionalProperties: - type: boolean - type: object - autoLaunch: - type: boolean - autoSubmitToolbar: - type: boolean - hide: - $ref: '#/components/schemas/ApplicationVisibilityHide' - type: object - x-okta-tags: - - Application - ApplicationVisibilityHide: - properties: - iOS: - type: boolean - web: - type: boolean - type: object - x-okta-tags: - - Application - AuthorizationServerCredentials: - properties: - signing: - $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig' - type: object - x-okta-tags: - - Application - AuthorizationServerCredentialsRotationMode: - enum: - - AUTO - - MANUAL - type: string - x-okta-tags: - - AuthorizationServer - AuthorizationServerCredentialsSigningConfig: - properties: - kid: - type: string - lastRotated: - format: date-time - readOnly: true - type: string - nextRotation: - format: date-time - readOnly: true - type: string - rotationMode: - $ref: '#/components/schemas/AuthorizationServerCredentialsRotationMode' - use: - $ref: '#/components/schemas/AuthorizationServerCredentialsUse' - type: object - x-okta-tags: - - AuthorizationServer - AuthorizationServerCredentialsUse: - enum: - - sig - type: string - x-okta-tags: - - AuthorizationServer - 
AutoLoginApplication: - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - settings: - $ref: '#/components/schemas/AutoLoginApplicationSettings' - type: object - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - AutoLoginApplicationSettings: - properties: - signOn: - $ref: '#/components/schemas/AutoLoginApplicationSettingsSignOn' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - AutoLoginApplicationSettingsSignOn: - properties: - loginUrl: - type: string - redirectUrl: - type: string - type: object - x-okta-tags: - - Application - BasicApplicationSettings: - properties: - app: - $ref: '#/components/schemas/BasicApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - BasicApplicationSettingsApplication: - properties: - authURL: - type: string - url: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - BasicAuthApplication: - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - name: - type: object - settings: - $ref: '#/components/schemas/BasicApplicationSettings' - type: object - x-okta-defined-as: - name: template_basic_auth - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - BookmarkApplication: - properties: - name: - type: object - settings: - $ref: '#/components/schemas/BookmarkApplicationSettings' - type: object - x-okta-defined-as: - name: bookmark - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - BookmarkApplicationSettings: - properties: - app: - $ref: '#/components/schemas/BookmarkApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - BookmarkApplicationSettingsApplication: - 
properties: - requestIntegration: - type: boolean - url: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - BrowserPluginApplication: - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - type: object - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - x-openapi-v3-discriminator: - mapping: - template_swa: '#/components/schemas/SwaApplication' - template_swa3field: '#/components/schemas/SwaThreeFieldApplication' - propertyName: name - Csr: - properties: - created: - format: date-time - readOnly: true - type: string - csr: - readOnly: true - type: string - id: - readOnly: true - type: string - kty: - readOnly: true - type: string - type: object - x-okta-tags: - - Application - CsrMetadata: - properties: - subject: - $ref: '#/components/schemas/CsrMetadataSubject' - subjectAltNames: - $ref: '#/components/schemas/CsrMetadataSubjectAltNames' - type: object - x-okta-tags: - - Application - CsrMetadataSubject: - properties: - commonName: - type: string - countryName: - type: string - localityName: - type: string - organizationName: - type: string - organizationalUnitName: - type: string - stateOrProvinceName: - type: string - type: object - x-okta-tags: - - Application - CsrMetadataSubjectAltNames: - properties: - dnsNames: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - JsonWebKey: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - alg: - type: string - created: - format: date-time - type: string - e: - type: string - expiresAt: - format: date-time - type: string - key_ops: - items: - type: string - type: array - kid: - type: string - kty: - type: string - lastUpdated: - format: date-time - type: string - n: - type: string - status: - type: string - use: - type: string - x5c: - items: - type: string - type: array - x5t: 
- type: string - x5t#S256: - type: string - x5u: - type: string - type: object - x-okta-tags: - - Application - JwkUse: - properties: - use: - enum: - - sig - type: string - type: object - x-okta-tags: - - Application - OAuth2Actor: - properties: - id: - readOnly: true - type: string - type: - type: string - type: object - x-okta-tags: - - Application - OAuth2Claim: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - alwaysIncludeInToken: - type: boolean - claimType: - enum: - - IDENTITY - - RESOURCE - type: string - conditions: - $ref: '#/components/schemas/OAuth2ClaimConditions' - group_filter_type: - enum: - - STARTS_WITH - - EQUALS - - CONTAINS - - REGEX - type: string - id: - readOnly: true - type: string - name: - type: string - status: - enum: - - ACTIVE - - INACTIVE - type: string - system: - type: boolean - value: - type: string - valueType: - enum: - - EXPRESSION - - GROUPS - - SYSTEM - type: string - type: object - x-okta-tags: - - Application - OAuth2ClaimConditions: - properties: - scopes: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - OAuth2Client: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - client_id: - readOnly: true - type: string - client_name: - readOnly: true - type: string - client_uri: - readOnly: true - type: string - logo_uri: - readOnly: true - type: string - type: object - x-okta-tags: - - Application - OAuth2RefreshToken: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - clientId: - type: string - created: - format: date-time - readOnly: true - type: string - createdBy: - $ref: '#/components/schemas/OAuth2Actor' - expiresAt: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: 
string - issuer: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - scopes: - items: - type: string - type: array - status: - enum: - - ACTIVE - - REVOKED - type: string - userId: - type: string - type: object - x-okta-tags: - - Application - OAuth2Scope: - properties: - consent: - enum: - - REQUIRED - - IMPLICIT - - ADMIN - type: string - default: - type: boolean - description: - type: string - displayName: - type: string - id: - readOnly: true - type: string - metadataPublish: - enum: - - ALL_CLIENTS - - NO_CLIENTS - type: string - name: - type: string - system: - type: boolean - type: object - x-okta-tags: - - Application - OAuth2ScopeConsentGrant: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - clientId: - type: string - created: - format: date-time - readOnly: true - type: string - createdBy: - $ref: '#/components/schemas/OAuth2Actor' - id: - readOnly: true - type: string - issuer: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - scopeId: - type: string - source: - $ref: '#/components/schemas/OAuth2ScopeConsentGrantSource' - status: - $ref: '#/components/schemas/OAuth2ScopeConsentGrantStatus' - userId: - type: string - type: object - x-okta-tags: - - Application - OAuth2ScopeConsentGrantSource: - enum: - - END_USER - - ADMIN - type: string - x-okta-tags: - - Application - OAuth2ScopeConsentGrantStatus: - enum: - - ACTIVE - - REVOKED - type: string - x-okta-tags: - - Application - OAuth2ScopesMediationPolicyRuleCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - OAuth2Token: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - 
readOnly: true - type: object - clientId: - type: string - created: - format: date-time - readOnly: true - type: string - expiresAt: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - issuer: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - scopes: - items: - type: string - type: array - status: - enum: - - ACTIVE - - REVOKED - type: string - userId: - type: string - type: object - x-okta-tags: - - Application - OAuthApplicationCredentials: - properties: - oauthClient: - $ref: '#/components/schemas/ApplicationCredentialsOAuthClient' - type: object - x-okta-parent: '#/components/schemas/ApplicationCredentials' - x-okta-tags: - - Application - OAuthEndpointAuthenticationMethod: - enum: - - none - - client_secret_post - - client_secret_basic - - client_secret_jwt - - private_key_jwt - type: string - x-okta-tags: - - Application - OAuthGrantType: - enum: - - authorization_code - - implicit - - password - - refresh_token - - client_credentials - type: string - x-okta-tags: - - Application - OAuthResponseType: - enum: - - code - - token - - id_token - type: string - x-okta-tags: - - Application - OpenIdConnectApplication: - properties: - credentials: - $ref: '#/components/schemas/OAuthApplicationCredentials' - name: - type: object - settings: - $ref: '#/components/schemas/OpenIdConnectApplicationSettings' - type: object - x-okta-defined-as: - name: oidc_client - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - OpenIdConnectApplicationConsentMethod: - enum: - - REQUIRED - - TRUSTED - type: string - x-okta-tags: - - Application - OpenIdConnectApplicationIdpInitiatedLogin: - properties: - default_scope: - items: - type: string - type: array - mode: - type: string - type: object - x-okta-tags: - - Application - OpenIdConnectApplicationIssuerMode: - enum: - - CUSTOM_URL - - ORG_URL - type: string - x-okta-tags: - - Application - OpenIdConnectApplicationSettings: - 
properties: - oauthClient: - $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClient' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - OpenIdConnectApplicationSettingsClient: - properties: - application_type: - $ref: '#/components/schemas/OpenIdConnectApplicationType' - client_uri: - type: string - consent_method: - $ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod' - grant_types: - items: - $ref: '#/components/schemas/OAuthGrantType' - type: array - idp_initiated_login: - $ref: '#/components/schemas/OpenIdConnectApplicationIdpInitiatedLogin' - initiate_login_uri: - type: string - issuer_mode: - $ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode' - jwks: - $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys' - logo_uri: - type: string - policy_uri: - type: string - post_logout_redirect_uris: - items: - type: string - type: array - redirect_uris: - items: - type: string - type: array - refresh_token: - $ref: '#/components/schemas/OpenIdConnectApplicationSettingsRefreshToken' - response_types: - items: - $ref: '#/components/schemas/OAuthResponseType' - type: array - tos_uri: - type: string - wildcard_redirect: - type: string - type: object - x-okta-tags: - - Application - OpenIdConnectApplicationSettingsClientKeys: - properties: - keys: - items: - $ref: '#/components/schemas/JsonWebKey' - type: array - type: object - x-okta-tags: - - Application - OpenIdConnectApplicationSettingsRefreshToken: - properties: - leeway: - type: integer - rotation_type: - $ref: '#/components/schemas/OpenIdConnectRefreshTokenRotationType' - type: object - x-okta-tags: - - Application - OpenIdConnectApplicationType: - enum: - - web - - native - - browser - - service - type: string - x-okta-tags: - - Application - OpenIdConnectRefreshTokenRotationType: - enum: - - rotate - - static - type: string - x-okta-tags: - - Application - PasswordCredential: - properties: - hash: - 
$ref: '#/components/schemas/PasswordCredentialHash' - hook: - $ref: '#/components/schemas/PasswordCredentialHook' - value: - format: password - type: string - type: object - x-okta-tags: - - User - PasswordCredentialHash: - properties: - algorithm: - $ref: '#/components/schemas/PasswordCredentialHashAlgorithm' - salt: - type: string - saltOrder: - type: string - value: - type: string - workFactor: - type: integer - type: object - x-okta-tags: - - User - PasswordCredentialHashAlgorithm: - enum: - - BCRYPT - - SHA-512 - - SHA-256 - - SHA-1 - - MD5 - type: string - x-okta-tags: - - User - PasswordCredentialHook: - properties: - type: - type: string - type: object - x-okta-tags: - - User - SamlApplication: - properties: - settings: - $ref: '#/components/schemas/SamlApplicationSettings' - type: object - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - SamlApplicationSettings: - properties: - signOn: - $ref: '#/components/schemas/SamlApplicationSettingsSignOn' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - SamlApplicationSettingsSignOn: - properties: - acsEndpoints: - items: - $ref: '#/components/schemas/AcsEndpoint' - type: array - allowMultipleAcsEndpoints: - type: boolean - assertionSigned: - type: boolean - attributeStatements: - items: - $ref: '#/components/schemas/SamlAttributeStatement' - type: array - audience: - type: string - audienceOverride: - type: string - authnContextClassRef: - type: string - defaultRelayState: - type: string - destination: - type: string - destinationOverride: - type: string - digestAlgorithm: - type: string - honorForceAuthn: - type: boolean - idpIssuer: - type: string - inlineHooks: - items: - $ref: '#/components/schemas/SignOnInlineHook' - type: array - recipient: - type: string - recipientOverride: - type: string - requestCompressed: - type: boolean - responseSigned: - type: boolean - signatureAlgorithm: - type: string - slo: - $ref: 
'#/components/schemas/SingleLogout' - spCertificate: - $ref: '#/components/schemas/SpCertificate' - spIssuer: - type: string - ssoAcsUrl: - type: string - ssoAcsUrlOverride: - type: string - subjectNameIdFormat: - type: string - subjectNameIdTemplate: - type: string - type: object - x-okta-tags: - - Application - SamlAttributeStatement: - properties: - filterType: - type: string - filterValue: - type: string - name: - type: string - namespace: - type: string - type: - type: string - values: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - SchemeApplicationCredentials: - properties: - password: - $ref: '#/components/schemas/PasswordCredential' - revealPassword: - type: boolean - scheme: - $ref: '#/components/schemas/ApplicationCredentialsScheme' - signing: - $ref: '#/components/schemas/ApplicationCredentialsSigning' - userName: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationCredentials' - x-okta-tags: - - Application - SecurePasswordStoreApplication: - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - name: - type: object - settings: - $ref: '#/components/schemas/SecurePasswordStoreApplicationSettings' - type: object - x-okta-defined-as: - name: template_sps - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - SecurePasswordStoreApplicationSettings: - properties: - app: - $ref: '#/components/schemas/SecurePasswordStoreApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - SecurePasswordStoreApplicationSettingsApplication: - properties: - optionalField1: - type: string - optionalField1Value: - type: string - optionalField2: - type: string - optionalField2Value: - type: string - optionalField3: - type: string - optionalField3Value: - type: string - passwordField: - type: string - url: - type: string - usernameField: - type: string - type: object 
- x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - SignOnInlineHook: - properties: - id: - type: string - type: object - x-okta-tags: - - Application - SingleLogout: - properties: - enabled: - type: boolean - issuer: - type: string - logoutUrl: - type: string - type: object - x-okta-tags: - - Application - SpCertificate: - properties: - x5c: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - SwaApplication: - properties: - name: - type: object - settings: - $ref: '#/components/schemas/SwaApplicationSettings' - type: object - x-okta-defined-as: - name: template_swa - x-okta-parent: '#/components/schemas/BrowserPluginApplication' - x-okta-tags: - - Application - SwaApplicationSettings: - properties: - app: - $ref: '#/components/schemas/SwaApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - SwaApplicationSettingsApplication: - properties: - buttonField: - type: string - loginUrlRegex: - type: string - passwordField: - type: string - url: - type: string - usernameField: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - SwaThreeFieldApplication: - properties: - name: - type: object - settings: - $ref: '#/components/schemas/SwaThreeFieldApplicationSettings' - type: object - x-okta-defined-as: - name: template_swa3field - x-okta-parent: '#/components/schemas/BrowserPluginApplication' - x-okta-tags: - - Application - SwaThreeFieldApplicationSettings: - properties: - app: - $ref: '#/components/schemas/SwaThreeFieldApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - SwaThreeFieldApplicationSettingsApplication: - properties: - buttonSelector: - type: string - extraFieldSelector: - type: string - extraFieldValue: - type: string - 
loginUrlRegex: - type: string - passwordSelector: - type: string - targetURL: - type: string - userNameSelector: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - WsFederationApplication: - properties: - name: - type: object - settings: - $ref: '#/components/schemas/WsFederationApplicationSettings' - type: object - x-okta-defined-as: - name: template_wsfed - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - WsFederationApplicationSettings: - properties: - app: - $ref: '#/components/schemas/WsFederationApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - WsFederationApplicationSettingsApplication: - properties: - attributeStatements: - type: string - audienceRestriction: - type: string - authnContextClassRef: - type: string - groupFilter: - type: string - groupName: - type: string - groupValueFormat: - type: string - nameIDFormat: - type: string - realm: - type: string - siteURL: - type: string - usernameAttribute: - type: string - wReplyOverride: - type: boolean - wReplyURL: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - apps: - id: okta.application.apps - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1lifecycle~1activate/post' - response: - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1lifecycle~1deactivate/post' - response: - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}/delete' - response: - openAPIDocKey: '200' - deleteall: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1tokens/delete' - response: - openAPIDocKey: '204' 
- get: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1apps/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1apps/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: apps - title: apps - csrs: - id: okta.application.csrs - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1csrs~1{csrId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1csrs~1{csrId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1csrs/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '201' - list: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1csrs/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: csrs - title: csrs - grants: - id: okta.application.grants - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1grants~1{grantId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1grants~1{grantId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1grants/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '201' - list: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1grants/get' - response: - mediaType: application/json - openAPIDocKey: '200' 
- name: grants - title: grants - groups: - id: okta.application.groups - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1groups~1{groupId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1groups~1{groupId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1groups/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1groups~1{groupId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: groups - title: groups - keys: - id: okta.application.keys - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1csrs~1{csrId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1keys~1{keyId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1keys~1generate/post' - response: - mediaType: application/json - openAPIDocKey: '201' - list: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1keys/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: keys - title: keys - tokens: - id: okta.application.tokens - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1tokens~1{tokenId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1tokens~1{tokenId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1tokens/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: tokens - title: tokens - users: - id: okta.application.users - methods: - delete: - operation: - $ref: 
'#/paths/~1api~1v1~1apps~1{appId}~1users~1{userId}/DELETE' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1users~1{userId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1users/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1users/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1apps~1{appId}~1users~1{userId}/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: users - title: users -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 - x-serviceName: application -openapi: 3.0.1 -paths: - /api/v1/apps: - get: - description: Enumerates apps added to your organization with pagination. A subset - of apps can be returned that match a supported filter expression or query. 
- operationId: listApplications - parameters: - - in: query - name: q - schema: - type: string - - description: Specifies the pagination cursor for the next page of apps - in: query - name: after - schema: - type: string - - description: Specifies the number of results for a page - in: query - name: limit - schema: - default: -1 - format: int32 - type: integer - - description: Filters apps by status, user.id, group.id or credentials.signing.kid - expression - in: query - name: filter - schema: - type: string - - description: Traverses users link relationship and optionally embeds Application - User resource - in: query - name: expand - schema: - type: string - - in: query - name: includeNonDeleted - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Application' - type: array - description: Success - security: - - api_token: [] - summary: List Applications - tags: - - Application - post: - description: Adds a new application to your Okta organization. - operationId: createApplication - parameters: - - description: Executes activation lifecycle operation when creating the app - in: query - name: activate - schema: - default: true - type: boolean - - in: header - name: OktaAccessGateway-Agent - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Application' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Application' - description: Success - security: - - api_token: [] - summary: Add Application - tags: - - Application - x-codegen-request-body-name: application - /api/v1/apps/{appId}: - delete: - description: Removes an inactive application. 
- operationId: deleteApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - summary: Delete Application - tags: - - Application - get: - description: Fetches an application from your Okta organization by `id`. - operationId: getApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Application' - description: Success - security: - - api_token: [] - summary: Get Application - tags: - - Application - put: - description: Updates an application in your organization. - operationId: updateApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Application' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Application' - description: Success - security: - - api_token: [] - summary: Update Application - tags: - - Application - x-codegen-request-body-name: application - /api/v1/apps/{appId}/credentials/csrs: - get: - description: Enumerates Certificate Signing Requests for an application - operationId: listCsrsForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Csr' - type: array - description: Success - security: - - api_token: [] - summary: List Certificate Signing Requests for Application - tags: - - Application - post: - description: Generates a new key pair and returns the Certificate Signing Request - for it. 
- operationId: generateCsrForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/CsrMetadata' - required: true - responses: - '201': - content: - application/json: - schema: - $ref: '#/components/schemas/Csr' - description: Created - security: - - api_token: [] - summary: Generate Certificate Signing Request for Application - tags: - - Application - x-codegen-request-body-name: metadata - /api/v1/apps/{appId}/credentials/csrs/{csrId}: - delete: - operationId: revokeCsrFromApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: csrId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Application - get: - operationId: getCsrForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: csrId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Csr' - description: Success - security: - - api_token: [] - tags: - - Application - /api/v1/apps/{appId}/credentials/csrs/{csrId}/lifecycle/publish: - post: - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: csrId - required: true - schema: - type: string - responses: - '201': - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - description: Created - security: - - api_token: [] - tags: - - Application - x-okta-multi-operation: - - consumes: - - application/x-x509-ca-cert - encoding: base64 - operationId: publishCerCert - parameters: - - in: body - name: certificate - required: true - type: string - - consumes: - - application/x-x509-ca-cert - operationId: publishBinaryCerCert - parameters: - - format: binary - in: body - name: 
certificate - required: true - type: string - - consumes: - - application/pkix-cert - encoding: base64 - operationId: publishDerCert - parameters: - - in: body - name: certificate - required: true - type: string - - consumes: - - application/pkix-cert - operationId: publishBinaryDerCert - parameters: - - format: binary - in: body - name: certificate - required: true - type: string - - consumes: - - application/x-pem-file - operationId: publishBinaryPemCert - parameters: - - format: binary - in: body - name: certificate - required: true - type: string - /api/v1/apps/{appId}/credentials/keys: - get: - description: Enumerates key credentials for an application - operationId: listApplicationKeys - parameters: - - in: path - name: appId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/JsonWebKey' - type: array - description: Success - security: - - api_token: [] - summary: List Key Credentials for Application - tags: - - Application - /api/v1/apps/{appId}/credentials/keys/generate: - post: - description: Generates a new X.509 certificate for an application key credential - operationId: generateApplicationKey - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: query - name: validityYears - schema: - type: integer - responses: - '201': - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - description: Created - security: - - api_token: [] - tags: - - Application - /api/v1/apps/{appId}/credentials/keys/{keyId}: - get: - description: Gets a specific application key credential by kid - operationId: getApplicationKey - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: keyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - description: Success - security: - - 
api_token: [] - summary: Get Key Credential for Application - tags: - - Application - /api/v1/apps/{appId}/credentials/keys/{keyId}/clone: - post: - description: Clones a X.509 certificate for an application key credential from - a source application to target application. - operationId: cloneApplicationKey - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: keyId - required: true - schema: - type: string - - description: Unique key of the target Application - in: query - name: targetAid - required: true - schema: - type: string - responses: - '201': - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - description: Created - security: - - api_token: [] - summary: Clone Application Key Credential - tags: - - Application - /api/v1/apps/{appId}/grants: - get: - description: Lists all scope consent grants for the application - operationId: listScopeConsentGrants - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' - type: array - description: Success - security: - - api_token: [] - tags: - - Application - post: - description: Grants consent for the application to request an OAuth 2.0 Okta - scope - operationId: grantConsentToScope - parameters: - - in: path - name: appId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' - required: true - responses: - '201': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' - description: Created - security: - - api_token: [] - tags: - - Application - x-codegen-request-body-name: oAuth2ScopeConsentGrant - /api/v1/apps/{appId}/grants/{grantId}: - delete: - description: Revokes permission for the 
application to request the given scope - operationId: revokeScopeConsentGrant - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: grantId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Application - get: - description: Fetches a single scope consent grant for the application - operationId: getScopeConsentGrant - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: grantId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' - description: Success - security: - - api_token: [] - tags: - - Application - /api/v1/apps/{appId}/groups: - get: - description: Enumerates group assignments for an application. - operationId: listApplicationGroupAssignments - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: query - name: q - schema: - type: string - - description: Specifies the pagination cursor for the next page of assignments - in: query - name: after - schema: - type: string - - description: Specifies the number of results for a page - in: query - name: limit - schema: - default: -1 - format: int32 - type: integer - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/ApplicationGroupAssignment' - type: array - description: Success - security: - - api_token: [] - summary: List Groups Assigned to Application - tags: - - Application - /api/v1/apps/{appId}/groups/{groupId}: - delete: - description: Removes a group assignment from an application. 
- operationId: deleteApplicationGroupAssignment - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: groupId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Remove Group from Application - tags: - - Application - get: - description: Fetches an application group assignment - operationId: getApplicationGroupAssignment - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: groupId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/ApplicationGroupAssignment' - description: Success - security: - - api_token: [] - summary: Get Assigned Group for Application - tags: - - Application - put: - description: Assigns a group to an application - operationId: createApplicationGroupAssignment - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: groupId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/ApplicationGroupAssignment' - required: false - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/ApplicationGroupAssignment' - description: Success - security: - - api_token: [] - summary: Assign Group to Application - tags: - - Application - x-codegen-request-body-name: applicationGroupAssignment - /api/v1/apps/{appId}/lifecycle/activate: - post: - description: Activates an inactive application. 
- operationId: activateApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - summary: Activate Application - tags: - - Application - /api/v1/apps/{appId}/lifecycle/deactivate: - post: - description: Deactivates an active application. - operationId: deactivateApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - summary: Deactivate Application - tags: - - Application - /api/v1/apps/{appId}/tokens: - delete: - description: Revokes all tokens for the specified application - operationId: revokeOAuth2TokensForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Application - get: - description: Lists all tokens for the application - operationId: listOAuth2TokensForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/OAuth2Token' - type: array - description: Success - security: - - api_token: [] - tags: - - Application - /api/v1/apps/{appId}/tokens/{tokenId}: - delete: - description: Revokes the specified token for the specified application - operationId: revokeOAuth2TokenForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: tokenId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - 
Application - get: - description: Gets a token for the specified application - operationId: getOAuth2TokenForApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: tokenId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Token' - description: Success - security: - - api_token: [] - tags: - - Application - /api/v1/apps/{appId}/users: - get: - description: Enumerates all assigned [application users](#application-user-model) - for an application. - operationId: listApplicationUsers - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: query - name: q - schema: - type: string - - in: query - name: query_scope - schema: - type: string - - description: specifies the pagination cursor for the next page of assignments - in: query - name: after - schema: - type: string - - description: specifies the number of results for a page - in: query - name: limit - schema: - default: -1 - format: int32 - type: integer - - in: query - name: filter - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/AppUser' - type: array - description: Success - security: - - api_token: [] - summary: List Users Assigned to Application - tags: - - Application - post: - description: Assigns an user to an application with [credentials](#application-user-credentials-object) - and an app-specific [profile](#application-user-profile-object). Profile mappings - defined for the application are first applied before applying any profile - properties specified in the request. 
- operationId: assignUserToApplication - parameters: - - in: path - name: appId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AppUser' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AppUser' - description: Success - security: - - api_token: [] - summary: Assign User to Application for SSO & Provisioning - tags: - - Application - x-codegen-request-body-name: appUser - /api/v1/apps/{appId}/users/{userId}: - delete: - description: Removes an assignment for a user from an application. - operationId: deleteApplicationUser - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: sendEmail - schema: - default: false - type: boolean - x-okta-added-version: 1.5.0 - x-okta-added-version: 1.5.0 - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Remove User from Application - tags: - - Application - get: - description: Fetches a specific user assignment for application by `id`. 
- operationId: getApplicationUser - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AppUser' - description: Success - security: - - api_token: [] - summary: Get Assigned User for Application - tags: - - Application - post: - description: Updates a user's profile for an application - operationId: updateApplicationUser - parameters: - - in: path - name: appId - required: true - schema: - type: string - - in: path - name: userId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AppUser' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AppUser' - description: Success - security: - - api_token: [] - summary: Update Application Profile for Assigned User - tags: - - Application - x-codegen-request-body-name: appUser -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/Authenticator.yaml b/providers/src/okta/v00.00.00000/services/Authenticator.yaml deleted file mode 100644 index f6222837..00000000 --- a/providers/src/okta/v00.00.00000/services/Authenticator.yaml +++ /dev/null 
@@ -1,220 +0,0 @@ -components: - schemas: - AllowedForEnum: - enum: - - recovery - - sso - - any - - none - type: string - x-okta-tags: - - Authenticator - Authenticator: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - key: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - settings: - $ref: '#/components/schemas/AuthenticatorSettings' - status: - $ref: '#/components/schemas/AuthenticatorStatus' - type: - $ref: '#/components/schemas/AuthenticatorType' - type: object - x-okta-operations: - - alias: activate - arguments: - - dest: authenticatorId - src: id - operationId: activateAuthenticator - - alias: deactivate - arguments: - - dest: authenticatorId - src: id - operationId: deactivateAuthenticator - x-okta-tags: - - Authenticator - AuthenticatorSettings: - properties: - allowedFor: - $ref: '#/components/schemas/AllowedForEnum' - tokenLifetimeInMinutes: - type: integer - type: object - x-okta-tags: - - Authenticator - AuthenticatorStatus: - enum: - - ACTIVE - - INACTIVE - type: string - x-okta-tags: - - Authenticator - AuthenticatorType: - enum: - - app - - password - - security_question - - phone - - email - - security_key - - federated - type: string - x-okta-tags: - - Authenticator - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - authenticators: - id: okta.authenticator.authenticators - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1authenticators~1{authenticatorId}~1lifecycle~1activate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1authenticators~1{authenticatorId}~1lifecycle~1deactivate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - 
get: - operation: - $ref: '#/paths/~1api~1v1~1authenticators~1{authenticatorId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1authenticators/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: authenticators - title: authenticators -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/authenticators: - get: - description: Success - operationId: listAuthenticators - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Authenticator' - type: array - description: Success - security: - - api_token: [] - tags: - - Authenticator - /api/v1/authenticators/{authenticatorId}: - get: - description: Success - operationId: getAuthenticator - parameters: - - in: path - name: authenticatorId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Authenticator' - description: Success - security: - - api_token: [] - tags: - - Authenticator - /api/v1/authenticators/{authenticatorId}/lifecycle/activate: - post: - description: Success - operationId: activateAuthenticator - parameters: - - in: path - name: authenticatorId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Authenticator' - description: Success - security: - - api_token: [] - tags: - - Authenticator - /api/v1/authenticators/{authenticatorId}/lifecycle/deactivate: - 
post: - description: Success - operationId: deactivateAuthenticator - parameters: - - in: path - name: authenticatorId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Authenticator' - description: Success - security: - - api_token: [] - tags: - - Authenticator -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/AuthorizationServer.yaml b/providers/src/okta/v00.00.00000/services/AuthorizationServer.yaml deleted file mode 100644 index 0ec141cc..00000000 --- a/providers/src/okta/v00.00.00000/services/AuthorizationServer.yaml +++ /dev/null 
@@ -1,2506 +0,0 @@ -components: - schemas: - AppAndInstanceConditionEvaluatorAppOrInstance: - properties: - id: - readOnly: true - type: string - name: - type: string - type: - enum: - - APP_TYPE - - APP - type: string - type: object - x-okta-tags: - - Policy - AppAndInstancePolicyRuleCondition: - properties: - exclude: - items: - $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' - type: array - include: - items: - $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' - type: array - type: object - x-okta-tags: - - Policy - AppInstancePolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - ApplicationCredentialsSigningUse: - enum: - - sig - type: string - x-okta-tags: - - AuthorizationServer - AuthorizationServer: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - audiences: - items: - type: string - type: array - created: - format: date-time - readOnly: true - type: string - credentials: - $ref: '#/components/schemas/AuthorizationServerCredentials' - description: - type: string - id: - readOnly: true - type: string - issuer: - type: string - issuerMode: - enum: - - ORG_URL - - CUSTOM_URL - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - status: - enum: - - ACTIVE - - INACTIVE - type: string - type: object - x-okta-crud: - - alias: create - arguments: - - dest: authorizationServer - self: true - operationId: createAuthorizationServer - - alias: read - arguments: [] - operationId: getAuthorizationServer - - alias: update - arguments: - - dest: authServerId - src: id - - dest: authorizationServer - self: true - operationId: updateAuthorizationServer - - alias: delete - arguments: - - dest: authServerId - src: id - - dest: authorizationServer - self: true - operationId: 
deleteAuthorizationServer - x-okta-operations: - - alias: listOAuth2Claims - arguments: - - dest: authServerId - src: id - operationId: listOAuth2Claims - - alias: createOAuth2Claim - arguments: - - dest: authServerId - src: id - operationId: createOAuth2Claim - - alias: deleteOAuth2Claim - arguments: - - dest: authServerId - src: id - operationId: deleteOAuth2Claim - - alias: getOAuth2Claim - arguments: - - dest: authServerId - src: id - operationId: getOAuth2Claim - - alias: updateOAuth2Claim - arguments: - - dest: authServerId - src: id - operationId: updateOAuth2Claim - - alias: listOAuth2Clients - arguments: - - dest: authServerId - src: id - operationId: listOAuth2ClientsForAuthorizationServer - - alias: revokeRefreshTokensForClient - arguments: - - dest: authServerId - src: id - operationId: revokeRefreshTokensForAuthorizationServerAndClient - - alias: listRefreshTokensForClient - arguments: - - dest: authServerId - src: id - operationId: listRefreshTokensForAuthorizationServerAndClient - - alias: getRefreshTokenForClient - arguments: - - dest: authServerId - src: id - operationId: getRefreshTokenForAuthorizationServerAndClient - - alias: revokeRefreshTokenForClient - arguments: - - dest: authServerId - src: id - operationId: revokeRefreshTokenForAuthorizationServerAndClient - - alias: listKeys - arguments: - - dest: authServerId - src: id - operationId: listAuthorizationServerKeys - - alias: rotateKeys - arguments: - - dest: authServerId - src: id - operationId: rotateAuthorizationServerKeys - - alias: activate - arguments: - - dest: authServerId - src: id - operationId: activateAuthorizationServer - - alias: deactivate - arguments: - - dest: authServerId - src: id - operationId: deactivateAuthorizationServer - - alias: listPolicies - arguments: - - dest: authServerId - src: id - operationId: listAuthorizationServerPolicies - - alias: createPolicy - arguments: - - dest: authServerId - src: id - operationId: createAuthorizationServerPolicy - - alias: 
deletePolicy - arguments: - - dest: authServerId - src: id - operationId: deleteAuthorizationServerPolicy - - alias: getPolicy - arguments: - - dest: authServerId - src: id - operationId: getAuthorizationServerPolicy - - alias: updatePolicy - arguments: - - dest: authServerId - src: id - operationId: updateAuthorizationServerPolicy - - alias: listOAuth2Scopes - arguments: - - dest: authServerId - src: id - operationId: listOAuth2Scopes - - alias: createOAuth2Scope - arguments: - - dest: authServerId - src: id - operationId: createOAuth2Scope - - alias: deleteOAuth2Scope - arguments: - - dest: authServerId - src: id - operationId: deleteOAuth2Scope - - alias: getOAuth2Scope - arguments: - - dest: authServerId - src: id - operationId: getOAuth2Scope - - alias: updateOAuth2Scope - arguments: - - dest: authServerId - src: id - operationId: updateOAuth2Scope - x-okta-tags: - - AuthorizationServer - AuthorizationServerCredentials: - properties: - signing: - $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig' - type: object - x-okta-tags: - - Application - AuthorizationServerCredentialsRotationMode: - enum: - - AUTO - - MANUAL - type: string - x-okta-tags: - - AuthorizationServer - AuthorizationServerCredentialsSigningConfig: - properties: - kid: - type: string - lastRotated: - format: date-time - readOnly: true - type: string - nextRotation: - format: date-time - readOnly: true - type: string - rotationMode: - $ref: '#/components/schemas/AuthorizationServerCredentialsRotationMode' - use: - $ref: '#/components/schemas/AuthorizationServerCredentialsUse' - type: object - x-okta-tags: - - AuthorizationServer - AuthorizationServerCredentialsUse: - enum: - - sig - type: string - x-okta-tags: - - AuthorizationServer - AuthorizationServerPolicy: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - 
conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - created: - format: date-time - readOnly: true - type: string - description: - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - priority: - type: integer - status: - enum: - - ACTIVE - - INACTIVE - type: string - system: - type: boolean - type: - $ref: '#/components/schemas/PolicyType' - type: object - x-okta-crud: - - alias: read - arguments: - - dest: policyId - src: id - operationId: getAuthorizationServerPolicy - - alias: update - arguments: - - dest: policyId - src: id - - dest: policy - self: true - operationId: updateAuthorizationServerPolicy - - alias: delete - arguments: - - dest: policyId - src: id - operationId: deleteAuthorizationServerPolicy - x-okta-operations: - - alias: listPolicyRules - arguments: - - dest: policyId - src: id - operationId: listAuthorizationServerPolicyRules - - alias: createPolicyRule - arguments: - - dest: policyId - src: id - operationId: createAuthorizationServerPolicyRule - - alias: getPolicyRule - arguments: - - dest: policyId - src: id - operationId: getAuthorizationServerPolicyRule - - alias: deletePolicyRule - arguments: - - dest: policyId - src: id - operationId: deleteAuthorizationServerPolicyRule - - alias: activate - arguments: - - dest: policyId - src: id - operationId: activateAuthorizationServerPolicy - - alias: deactivate - arguments: - - dest: policyId - src: id - operationId: deactivateAuthorizationServerPolicy - x-okta-tags: - - AuthorizationServer - AuthorizationServerPolicyRule: - properties: - actions: - $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions' - conditions: - $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions' - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - priority: - 
type: integer - status: - default: ACTIVE - enum: - - ACTIVE - - INACTIVE - type: string - system: - default: false - type: boolean - type: - enum: - - RESOURCE_ACCESS - type: string - type: object - x-okta-crud: - - alias: update - arguments: - - dest: ruleId - src: id - - dest: policyRule - self: true - - dest: policyId - parentSrc: id - operationId: updateAuthorizationServerPolicyRule - - alias: delete - arguments: - - dest: ruleId - src: id - - dest: policyId - parentSrc: policyId - operationId: deleteAuthorizationServerPolicyRule - x-okta-operations: - - alias: activate - arguments: - - dest: ruleId - src: id - - dest: policyId - parentSrc: policyId - operationId: activateAuthorizationServerPolicyRule - - alias: deactivate - arguments: - - dest: ruleId - src: id - - dest: policyId - parentSrc: policyId - operationId: deactivateAuthorizationServerPolicyRule - x-okta-tags: - - AuthorizationServerPolicy - AuthorizationServerPolicyRuleActions: - properties: - token: - $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction' - type: object - x-okta-tags: - - AuthorizationServerPolicy - AuthorizationServerPolicyRuleConditions: - properties: - clients: - $ref: '#/components/schemas/ClientPolicyCondition' - grantTypes: - $ref: '#/components/schemas/GrantTypePolicyRuleCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - scopes: - $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' - type: object - x-okta-tags: - - AuthorizationServerPolicy - BeforeScheduledActionPolicyRuleCondition: - properties: - duration: - $ref: '#/components/schemas/Duration' - lifecycleAction: - $ref: '#/components/schemas/ScheduledUserLifecycleAction' - type: object - x-okta-tags: - - Policy - ClientPolicyCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - ContextPolicyRuleCondition: - properties: - expression: - type: string - type: object - x-okta-tags: - - Policy - 
DevicePolicyRuleCondition: - properties: - migrated: - type: boolean - platform: - $ref: '#/components/schemas/DevicePolicyRuleConditionPlatform' - rooted: - type: boolean - trustLevel: - enum: - - ANY - - TRUSTED - type: string - type: object - x-okta-tags: - - Policy - DevicePolicyRuleConditionPlatform: - properties: - supportedMDMFrameworks: - items: - enum: - - AFW - - SAFE - - NATIVE - type: string - type: array - types: - items: - enum: - - IOS - - ANDROID - - OSX - - WINDOWS - type: string - type: array - type: object - x-okta-tags: - - Policy - Duration: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - GrantTypePolicyRuleCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - GroupCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - GroupPolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - IdentityProviderPolicyRuleCondition: - properties: - idpIds: - items: - type: string - type: array - provider: - enum: - - ANY - - OKTA - - SPECIFIC_IDP - type: string - type: object - x-okta-tags: - - Policy - InactivityPolicyRuleCondition: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - JsonWebKey: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - alg: - type: string - created: - format: date-time - type: string - e: - type: string - expiresAt: - format: date-time - type: string - key_ops: - items: - type: string - type: array - kid: - type: string - kty: - type: string - lastUpdated: - format: date-time - type: string - n: - type: string - status: - type: string - use: - type: string - x5c: - items: - 
type: string - type: array - x5t: - type: string - x5t#S256: - type: string - x5u: - type: string - type: object - x-okta-tags: - - Application - JwkUse: - properties: - use: - enum: - - sig - type: string - type: object - x-okta-tags: - - Application - LifecycleExpirationPolicyRuleCondition: - properties: - lifecycleStatus: - type: string - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - MDMEnrollmentPolicyRuleCondition: - properties: - blockNonSafeAndroid: - type: boolean - enrollment: - enum: - - OMM - - ANY_OR_NONE - type: string - type: object - x-okta-tags: - - Policy - OAuth2Actor: - properties: - id: - readOnly: true - type: string - type: - type: string - type: object - x-okta-tags: - - Application - OAuth2Claim: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - alwaysIncludeInToken: - type: boolean - claimType: - enum: - - IDENTITY - - RESOURCE - type: string - conditions: - $ref: '#/components/schemas/OAuth2ClaimConditions' - group_filter_type: - enum: - - STARTS_WITH - - EQUALS - - CONTAINS - - REGEX - type: string - id: - readOnly: true - type: string - name: - type: string - status: - enum: - - ACTIVE - - INACTIVE - type: string - system: - type: boolean - value: - type: string - valueType: - enum: - - EXPRESSION - - GROUPS - - SYSTEM - type: string - type: object - x-okta-tags: - - Application - OAuth2ClaimConditions: - properties: - scopes: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - OAuth2Client: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - client_id: - readOnly: true - type: string - client_name: - readOnly: true - type: string - client_uri: - readOnly: true - type: string - logo_uri: - readOnly: true - type: string - type: object - x-okta-tags: - - Application - OAuth2RefreshToken: - properties: - _embedded: - additionalProperties: - 
properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - clientId: - type: string - created: - format: date-time - readOnly: true - type: string - createdBy: - $ref: '#/components/schemas/OAuth2Actor' - expiresAt: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - issuer: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - scopes: - items: - type: string - type: array - status: - enum: - - ACTIVE - - REVOKED - type: string - userId: - type: string - type: object - x-okta-tags: - - Application - OAuth2Scope: - properties: - consent: - enum: - - REQUIRED - - IMPLICIT - - ADMIN - type: string - default: - type: boolean - description: - type: string - displayName: - type: string - id: - readOnly: true - type: string - metadataPublish: - enum: - - ALL_CLIENTS - - NO_CLIENTS - type: string - name: - type: string - system: - type: boolean - type: object - x-okta-tags: - - Application - OAuth2ScopesMediationPolicyRuleCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - PasswordExpirationPolicyRuleCondition: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyAuthenticationProviderCondition: - properties: - include: - items: - type: string - type: array - provider: - enum: - - ACTIVE_DIRECTORY - - ANY - - LDAP - - OKTA - type: string - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatform: - properties: - os: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystem' - type: - enum: - - DESKTOP - - MOBILE - - OTHER - - ANY - type: string - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatformOperatingSystem: - properties: - expression: - type: string - type: - enum: - - ANDROID - - IOS - - WINDOWS - 
- OSX - - OTHER - - ANY - type: string - version: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystemVersion' - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatformOperatingSystemVersion: - properties: - matchType: - enum: - - EXPRESSION - - SEMVER - type: string - value: - type: string - type: object - x-okta-tags: - - Policy - PlatformPolicyRuleCondition: - properties: - exclude: - items: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' - type: array - include: - items: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' - type: array - type: object - x-okta-tags: - - Policy - PolicyNetworkCondition: - properties: - connection: - enum: - - ANYWHERE - - ZONE - type: string - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - PolicyPeopleCondition: - properties: - groups: - $ref: '#/components/schemas/GroupCondition' - users: - $ref: '#/components/schemas/UserCondition' - type: object - x-okta-tags: - - Policy - PolicyRuleAuthContextCondition: - properties: - authType: - enum: - - ANY - - RADIUS - type: string - type: object - x-okta-tags: - - Policy - PolicyRuleConditions: - properties: - app: - $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' - apps: - $ref: '#/components/schemas/AppInstancePolicyRuleCondition' - authContext: - $ref: '#/components/schemas/PolicyRuleAuthContextCondition' - authProvider: - $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' - beforeScheduledAction: - $ref: '#/components/schemas/BeforeScheduledActionPolicyRuleCondition' - clients: - $ref: '#/components/schemas/ClientPolicyCondition' - context: - $ref: '#/components/schemas/ContextPolicyRuleCondition' - device: - $ref: '#/components/schemas/DevicePolicyRuleCondition' - grantTypes: - $ref: '#/components/schemas/GrantTypePolicyRuleCondition' - groups: - $ref: 
'#/components/schemas/GroupPolicyRuleCondition' - identityProvider: - $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' - mdmEnrollment: - $ref: '#/components/schemas/MDMEnrollmentPolicyRuleCondition' - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - platform: - $ref: '#/components/schemas/PlatformPolicyRuleCondition' - risk: - $ref: '#/components/schemas/RiskPolicyRuleCondition' - riskScore: - $ref: '#/components/schemas/RiskScorePolicyRuleCondition' - scopes: - $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' - userIdentifier: - $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' - userStatus: - $ref: '#/components/schemas/UserStatusPolicyRuleCondition' - users: - $ref: '#/components/schemas/UserPolicyRuleCondition' - type: object - x-okta-tags: - - Policy - PolicyType: - enum: - - OAUTH_AUTHORIZATION_POLICY - - OKTA_SIGN_ON - - PASSWORD - - IDP_DISCOVERY - type: string - x-okta-tags: - - Policy - RiskPolicyRuleCondition: - properties: - behaviors: - items: - type: string - type: array - uniqueItems: true - type: object - x-okta-tags: - - Policy - RiskScorePolicyRuleCondition: - properties: - level: - type: string - type: object - x-okta-tags: - - Policy - ScheduledUserLifecycleAction: - properties: - status: - enum: - - ACTIVE - - INACTIVE - - PENDING - - DELETED - - EXPIRED_PASSWORD - - ACTIVATING - - SUSPENDED - - DELETING - type: string - type: object - x-okta-tags: - - Policy - TokenAuthorizationServerPolicyRuleAction: - properties: - accessTokenLifetimeMinutes: - type: integer - inlineHook: - $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook' - refreshTokenLifetimeMinutes: - type: integer - refreshTokenWindowMinutes: - type: integer - type: object - x-okta-tags: - - AuthorizationServerPolicy - TokenAuthorizationServerPolicyRuleActionInlineHook: - properties: - id: - type: string - type: object - 
x-okta-tags: - - AuthorizationServerPolicy - UserCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - UserIdentifierConditionEvaluatorPattern: - properties: - matchType: - enum: - - SUFFIX - - EXPRESSION - - STARTS_WITH - - EQUALS - - CONTAINS - type: string - value: - type: string - type: object - x-okta-tags: - - Policy - UserIdentifierPolicyRuleCondition: - properties: - attribute: - type: string - patterns: - items: - $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern' - type: array - type: - enum: - - IDENTIFIER - - ATTRIBUTE - type: string - type: object - x-okta-tags: - - Policy - UserLifecycleAttributePolicyRuleCondition: - properties: - attributeName: - type: string - matchingValue: - type: string - type: object - x-okta-tags: - - Policy - UserPolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - inactivity: - $ref: '#/components/schemas/InactivityPolicyRuleCondition' - include: - items: - type: string - type: array - lifecycleExpiration: - $ref: '#/components/schemas/LifecycleExpirationPolicyRuleCondition' - passwordExpiration: - $ref: '#/components/schemas/PasswordExpirationPolicyRuleCondition' - userLifecycleAttribute: - $ref: '#/components/schemas/UserLifecycleAttributePolicyRuleCondition' - type: object - x-okta-tags: - - Policy - UserStatusPolicyRuleCondition: - properties: - value: - enum: - - ACTIVE - - INACTIVE - - PENDING - - DELETED - - EXPIRED_PASSWORD - - ACTIVATING - - SUSPENDED - - DELETING - type: string - type: object - x-okta-tags: - - Policy - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - authorizationservers: - id: okta.authorizationserver.authorizationservers - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1lifecycle~1activate/post' - 
response: - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1lifecycle~1deactivate/post' - response: - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: authorizationservers - title: authorizationservers - claims: - id: okta.authorizationserver.claims - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1claims~1{claimId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1claims~1{claimId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1claims/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1claims/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1claims~1{claimId}/put' - request: - mediaType: application/json - response: - mediaType: 
application/json - openAPIDocKey: '200' - name: claims - title: claims - clients: - id: okta.authorizationserver.clients - methods: - list: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1clients/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: clients - title: clients - keys: - id: okta.authorizationserver.keys - methods: - list: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1credentials~1keys/get' - response: - mediaType: application/json - openAPIDocKey: '200' - rotate: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1credentials~1lifecycle~1keyRotate/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: keys - title: keys - policies: - id: okta.authorizationserver.policies - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1lifecycle~1activate/post' - response: - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1lifecycle~1deactivate/post' - response: - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: 
'#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: policies - title: policies - rules: - id: okta.authorizationserver.rules - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules~1{ruleId}~1lifecycle~1activate/post' - response: - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules~1{ruleId}~1lifecycle~1deactivate/post' - response: - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules~1{ruleId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules~1{ruleId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules~1{ruleId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: rules - title: rules - scopes: - id: okta.authorizationserver.scopes - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1scopes~1{scopeId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: 
'#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1scopes~1{scopeId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1scopes/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1scopes/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1scopes~1{scopeId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: scopes - title: scopes - tokens: - id: okta.authorizationserver.tokens - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1clients~1{clientId}~1tokens~1{tokenId}/delete' - response: - openAPIDocKey: '204' - deleteall: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1clients~1{clientId}~1tokens/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1clients~1{clientId}~1tokens~1{tokenId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1clients~1{clientId}~1tokens/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: tokens - title: tokens -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: 
https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/authorizationServers: - get: - description: Success - operationId: listAuthorizationServers - parameters: - - in: query - name: q - schema: - type: string - - in: query - name: limit - schema: - type: string - - in: query - name: after - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/AuthorizationServer' - type: array - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - post: - description: Success - operationId: createAuthorizationServer - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServer' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServer' - description: Success - '201': - content: {} - description: Created - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: authorizationServer - /api/v1/authorizationServers/{authServerId}: - delete: - description: Success - operationId: deleteAuthorizationServer - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - AuthorizationServer - get: - description: Success - operationId: getAuthorizationServer - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServer' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - put: - description: Success - operationId: updateAuthorizationServer - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: 
'#/components/schemas/AuthorizationServer' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServer' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: authorizationServer - /api/v1/authorizationServers/{authServerId}/claims: - get: - description: Success - operationId: listOAuth2Claims - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/OAuth2Claim' - type: array - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - post: - description: Success - operationId: createOAuth2Claim - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Claim' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Claim' - description: Created - '201': - content: {} - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: oAuth2Claim - /api/v1/authorizationServers/{authServerId}/claims/{claimId}: - delete: - description: Success - operationId: deleteOAuth2Claim - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: claimId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - AuthorizationServer - get: - description: Success - operationId: getOAuth2Claim - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: claimId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: 
'#/components/schemas/OAuth2Claim' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - put: - description: Success - operationId: updateOAuth2Claim - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: claimId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Claim' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Claim' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: oAuth2Claim - /api/v1/authorizationServers/{authServerId}/clients: - get: - description: Success - operationId: listOAuth2ClientsForAuthorizationServer - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/OAuth2Client' - type: array - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens: - delete: - description: Success - operationId: revokeRefreshTokensForAuthorizationServerAndClient - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: clientId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - AuthorizationServer - get: - description: Success - operationId: listRefreshTokensForAuthorizationServerAndClient - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: clientId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - 
default: -1 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/OAuth2RefreshToken' - type: array - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}: - delete: - description: Success - operationId: revokeRefreshTokenForAuthorizationServerAndClient - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: clientId - required: true - schema: - type: string - - in: path - name: tokenId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - AuthorizationServer - get: - description: Success - operationId: getRefreshTokenForAuthorizationServerAndClient - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: clientId - required: true - schema: - type: string - - in: path - name: tokenId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2RefreshToken' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/credentials/keys: - get: - description: Success - operationId: listAuthorizationServerKeys - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/JsonWebKey' - type: array - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate: - post: - description: Success - operationId: rotateAuthorizationServerKeys - parameters: - - in: 
path - name: authServerId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/JwkUse' - required: true - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/JsonWebKey' - type: array - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: use - /api/v1/authorizationServers/{authServerId}/lifecycle/activate: - post: - description: Success - operationId: activateAuthorizationServer - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/lifecycle/deactivate: - post: - description: Success - operationId: deactivateAuthorizationServer - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies: - get: - description: Success - operationId: listAuthorizationServerPolicies - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/AuthorizationServerPolicy' - type: array - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - post: - description: Success - operationId: createAuthorizationServerPolicy - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServerPolicy' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: 
'#/components/schemas/AuthorizationServerPolicy' - description: Success - '201': - content: {} - description: Created - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: policy - /api/v1/authorizationServers/{authServerId}/policies/{policyId}: - delete: - description: Success - operationId: deleteAuthorizationServerPolicy - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: policyId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - AuthorizationServer - get: - description: Success - operationId: getAuthorizationServerPolicy - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: policyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServerPolicy' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - put: - description: Success - operationId: updateAuthorizationServerPolicy - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: policyId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServerPolicy' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServerPolicy' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: policy - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/activate: - post: - description: Activate Authorization Server Policy - operationId: activateAuthorizationServerPolicy - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: 
path - name: policyId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/deactivate: - post: - description: Deactivate Authorization Server Policy - operationId: deactivateAuthorizationServerPolicy - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: policyId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules: - get: - description: Enumerates all policy rules for the specified Custom Authorization - Server and Policy. - operationId: listAuthorizationServerPolicyRules - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: authServerId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' - type: array - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - post: - description: Creates a policy rule for the specified Custom Authorization Server - and Policy. 
- operationId: createAuthorizationServerPolicyRule - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: authServerId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: policyRule - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}: - delete: - description: Deletes a Policy Rule defined in the specified Custom Authorization - Server and Policy. - operationId: deleteAuthorizationServerPolicyRule - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: ruleId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - AuthorizationServer - get: - description: Returns a Policy Rule by ID that is defined in the specified Custom - Authorization Server and Policy. - operationId: getAuthorizationServerPolicyRule - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: ruleId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - put: - description: Updates the configuration of the Policy Rule defined in the specified - Custom Authorization Server and Policy. 
- operationId: updateAuthorizationServerPolicyRule - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: ruleId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: policyRule - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/activate: - post: - description: Activate Authorization Server Policy Rule - operationId: activateAuthorizationServerPolicyRule - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: ruleId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: - post: - description: Deactivate Authorization Server Policy Rule - operationId: deactivateAuthorizationServerPolicyRule - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: ruleId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - /api/v1/authorizationServers/{authServerId}/scopes: - get: - description: Success - operationId: listOAuth2Scopes - parameters: - - in: path - name: authServerId - required: true 
- schema: - type: string - - in: query - name: q - schema: - type: string - - in: query - name: filter - schema: - type: string - - in: query - name: cursor - schema: - type: string - - in: query - name: limit - schema: - default: -1 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/OAuth2Scope' - type: array - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - post: - description: Success - operationId: createOAuth2Scope - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Scope' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Scope' - description: Success - '201': - content: {} - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: oAuth2Scope - /api/v1/authorizationServers/{authServerId}/scopes/{scopeId}: - delete: - description: Success - operationId: deleteOAuth2Scope - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: scopeId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - AuthorizationServer - get: - description: Success - operationId: getOAuth2Scope - parameters: - - in: path - name: authServerId - required: true - schema: - type: string - - in: path - name: scopeId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Scope' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - put: - description: Success - operationId: updateOAuth2Scope - parameters: - - in: path - name: authServerId - required: true - schema: - 
type: string - - in: path - name: scopeId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Scope' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2Scope' - description: Success - security: - - api_token: [] - tags: - - AuthorizationServer - x-codegen-request-body-name: oAuth2Scope -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain
diff --git a/providers/src/okta/v00.00.00000/services/Domain.yaml b/providers/src/okta/v00.00.00000/services/Domain.yaml
deleted file mode 100644
index bf2f045a..00000000
--- a/providers/src/okta/v00.00.00000/services/Domain.yaml
+++ /dev/null
@@ -1,307 +0,0 @@ -components: - schemas: - DNSRecord: - properties: - expiration: - type: string - fqdn: - type: string - recordType: - $ref: '#/components/schemas/DNSRecordType' - values: - items: - type: string - type: array - type: object - x-okta-tags: - - Domain - DNSRecordType: - enum: - - TXT - - CNAME - type: string - x-okta-tags: - - Domain - Domain: - properties: - certificateSourceType: - $ref: '#/components/schemas/DomainCertificateSourceType' - dnsRecords: - items: - $ref: '#/components/schemas/DNSRecord' - type: array - domain: - type: string - id: - readOnly: true - type: string - publicCertificate: - $ref: '#/components/schemas/DomainCertificateMetadata' - validationStatus: - $ref: '#/components/schemas/DomainValidationStatus' - type: object - x-okta-tags: - - Domain - DomainCertificate: - properties: - certificate: - type: string - certificateChain: - type: string - privateKey: - type: string - type: - $ref: '#/components/schemas/DomainCertificateType' - type: object - x-okta-operations: - - alias: createCertificate - arguments: - - dest: certificate - self: true - operationId: createCertificate - x-okta-tags: - - Domain - DomainCertificateMetadata: - properties: - expiration: - type: string - fingerprint: - type: string - subject: - type: string - type: object - x-okta-tags: - - Domain - DomainCertificateSourceType: - enum: - - MANUAL - type: string - x-okta-tags: - - Domain - DomainCertificateType: - enum: - - PEM - type: string - x-okta-tags: - - Domain - DomainListResponse: - properties: - domains: - items: - $ref: '#/components/schemas/Domain' - type: array - type: object - x-okta-tags: - - Domain - DomainValidationStatus: - enum: - - NOT_STARTED - - IN_PROGRESS - - VERIFIED - - COMPLETED - type: string - x-okta-tags: - - Domain - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - certificates: - id: okta.domain.certificates - methods: - insert: - operation: 
- $ref: '#/paths/~1api~1v1~1domains~1{domainId}~1certificate/put' - request: - mediaType: application/json - response: - openAPIDocKey: '204' - name: certificates - title: certificates - domains: - id: okta.domain.domains - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1domains~1{domainId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1domains~1{domainId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1domains/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1domains/get' - response: - mediaType: application/json - openAPIDocKey: '200' - verify: - operation: - $ref: '#/paths/~1api~1v1~1domains~1{domainId}~1verify/post' - response: - mediaType: application/json - openAPIDocKey: '200' - name: domains - title: domains -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/domains: - get: - description: List all verified custom Domains for the org. - operationId: listDomains - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/DomainListResponse' - description: Success - security: - - api_token: [] - summary: List Domains - tags: - - Domain - post: - description: Creates your domain. 
- operationId: createDomain - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Domain' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Domain' - description: Success - security: - - api_token: [] - summary: Create Domain - tags: - - Domain - x-codegen-request-body-name: domain - /api/v1/domains/{domainId}: - delete: - description: Deletes a Domain by `id`. - operationId: deleteDomain - parameters: - - in: path - name: domainId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Delete Domain - tags: - - Domain - get: - description: Fetches a Domain by `id`. - operationId: getDomain - parameters: - - in: path - name: domainId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Domain' - description: Success - security: - - api_token: [] - summary: Get Domain - tags: - - Domain - /api/v1/domains/{domainId}/certificate: - put: - description: Creates the Certificate for the Domain. - operationId: createCertificate - parameters: - - in: path - name: domainId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/DomainCertificate' - required: true - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Create Certificate - tags: - - Domain - x-codegen-request-body-name: certificate - /api/v1/domains/{domainId}/verify: - post: - description: Verifies the Domain by `id`. 
- operationId: verifyDomain - parameters: - - in: path - name: domainId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Domain' - description: Success - security: - - api_token: [] - summary: Verify Domain - tags: - - Domain -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/EventHook.yaml b/providers/src/okta/v00.00.00000/services/EventHook.yaml deleted file mode 100644 index 2e74837c..00000000 --- a/providers/src/okta/v00.00.00000/services/EventHook.yaml +++ /dev/null 
@@ -1,398 +0,0 @@ -components: - schemas: - EventHook: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - channel: - $ref: '#/components/schemas/EventHookChannel' - created: - format: date-time - readOnly: true - type: string - createdBy: - type: string - events: - $ref: '#/components/schemas/EventSubscriptions' - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - status: - enum: - - ACTIVE - - INACTIVE - type: string - verificationStatus: - enum: - - UNVERIFIED - - VERIFIED - type: string - type: object - x-okta-crud: - - alias: create - arguments: - - dest: eventHook - self: true - operationId: createEventHook - - alias: read - arguments: [] - operationId: getEventHook - - alias: update - arguments: - - dest: eventHookId - src: id - - dest: eventHook - self: true - operationId: updateEventHook - - alias: delete - arguments: - - dest: eventHookId - src: id - operationId: deleteEventHook - x-okta-operations: - - alias: activate - arguments: - - dest: eventHookId - src: id - operationId: activateEventHook - - alias: deactivate - arguments: - - dest: eventHookId - src: id - operationId: deactivateEventHook - - alias: verify - arguments: - - dest: eventHookId - src: id - operationId: verifyEventHook - x-okta-tags: - - EventHook - EventHookChannel: - properties: - config: - $ref: '#/components/schemas/EventHookChannelConfig' - type: - enum: - - HTTP - type: string - version: - type: string - type: object - x-okta-tags: - - EventHook - EventHookChannelConfig: - properties: - authScheme: - $ref: '#/components/schemas/EventHookChannelConfigAuthScheme' - headers: - items: - $ref: '#/components/schemas/EventHookChannelConfigHeader' - type: array - uri: - type: string - type: object - x-okta-tags: - - EventHook - EventHookChannelConfigAuthScheme: - properties: - key: - type: string - type: - $ref: 
'#/components/schemas/EventHookChannelConfigAuthSchemeType' - value: - type: string - type: object - x-okta-tags: - - EventHook - EventHookChannelConfigAuthSchemeType: - enum: - - HEADER - type: string - x-okta-tags: - - EventHook - EventHookChannelConfigHeader: - properties: - key: - type: string - value: - type: string - type: object - x-okta-tags: - - EventHook - EventSubscriptions: - discriminator: - propertyName: type - properties: - items: - items: - type: string - type: array - type: - enum: - - EVENT_TYPE - - FLOW_EVENT - type: string - type: object - x-okta-tags: - - EventHook - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - eventhooks: - id: okta.eventhook.eventhooks - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1eventHooks~1{eventHookId}~1lifecycle~1activate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1eventHooks~1{eventHookId}~1lifecycle~1activate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1eventHooks~1{eventHookId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1eventHooks~1{eventHookId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1eventHooks/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1eventHooks/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1eventHooks~1{eventHookId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - verify: - operation: - $ref: '#/paths/~1api~1v1~1eventHooks~1{eventHookId}~1lifecycle~1verify/post' - 
response: - mediaType: application/json - openAPIDocKey: '200' - name: eventhooks - title: eventhooks -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/eventHooks: - get: - description: Success - operationId: listEventHooks - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/EventHook' - type: array - description: Success - security: - - api_token: [] - tags: - - EventHook - post: - description: Success - operationId: createEventHook - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/EventHook' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/EventHook' - description: Success - security: - - api_token: [] - tags: - - EventHook - x-codegen-request-body-name: eventHook - /api/v1/eventHooks/{eventHookId}: - delete: - description: Success - operationId: deleteEventHook - parameters: - - in: path - name: eventHookId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - EventHook - get: - description: Success - operationId: getEventHook - parameters: - - in: path - name: eventHookId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/EventHook' - description: Success - security: - - api_token: [] - tags: - - EventHook - put: - description: Success - operationId: updateEventHook - parameters: - - in: 
path - name: eventHookId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/EventHook' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/EventHook' - description: Success - security: - - api_token: [] - tags: - - EventHook - x-codegen-request-body-name: eventHook - /api/v1/eventHooks/{eventHookId}/lifecycle/activate: - post: - description: Success - operationId: activateEventHook - parameters: - - in: path - name: eventHookId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/EventHook' - description: Success - security: - - api_token: [] - tags: - - EventHook - /api/v1/eventHooks/{eventHookId}/lifecycle/deactivate: - post: - description: Success - operationId: deactivateEventHook - parameters: - - in: path - name: eventHookId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/EventHook' - description: Success - security: - - api_token: [] - tags: - - EventHook - /api/v1/eventHooks/{eventHookId}/lifecycle/verify: - post: - description: Success - operationId: verifyEventHook - parameters: - - in: path - name: eventHookId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/EventHook' - description: Success - security: - - api_token: [] - tags: - - EventHook -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/Feature.yaml b/providers/src/okta/v00.00.00000/services/Feature.yaml deleted file mode 100644 index 02f53c00..00000000 --- a/providers/src/okta/v00.00.00000/services/Feature.yaml +++ /dev/null 
@@ -1,260 +0,0 @@ -components: - schemas: - EnabledStatus: - enum: - - ENABLED - - DISABLED - type: string - x-okta-tags: - - Common - Feature: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - description: - type: string - id: - readOnly: true - type: string - name: - type: string - stage: - $ref: '#/components/schemas/FeatureStage' - status: - $ref: '#/components/schemas/EnabledStatus' - type: - $ref: '#/components/schemas/FeatureType' - type: object - x-okta-crud: - - alias: read - arguments: [] - operationId: getFeature - x-okta-operations: - - alias: updateLifecycle - arguments: - - dest: featureId - src: id - operationId: updateFeatureLifecycle - - alias: getDependents - arguments: - - dest: featureId - src: id - operationId: listFeatureDependents - - alias: getDependencies - arguments: - - dest: featureId - src: id - operationId: listFeatureDependencies - x-okta-tags: - - Feature - FeatureStage: - properties: - state: - $ref: '#/components/schemas/FeatureStageState' - value: - $ref: '#/components/schemas/FeatureStageValue' - type: object - x-okta-tags: - - Feature - FeatureStageState: - enum: - - OPEN - - CLOSED - type: string - x-okta-tags: - - Feature - FeatureStageValue: - enum: - - EA - - BETA - type: string - x-okta-tags: - - Feature - FeatureType: - enum: - - self-service - type: string - x-okta-tags: - - Feature - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - features: - id: okta.feature.features - methods: - get: - operation: - $ref: '#/paths/~1api~1v1~1features~1{featureId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1features/get' - response: - mediaType: application/json - openAPIDocKey: '200' - listFeatureDependencies: - operation: - $ref: '#/paths/~1api~1v1~1features~1{featureId}~1dependencies/get' - response: - 
mediaType: application/json - openAPIDocKey: '200' - listFeatureDependents: - operation: - $ref: '#/paths/~1api~1v1~1features~1{featureId}~1dependents/get' - response: - mediaType: application/json - openAPIDocKey: '200' - updateFeatureLifecycle: - operation: - $ref: '#/paths/~1api~1v1~1features~1{featureId}~1{lifecycle}/post' - response: - mediaType: application/json - openAPIDocKey: '200' - name: features - title: features -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/features: - get: - description: Success - operationId: listFeatures - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Feature' - type: array - description: Success - security: - - api_token: [] - tags: - - Feature - /api/v1/features/{featureId}: - get: - description: Success - operationId: getFeature - parameters: - - in: path - name: featureId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Feature' - description: Success - security: - - api_token: [] - tags: - - Feature - /api/v1/features/{featureId}/dependencies: - get: - description: Success - operationId: listFeatureDependencies - parameters: - - in: path - name: featureId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Feature' - type: array - description: Success - security: - - api_token: [] - tags: - - Feature - /api/v1/features/{featureId}/dependents: 
- get: - description: Success - operationId: listFeatureDependents - parameters: - - in: path - name: featureId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Feature' - type: array - description: Success - security: - - api_token: [] - tags: - - Feature - /api/v1/features/{featureId}/{lifecycle}: - post: - description: Success - operationId: updateFeatureLifecycle - parameters: - - in: path - name: featureId - required: true - schema: - type: string - - in: path - name: lifecycle - required: true - schema: - type: string - - in: query - name: mode - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Feature' - description: Success - security: - - api_token: [] - tags: - - Feature -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/Group.yaml b/providers/src/okta/v00.00.00000/services/Group.yaml deleted file mode 100644 index 76ab5184..00000000 --- a/providers/src/okta/v00.00.00000/services/Group.yaml +++ /dev/null 
@@ -1,3019 +0,0 @@ -components: - schemas: - AcsEndpoint: - properties: - index: - type: integer - url: - type: string - type: object - x-okta-tags: - - Application - Application: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - accessibility: - $ref: '#/components/schemas/ApplicationAccessibility' - created: - format: date-time - readOnly: true - type: string - credentials: - $ref: '#/components/schemas/ApplicationCredentials' - features: - items: - type: string - type: array - id: - readOnly: true - type: string - label: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - licensing: - $ref: '#/components/schemas/ApplicationLicensing' - name: - readOnly: true - type: string - profile: - additionalProperties: - properties: {} - type: object - type: object - settings: - $ref: '#/components/schemas/ApplicationSettings' - signOnMode: - $ref: '#/components/schemas/ApplicationSignOnMode' - status: - enum: - - ACTIVE - - INACTIVE - - DELETED - readOnly: true - type: string - visibility: - $ref: '#/components/schemas/ApplicationVisibility' - type: object - x-okta-crud: - - alias: read - arguments: - - dest: appId - src: id - operationId: getApplication - - alias: update - arguments: - - dest: appId - src: id - - dest: application - self: true - operationId: updateApplication - - alias: delete - arguments: - - dest: appId - src: id - operationId: deleteApplication - x-okta-operations: - - alias: activate - arguments: - - dest: appId - src: id - operationId: activateApplication - - alias: deactivate - arguments: - - dest: appId - src: id - operationId: deactivateApplication - - alias: listApplicationUsers - arguments: - - dest: appId - src: id - operationId: listApplicationUsers - - alias: assignUserToApplication - arguments: - - dest: appId - src: id - operationId: 
assignUserToApplication - - alias: getApplicationUser - arguments: - - dest: appId - src: id - operationId: getApplicationUser - - alias: createApplicationGroupAssignment - arguments: - - dest: appId - src: id - operationId: createApplicationGroupAssignment - - alias: getApplicationGroupAssignment - arguments: - - dest: appId - src: id - operationId: getApplicationGroupAssignment - - alias: cloneApplicationKey - arguments: - - dest: appId - src: id - operationId: cloneApplicationKey - - alias: getApplicationKey - arguments: - - dest: appId - src: id - operationId: getApplicationKey - - alias: listGroupAssignments - arguments: - - dest: appId - src: id - operationId: listApplicationGroupAssignments - - alias: listKeys - arguments: - - dest: appId - src: id - operationId: listApplicationKeys - - alias: generateKey - arguments: - - dest: appId - src: id - operationId: generateApplicationKey - - alias: generateCsr - arguments: - - dest: appId - src: id - operationId: generateCsrForApplication - - alias: getCsr - arguments: - - dest: appId - src: id - operationId: getCsrForApplication - - alias: revokeCsr - arguments: - - dest: appId - src: id - operationId: revokeCsrFromApplication - - alias: listCsrs - arguments: - - dest: appId - src: id - operationId: listCsrsForApplication - - alias: publishCerCert - arguments: - - dest: appId - src: id - operationId: publishCerCert - - alias: publishBinaryCerCert - arguments: - - dest: appId - src: id - operationId: publishBinaryCerCert - - alias: publishDerCert - arguments: - - dest: appId - src: id - operationId: publishDerCert - - alias: publishBinaryDerCert - arguments: - - dest: appId - src: id - operationId: publishBinaryDerCert - - alias: publishBinaryPemCert - arguments: - - dest: appId - src: id - operationId: publishBinaryPemCert - - alias: listOAuth2Tokens - arguments: - - dest: appId - src: id - operationId: listOAuth2TokensForApplication - - alias: revokeOAuth2TokenForApplication - arguments: - - dest: appId - src: id 
- operationId: revokeOAuth2TokenForApplication - - alias: getOAuth2Token - arguments: - - dest: appId - src: id - operationId: getOAuth2TokenForApplication - - alias: revokeOAuth2Tokens - arguments: - - dest: appId - src: id - operationId: revokeOAuth2TokensForApplication - - alias: listScopeConsentGrants - arguments: - - dest: appId - src: id - operationId: listScopeConsentGrants - - alias: grantConsentToScope - arguments: - - dest: appId - src: id - operationId: grantConsentToScope - - alias: revokeScopeConsentGrant - arguments: - - dest: appId - src: id - operationId: revokeScopeConsentGrant - - alias: getScopeConsentGrant - arguments: - - dest: appId - src: id - operationId: getScopeConsentGrant - x-okta-tags: - - Application - x-openapi-v3-discriminator: - mapping: - AUTO_LOGIN: '#/components/schemas/AutoLoginApplication' - BASIC_AUTH: '#/components/schemas/BasicAuthApplication' - BOOKMARK: '#/components/schemas/BookmarkApplication' - BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication' - OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication' - SAML_1_1: '#/components/schemas/SamlApplication' - SAML_2_0: '#/components/schemas/SamlApplication' - SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication' - WS_FEDERATION: '#/components/schemas/WsFederationApplication' - propertyName: signOnMode - ApplicationAccessibility: - properties: - errorRedirectUrl: - type: string - loginRedirectUrl: - type: string - selfService: - type: boolean - type: object - x-okta-tags: - - Application - ApplicationCredentials: - properties: - signing: - $ref: '#/components/schemas/ApplicationCredentialsSigning' - userNameTemplate: - $ref: '#/components/schemas/ApplicationCredentialsUsernameTemplate' - type: object - x-okta-tags: - - Application - ApplicationCredentialsOAuthClient: - properties: - autoKeyRotation: - type: boolean - client_id: - type: string - client_secret: - type: string - token_endpoint_auth_method: - $ref: 
'#/components/schemas/OAuthEndpointAuthenticationMethod' - type: object - x-okta-tags: - - Application - ApplicationCredentialsScheme: - enum: - - SHARED_USERNAME_AND_PASSWORD - - EXTERNAL_PASSWORD_SYNC - - EDIT_USERNAME_AND_PASSWORD - - EDIT_PASSWORD_ONLY - - ADMIN_SETS_CREDENTIALS - type: string - x-okta-tags: - - Application - ApplicationCredentialsSigning: - properties: - kid: - type: string - lastRotated: - format: date-time - readOnly: true - type: string - nextRotation: - format: date-time - readOnly: true - type: string - rotationMode: - type: string - use: - $ref: '#/components/schemas/ApplicationCredentialsSigningUse' - type: object - x-okta-tags: - - Application - ApplicationCredentialsSigningUse: - enum: - - sig - type: string - x-okta-tags: - - AuthorizationServer - ApplicationCredentialsUsernameTemplate: - properties: - suffix: - type: string - template: - type: string - type: - type: string - type: object - x-okta-tags: - - Application - ApplicationLicensing: - properties: - seatCount: - type: integer - type: object - x-okta-tags: - - Application - ApplicationSettings: - properties: - app: - $ref: '#/components/schemas/ApplicationSettingsApplication' - implicitAssignment: - type: boolean - inlineHookId: - type: string - notes: - $ref: '#/components/schemas/ApplicationSettingsNotes' - notifications: - $ref: '#/components/schemas/ApplicationSettingsNotifications' - type: object - x-okta-tags: - - Application - ApplicationSettingsApplication: - type: object - x-okta-tags: - - Application - ApplicationSettingsNotes: - properties: - admin: - type: string - enduser: - type: string - type: object - x-okta-tags: - - Application - ApplicationSettingsNotifications: - properties: - vpn: - $ref: '#/components/schemas/ApplicationSettingsNotificationsVpn' - type: object - x-okta-tags: - - Application - ApplicationSettingsNotificationsVpn: - properties: - helpUrl: - type: string - message: - type: string - network: - $ref: 
'#/components/schemas/ApplicationSettingsNotificationsVpnNetwork' - type: object - x-okta-tags: - - Application - ApplicationSettingsNotificationsVpnNetwork: - properties: - connection: - type: string - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - ApplicationSignOnMode: - enum: - - BOOKMARK - - BASIC_AUTH - - BROWSER_PLUGIN - - SECURE_PASSWORD_STORE - - AUTO_LOGIN - - WS_FEDERATION - - SAML_2_0 - - OPENID_CONNECT - - SAML_1_1 - type: string - x-okta-tags: - - Application - ApplicationVisibility: - properties: - appLinks: - additionalProperties: - type: boolean - type: object - autoLaunch: - type: boolean - autoSubmitToolbar: - type: boolean - hide: - $ref: '#/components/schemas/ApplicationVisibilityHide' - type: object - x-okta-tags: - - Application - ApplicationVisibilityHide: - properties: - iOS: - type: boolean - web: - type: boolean - type: object - x-okta-tags: - - Application - AssignRoleRequest: - properties: - type: - $ref: '#/components/schemas/RoleType' - type: object - x-okta-tags: - - Role - AuthenticationProvider: - properties: - name: - type: string - type: - $ref: '#/components/schemas/AuthenticationProviderType' - type: object - x-okta-tags: - - User - AuthenticationProviderType: - enum: - - ACTIVE_DIRECTORY - - FEDERATION - - LDAP - - OKTA - - SOCIAL - - IMPORT - type: string - x-okta-tags: - - User - AutoLoginApplication: - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - settings: - $ref: '#/components/schemas/AutoLoginApplicationSettings' - type: object - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - AutoLoginApplicationSettings: - properties: - signOn: - $ref: '#/components/schemas/AutoLoginApplicationSettingsSignOn' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - AutoLoginApplicationSettingsSignOn: - properties: 
- loginUrl: - type: string - redirectUrl: - type: string - type: object - x-okta-tags: - - Application - BasicApplicationSettings: - properties: - app: - $ref: '#/components/schemas/BasicApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - BasicApplicationSettingsApplication: - properties: - authURL: - type: string - url: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - BasicAuthApplication: - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - name: - type: object - settings: - $ref: '#/components/schemas/BasicApplicationSettings' - type: object - x-okta-defined-as: - name: template_basic_auth - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - BookmarkApplication: - properties: - name: - type: object - settings: - $ref: '#/components/schemas/BookmarkApplicationSettings' - type: object - x-okta-defined-as: - name: bookmark - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - BookmarkApplicationSettings: - properties: - app: - $ref: '#/components/schemas/BookmarkApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - BookmarkApplicationSettingsApplication: - properties: - requestIntegration: - type: boolean - url: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - BrowserPluginApplication: - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - type: object - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - x-openapi-v3-discriminator: - mapping: - template_swa: '#/components/schemas/SwaApplication' - template_swa3field: 
'#/components/schemas/SwaThreeFieldApplication' - propertyName: name - CatalogApplication: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - category: - type: string - description: - type: string - displayName: - type: string - features: - items: - type: string - type: array - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - signOnModes: - items: - type: string - type: array - status: - $ref: '#/components/schemas/CatalogApplicationStatus' - verificationStatus: - type: string - website: - type: string - type: object - x-okta-tags: - - Role - CatalogApplicationStatus: - enum: - - ACTIVE - - INACTIVE - type: string - x-okta-tags: - - Role - Group: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - lastMembershipUpdated: - format: date-time - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - objectClass: - items: - type: string - readOnly: true - type: array - profile: - $ref: '#/components/schemas/GroupProfile' - type: - $ref: '#/components/schemas/GroupType' - type: object - x-okta-crud: - - alias: update - arguments: - - dest: groupId - src: id - - dest: group - self: true - operationId: updateGroup - - alias: delete - arguments: - - dest: groupId - src: id - operationId: deleteGroup - x-okta-operations: - - alias: removeUser - arguments: - - dest: groupId - src: id - operationId: removeUserFromGroup - - alias: listUsers - arguments: - - dest: groupId - src: id - operationId: listGroupUsers - - alias: listApplications - arguments: - - dest: groupId - src: id - operationId: listAssignedApplicationsForGroup - - alias: 
assignRole - arguments: - - dest: groupId - src: id - operationId: assignRoleToGroup - x-okta-tags: - - Group - GroupProfile: - properties: - description: - type: string - name: - type: string - type: object - x-okta-extensible: true - x-okta-tags: - - Group - GroupRule: - properties: - actions: - $ref: '#/components/schemas/GroupRuleAction' - conditions: - $ref: '#/components/schemas/GroupRuleConditions' - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - status: - $ref: '#/components/schemas/GroupRuleStatus' - type: - type: string - type: object - x-okta-crud: - - alias: update - arguments: - - dest: ruleId - src: id - - dest: groupRule - self: true - operationId: updateGroupRule - - alias: delete - arguments: - - dest: ruleId - src: id - operationId: deleteGroupRule - x-okta-operations: - - alias: activate - arguments: - - dest: ruleId - src: id - operationId: activateGroupRule - - alias: deactivate - arguments: - - dest: ruleId - src: id - operationId: deactivateGroupRule - x-okta-tags: - - GroupRule - GroupRuleAction: - properties: - assignUserToGroups: - $ref: '#/components/schemas/GroupRuleGroupAssignment' - type: object - x-okta-tags: - - GroupRule - GroupRuleConditions: - properties: - expression: - $ref: '#/components/schemas/GroupRuleExpression' - people: - $ref: '#/components/schemas/GroupRulePeopleCondition' - type: object - x-okta-tags: - - GroupRule - GroupRuleExpression: - properties: - type: - type: string - value: - type: string - type: object - x-okta-tags: - - GroupRule - GroupRuleGroupAssignment: - properties: - groupIds: - items: - type: string - type: array - type: object - x-okta-tags: - - GroupRule - GroupRuleGroupCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - GroupRule - 
GroupRulePeopleCondition: - properties: - groups: - $ref: '#/components/schemas/GroupRuleGroupCondition' - users: - $ref: '#/components/schemas/GroupRuleUserCondition' - type: object - x-okta-tags: - - GroupRule - GroupRuleStatus: - enum: - - ACTIVE - - INACTIVE - - INVALID - type: string - x-okta-tags: - - GroupRule - GroupRuleUserCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - GroupRule - GroupType: - enum: - - OKTA_GROUP - - APP_GROUP - - BUILT_IN - type: string - x-okta-tags: - - Group - JsonWebKey: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - alg: - type: string - created: - format: date-time - type: string - e: - type: string - expiresAt: - format: date-time - type: string - key_ops: - items: - type: string - type: array - kid: - type: string - kty: - type: string - lastUpdated: - format: date-time - type: string - n: - type: string - status: - type: string - use: - type: string - x5c: - items: - type: string - type: array - x5t: - type: string - x5t#S256: - type: string - x5u: - type: string - type: object - x-okta-tags: - - Application - OAuthApplicationCredentials: - properties: - oauthClient: - $ref: '#/components/schemas/ApplicationCredentialsOAuthClient' - type: object - x-okta-parent: '#/components/schemas/ApplicationCredentials' - x-okta-tags: - - Application - OAuthEndpointAuthenticationMethod: - enum: - - none - - client_secret_post - - client_secret_basic - - client_secret_jwt - - private_key_jwt - type: string - x-okta-tags: - - Application - OAuthGrantType: - enum: - - authorization_code - - implicit - - password - - refresh_token - - client_credentials - type: string - x-okta-tags: - - Application - OAuthResponseType: - enum: - - code - - token - - id_token - type: string - x-okta-tags: - - Application - OpenIdConnectApplication: - properties: - credentials: - $ref: 
'#/components/schemas/OAuthApplicationCredentials' - name: - type: object - settings: - $ref: '#/components/schemas/OpenIdConnectApplicationSettings' - type: object - x-okta-defined-as: - name: oidc_client - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - OpenIdConnectApplicationConsentMethod: - enum: - - REQUIRED - - TRUSTED - type: string - x-okta-tags: - - Application - OpenIdConnectApplicationIdpInitiatedLogin: - properties: - default_scope: - items: - type: string - type: array - mode: - type: string - type: object - x-okta-tags: - - Application - OpenIdConnectApplicationIssuerMode: - enum: - - CUSTOM_URL - - ORG_URL - type: string - x-okta-tags: - - Application - OpenIdConnectApplicationSettings: - properties: - oauthClient: - $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClient' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - OpenIdConnectApplicationSettingsClient: - properties: - application_type: - $ref: '#/components/schemas/OpenIdConnectApplicationType' - client_uri: - type: string - consent_method: - $ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod' - grant_types: - items: - $ref: '#/components/schemas/OAuthGrantType' - type: array - idp_initiated_login: - $ref: '#/components/schemas/OpenIdConnectApplicationIdpInitiatedLogin' - initiate_login_uri: - type: string - issuer_mode: - $ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode' - jwks: - $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys' - logo_uri: - type: string - policy_uri: - type: string - post_logout_redirect_uris: - items: - type: string - type: array - redirect_uris: - items: - type: string - type: array - refresh_token: - $ref: '#/components/schemas/OpenIdConnectApplicationSettingsRefreshToken' - response_types: - items: - $ref: '#/components/schemas/OAuthResponseType' - type: array - tos_uri: - type: string - wildcard_redirect: - type: 
string - type: object - x-okta-tags: - - Application - OpenIdConnectApplicationSettingsClientKeys: - properties: - keys: - items: - $ref: '#/components/schemas/JsonWebKey' - type: array - type: object - x-okta-tags: - - Application - OpenIdConnectApplicationSettingsRefreshToken: - properties: - leeway: - type: integer - rotation_type: - $ref: '#/components/schemas/OpenIdConnectRefreshTokenRotationType' - type: object - x-okta-tags: - - Application - OpenIdConnectApplicationType: - enum: - - web - - native - - browser - - service - type: string - x-okta-tags: - - Application - OpenIdConnectRefreshTokenRotationType: - enum: - - rotate - - static - type: string - x-okta-tags: - - Application - PasswordCredential: - properties: - hash: - $ref: '#/components/schemas/PasswordCredentialHash' - hook: - $ref: '#/components/schemas/PasswordCredentialHook' - value: - format: password - type: string - type: object - x-okta-tags: - - User - PasswordCredentialHash: - properties: - algorithm: - $ref: '#/components/schemas/PasswordCredentialHashAlgorithm' - salt: - type: string - saltOrder: - type: string - value: - type: string - workFactor: - type: integer - type: object - x-okta-tags: - - User - PasswordCredentialHashAlgorithm: - enum: - - BCRYPT - - SHA-512 - - SHA-256 - - SHA-1 - - MD5 - type: string - x-okta-tags: - - User - PasswordCredentialHook: - properties: - type: - type: string - type: object - x-okta-tags: - - User - RecoveryQuestionCredential: - properties: - answer: - type: string - question: - type: string - type: object - x-okta-tags: - - User - Role: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - assignmentType: - $ref: '#/components/schemas/RoleAssignmentType' - created: - format: date-time - readOnly: true - type: string - description: - type: string - id: - readOnly: true - type: string - 
label: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - status: - $ref: '#/components/schemas/RoleStatus' - type: - $ref: '#/components/schemas/RoleType' - type: object - x-okta-operations: - - alias: addAdminGroupTarget - arguments: - - dest: roleId - src: id - - dest: groupId - parentSrc: id - operationId: addGroupTargetToGroupAdministratorRoleForGroup - - alias: addAppInstanceTargetToAdminRole - arguments: - - dest: roleId - src: id - - dest: groupId - parentSrc: id - operationId: addApplicationInstanceTargetToAppAdminRoleGivenToGroup - - alias: addAppTargetToAdminRole - arguments: - - dest: roleId - src: id - - dest: groupId - parentSrc: id - operationId: addApplicationTargetToAdminRoleGivenToGroup - - alias: addAllAppsAsTargetToRole - arguments: - - dest: roleId - src: id - - dest: userId - parentSrc: id - operationId: addAllAppsAsTargetToRole - - alias: addAppTargetToAppAdminRoleForUser - arguments: - - dest: roleId - src: id - - dest: userId - parentSrc: id - operationId: addApplicationTargetToAppAdminRoleForUser - - alias: addAppTargetToAdminRoleForUser - arguments: - - dest: roleId - src: id - - dest: userId - parentSrc: id - operationId: addApplicationTargetToAdminRoleForUser - x-okta-tags: - - User - RoleAssignmentType: - enum: - - GROUP - - USER - type: string - x-okta-tags: - - Role - RoleStatus: - enum: - - ACTIVE - - INACTIVE - type: string - x-okta-tags: - - User - RoleType: - enum: - - SUPER_ADMIN - - ORG_ADMIN - - APP_ADMIN - - USER_ADMIN - - HELP_DESK_ADMIN - - READ_ONLY_ADMIN - - MOBILE_ADMIN - - API_ACCESS_MANAGEMENT_ADMIN - - REPORT_ADMIN - - GROUP_MEMBERSHIP_ADMIN - type: string - x-okta-tags: - - Role - SamlApplication: - properties: - settings: - $ref: '#/components/schemas/SamlApplicationSettings' - type: object - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - SamlApplicationSettings: - properties: - signOn: - $ref: 
'#/components/schemas/SamlApplicationSettingsSignOn' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - SamlApplicationSettingsSignOn: - properties: - acsEndpoints: - items: - $ref: '#/components/schemas/AcsEndpoint' - type: array - allowMultipleAcsEndpoints: - type: boolean - assertionSigned: - type: boolean - attributeStatements: - items: - $ref: '#/components/schemas/SamlAttributeStatement' - type: array - audience: - type: string - audienceOverride: - type: string - authnContextClassRef: - type: string - defaultRelayState: - type: string - destination: - type: string - destinationOverride: - type: string - digestAlgorithm: - type: string - honorForceAuthn: - type: boolean - idpIssuer: - type: string - inlineHooks: - items: - $ref: '#/components/schemas/SignOnInlineHook' - type: array - recipient: - type: string - recipientOverride: - type: string - requestCompressed: - type: boolean - responseSigned: - type: boolean - signatureAlgorithm: - type: string - slo: - $ref: '#/components/schemas/SingleLogout' - spCertificate: - $ref: '#/components/schemas/SpCertificate' - spIssuer: - type: string - ssoAcsUrl: - type: string - ssoAcsUrlOverride: - type: string - subjectNameIdFormat: - type: string - subjectNameIdTemplate: - type: string - type: object - x-okta-tags: - - Application - SamlAttributeStatement: - properties: - filterType: - type: string - filterValue: - type: string - name: - type: string - namespace: - type: string - type: - type: string - values: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - SchemeApplicationCredentials: - properties: - password: - $ref: '#/components/schemas/PasswordCredential' - revealPassword: - type: boolean - scheme: - $ref: '#/components/schemas/ApplicationCredentialsScheme' - signing: - $ref: '#/components/schemas/ApplicationCredentialsSigning' - userName: - type: string - type: object - x-okta-parent: 
'#/components/schemas/ApplicationCredentials' - x-okta-tags: - - Application - SecurePasswordStoreApplication: - properties: - credentials: - $ref: '#/components/schemas/SchemeApplicationCredentials' - name: - type: object - settings: - $ref: '#/components/schemas/SecurePasswordStoreApplicationSettings' - type: object - x-okta-defined-as: - name: template_sps - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - SecurePasswordStoreApplicationSettings: - properties: - app: - $ref: '#/components/schemas/SecurePasswordStoreApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - SecurePasswordStoreApplicationSettingsApplication: - properties: - optionalField1: - type: string - optionalField1Value: - type: string - optionalField2: - type: string - optionalField2Value: - type: string - optionalField3: - type: string - optionalField3Value: - type: string - passwordField: - type: string - url: - type: string - usernameField: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - SignOnInlineHook: - properties: - id: - type: string - type: object - x-okta-tags: - - Application - SingleLogout: - properties: - enabled: - type: boolean - issuer: - type: string - logoutUrl: - type: string - type: object - x-okta-tags: - - Application - SpCertificate: - properties: - x5c: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - SwaApplication: - properties: - name: - type: object - settings: - $ref: '#/components/schemas/SwaApplicationSettings' - type: object - x-okta-defined-as: - name: template_swa - x-okta-parent: '#/components/schemas/BrowserPluginApplication' - x-okta-tags: - - Application - SwaApplicationSettings: - properties: - app: - $ref: '#/components/schemas/SwaApplicationSettingsApplication' - type: object - x-okta-parent: 
'#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - SwaApplicationSettingsApplication: - properties: - buttonField: - type: string - loginUrlRegex: - type: string - passwordField: - type: string - url: - type: string - usernameField: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - SwaThreeFieldApplication: - properties: - name: - type: object - settings: - $ref: '#/components/schemas/SwaThreeFieldApplicationSettings' - type: object - x-okta-defined-as: - name: template_swa3field - x-okta-parent: '#/components/schemas/BrowserPluginApplication' - x-okta-tags: - - Application - SwaThreeFieldApplicationSettings: - properties: - app: - $ref: '#/components/schemas/SwaThreeFieldApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - SwaThreeFieldApplicationSettingsApplication: - properties: - buttonSelector: - type: string - extraFieldSelector: - type: string - extraFieldValue: - type: string - loginUrlRegex: - type: string - passwordSelector: - type: string - targetURL: - type: string - userNameSelector: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - User: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - activated: - format: date-time - readOnly: true - type: string - created: - format: date-time - readOnly: true - type: string - credentials: - $ref: '#/components/schemas/UserCredentials' - id: - readOnly: true - type: string - lastLogin: - format: date-time - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - passwordChanged: - format: date-time - readOnly: true - type: string - 
profile: - $ref: '#/components/schemas/UserProfile' - status: - $ref: '#/components/schemas/UserStatus' - statusChanged: - format: date-time - readOnly: true - type: string - transitioningToStatus: - $ref: '#/components/schemas/UserStatus' - type: - $ref: '#/components/schemas/UserType' - type: object - x-okta-crud: - - alias: create - arguments: - - dest: user - self: true - operationId: createUser - - alias: read - arguments: [] - operationId: getUser - - alias: update - arguments: - - dest: userId - src: id - - dest: user - self: true - operationId: updateUser - - alias: delete - arguments: - - dest: userId - src: id - - dest: user - self: true - operationId: deactivateOrDeleteUser - x-okta-operations: - - alias: listAppLinks - arguments: - - dest: userId - src: id - operationId: listAppLinks - - alias: changePassword - arguments: - - dest: userId - src: id - operationId: changePassword - - alias: changeRecoveryQuestion - arguments: - - dest: userId - src: id - operationId: changeRecoveryQuestion - - alias: forgotPasswordSetNewPassword - arguments: - - dest: userId - src: id - operationId: forgotPasswordSetNewPassword - - alias: forgotPasswordGenerateOneTimeToken - arguments: - - dest: userId - src: id - operationId: forgotPasswordGenerateOneTimeToken - - alias: assignRole - arguments: - - dest: userId - src: id - operationId: assignRoleToUser - - alias: getRole - arguments: - - dest: userId - src: id - operationId: getUserRole - - alias: removeRole - arguments: - - dest: userId - src: id - operationId: removeRoleFromUser - - alias: listGroupTargets - arguments: - - dest: userId - src: id - operationId: listGroupTargetsForRole - - alias: removeGroupTarget - arguments: - - dest: userId - src: id - operationId: removeGroupTargetFromRole - - alias: addGroupTarget - arguments: - - dest: userId - src: id - operationId: addGroupTargetToRole - - alias: listAssignedRoles - arguments: - - dest: userId - src: id - operationId: listAssignedRolesForUser - - alias: 
addAllAppsAsTarget - arguments: - - dest: userId - src: id - operationId: addAllAppsAsTargetToRole - - alias: listGroups - arguments: - - dest: userId - src: id - operationId: listUserGroups - - alias: listGrants - arguments: - - dest: userId - src: id - operationId: listUserGrants - - alias: revokeGrants - arguments: - - dest: userId - src: id - operationId: revokeUserGrants - - alias: revokeGrant - arguments: - - dest: userId - src: id - operationId: revokeUserGrant - - alias: revokeGrantsForUserAndClient - arguments: - - dest: userId - src: id - operationId: revokeGrantsForUserAndClient - - alias: listRefreshTokensForUserAndClient - arguments: - - dest: userId - src: id - operationId: listRefreshTokensForUserAndClient - - alias: revokeTokenForUserAndClient - arguments: - - dest: userId - src: id - operationId: revokeTokenForUserAndClient - - alias: getRefreshTokenForUserAndClient - arguments: - - dest: userId - src: id - operationId: getRefreshTokenForUserAndClient - - alias: revokeTokensForUserAndClient - arguments: - - dest: userId - src: id - operationId: revokeTokensForUserAndClient - - alias: listClients - arguments: - - dest: userId - src: id - operationId: listUserClients - - alias: activate - arguments: - - dest: userId - src: id - operationId: activateUser - - alias: reactivate - arguments: - - dest: userId - src: id - operationId: reactivateUser - - alias: deactivate - arguments: - - dest: userId - src: id - operationId: deactivateUser - - alias: suspend - arguments: - - dest: userId - src: id - operationId: suspendUser - - alias: unsuspend - arguments: - - dest: userId - src: id - operationId: unsuspendUser - - alias: resetPassword - arguments: - - dest: userId - src: id - operationId: resetPassword - - alias: expirePassword - arguments: - - dest: userId - src: id - operationId: expirePassword - - alias: expirePasswordAndGetTemporaryPassword - arguments: - - dest: userId - src: id - operationId: expirePasswordAndGetTemporaryPassword - - alias: unlock 
- arguments: - - dest: userId - src: id - operationId: unlockUser - - alias: resetFactors - arguments: - - dest: userId - src: id - operationId: resetFactors - - alias: deleteFactor - arguments: - - dest: userId - src: id - operationId: deleteFactor - - alias: addToGroup - arguments: - - dest: userId - src: id - description: Adds a user to a group with 'OKTA_GROUP' type - operationId: addUserToGroup - - alias: enrollFactor - arguments: - - dest: userId - src: id - operationId: enrollFactor - - alias: listSupportedFactors - arguments: - - dest: userId - src: id - operationId: listSupportedFactors - - alias: listFactors - arguments: - - dest: userId - src: id - operationId: listFactors - - alias: listSupportedSecurityQuestions - arguments: - - dest: userId - src: id - operationId: listSupportedSecurityQuestions - - alias: getFactor - arguments: - - dest: userId - src: id - operationId: getFactor - - alias: setLinkedObject - arguments: - - dest: associatedUserId - src: id - operationId: setLinkedObjectForUser - - alias: listIdentityProviders - arguments: - - dest: userId - src: id - operationId: listUserIdentityProviders - - alias: getLinkedObjects - arguments: - - dest: userId - src: id - operationId: getLinkedObjectsForUser - - alias: clearSessions - arguments: - - dest: userId - src: id - operationId: clearUserSessions - - alias: removeLinkedObject - arguments: - - dest: userId - src: id - operationId: removeLinkedObjectForUser - x-okta-tags: - - User - UserCredentials: - properties: - password: - $ref: '#/components/schemas/PasswordCredential' - provider: - $ref: '#/components/schemas/AuthenticationProvider' - recovery_question: - $ref: '#/components/schemas/RecoveryQuestionCredential' - type: object - x-okta-tags: - - User - UserProfile: - properties: - city: - type: string - costCenter: - type: string - countryCode: - type: string - department: - type: string - displayName: - type: string - division: - type: string - email: - type: string - employeeNumber: - 
type: string - firstName: - type: string - honorificPrefix: - type: string - honorificSuffix: - type: string - lastName: - type: string - locale: - type: string - login: - type: string - manager: - type: string - managerId: - type: string - middleName: - type: string - mobilePhone: - type: string - nickName: - type: string - organization: - type: string - postalAddress: - type: string - preferredLanguage: - type: string - primaryPhone: - type: string - profileUrl: - type: string - secondEmail: - type: string - state: - type: string - streetAddress: - type: string - timezone: - type: string - title: - type: string - userType: - type: string - zipCode: - type: string - type: object - x-okta-extensible: true - x-okta-tags: - - User - UserStatus: - enum: - - ACTIVE - - DEPROVISIONED - - LOCKED_OUT - - PASSWORD_EXPIRED - - PROVISIONED - - RECOVERY - - STAGED - - SUSPENDED - type: string - x-okta-tags: - - User - UserType: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - createdBy: - readOnly: true - type: string - default: - readOnly: true - type: boolean - description: - type: string - displayName: - type: string - id: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - lastUpdatedBy: - readOnly: true - type: string - name: - type: string - type: object - x-okta-crud: - - alias: create - arguments: - - dest: userType - self: true - operationId: createUserType - - alias: update - arguments: - - dest: typeId - src: id - - dest: userType - self: true - operationId: updateUserType - - alias: read - arguments: - - dest: typeId - src: id - operationId: getUserType - - alias: delete - arguments: - - dest: typeId - src: id - operationId: deleteUserType - x-okta-operations: - - alias: replaceUserType - arguments: - - dest: roleId - src: id - operationId: replaceUserType - x-okta-tags: - - UserType - 
WsFederationApplication: - properties: - name: - type: object - settings: - $ref: '#/components/schemas/WsFederationApplicationSettings' - type: object - x-okta-defined-as: - name: template_wsfed - x-okta-parent: '#/components/schemas/Application' - x-okta-tags: - - Application - WsFederationApplicationSettings: - properties: - app: - $ref: '#/components/schemas/WsFederationApplicationSettingsApplication' - type: object - x-okta-parent: '#/components/schemas/ApplicationSettings' - x-okta-tags: - - Application - WsFederationApplicationSettingsApplication: - properties: - attributeStatements: - type: string - audienceRestriction: - type: string - authnContextClassRef: - type: string - groupFilter: - type: string - groupName: - type: string - groupValueFormat: - type: string - nameIDFormat: - type: string - realm: - type: string - siteURL: - type: string - usernameAttribute: - type: string - wReplyOverride: - type: boolean - wReplyURL: - type: string - type: object - x-okta-parent: '#/components/schemas/ApplicationSettingsApplication' - x-okta-tags: - - Application - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - appinstancetargets: - id: okta.group.appinstancetargets - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleId}~1targets~1catalog~1apps~1{appName}~1{applicationId}/delete' - response: - openAPIDocKey: '204' - insert: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleId}~1targets~1catalog~1apps~1{appName}~1{applicationId}/put' - response: - openAPIDocKey: '204' - name: appinstancetargets - title: appinstancetargets - apps: - id: okta.group.apps - methods: - list: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1apps/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: apps - title: apps - apptargets: - id: okta.group.apptargets - methods: - delete: - operation: - $ref: 
'#/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleId}~1targets~1catalog~1apps~1{appName}/delete' - response: - openAPIDocKey: '204' - insert: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleId}~1targets~1catalog~1apps~1{appName}/put' - response: - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleId}~1targets~1catalog~1apps/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: apptargets - title: apptargets - groups: - id: okta.group.groups - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1groups/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1groups/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: groups - title: groups - grouptargets: - id: okta.group.grouptargets - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleId}~1targets~1groups~1{targetGroupId}/delete' - response: - openAPIDocKey: '204' - insert: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleId}~1targets~1groups~1{targetGroupId}/put' - response: - openAPIDocKey: '204' - list: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleId}~1targets~1groups/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: grouptargets - title: grouptargets - roles: - id: okta.group.roles - methods: - delete: - operation: - $ref: 
'#/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: roles - title: roles - ruleactivations: - id: okta.group.ruleactivations - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1groups~1rules~1{ruleId}~1lifecycle~1deactivate/post' - response: - openAPIDocKey: '204' - insert: - operation: - $ref: '#/paths/~1api~1v1~1groups~1rules~1{ruleId}~1lifecycle~1activate/post' - response: - openAPIDocKey: '204' - name: ruleactivations - title: ruleactivations - rules: - id: okta.group.rules - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1groups~1rules~1{ruleId}/delete' - response: - openAPIDocKey: '202' - get: - operation: - $ref: '#/paths/~1api~1v1~1groups~1rules~1{ruleId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1groups~1rules/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1groups~1rules/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1groups~1rules~1{ruleId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: rules - title: rules - users: - id: okta.group.users - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1users~1{userId}/delete' - response: - openAPIDocKey: '204' 
- insert: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1users~1{userId}/put' - response: - openAPIDocKey: '204' - list: - operation: - $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1users/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: users - title: users -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/groups: - get: - description: Enumerates groups in your organization with pagination. A subset - of groups can be returned that match a supported filter expression or query. - operationId: listGroups - parameters: - - description: Searches the name property of groups for matching value - in: query - name: q - schema: - type: string - - description: Filter expression for groups - in: query - name: search - schema: - type: string - - description: Specifies the pagination cursor for the next page of groups - in: query - name: after - schema: - type: string - - description: Specifies the number of group results in a page - in: query - name: limit - schema: - default: 10000 - format: int32 - type: integer - - description: If specified, it causes additional metadata to be included in - the response. - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Group' - type: array - description: Success - security: - - api_token: [] - summary: List Groups - tags: - - Group - post: - description: Adds a new group with `OKTA_GROUP` type to your organization. 
- operationId: createGroup - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Group' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Group' - description: Success - security: - - api_token: [] - summary: Add Group - tags: - - Group - x-codegen-request-body-name: group - /api/v1/groups/rules: - get: - description: Lists all group rules for your organization. - operationId: listGroupRules - parameters: - - description: Specifies the number of rule results in a page - in: query - name: limit - schema: - default: 50 - format: int32 - type: integer - - description: Specifies the pagination cursor for the next page of rules - in: query - name: after - schema: - type: string - - description: Specifies the keyword to search fules for - in: query - name: search - schema: - type: string - - description: If specified as `groupIdToGroupNameMap`, then show group names - in: query - name: expand - schema: - type: string - x-okta-added-version: 1.3.0 - x-okta-added-version: 1.3.0 - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/GroupRule' - type: array - description: Success - security: - - api_token: [] - summary: List Group Rules - tags: - - Group - post: - description: Creates a group rule to dynamically add users to the specified - group if they match the condition - operationId: createGroupRule - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/GroupRule' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GroupRule' - description: Success - security: - - api_token: [] - summary: Create Group Rule - tags: - - Group - x-codegen-request-body-name: groupRule - /api/v1/groups/rules/{ruleId}: - delete: - description: Removes a specific group rule by id from your organization - operationId: deleteGroupRule - parameters: - - in: path - name: 
ruleId - required: true - schema: - type: string - - description: Indicates whether to keep or remove users from groups assigned - by this rule. - in: query - name: removeUsers - schema: - type: boolean - responses: - '202': - content: {} - description: Accepted - security: - - api_token: [] - summary: Delete a group Rule - tags: - - Group - get: - description: Fetches a specific group rule by id from your organization - operationId: getGroupRule - parameters: - - in: path - name: ruleId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GroupRule' - description: Success - security: - - api_token: [] - summary: Get Group Rule - tags: - - Group - put: - description: Updates a group rule. Only `INACTIVE` rules can be updated. - operationId: updateGroupRule - parameters: - - in: path - name: ruleId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/GroupRule' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GroupRule' - description: Success - security: - - api_token: [] - tags: - - Group - x-codegen-request-body-name: groupRule - /api/v1/groups/rules/{ruleId}/lifecycle/activate: - post: - description: Activates a specific group rule by id from your organization - operationId: activateGroupRule - parameters: - - in: path - name: ruleId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Activate a group Rule - tags: - - Group - /api/v1/groups/rules/{ruleId}/lifecycle/deactivate: - post: - description: Deactivates a specific group rule by id from your organization - operationId: deactivateGroupRule - parameters: - - in: path - name: ruleId - required: true - schema: - type: string - responses: - '204': - 
content: {} - description: No Content - security: - - api_token: [] - summary: Deactivate a group Rule - tags: - - Group - /api/v1/groups/{groupId}: - delete: - description: Removes a group with `OKTA_GROUP` type from your organization. - operationId: deleteGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Remove Group - tags: - - Group - get: - description: Fetches a group from your organization. - operationId: getGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Group' - description: Success - security: - - api_token: [] - summary: List Group Rules - tags: - - Group - put: - description: Updates the profile for a group with `OKTA_GROUP` type from your - organization. - operationId: updateGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Group' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Group' - description: Success - security: - - api_token: [] - summary: Update Group - tags: - - Group - x-codegen-request-body-name: group - /api/v1/groups/{groupId}/apps: - get: - description: Enumerates all applications that are assigned to a group. 
- operationId: listAssignedApplicationsForGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - description: Specifies the pagination cursor for the next page of apps - in: query - name: after - schema: - type: string - - description: Specifies the number of app results for a page - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Application' - type: array - description: Success - security: - - api_token: [] - summary: List Assigned Applications - tags: - - Group - /api/v1/groups/{groupId}/roles: - get: - description: Success - operationId: listGroupAssignedRoles - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Role' - type: array - description: Success - security: - - api_token: [] - tags: - - Group - post: - description: Assigns a Role to a Group - operationId: assignRoleToGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: query - name: disableNotifications - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AssignRoleRequest' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Role' - description: Success - '201': - content: {} - description: Success - security: - - api_token: [] - tags: - - Group - x-codegen-request-body-name: assignRoleRequest - /api/v1/groups/{groupId}/roles/{roleId}: - delete: - description: Unassigns a Role from a Group - operationId: removeRoleFromGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - responses: 
- '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Group - get: - description: Success - operationId: getRole - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Role' - description: Success - security: - - api_token: [] - tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps: - get: - description: Lists all App targets for an `APP_ADMIN` Role assigned to a Group. - This methods return list may include full Applications or Instances. The response - for an instance will have an `ID` value, while Application will not have an - ID. - operationId: listApplicationTargetsForApplicationAdministratorRoleForGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/CatalogApplication' - type: array - description: Success - security: - - api_token: [] - tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}: - delete: - description: Success - operationId: removeApplicationTargetFromApplicationAdministratorRoleGivenToGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: appName - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Group - put: - description: Success - operationId: addApplicationTargetToAdminRoleGivenToGroup - 
parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: appName - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}/targets/catalog/apps/{appName}/{applicationId}: - delete: - description: Remove App Instance Target to App Administrator Role given to a - Group - operationId: removeApplicationTargetFromAdministratorRoleGivenToGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: appName - required: true - schema: - type: string - - in: path - name: applicationId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Remove App Instance Target to App Administrator Role given to a Group - tags: - - Group - put: - description: Add App Instance Target to App Administrator Role given to a Group - operationId: addApplicationInstanceTargetToAppAdminRoleGivenToGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: appName - required: true - schema: - type: string - - in: path - name: applicationId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Add App Instance Target to App Administrator Role given to a Group - tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}/targets/groups: - get: - description: Success - operationId: listGroupTargetsForGroupRole - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: roleId - required: true - 
schema: - type: string - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Group' - type: array - description: Success - security: - - api_token: [] - tags: - - Group - /api/v1/groups/{groupId}/roles/{roleId}/targets/groups/{targetGroupId}: - delete: - operationId: removeGroupTargetFromGroupAdministratorRoleGivenToGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: targetGroupId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Group - put: - operationId: addGroupTargetToGroupAdministratorRoleForGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: targetGroupId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Group - /api/v1/groups/{groupId}/users: - get: - description: Enumerates all users that are a member of a group. 
- operationId: listGroupUsers - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - description: Specifies the pagination cursor for the next page of users - in: query - name: after - schema: - type: string - - description: Specifies the number of user results in a page - in: query - name: limit - schema: - default: 1000 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/User' - type: array - description: Success - security: - - api_token: [] - summary: List Group Members - tags: - - Group - /api/v1/groups/{groupId}/users/{userId}: - delete: - description: Removes a user from a group with 'OKTA_GROUP' type. - operationId: removeUserFromGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: userId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Remove User from Group - tags: - - Group - put: - description: Adds a user to a group with 'OKTA_GROUP' type. - operationId: addUserToGroup - parameters: - - in: path - name: groupId - required: true - schema: - type: string - - in: path - name: userId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Add User to Group - tags: - - Group -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/GroupSchema.yaml b/providers/src/okta/v00.00.00000/services/GroupSchema.yaml deleted file mode 100644 index 17c6567c..00000000 --- a/providers/src/okta/v00.00.00000/services/GroupSchema.yaml +++ /dev/null 
@@ -1,332 +0,0 @@ -components: - schemas: - GroupSchema: - properties: - $schema: - readOnly: true - type: string - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - readOnly: true - type: string - definitions: - $ref: '#/components/schemas/GroupSchemaDefinitions' - description: - type: string - id: - readOnly: true - type: string - lastUpdated: - readOnly: true - type: string - name: - readOnly: true - type: string - properties: - $ref: '#/components/schemas/UserSchemaProperties' - title: - type: string - type: - readOnly: true - type: string - type: object - x-okta-tags: - - GroupSchema - GroupSchemaAttribute: - properties: - description: - type: string - enum: - items: - type: string - type: array - externalName: - type: string - externalNamespace: - type: string - items: - $ref: '#/components/schemas/UserSchemaAttributeItems' - master: - $ref: '#/components/schemas/UserSchemaAttributeMaster' - maxLength: - type: integer - minLength: - type: integer - mutability: - type: string - oneOf: - items: - $ref: '#/components/schemas/UserSchemaAttributeEnum' - type: array - permissions: - items: - $ref: '#/components/schemas/UserSchemaAttributePermission' - type: array - required: - type: boolean - scope: - $ref: '#/components/schemas/UserSchemaAttributeScope' - title: - type: string - type: - $ref: '#/components/schemas/UserSchemaAttributeType' - union: - $ref: '#/components/schemas/UserSchemaAttributeUnion' - unique: - type: string - type: object - x-okta-tags: - - GroupSchema - GroupSchemaBase: - properties: - id: - readOnly: true - type: string - properties: - $ref: '#/components/schemas/GroupSchemaBaseProperties' - required: - items: - type: string - type: array - type: - type: string - type: object - x-okta-tags: - - GroupSchema - GroupSchemaBaseProperties: - properties: - description: - $ref: '#/components/schemas/GroupSchemaAttribute' - name: - $ref: '#/components/schemas/GroupSchemaAttribute' - type: 
object - x-okta-tags: - - GroupSchema - GroupSchemaCustom: - properties: - id: - readOnly: true - type: string - properties: - additionalProperties: - $ref: '#/components/schemas/GroupSchemaAttribute' - type: object - required: - items: - type: string - type: array - type: - type: string - type: object - x-okta-tags: - - GroupSchema - GroupSchemaDefinitions: - properties: - base: - $ref: '#/components/schemas/GroupSchemaBase' - custom: - $ref: '#/components/schemas/GroupSchemaCustom' - type: object - x-okta-tags: - - GroupSchema - UserSchemaAttributeEnum: - properties: - const: - type: string - title: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeItems: - properties: - enum: - items: - type: string - type: array - oneOf: - items: - $ref: '#/components/schemas/UserSchemaAttributeEnum' - type: array - type: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeMaster: - properties: - priority: - items: - $ref: '#/components/schemas/UserSchemaAttributeMasterPriority' - type: array - type: - $ref: '#/components/schemas/UserSchemaAttributeMasterType' - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeMasterPriority: - properties: - type: - type: string - value: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeMasterType: - enum: - - PROFILE_MASTER - - OKTA - - OVERRIDE - type: string - x-okta-tags: - - UserSchema - UserSchemaAttributePermission: - properties: - action: - type: string - principal: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeScope: - enum: - - SELF - - NONE - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeType: - enum: - - string - - boolean - - number - - integer - - array - type: string - x-okta-tags: - - UserSchema - UserSchemaAttributeUnion: - enum: - - DISABLE - - ENABLE - type: object - x-okta-tags: - - UserSchema - UserSchemaProperties: - properties: - profile: - $ref: 
'#/components/schemas/UserSchemaPropertiesProfile' - type: object - x-okta-tags: - - UserSchema - UserSchemaPropertiesProfile: - properties: - allOf: - items: - $ref: '#/components/schemas/UserSchemaPropertiesProfileItem' - type: array - type: object - x-okta-tags: - - UserSchema - UserSchemaPropertiesProfileItem: - properties: - $ref: - type: string - type: object - x-okta-tags: - - UserSchema - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - default: - id: okta.groupschema.default - methods: - get: - operation: - $ref: '#/paths/~1api~1v1~1meta~1schemas~1group~1default/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1meta~1schemas~1group~1default/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: default - title: default -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/meta/schemas/group/default: - get: - description: Fetches the group schema - operationId: getGroupSchema - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GroupSchema' - description: successful operation - security: - - api_token: [] - summary: Fetches the group schema - tags: - - GroupSchema - post: - description: Updates, adds ore removes one or more custom Group Profile properties - in the schema - operationId: updateGroupSchema - requestBody: - content: - application/json: 
- schema: - $ref: '#/components/schemas/GroupSchema' - required: false - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GroupSchema' - description: successful operation - security: - - api_token: [] - summary: Updates, adds ore removes one or more custom Group Profile properties - in the schema - tags: - - GroupSchema - x-codegen-request-body-name: body -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/IdentityProvider.yaml b/providers/src/okta/v00.00.00000/services/IdentityProvider.yaml deleted file mode 100644 index 65db51ab..00000000 --- a/providers/src/okta/v00.00.00000/services/IdentityProvider.yaml +++ /dev/null 
@@ -1,2352 +0,0 @@ -components: - schemas: - AppAndInstanceConditionEvaluatorAppOrInstance: - properties: - id: - readOnly: true - type: string - name: - type: string - type: - enum: - - APP_TYPE - - APP - type: string - type: object - x-okta-tags: - - Policy - AppAndInstancePolicyRuleCondition: - properties: - exclude: - items: - $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' - type: array - include: - items: - $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' - type: array - type: object - x-okta-tags: - - Policy - AppInstancePolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - BeforeScheduledActionPolicyRuleCondition: - properties: - duration: - $ref: '#/components/schemas/Duration' - lifecycleAction: - $ref: '#/components/schemas/ScheduledUserLifecycleAction' - type: object - x-okta-tags: - - Policy - ClientPolicyCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - ContextPolicyRuleCondition: - properties: - expression: - type: string - type: object - x-okta-tags: - - Policy - Csr: - properties: - created: - format: date-time - readOnly: true - type: string - csr: - readOnly: true - type: string - id: - readOnly: true - type: string - kty: - readOnly: true - type: string - type: object - x-okta-tags: - - Application - CsrMetadata: - properties: - subject: - $ref: '#/components/schemas/CsrMetadataSubject' - subjectAltNames: - $ref: '#/components/schemas/CsrMetadataSubjectAltNames' - type: object - x-okta-tags: - - Application - CsrMetadataSubject: - properties: - commonName: - type: string - countryName: - type: string - localityName: - type: string - organizationName: - type: string - organizationalUnitName: - type: string - stateOrProvinceName: - type: string - type: object - x-okta-tags: - - Application - 
CsrMetadataSubjectAltNames: - properties: - dnsNames: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - DevicePolicyRuleCondition: - properties: - migrated: - type: boolean - platform: - $ref: '#/components/schemas/DevicePolicyRuleConditionPlatform' - rooted: - type: boolean - trustLevel: - enum: - - ANY - - TRUSTED - type: string - type: object - x-okta-tags: - - Policy - DevicePolicyRuleConditionPlatform: - properties: - supportedMDMFrameworks: - items: - enum: - - AFW - - SAFE - - NATIVE - type: string - type: array - types: - items: - enum: - - IOS - - ANDROID - - OSX - - WINDOWS - type: string - type: array - type: object - x-okta-tags: - - Policy - Duration: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - GrantTypePolicyRuleCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - GroupCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - GroupPolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - IdentityProvider: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - issuerMode: - enum: - - ORG_URL - - CUSTOM_URL - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - policy: - $ref: '#/components/schemas/IdentityProviderPolicy' - protocol: - $ref: '#/components/schemas/Protocol' - status: - enum: - - ACTIVE - - INACTIVE - type: string - type: - enum: - - SAML2 - - GOOGLE - - FACEBOOK - - LINKEDIN - - MICROSOFT - - OIDC - - OKTA - - IWA - - AgentlessDSSO - - X509 - type: 
string - type: object - x-okta-crud: - - alias: create - arguments: - - dest: idpTrust - self: true - operationId: createIdentityProvider - - alias: read - arguments: [] - operationId: getIdentityProvider - - alias: update - arguments: - - dest: idpId - src: id - - dest: idpTrust - self: true - operationId: updateIdentityProvider - - alias: delete - arguments: - - dest: idpId - src: id - operationId: deleteIdentityProvider - x-okta-operations: - - alias: listSigningCsrs - arguments: - - dest: idpId - src: id - operationId: listCsrsForIdentityProvider - - alias: generateCsr - arguments: - - dest: idpId - src: id - operationId: generateCsrForIdentityProvider - - alias: deleteSigningCsr - arguments: - - dest: idpId - src: id - operationId: revokeCsrForIdentityProvider - - alias: getSigningCsr - arguments: - - dest: idpId - src: id - operationId: getCsrForIdentityProvider - - alias: listSigningKeys - arguments: - - dest: idpId - src: id - operationId: listIdentityProviderSigningKeys - - alias: generateSigningKey - arguments: - - dest: idpId - src: id - operationId: generateIdentityProviderSigningKey - - alias: getSigningKey - arguments: - - dest: idpId - src: id - operationId: getIdentityProviderSigningKey - - alias: cloneKey - arguments: - - dest: idpId - src: id - operationId: cloneIdentityProviderKey - - alias: activate - arguments: - - dest: idpId - src: id - operationId: activateIdentityProvider - - alias: deactivate - arguments: - - dest: idpId - src: id - operationId: deactivateIdentityProvider - - alias: listUsers - arguments: - - dest: idpId - src: id - operationId: listIdentityProviderApplicationUsers - - alias: unlinkUser - arguments: - - dest: idpId - src: id - operationId: unlinkUserFromIdentityProvider - - alias: getUser - arguments: - - dest: idpId - src: id - operationId: getIdentityProviderApplicationUser - - alias: linkUser - arguments: - - dest: idpId - src: id - operationId: linkUserToIdentityProvider - - alias: listSocialAuthTokens - arguments: - - 
dest: idpId - src: id - operationId: listSocialAuthTokens - x-okta-tags: - - IdentityProvider - IdentityProviderApplicationUser: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - type: string - externalId: - type: string - id: - readOnly: true - type: string - lastUpdated: - type: string - profile: - additionalProperties: - properties: {} - type: object - type: object - type: object - x-okta-tags: - - IdentityProvider - IdentityProviderCredentials: - properties: - client: - $ref: '#/components/schemas/IdentityProviderCredentialsClient' - signing: - $ref: '#/components/schemas/IdentityProviderCredentialsSigning' - trust: - $ref: '#/components/schemas/IdentityProviderCredentialsTrust' - type: object - x-okta-tags: - - IdentityProvider - IdentityProviderCredentialsClient: - properties: - client_id: - type: string - client_secret: - type: string - type: object - x-okta-tags: - - IdentityProvider - IdentityProviderCredentialsSigning: - properties: - kid: - type: string - type: object - x-okta-tags: - - IdentityProvider - IdentityProviderCredentialsTrust: - properties: - audience: - type: string - issuer: - type: string - kid: - type: string - revocation: - enum: - - CRL - - DELTA_CRL - - OCSP - type: string - revocationCacheLifetime: - type: integer - type: object - x-okta-tags: - - IdentityProvider - IdentityProviderPolicy: - properties: - accountLink: - $ref: '#/components/schemas/PolicyAccountLink' - maxClockSkew: - type: integer - provisioning: - $ref: '#/components/schemas/Provisioning' - subject: - $ref: '#/components/schemas/PolicySubject' - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - IdentityProviderPolicyRuleCondition: - properties: - idpIds: - items: - type: string - type: array - provider: - enum: - - ANY - - OKTA - - SPECIFIC_IDP - type: 
string - type: object - x-okta-tags: - - Policy - InactivityPolicyRuleCondition: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - JsonWebKey: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - alg: - type: string - created: - format: date-time - type: string - e: - type: string - expiresAt: - format: date-time - type: string - key_ops: - items: - type: string - type: array - kid: - type: string - kty: - type: string - lastUpdated: - format: date-time - type: string - n: - type: string - status: - type: string - use: - type: string - x5c: - items: - type: string - type: array - x5t: - type: string - x5t#S256: - type: string - x5u: - type: string - type: object - x-okta-tags: - - Application - LifecycleExpirationPolicyRuleCondition: - properties: - lifecycleStatus: - type: string - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - MDMEnrollmentPolicyRuleCondition: - properties: - blockNonSafeAndroid: - type: boolean - enrollment: - enum: - - OMM - - ANY_OR_NONE - type: string - type: object - x-okta-tags: - - Policy - OAuth2ScopesMediationPolicyRuleCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - OAuthAuthorizationPolicy: - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - OktaSignOnPolicy: - properties: - conditions: - $ref: '#/components/schemas/OktaSignOnPolicyConditions' - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - OktaSignOnPolicyConditions: - properties: - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - type: object - x-okta-parent: '#/components/schemas/PolicyRuleConditions' - x-okta-tags: - - Policy - PasswordDictionary: - properties: - common: - $ref: '#/components/schemas/PasswordDictionaryCommon' - type: object - x-okta-tags: - - 
Policy - PasswordDictionaryCommon: - properties: - exclude: - default: false - type: boolean - type: object - x-okta-tags: - - Policy - PasswordExpirationPolicyRuleCondition: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicy: - properties: - conditions: - $ref: '#/components/schemas/PasswordPolicyConditions' - settings: - $ref: '#/components/schemas/PasswordPolicySettings' - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - PasswordPolicyAuthenticationProviderCondition: - properties: - include: - items: - type: string - type: array - provider: - enum: - - ACTIVE_DIRECTORY - - ANY - - LDAP - - OKTA - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyConditions: - properties: - authProvider: - $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - type: object - x-okta-parent: '#/components/schemas/PolicyRuleConditions' - x-okta-tags: - - Policy - PasswordPolicyDelegationSettings: - properties: - options: - $ref: '#/components/schemas/PasswordPolicyDelegationSettingsOptions' - type: object - x-okta-tags: - - Policy - PasswordPolicyDelegationSettingsOptions: - properties: - skipUnlock: - type: boolean - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettings: - properties: - age: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsAge' - complexity: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsComplexity' - lockout: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsLockout' - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettingsAge: - properties: - expireWarnDays: - type: integer - historyCount: - type: integer - maxAgeDays: - type: integer - minAgeMinutes: - type: integer - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettingsComplexity: - properties: - dictionary: - $ref: 
'#/components/schemas/PasswordDictionary' - excludeAttributes: - items: - type: string - type: array - excludeUsername: - default: true - type: boolean - minLength: - type: integer - minLowerCase: - type: integer - minNumber: - type: integer - minSymbol: - type: integer - minUpperCase: - type: integer - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettingsLockout: - properties: - autoUnlockMinutes: - type: integer - maxAttempts: - type: integer - showLockoutFailures: - type: boolean - userLockoutNotificationChannels: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryEmail: - properties: - properties: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmailProperties' - status: - enum: - - ACTIVE - - INACTIVE - readOnly: true - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryEmailProperties: - properties: - recoveryToken: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmailRecoveryToken' - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryEmailRecoveryToken: - properties: - tokenLifetimeMinutes: - type: integer - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryFactorSettings: - properties: - status: - default: INACTIVE - enum: - - ACTIVE - - INACTIVE - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryFactors: - properties: - okta_call: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' - okta_email: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmail' - okta_sms: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' - recovery_question: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestion' - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryQuestion: - properties: - properties: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionProperties' - status: - enum: - - ACTIVE - - INACTIVE - readOnly: true - type: string - type: object - 
x-okta-tags: - - Policy - PasswordPolicyRecoveryQuestionComplexity: - properties: - minLength: - readOnly: true - type: integer - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryQuestionProperties: - properties: - complexity: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionComplexity' - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoverySettings: - properties: - factors: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactors' - type: object - x-okta-tags: - - Policy - PasswordPolicySettings: - properties: - delegation: - $ref: '#/components/schemas/PasswordPolicyDelegationSettings' - password: - $ref: '#/components/schemas/PasswordPolicyPasswordSettings' - recovery: - $ref: '#/components/schemas/PasswordPolicyRecoverySettings' - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatform: - properties: - os: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystem' - type: - enum: - - DESKTOP - - MOBILE - - OTHER - - ANY - type: string - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatformOperatingSystem: - properties: - expression: - type: string - type: - enum: - - ANDROID - - IOS - - WINDOWS - - OSX - - OTHER - - ANY - type: string - version: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystemVersion' - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatformOperatingSystemVersion: - properties: - matchType: - enum: - - EXPRESSION - - SEMVER - type: string - value: - type: string - type: object - x-okta-tags: - - Policy - PlatformPolicyRuleCondition: - properties: - exclude: - items: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' - type: array - include: - items: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' - type: array - type: object - x-okta-tags: - - Policy - Policy: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - 
type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - created: - format: date-time - readOnly: true - type: string - description: - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - priority: - type: integer - status: - enum: - - ACTIVE - - INACTIVE - type: string - system: - type: boolean - type: - $ref: '#/components/schemas/PolicyType' - type: object - x-okta-crud: - - alias: read - arguments: - - dest: policyId - src: id - operationId: getPolicy - - alias: update - arguments: - - dest: policyId - src: id - - dest: policy - self: true - operationId: updatePolicy - - alias: delete - arguments: - - dest: policyId - src: id - operationId: deletePolicy - x-okta-operations: - - alias: activate - arguments: - - dest: policyId - src: id - operationId: activatePolicy - - alias: deactivate - arguments: - - dest: policyId - src: id - operationId: deactivatePolicy - - alias: listPolicyRules - arguments: - - dest: policyId - src: id - operationId: listPolicyRules - - alias: createRule - arguments: - - dest: policyId - src: id - operationId: createPolicyRule - - alias: getPolicyRule - arguments: - - dest: policyId - src: id - operationId: getPolicyRule - x-okta-tags: - - Policy - x-openapi-v3-discriminator: - mapping: - IDP_DISCOVERY: '#/components/schemas/IdentityProviderPolicy' - OAUTH_AUTHORIZATION_POLICY: '#/components/schemas/OAuthAuthorizationPolicy' - OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' - PASSWORD: '#/components/schemas/PasswordPolicy' - propertyName: type - PolicyAccountLink: - properties: - action: - enum: - - AUTO - - DISABLED - type: string - filter: - $ref: '#/components/schemas/PolicyAccountLinkFilter' - type: object - x-okta-tags: - - Policy - PolicyAccountLinkFilter: - properties: - groups: - $ref: 
'#/components/schemas/PolicyAccountLinkFilterGroups' - type: object - x-okta-tags: - - Policy - PolicyAccountLinkFilterGroups: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - PolicyNetworkCondition: - properties: - connection: - enum: - - ANYWHERE - - ZONE - type: string - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - PolicyPeopleCondition: - properties: - groups: - $ref: '#/components/schemas/GroupCondition' - users: - $ref: '#/components/schemas/UserCondition' - type: object - x-okta-tags: - - Policy - PolicyRuleAuthContextCondition: - properties: - authType: - enum: - - ANY - - RADIUS - type: string - type: object - x-okta-tags: - - Policy - PolicyRuleConditions: - properties: - app: - $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' - apps: - $ref: '#/components/schemas/AppInstancePolicyRuleCondition' - authContext: - $ref: '#/components/schemas/PolicyRuleAuthContextCondition' - authProvider: - $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' - beforeScheduledAction: - $ref: '#/components/schemas/BeforeScheduledActionPolicyRuleCondition' - clients: - $ref: '#/components/schemas/ClientPolicyCondition' - context: - $ref: '#/components/schemas/ContextPolicyRuleCondition' - device: - $ref: '#/components/schemas/DevicePolicyRuleCondition' - grantTypes: - $ref: '#/components/schemas/GrantTypePolicyRuleCondition' - groups: - $ref: '#/components/schemas/GroupPolicyRuleCondition' - identityProvider: - $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' - mdmEnrollment: - $ref: '#/components/schemas/MDMEnrollmentPolicyRuleCondition' - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - platform: - $ref: '#/components/schemas/PlatformPolicyRuleCondition' - risk: - $ref: 
'#/components/schemas/RiskPolicyRuleCondition' - riskScore: - $ref: '#/components/schemas/RiskScorePolicyRuleCondition' - scopes: - $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' - userIdentifier: - $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' - userStatus: - $ref: '#/components/schemas/UserStatusPolicyRuleCondition' - users: - $ref: '#/components/schemas/UserPolicyRuleCondition' - type: object - x-okta-tags: - - Policy - PolicySubject: - properties: - filter: - type: string - format: - items: - type: string - type: array - matchAttribute: - type: string - matchType: - $ref: '#/components/schemas/PolicySubjectMatchType' - userNameTemplate: - $ref: '#/components/schemas/PolicyUserNameTemplate' - type: object - x-okta-tags: - - Policy - PolicySubjectMatchType: - enum: - - USERNAME - - EMAIL - - USERNAME_OR_EMAIL - - CUSTOM_ATTRIBUTE - type: string - x-okta-tags: - - Policy - PolicyType: - enum: - - OAUTH_AUTHORIZATION_POLICY - - OKTA_SIGN_ON - - PASSWORD - - IDP_DISCOVERY - type: string - x-okta-tags: - - Policy - PolicyUserNameTemplate: - properties: - template: - type: string - type: object - x-okta-tags: - - Policy - Protocol: - properties: - algorithms: - $ref: '#/components/schemas/ProtocolAlgorithms' - credentials: - $ref: '#/components/schemas/IdentityProviderCredentials' - endpoints: - $ref: '#/components/schemas/ProtocolEndpoints' - issuer: - $ref: '#/components/schemas/ProtocolEndpoint' - relayState: - $ref: '#/components/schemas/ProtocolRelayState' - scopes: - items: - type: string - type: array - settings: - $ref: '#/components/schemas/ProtocolSettings' - type: - enum: - - SAML2 - - OIDC - - OAUTH2 - - MTLS - type: string - type: object - x-okta-tags: - - IdentityProvider - ProtocolAlgorithmType: - properties: - signature: - $ref: '#/components/schemas/ProtocolAlgorithmTypeSignature' - type: object - x-okta-tags: - - IdentityProvider - ProtocolAlgorithmTypeSignature: - properties: - algorithm: - type: string - 
scope: - enum: - - RESPONSE - - TOKEN - - ANY - - REQUEST - - NONE - type: string - type: object - x-okta-tags: - - IdentityProvider - ProtocolAlgorithms: - properties: - request: - $ref: '#/components/schemas/ProtocolAlgorithmType' - response: - $ref: '#/components/schemas/ProtocolAlgorithmType' - type: object - x-okta-tags: - - IdentityProvider - ProtocolEndpoint: - properties: - binding: - enum: - - HTTP-POST - - HTTP-REDIRECT - type: string - destination: - type: string - type: - enum: - - INSTANCE - - ORG - type: string - url: - type: string - type: object - x-okta-tags: - - IdentityProvider - ProtocolEndpoints: - properties: - acs: - $ref: '#/components/schemas/ProtocolEndpoint' - authorization: - $ref: '#/components/schemas/ProtocolEndpoint' - jwks: - $ref: '#/components/schemas/ProtocolEndpoint' - metadata: - $ref: '#/components/schemas/ProtocolEndpoint' - slo: - $ref: '#/components/schemas/ProtocolEndpoint' - sso: - $ref: '#/components/schemas/ProtocolEndpoint' - token: - $ref: '#/components/schemas/ProtocolEndpoint' - userInfo: - $ref: '#/components/schemas/ProtocolEndpoint' - type: object - x-okta-tags: - - IdentityProvider - ProtocolRelayState: - properties: - format: - $ref: '#/components/schemas/ProtocolRelayStateFormat' - type: object - x-okta-tags: - - IdentityProvider - ProtocolRelayStateFormat: - enum: - - OPAQUE - - FROM_URL - type: string - x-okta-tags: - - IdentityProvider - ProtocolSettings: - properties: - nameFormat: - type: string - type: object - x-okta-tags: - - IdentityProvider - Provisioning: - properties: - action: - enum: - - AUTO - - CALLOUT - - DISABLED - type: string - conditions: - $ref: '#/components/schemas/ProvisioningConditions' - groups: - $ref: '#/components/schemas/ProvisioningGroups' - profileMaster: - type: boolean - type: object - x-okta-tags: - - IdentityProvider - ProvisioningConditions: - properties: - deprovisioned: - $ref: '#/components/schemas/ProvisioningDeprovisionedCondition' - suspended: - $ref: 
'#/components/schemas/ProvisioningSuspendedCondition' - type: object - x-okta-tags: - - IdentityProvider - ProvisioningDeprovisionedCondition: - properties: - action: - enum: - - NONE - - REACTIVATE - type: string - type: object - x-okta-tags: - - IdentityProvider - ProvisioningGroups: - properties: - action: - enum: - - NONE - - APPEND - - SYNC - - ASSIGN - type: string - assignments: - items: - type: string - type: array - filter: - items: - type: string - type: array - sourceAttributeName: - type: string - type: object - x-okta-tags: - - IdentityProvider - ProvisioningSuspendedCondition: - properties: - action: - enum: - - NONE - - UNSUSPEND - type: string - type: object - x-okta-tags: - - IdentityProvider - RiskPolicyRuleCondition: - properties: - behaviors: - items: - type: string - type: array - uniqueItems: true - type: object - x-okta-tags: - - Policy - RiskScorePolicyRuleCondition: - properties: - level: - type: string - type: object - x-okta-tags: - - Policy - ScheduledUserLifecycleAction: - properties: - status: - enum: - - ACTIVE - - INACTIVE - - PENDING - - DELETED - - EXPIRED_PASSWORD - - ACTIVATING - - SUSPENDED - - DELETING - type: string - type: object - x-okta-tags: - - Policy - SocialAuthToken: - properties: - expiresAt: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - scopes: - items: - type: string - type: array - token: - type: string - tokenAuthScheme: - type: string - tokenType: - type: string - type: object - x-okta-tags: - - IdentityProvider - UserCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - UserIdentifierConditionEvaluatorPattern: - properties: - matchType: - enum: - - SUFFIX - - EXPRESSION - - STARTS_WITH - - EQUALS - - CONTAINS - type: string - value: - type: string - type: object - x-okta-tags: - - Policy - UserIdentifierPolicyRuleCondition: - properties: - attribute: - 
type: string - patterns: - items: - $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern' - type: array - type: - enum: - - IDENTIFIER - - ATTRIBUTE - type: string - type: object - x-okta-tags: - - Policy - UserIdentityProviderLinkRequest: - properties: - externalId: - type: string - type: object - x-okta-tags: - - Policy - UserLifecycleAttributePolicyRuleCondition: - properties: - attributeName: - type: string - matchingValue: - type: string - type: object - x-okta-tags: - - Policy - UserPolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - inactivity: - $ref: '#/components/schemas/InactivityPolicyRuleCondition' - include: - items: - type: string - type: array - lifecycleExpiration: - $ref: '#/components/schemas/LifecycleExpirationPolicyRuleCondition' - passwordExpiration: - $ref: '#/components/schemas/PasswordExpirationPolicyRuleCondition' - userLifecycleAttribute: - $ref: '#/components/schemas/UserLifecycleAttributePolicyRuleCondition' - type: object - x-okta-tags: - - Policy - UserStatusPolicyRuleCondition: - properties: - value: - enum: - - ACTIVE - - INACTIVE - - PENDING - - DELETED - - EXPIRED_PASSWORD - - ACTIVATING - - SUSPENDED - - DELETING - type: string - type: object - x-okta-tags: - - Policy - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - csrs: - id: okta.identityprovider.csrs - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1csrs~1{csrId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1csrs~1{csrId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1csrs/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '201' - list: - operation: - $ref: 
'#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1csrs/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: csrs - title: csrs - idpkeys: - id: okta.identityprovider.idpkeys - methods: - clone: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1keys~1{keyId}~1clone/post' - response: - mediaType: application/json - openAPIDocKey: '201' - get: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1keys~1{keyId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1keys~1generate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1keys/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: idpkeys - title: idpkeys - idps: - id: okta.identityprovider.idps - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1lifecycle~1activate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1lifecycle~1activate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1idps/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1idps/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: idps - title: idps - 
keys: - id: okta.identityprovider.keys - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1idps~1credentials~1keys~1{keyId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1idps~1credentials~1keys~1{keyId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1idps~1credentials~1keys/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1idps~1credentials~1keys/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: keys - title: keys - users: - id: okta.identityprovider.users - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1users~1{userId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1users~1{userId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1users~1{userId}/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1users/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: users - title: users - usertokens: - id: okta.identityprovider.usertokens - methods: - list: - operation: - $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1users~1{userId}~1credentials~1tokens/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: usertokens - title: usertokens -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: 
https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/idps: - get: - description: Enumerates IdPs in your organization with pagination. A subset - of IdPs can be returned that match a supported filter expression or query. - operationId: listIdentityProviders - parameters: - - description: Searches the name property of IdPs for matching value - in: query - name: q - schema: - type: string - - description: Specifies the pagination cursor for the next page of IdPs - in: query - name: after - schema: - type: string - - description: Specifies the number of IdP results in a page - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - - description: Filters IdPs by type - in: query - name: type - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/IdentityProvider' - type: array - description: Success - security: - - api_token: [] - summary: List Identity Providers - tags: - - IdentityProvider - post: - description: Adds a new IdP to your organization. - operationId: createIdentityProvider - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' - description: Success - security: - - api_token: [] - summary: Add Identity Provider - tags: - - IdentityProvider - x-codegen-request-body-name: identityProvider - /api/v1/idps/credentials/keys: - get: - description: Enumerates IdP key credentials. 
- operationId: listIdentityProviderKeys - parameters: - - description: Specifies the pagination cursor for the next page of keys - in: query - name: after - schema: - type: string - - description: Specifies the number of key results in a page - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/JsonWebKey' - type: array - description: Success - security: - - api_token: [] - summary: List Keys - tags: - - IdentityProvider - post: - description: Adds a new X.509 certificate credential to the IdP key store. - operationId: createIdentityProviderKey - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - description: Success - security: - - api_token: [] - summary: Add X.509 Certificate Public Key - tags: - - IdentityProvider - x-codegen-request-body-name: jsonWebKey - /api/v1/idps/credentials/keys/{keyId}: - delete: - description: Deletes a specific IdP Key Credential by `kid` if it is not currently - being used by an Active or Inactive IdP. - operationId: deleteIdentityProviderKey - parameters: - - in: path - name: keyId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Delete Key - tags: - - IdentityProvider - get: - description: Gets a specific IdP Key Credential by `kid` - operationId: getIdentityProviderKey - parameters: - - in: path - name: keyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - description: Success - security: - - api_token: [] - summary: Get Key - tags: - - IdentityProvider - /api/v1/idps/{idpId}: - delete: - description: Removes an IdP from your organization. 
- operationId: deleteIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Delete Identity Provider - tags: - - IdentityProvider - get: - description: Fetches an IdP by `id`. - operationId: getIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' - description: Success - security: - - api_token: [] - summary: Get Identity Provider - tags: - - IdentityProvider - put: - description: Updates the configuration for an IdP. - operationId: updateIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' - description: Success - security: - - api_token: [] - summary: Update Identity Provider - tags: - - IdentityProvider - x-codegen-request-body-name: identityProvider - /api/v1/idps/{idpId}/credentials/csrs: - get: - description: Enumerates Certificate Signing Requests for an IdP - operationId: listCsrsForIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Csr' - type: array - description: Success - security: - - api_token: [] - summary: List Certificate Signing Requests for IdP - tags: - - IdentityProvider - post: - description: Generates a new key pair and returns a Certificate Signing Request - for it. 
- operationId: generateCsrForIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/CsrMetadata' - required: true - responses: - '201': - content: - application/json: - schema: - $ref: '#/components/schemas/Csr' - description: Created - security: - - api_token: [] - summary: Generate Certificate Signing Request for IdP - tags: - - IdentityProvider - x-codegen-request-body-name: metadata - /api/v1/idps/{idpId}/credentials/csrs/{csrId}: - delete: - description: Revoke a Certificate Signing Request and delete the key pair from - the IdP - operationId: revokeCsrForIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - - in: path - name: csrId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - IdentityProvider - get: - description: Gets a specific Certificate Signing Request model by id - operationId: getCsrForIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - - in: path - name: csrId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Csr' - description: Success - security: - - api_token: [] - tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/csrs/{csrId}/lifecycle/publish: - post: - description: Update the Certificate Signing Request with a signed X.509 certificate - and add it into the signing key credentials for the IdP. 
- parameters: - - in: path - name: idpId - required: true - schema: - type: string - - in: path - name: csrId - required: true - schema: - type: string - responses: - '201': - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - description: Created - security: - - api_token: [] - tags: - - IdentityProvider - x-okta-multi-operation: - - consumes: - - application/x-x509-ca-cert - encoding: base64 - operationId: publishCerCertForIdentityProvider - parameters: - - in: body - name: certificate - required: true - type: string - - consumes: - - application/x-x509-ca-cert - operationId: publishBinaryCerCertForIdentityProvider - parameters: - - format: binary - in: body - name: certificate - required: true - type: string - - consumes: - - application/pkix-cert - encoding: base64 - operationId: publishDerCertForIdentityProvider - parameters: - - in: body - name: certificate - required: true - type: string - - consumes: - - application/pkix-cert - operationId: publishBinaryDerCertForIdentityProvider - parameters: - - format: binary - in: body - name: certificate - required: true - type: string - - consumes: - - application/x-pem-file - operationId: publishBinaryPemCertForIdentityProvider - parameters: - - format: binary - in: body - name: certificate - required: true - type: string - /api/v1/idps/{idpId}/credentials/keys: - get: - description: Enumerates signing key credentials for an IdP - operationId: listIdentityProviderSigningKeys - parameters: - - in: path - name: idpId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/JsonWebKey' - type: array - description: Success - security: - - api_token: [] - summary: List Signing Key Credentials for IdP - tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys/generate: - post: - description: Generates a new X.509 certificate for an IdP signing key credential - to be used for signing assertions 
sent to the IdP - operationId: generateIdentityProviderSigningKey - parameters: - - in: path - name: idpId - required: true - schema: - type: string - - description: expiry of the IdP Key Credential - in: query - name: validityYears - required: true - schema: - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - description: Success - security: - - api_token: [] - summary: Generate New IdP Signing Key Credential - tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys/{keyId}: - get: - description: Gets a specific IdP Key Credential by `kid` - operationId: getIdentityProviderSigningKey - parameters: - - in: path - name: idpId - required: true - schema: - type: string - - in: path - name: keyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - description: Success - security: - - api_token: [] - summary: Get Signing Key Credential for IdP - tags: - - IdentityProvider - /api/v1/idps/{idpId}/credentials/keys/{keyId}/clone: - post: - description: Clones a X.509 certificate for an IdP signing key credential from - a source IdP to target IdP - operationId: cloneIdentityProviderKey - parameters: - - in: path - name: idpId - required: true - schema: - type: string - - in: path - name: keyId - required: true - schema: - type: string - - in: query - name: targetIdpId - required: true - schema: - type: string - responses: - '201': - content: - application/json: - schema: - $ref: '#/components/schemas/JsonWebKey' - description: Created - security: - - api_token: [] - summary: Clone Signing Key Credential for IdP - tags: - - IdentityProvider - /api/v1/idps/{idpId}/lifecycle/activate: - post: - description: Activates an inactive IdP. 
- operationId: activateIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' - description: Success - security: - - api_token: [] - summary: Activate Identity Provider - tags: - - IdentityProvider - /api/v1/idps/{idpId}/lifecycle/deactivate: - post: - description: Deactivates an active IdP. - operationId: deactivateIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProvider' - description: Success - security: - - api_token: [] - summary: Deactivate Identity Provider - tags: - - IdentityProvider - /api/v1/idps/{idpId}/users: - get: - description: Find all the users linked to an identity provider - operationId: listIdentityProviderApplicationUsers - parameters: - - in: path - name: idpId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/IdentityProviderApplicationUser' - type: array - description: Success - security: - - api_token: [] - summary: Find Users - tags: - - IdentityProvider - /api/v1/idps/{idpId}/users/{userId}: - delete: - description: Removes the link between the Okta user and the IdP user. 
- operationId: unlinkUserFromIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - - in: path - name: userId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Unlink User from IdP - tags: - - IdentityProvider - get: - description: Fetches a linked IdP user by ID - operationId: getIdentityProviderApplicationUser - parameters: - - in: path - name: idpId - required: true - schema: - type: string - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProviderApplicationUser' - description: Success - security: - - api_token: [] - tags: - - IdentityProvider - post: - description: Links an Okta user to an existing Social Identity Provider. This - does not support the SAML2 Identity Provider Type - operationId: linkUserToIdentityProvider - parameters: - - in: path - name: idpId - required: true - schema: - type: string - - in: path - name: userId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/UserIdentityProviderLinkRequest' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/IdentityProviderApplicationUser' - description: Success - security: - - api_token: [] - summary: Link a user to a Social IdP without a transaction - tags: - - IdentityProvider - x-codegen-request-body-name: userIdentityProviderLinkRequest - /api/v1/idps/{idpId}/users/{userId}/credentials/tokens: - get: - description: Fetches the tokens minted by the Social Authentication Provider - when the user authenticates with Okta via Social Auth. 
- operationId: listSocialAuthTokens
- parameters:
- - in: path
- name: idpId
- required: true
- schema:
- type: string
- - in: path
- name: userId
- required: true
- schema:
- type: string
- responses:
- '200':
- content:
- application/json:
- schema:
- items:
- $ref: '#/components/schemas/SocialAuthToken'
- type: array
- description: Success
- security:
- - api_token: []
- summary: Social Authentication Token Operation
- tags:
- - IdentityProvider
-servers:
-- url: https://{subdomain}.okta.com/
- variables:
- subdomain:
- default: my-domain
diff --git a/providers/src/okta/v00.00.00000/services/InlineHook.yaml b/providers/src/okta/v00.00.00000/services/InlineHook.yaml
deleted file mode 100644
index 4865d0a4..00000000
--- a/providers/src/okta/v00.00.00000/services/InlineHook.yaml
+++ /dev/null
@@ -1,442 +0,0 @@ -components: - schemas: - InlineHook: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - channel: - $ref: '#/components/schemas/InlineHookChannel' - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - status: - $ref: '#/components/schemas/InlineHookStatus' - type: - $ref: '#/components/schemas/InlineHookType' - version: - type: string - type: object - x-okta-crud: - - alias: create - arguments: - - dest: inlineHook - self: true - operationId: createInlineHook - - alias: read - arguments: [] - operationId: getInlineHook - - alias: update - arguments: - - dest: inlineHookId - src: id - - dest: inlineHook - self: true - operationId: updateInlineHook - - alias: delete - arguments: - - dest: inlineHookId - src: id - operationId: deleteInlineHook - x-okta-operations: - - alias: activate - arguments: - - dest: inlineHookId - src: id - operationId: activateInlineHook - - alias: deactivate - arguments: - - dest: inlineHookId - src: id - operationId: deactivateInlineHook - - alias: execute - arguments: - - dest: inlineHookId - src: id - operationId: executeInlineHook - x-okta-tags: - - InlineHook - InlineHookChannel: - properties: - config: - $ref: '#/components/schemas/InlineHookChannelConfig' - type: - enum: - - HTTP - type: string - version: - type: string - type: object - x-okta-tags: - - InlineHook - InlineHookChannelConfig: - properties: - authScheme: - $ref: '#/components/schemas/InlineHookChannelConfigAuthScheme' - headers: - items: - $ref: '#/components/schemas/InlineHookChannelConfigHeaders' - type: array - method: - type: string - uri: - type: string - type: object - x-okta-tags: - - InlineHook - InlineHookChannelConfigAuthScheme: - properties: - key: - type: string - type: - type: string - value: - type: string - type: object - x-okta-tags: - - 
InlineHook - InlineHookChannelConfigHeaders: - properties: - key: - type: string - value: - type: string - type: object - x-okta-tags: - - InlineHook - InlineHookPayload: - type: object - x-okta-extensible: true - x-okta-tags: - - InlineHook - InlineHookResponse: - properties: - commands: - items: - $ref: '#/components/schemas/InlineHookResponseCommands' - type: array - type: object - x-okta-tags: - - InlineHook - InlineHookResponseCommandValue: - properties: - op: - type: string - path: - type: string - value: - type: string - type: object - x-okta-tags: - - InlineHook - InlineHookResponseCommands: - properties: - type: - type: string - value: - items: - $ref: '#/components/schemas/InlineHookResponseCommandValue' - type: array - type: object - x-okta-tags: - - InlineHook - InlineHookStatus: - enum: - - ACTIVE - - INACTIVE - type: string - x-okta-tags: - - InlineHook - InlineHookType: - enum: - - com.okta.oauth2.tokens.transform - - com.okta.import.transform - - com.okta.saml.tokens.transform - - com.okta.user.pre-registration - - com.okta.user.credential.password.import - type: string - x-okta-tags: - - InlineHook - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - idps: - id: okta.inlinehook.idps - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}~1lifecycle~1activate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}~1lifecycle~1deactivate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}/delete' - response: - openAPIDocKey: '204' - execute: - operation: - $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}~1execute/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - get: - 
operation: - $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1inlineHooks/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1inlineHooks/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: idps - title: idps -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/inlineHooks: - get: - description: Success - operationId: listInlineHooks - parameters: - - in: query - name: type - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/InlineHook' - type: array - description: Success - security: - - api_token: [] - tags: - - InlineHook - post: - description: Success - operationId: createInlineHook - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHook' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHook' - description: Success - security: - - api_token: [] - tags: - - InlineHook - x-codegen-request-body-name: inlineHook - /api/v1/inlineHooks/{inlineHookId}: - delete: - description: Deletes the Inline 
Hook matching the provided id. Once deleted, - the Inline Hook is unrecoverable. As a safety precaution, only Inline Hooks - with a status of INACTIVE are eligible for deletion. - operationId: deleteInlineHook - parameters: - - in: path - name: inlineHookId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - InlineHook - get: - description: Gets an inline hook by ID - operationId: getInlineHook - parameters: - - in: path - name: inlineHookId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHook' - description: Success - security: - - api_token: [] - tags: - - InlineHook - put: - description: Updates an inline hook by ID - operationId: updateInlineHook - parameters: - - in: path - name: inlineHookId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHook' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHook' - description: Success - security: - - api_token: [] - tags: - - InlineHook - x-codegen-request-body-name: inlineHook - /api/v1/inlineHooks/{inlineHookId}/execute: - post: - description: Executes the Inline Hook matching the provided inlineHookId using - the request body as the input. This will send the provided data through the - Channel and return a response if it matches the correct data contract. This - execution endpoint should only be used for testing purposes. 
- operationId: executeInlineHook - parameters: - - in: path - name: inlineHookId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHookPayload' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHookResponse' - description: Success - security: - - api_token: [] - tags: - - InlineHook - x-codegen-request-body-name: payloadData - /api/v1/inlineHooks/{inlineHookId}/lifecycle/activate: - post: - description: Activates the Inline Hook matching the provided id - operationId: activateInlineHook - parameters: - - in: path - name: inlineHookId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHook' - description: Success - security: - - api_token: [] - tags: - - InlineHook - /api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate: - post: - description: Deactivates the Inline Hook matching the provided id - operationId: deactivateInlineHook - parameters: - - in: path - name: inlineHookId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/InlineHook' - description: Success - security: - - api_token: [] - tags: - - InlineHook -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/LinkedObject.yaml b/providers/src/okta/v00.00.00000/services/LinkedObject.yaml deleted file mode 100644 index 9ebaa205..00000000 --- a/providers/src/okta/v00.00.00000/services/LinkedObject.yaml +++ /dev/null 
@@ -1,185 +0,0 @@ -components: - schemas: - LinkedObject: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - associated: - $ref: '#/components/schemas/LinkedObjectDetails' - primary: - $ref: '#/components/schemas/LinkedObjectDetails' - type: object - x-okta-crud: - - alias: create - arguments: - - dest: linkedObjectDefinition - self: true - operationId: addLinkedObjectDefinition - - alias: read - arguments: [] - operationId: getLinkedObjectDefinition - - alias: delete - arguments: - - dest: linkedObjectName - self: true - operationId: deleteLinkedObjectDefinition - x-okta-tags: - - LinkedObject - LinkedObjectDetails: - properties: - description: - type: string - name: - type: string - title: - type: string - type: - $ref: '#/components/schemas/LinkedObjectDetailsType' - type: object - x-okta-tags: - - LinkedObject - LinkedObjectDetailsType: - enum: - - USER - type: string - x-okta-tags: - - LinkedObject - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - idps: - id: okta.linkedobject.idps - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1meta~1schemas~1user~1linkedObjects~1{linkedObjectName}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1meta~1schemas~1user~1linkedObjects~1{linkedObjectName}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1meta~1schemas~1user~1linkedObjects/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '201' - list: - operation: - $ref: '#/paths/~1api~1v1~1meta~1schemas~1user~1linkedObjects/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: idps - title: idps -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html 
-info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/meta/schemas/user/linkedObjects: - get: - description: Success - operationId: listLinkedObjectDefinitions - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/LinkedObject' - type: array - description: Success - security: - - api_token: [] - tags: - - LinkedObject - post: - description: Success - operationId: addLinkedObjectDefinition - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/LinkedObject' - required: true - responses: - '201': - content: - application/json: - schema: - $ref: '#/components/schemas/LinkedObject' - description: Created - security: - - api_token: [] - tags: - - LinkedObject - x-codegen-request-body-name: linkedObject - /api/v1/meta/schemas/user/linkedObjects/{linkedObjectName}: - delete: - description: Success - operationId: deleteLinkedObjectDefinition - parameters: - - in: path - name: linkedObjectName - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - LinkedObject - get: - description: Success - operationId: getLinkedObjectDefinition - parameters: - - in: path - name: linkedObjectName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/LinkedObject' - description: Success - security: - - api_token: [] - tags: - - LinkedObject -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain 
diff --git a/providers/src/okta/v00.00.00000/services/Log.yaml b/providers/src/okta/v00.00.00000/services/Log.yaml
deleted file mode 100644
index a63e96ee..00000000
--- a/providers/src/okta/v00.00.00000/services/Log.yaml
+++ /dev/null
@@ -1,418 +0,0 @@ -components: - schemas: - LogActor: - properties: - alternateId: - readOnly: true - type: string - detail: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - displayName: - readOnly: true - type: string - id: - readOnly: true - type: string - type: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - LogAuthenticationContext: - properties: - authenticationProvider: - $ref: '#/components/schemas/LogAuthenticationProvider' - authenticationStep: - readOnly: true - type: integer - credentialProvider: - $ref: '#/components/schemas/LogCredentialProvider' - credentialType: - $ref: '#/components/schemas/LogCredentialType' - externalSessionId: - readOnly: true - type: string - interface: - readOnly: true - type: string - issuer: - $ref: '#/components/schemas/LogIssuer' - type: object - x-okta-tags: - - Log - LogAuthenticationProvider: - enum: - - OKTA_AUTHENTICATION_PROVIDER - - ACTIVE_DIRECTORY - - LDAP - - FEDERATION - - SOCIAL - - FACTOR_PROVIDER - type: string - x-okta-tags: - - Log - LogClient: - properties: - device: - readOnly: true - type: string - geographicalContext: - $ref: '#/components/schemas/LogGeographicalContext' - id: - readOnly: true - type: string - ipAddress: - readOnly: true - type: string - userAgent: - $ref: '#/components/schemas/LogUserAgent' - zone: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - LogCredentialProvider: - enum: - - OKTA_AUTHENTICATION_PROVIDER - - OKTA_CREDENTIAL_PROVIDER - - RSA - - SYMANTEC - - GOOGLE - - DUO - - YUBIKEY - type: string - x-okta-tags: - - Log - LogCredentialType: - enum: - - OTP - - SMS - - PASSWORD - - ASSERTION - - IWA - - EMAIL - - OAUTH2 - - JWT - type: string - x-okta-tags: - - Log - LogDebugContext: - properties: - debugData: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - type: object - x-okta-tags: - - Log - LogEvent: - properties: - actor: - $ref: 
'#/components/schemas/LogActor' - authenticationContext: - $ref: '#/components/schemas/LogAuthenticationContext' - client: - $ref: '#/components/schemas/LogClient' - debugContext: - $ref: '#/components/schemas/LogDebugContext' - displayMessage: - readOnly: true - type: string - eventType: - readOnly: true - type: string - legacyEventType: - readOnly: true - type: string - outcome: - $ref: '#/components/schemas/LogOutcome' - published: - format: date-time - readOnly: true - type: string - request: - $ref: '#/components/schemas/LogRequest' - securityContext: - $ref: '#/components/schemas/LogSecurityContext' - severity: - $ref: '#/components/schemas/LogSeverity' - target: - items: - $ref: '#/components/schemas/LogTarget' - readOnly: true - type: array - transaction: - $ref: '#/components/schemas/LogTransaction' - uuid: - readOnly: true - type: string - version: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - LogGeographicalContext: - properties: - city: - readOnly: true - type: string - country: - readOnly: true - type: string - geolocation: - $ref: '#/components/schemas/LogGeolocation' - postalCode: - readOnly: true - type: string - state: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - LogGeolocation: - properties: - lat: - format: double - readOnly: true - type: number - lon: - format: double - readOnly: true - type: number - type: object - x-okta-tags: - - Log - LogIpAddress: - properties: - geographicalContext: - $ref: '#/components/schemas/LogGeographicalContext' - ip: - readOnly: true - type: string - source: - readOnly: true - type: string - version: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - LogIssuer: - properties: - id: - readOnly: true - type: string - type: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - LogOutcome: - properties: - reason: - readOnly: true - type: string - result: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - 
LogRequest: - properties: - ipChain: - items: - $ref: '#/components/schemas/LogIpAddress' - readOnly: true - type: array - type: object - x-okta-tags: - - Log - LogSecurityContext: - properties: - asNumber: - readOnly: true - type: integer - asOrg: - readOnly: true - type: string - domain: - readOnly: true - type: string - isProxy: - readOnly: true - type: boolean - isp: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - LogSeverity: - enum: - - DEBUG - - INFO - - WARN - - ERROR - type: string - x-okta-tags: - - Log - LogTarget: - properties: - alternateId: - readOnly: true - type: string - detailEntry: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - displayName: - readOnly: true - type: string - id: - readOnly: true - type: string - type: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - LogTransaction: - properties: - detail: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - id: - readOnly: true - type: string - type: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - LogUserAgent: - properties: - browser: - readOnly: true - type: string - os: - readOnly: true - type: string - rawUserAgent: - readOnly: true - type: string - type: object - x-okta-tags: - - Log - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - logs: - id: okta.log.logs - methods: - list: - operation: - $ref: '#/paths/~1api~1v1~1logs/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: logs - title: logs -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: 
https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/logs: - get: - description: "The Okta System Log API provides read access to your organization\xE2\ - \u20AC\u2122s system log. This API provides more functionality than the Events\ - \ API" - operationId: getLogs - parameters: - - in: query - name: since - schema: - format: date-time - type: string - - in: query - name: until - schema: - format: date-time - type: string - - in: query - name: filter - schema: - type: string - - in: query - name: q - schema: - type: string - - in: query - name: limit - schema: - default: 100 - type: integer - - in: query - name: sortOrder - schema: - default: ASCENDING - type: string - - in: query - name: after - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/LogEvent' - type: array - description: Success - security: - - api_token: [] - summary: Fetch a list of events from your Okta organization system log. - tags: - - Log -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/NetworkZone.yaml b/providers/src/okta/v00.00.00000/services/NetworkZone.yaml deleted file mode 100644 index e8bfe0cb..00000000 --- a/providers/src/okta/v00.00.00000/services/NetworkZone.yaml +++ /dev/null 
@@ -1,379 +0,0 @@ -components: - schemas: - NetworkZone: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - asns: - items: - type: string - type: array - created: - format: date-time - readOnly: true - type: string - gateways: - items: - $ref: '#/components/schemas/NetworkZoneAddress' - type: array - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - locations: - items: - $ref: '#/components/schemas/NetworkZoneLocation' - type: array - name: - type: string - proxies: - items: - $ref: '#/components/schemas/NetworkZoneAddress' - type: array - proxyType: - type: string - status: - $ref: '#/components/schemas/NetworkZoneStatus' - system: - type: boolean - type: - $ref: '#/components/schemas/NetworkZoneType' - usage: - $ref: '#/components/schemas/NetworkZoneUsage' - type: object - x-okta-crud: - - alias: read - arguments: - - dest: zoneId - src: id - operationId: getNetworkZone - - alias: update - arguments: - - dest: zoneId - src: id - - dest: zone - self: true - operationId: updateNetworkZone - - alias: delete - arguments: - - dest: zoneId - src: id - operationId: deleteNetworkZone - x-okta-operations: - - alias: activate - arguments: - - dest: zoneId - src: id - operationId: activateNetworkZone - - alias: deactivate - arguments: - - dest: zoneId - src: id - operationId: deactivateNetworkZone - x-okta-tags: - - NetworkZone - NetworkZoneAddress: - properties: - type: - $ref: '#/components/schemas/NetworkZoneAddressType' - value: - type: string - type: object - x-okta-tags: - - NetworkZone - NetworkZoneAddressType: - enum: - - CIDR - - RANGE - type: string - x-okta-tags: - - NetworkZone - NetworkZoneLocation: - properties: - country: - type: string - region: - type: string - type: object - x-okta-tags: - - NetworkZone - NetworkZoneStatus: - enum: - - ACTIVE - - INACTIVE - type: string - x-okta-tags: - - NetworkZone - NetworkZoneType: - enum: - - IP - - 
DYNAMIC - type: string - x-okta-tags: - - NetworkZone - NetworkZoneUsage: - enum: - - POLICY - - BLOCKLIST - type: string - x-okta-tags: - - NetworkZone - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - zones: - id: okta.networkzone.zones - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1zones~1{zoneId}~1lifecycle~1activate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1zones~1{zoneId}~1lifecycle~1deactivate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1zones~1{zoneId}/delete' - response: - openAPIDocKey: '200' - get: - operation: - $ref: '#/paths/~1api~1v1~1zones~1{zoneId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1zones/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1zones/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1zones~1{zoneId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: zones - title: zones -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/zones: - get: - description: Enumerates network zones added to your 
organization with pagination. - A subset of zones can be returned that match a supported filter expression - or query. - operationId: listNetworkZones - parameters: - - description: Specifies the pagination cursor for the next page of network - zones - in: query - name: after - schema: - type: string - - description: Specifies the number of results for a page - in: query - name: limit - schema: - default: -1 - format: int32 - type: integer - - description: Filters zones by usage or id expression - in: query - name: filter - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/NetworkZone' - type: array - description: Success - security: - - api_token: [] - summary: List Network Zones - tags: - - NetworkZone - post: - description: Adds a new network zone to your Okta organization. - operationId: createNetworkZone - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/NetworkZone' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/NetworkZone' - description: Success - security: - - api_token: [] - summary: Add Network Zone - tags: - - NetworkZone - x-codegen-request-body-name: zone - /api/v1/zones/{zoneId}: - delete: - description: Removes network zone. - operationId: deleteNetworkZone - parameters: - - in: path - name: zoneId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - summary: Delete Network Zone - tags: - - NetworkZone - get: - description: Fetches a network zone from your Okta organization by `id`. 
- operationId: getNetworkZone - parameters: - - in: path - name: zoneId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/NetworkZone' - description: Success - security: - - api_token: [] - summary: Get Network Zone - tags: - - NetworkZone - put: - description: Updates a network zone in your organization. - operationId: updateNetworkZone - parameters: - - in: path - name: zoneId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/NetworkZone' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/NetworkZone' - description: Success - security: - - api_token: [] - summary: Update Network Zone - tags: - - NetworkZone - x-codegen-request-body-name: zone - /api/v1/zones/{zoneId}/lifecycle/activate: - post: - description: Activate Network Zone - operationId: activateNetworkZone - parameters: - - in: path - name: zoneId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/NetworkZone' - description: Success - security: - - api_token: [] - summary: Activate Network Zone - tags: - - NetworkZone - /api/v1/zones/{zoneId}/lifecycle/deactivate: - post: - description: Deactivates a network zone. - operationId: deactivateNetworkZone - parameters: - - in: path - name: zoneId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/NetworkZone' - description: Success - security: - - api_token: [] - summary: Deactivate Network Zone - tags: - - NetworkZone -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/Org.yaml b/providers/src/okta/v00.00.00000/services/Org.yaml index 25461bb9..fd43cd5c 100644 
--- a/providers/src/okta/v00.00.00000/services/Org.yaml
+++ b/providers/src/okta/v00.00.00000/services/Org.yaml
@@ -1,679 +1,3138 @@ -components: - schemas: - OrgContactType: - enum: - - BILLING - - TECHNICAL - type: string - x-okta-tags: - - Org - OrgContactTypeObj: - properties: - _links: - type: object - contactType: - $ref: '#/components/schemas/OrgContactType' - type: object - x-okta-tags: - - Org - OrgContactUser: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - userId: - type: string - type: object - x-okta-operations: - - alias: updateContactUser - arguments: - - dest: userId - src: userId - operationId: updateOrgContactUser - x-okta-tags: - - Org - OrgOktaCommunicationSetting: - properties: - _links: - type: object - optOutEmailUsers: - readOnly: true - type: boolean - type: object - x-okta-operations: - - alias: optInUsersToOktaCommunicationEmails - operationId: optInUsersToOktaCommunicationEmails - - alias: optOutUsersFromOktaCommunicationEmails - operationId: optOutUsersFromOktaCommunicationEmails - x-okta-tags: - - Org - OrgOktaSupportSetting: - enum: - - DISABLED - - ENABLED - type: string - x-okta-tags: - - Org - OrgOktaSupportSettingsObj: - properties: - _links: - type: object - expiration: - format: date-time - readOnly: true - type: string - support: - $ref: '#/components/schemas/OrgOktaSupportSetting' - type: object - x-okta-operations: - - alias: extendOktaSupport - operationId: extendOktaSupport - - alias: grantOktaSupport - operationId: grantOktaSupport - - alias: revokeOktaSupport - operationId: revokeOktaSupport - x-okta-tags: - - Org - OrgPreferences: - properties: - _links: - type: object - showEndUserFooter: - readOnly: true - type: boolean - type: object - x-okta-operations: - - alias: hideEndUserFooter - operationId: hideOktaUIFooter - - alias: showEndUserFooter - operationId: showOktaUIFooter - x-okta-tags: - - Org - OrgSetting: - properties: - _links: - type: object - address1: - type: string - address2: - type: string - city: - type: string - companyName: - type: string - 
country: - type: string - created: - format: date-time - readOnly: true - type: string - endUserSupportHelpURL: - type: string - expiresAt: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - phoneNumber: - type: string - postalCode: - type: string - state: - type: string - status: - readOnly: true - type: string - subdomain: - readOnly: true - type: string - supportPhoneNumber: - type: string - website: - type: string - type: object - x-okta-crud: - - alias: read - arguments: - - dest: orgSetting - self: true - operationId: getOrgSettings - - alias: update - arguments: - - dest: orgSetting - self: true - operationId: updateOrgSetting - - alias: partialUpdate - arguments: - - dest: orgSetting - self: true - operationId: partialUpdateOrgSetting - - alias: contactTypes - arguments: - - dest: orgSetting - self: true - operationId: getOrgContactTypes - - alias: contactUser - arguments: - - dest: orgSetting - self: true - operationId: getOrgContactUser - - alias: updateContactUser - arguments: - - dest: orgSetting - self: true - operationId: updateOrgContactUser - - alias: supportSettings - arguments: - - dest: orgSetting - self: true - operationId: getOrgOktaSupportSettings - - alias: grantSupport - arguments: - - dest: orgSetting - self: true - operationId: grantOktaSupport - - alias: extendSupport - arguments: - - dest: orgSetting - self: true - operationId: extendOktaSupport - - alias: revokeSupport - arguments: - - dest: orgSetting - self: true - operationId: revokeOktaSupport - - alias: communicationSettings - arguments: - - dest: orgSetting - self: true - operationId: getOktaCommunicationSettings - - alias: optOutCommunications - arguments: - - dest: orgSetting - self: true - operationId: optOutUsersFromOktaCommunicationEmails - - alias: optInCommunications - arguments: - - dest: orgSetting - self: true - operationId: optInUsersToOktaCommunicationEmails - - 
alias: orgPreferences - arguments: - - dest: orgSetting - self: true - operationId: getOrgPreferences - - alias: showFooter - arguments: - - dest: orgSetting - self: true - operationId: showOktaUIFooter - - alias: hideFooter - arguments: - - dest: orgSetting - self: true - operationId: hideOktaUIFooter - x-okta-tags: - - Org - UserIdString: - properties: - userId: - type: string - type: object - x-okta-tags: - - Org - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - contacts: - id: okta.org.contacts - methods: - get: - operation: - $ref: '#/paths/~1api~1v1~1org~1contacts~1{contactType}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1org~1contacts/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1org~1contacts~1{contactType}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: contacts - title: contacts - oktacommunication: - id: okta.org.oktacommunication - methods: - get: - operation: - $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaCommunication/get' - response: - mediaType: application/json - openAPIDocKey: '200' - optIn: - operation: - $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaCommunication~1optIn/post' - response: - mediaType: application/json - openAPIDocKey: '200' - optOut: - operation: - $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaCommunication~1optOut/post' - response: - mediaType: application/json - openAPIDocKey: '200' - name: oktacommunication - title: oktacommunication - oktasupport: - id: okta.org.oktasupport - methods: - extend: - operation: - $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaSupport~1extend/post' - response: - mediaType: application/json - openAPIDocKey: '200' - get: - operation: - $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaSupport/get' - response: 
- mediaType: application/json - openAPIDocKey: '200' - grant: - operation: - $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaSupport~1grant/post' - response: - mediaType: application/json - openAPIDocKey: '200' - revoke: - operation: - $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaSupport~1revoke/post' - response: - mediaType: application/json - openAPIDocKey: '200' - name: oktasupport - title: oktasupport - org: - id: okta.org.org - methods: - get: - operation: - $ref: '#/paths/~1api~1v1~1org/get' - response: - mediaType: application/json - openAPIDocKey: '200' - partialUpdate: - operation: - $ref: '#/paths/~1api~1v1~1org/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1org/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: org - title: org - preferences: - id: okta.org.preferences - methods: - get: - operation: - $ref: '#/paths/~1api~1v1~1org~1preferences/get' - response: - mediaType: application/json - openAPIDocKey: '200' - hideEndUserFooter: - operation: - $ref: '#/paths/~1api~1v1~1org~1preferences~1hideEndUserFooter/post' - response: - mediaType: application/json - openAPIDocKey: '200' - showEndUserFooter: - operation: - $ref: '#/paths/~1api~1v1~1org~1preferences~1showEndUserFooter/post' - response: - mediaType: application/json - openAPIDocKey: '200' - name: preferences - title: preferences -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html +openapi: 3.0.3 info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 
3.0.1 + title: org API + description: okta org API + version: 5.1.0 paths: /api/v1/org: get: - description: Get settings of your organization. + summary: Retrieve the Org general settings + description: Retrieves the Org General Settings operationId: getOrgSettings + parameters: [] responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgSetting' - description: Success + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Get org settings + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - Org + - OrgSettingGeneral + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - description: Partial update settings of your organization. - operationId: partialUpdateOrgSetting + summary: Update the Org general settings + description: Updates partial Org General Settings + operationId: updateOrgSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/OrgSetting' - required: true + examples: + example-1: + $ref: '#/components/examples/UpdateOrgSettingEx' responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgSetting' - description: Success + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Partial update Org setting + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - Org - x-codegen-request-body-name: orgSetting + - OrgSettingGeneral + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - description: Update settings of your organization. 
- operationId: updateOrgSetting + summary: Replace the Org general settings + description: Replaces the Org General Settings for your Okta org + operationId: replaceOrgSettings + x-codegen-request-body-name: orgSetting requestBody: content: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/UpdateOrgSettingEx' required: true responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgSetting' + examples: + example-1: + $ref: '#/components/examples/OrgSettingResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingGeneral + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/captcha: + get: + summary: Retrieve the org-wide CAPTCHA settings + description: >- + Retrieves the CAPTCHA settings object for your organization + + > **Note**: If the current organization hasn't configured CAPTCHA + Settings, the request returns an empty object. 
+ operationId: getOrgCaptchaSettings + responses: + '200': description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCAPTCHASettings' + examples: + configured: + $ref: '#/components/examples/OrgCAPTCHASettingsConfigured' + empty: + $ref: '#/components/examples/OrgCAPTCHASettingsEmpty' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Update Org setting + - apiToken: [] + - oauth2: + - okta.captchas.read tags: - - Org - x-codegen-request-body-name: orgSetting + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the org-wide CAPTCHA settings + description: >- + Replaces the CAPTCHA settings object for your organization + + > **Note**: You can disable CAPTCHA for your organization by setting + `captchaId` and `enabledPages` to `null`. + operationId: replacesOrgCaptchaSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCAPTCHASettings' + examples: + Update: + $ref: '#/components/examples/OrgCAPTCHASettingsUpdate' + Disable: + $ref: '#/components/examples/OrgCAPTCHASettingsDisable' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCAPTCHASettings' + examples: + Update: + $ref: '#/components/examples/OrgCAPTCHASettingsUpdated' + Disable: + $ref: '#/components/examples/OrgCAPTCHASettingsDisabled' + '400': + description: Bad Request + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: '#/components/examples/ErrorCAPTCHAOrgWideSettingNull' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.manage 
+ tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete the org-wide CAPTCHA settings + description: Deletes the CAPTCHA settings object for your organization + operationId: deleteOrgCaptchaSettings + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.manage + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine /api/v1/org/contacts: get: - description: Gets Contact Types of your organization. - operationId: getOrgContactTypes + summary: List all org contact types + description: Lists all org contact types for your Okta org + operationId: listOrgContactTypes + parameters: [] responses: '200': + description: Success content: application/json: schema: items: $ref: '#/components/schemas/OrgContactTypeObj' type: array - description: Success + examples: + orgContactTypeEx: + $ref: '#/components/examples/orgContactTypeResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Get org contact types + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - Org + - OrgSettingContact + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/contacts/{contactType}: get: - description: Retrieves the URL of the User associated with the specified Contact - Type. 
+ summary: Retrieve the contact type user + description: >- + Retrieves the ID and the user resource associated with the specified + contact type operationId: getOrgContactUser - parameters: - - in: path - name: contactType - required: true - schema: - type: string responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgContactUser' - description: Success + examples: + contactTypeUserEx: + $ref: '#/components/examples/orgContactUserResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Get org contact user + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - Org + - OrgSettingContact + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true put: - description: Updates the User associated with the specified Contact Type. - operationId: updateOrgContactUser - parameters: - - in: path - name: contactType - required: true - schema: - type: string + summary: Replace the contact type user + description: Replaces the user associated with the specified contact type + operationId: replaceOrgContactUser + x-codegen-request-body-name: orgContactUser requestBody: content: application/json: schema: - $ref: '#/components/schemas/UserIdString' + $ref: '#/components/schemas/OrgContactUser' + examples: + contactTypeUserEx: + summary: Contact user + value: + userId: 00ux3u0ujW1r5AfZC1d7 required: true responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgContactUser' - description: Success + examples: + contactTypeUserEx: + $ref: '#/components/examples/orgContactUserResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + 
$ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Update org contact user + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - Org - x-codegen-request-body-name: userId - /api/v1/org/preferences: - get: - description: Gets preferences of your organization. + - OrgSettingContact + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathContactType' + /api/v1/org/email/bounces/remove-list: + post: + summary: Remove bounced emails + description: > + Removes emails from an email service bounce list. + + + The emails submitted in this operation are removed from the bounce list + by an asynchronous job. + + Any email address that passes validation is accepted for the removal + process, even if there are other email addresses in the request that + failed validation. + + + > **Note:** If there are validation errors for all email addresses, a + `200 OK` HTTP status is still returned. + operationId: bulkRemoveEmailAddressBounces + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BouncesRemoveListObj' + examples: + example-1: + summary: Request example + value: + emailAddresses: + - name@company.com + - unknown.email@okta.com + - name@okta@com + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/BouncesRemoveListResult' + examples: + example-1: + summary: Response example + value: + errors: + - emailAddress: unknown.email@okta.com + reason: >- + This email address does not belong to any user in your + organization. + - emailAddress: name@okta@com + reason: >- + Invalid email address. The provided email address + failed validation against RFC 3696. 
+ '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - EmailCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/factors/yubikey_token/tokens: + get: + summary: List all YubiKey OTP tokens + description: Lists all YubiKey OTP tokens + operationId: listYubikeyOtpTokens + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + ListYubikeyOptTokensResponse: + $ref: '#/components/examples/ListYubikeyOptTokensResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Upload a YubiKey OTP seed + description: Uploads a seed for a user to enroll a YubiKey OTP + operationId: uploadYubikeyOtpTokenSeed + requestBody: + content: + application/json: + schema: + type: object + properties: + serialNumber: + type: string + description: The unique identifier assigned to each YubiKey device + publicId: + type: string + description: The YubiKey's public ID + privateId: + type: string + description: The YubiKey's private ID + aesKey: + type: string + description: >- + The cryptographic key used in the AES (Advanced Encryption + Standard) algorithm to encrypt and decrypt the YubiKey OTP + examples: + uploadYubikeyOtpSeedRequest: + $ref: '#/components/examples/UploadYubikeyTokenSeedRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/UserFactorYubikeyOtpToken' + examples: + yubikeyToken: + $ref: '#/components/examples/UploadYubikeyTokenSeedResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - name: after + in: query + description: Specifies the pagination cursor for the next page of tokens + schema: + type: string + - name: expand + in: query + description: >- + Embeds the [user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/) + resource if the YubiKey token is assigned to a user and `expand` is + set to `user` + schema: + type: string + - name: filter + in: query + description: The expression used to filter tokens + schema: + type: string + enum: + - profile.email + - profile.serial + - activated + - user.id + - created + - status + - lastVerified + - name: forDownload + in: query + description: >- + Returns tokens in a CSV to download instead of in the response. When + you use this query parameter, the `limit` default changes to 1000. 
+ schema: + type: boolean + default: false + - name: limit + in: query + description: Specifies the number of results per page + schema: + type: integer + default: 20 + maximum: 200 + - name: sortBy + in: query + description: The value of how the tokens are sorted + schema: + type: string + enum: + - profile.email + - profile.serial + - activated + - user.id + - created + - status + - lastVerified + - name: sortOrder + in: query + description: Specifies the sort order, either `ASC` or `DESC` + schema: + type: string + enum: + - ASC + - DESC + /api/v1/org/factors/yubikey_token/tokens/{tokenId}: + get: + summary: Retrieve a YubiKey OTP token + description: Retrieves the specified YubiKey OTP token by `id` + operationId: getYubikeyOtpTokenById + parameters: + - name: tokenId + in: path + required: true + description: The YubiKey OTP token ID + schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorYubikeyOtpToken' + examples: + Token: + $ref: '#/components/examples/GetYubikeyOptTokenResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/yubikeyTokenId' + /api/v1/org/logo: + post: + summary: Upload the org logo + description: Uploads and replaces the logo for your organization + operationId: uploadOrgLogo + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + type: string + format: binary + description: >- + The file must be in PNG, JPG, or GIF format and less than 1 + MB in size. 
For best results use landscape orientation, a + transparent background, and a minimum size of 420px by 120px + to prevent upscaling. + required: + - file + description: logo file + responses: + '201': + description: Created + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/orgSettings/thirdPartyAdminSetting: + get: + summary: Retrieve the org third-party admin setting + description: >- + Retrieves the third-party admin setting. See [Configure third-party + administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) + in the Okta product documentation. + operationId: getThirdPartyAdminSetting + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ThirdPartyAdminSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update the org third-party admin setting + description: > + Updates the third-party admin setting. + + This setting allows third-party admins to perform administrative actions + in the Admin Console, but they can't do any of the following: + * Receive Okta admin email notifications + * Contact Okta support + * Sign in to the Okta Help Center + + See [Configure third-party + administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) + in the Okta product documentation. 
+ operationId: updateThirdPartyAdminSetting + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ThirdPartyAdminSetting' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ThirdPartyAdminSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/preferences: + get: + summary: Retrieve the org preferences + description: Retrieves preferences of your Okta org operationId: getOrgPreferences + parameters: [] responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgPreferences' - description: Success + examples: + retrieveOrgPrefEx: + $ref: '#/components/examples/orgShowFooterPrefResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Get org preferences + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - Org + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/preferences/hideEndUserFooter: post: - description: Hide the Okta UI footer for all end users of your organization. 
- operationId: hideOktaUIFooter + summary: Set the hide dashboard footer preference + description: >- + Sets the preference to hide the Okta End-User Dashboard footer for all + end users of your org + operationId: setOrgHideOktaUIFooter + parameters: [] responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgPreferences' - description: Success + examples: + hideOrgPrefEx: + $ref: '#/components/examples/orgHideFooterPrefResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Show Okta UI Footer + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - Org + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/preferences/showEndUserFooter: post: - description: Makes the Okta UI footer visible for all end users of your organization. - operationId: showOktaUIFooter + summary: Set the show dashboard footer preference + description: >- + Sets the preference to show the Okta UI footer for all end users of your + org + operationId: setOrgShowOktaUIFooter + parameters: [] responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgPreferences' + examples: + showOrgPrefEx: + $ref: '#/components/examples/orgShowFooterPrefResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingCustomization + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/aerial: + get: + x-okta-iam-admin-roles: + - SUPER_ADMIN + summary: Retrieve Okta Aerial consent for your org + description: >- + Retrieves the Okta Aerial consent grant details for your Org. Returns a + 404 Not Found error if no consent has been granted. 
+ operationId: getAerialConsent + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentDetails' + examples: + example-read-grant-response: + $ref: '#/components/examples/AerialConsentDetails' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-no-already-present-response: + $ref: '#/components/examples/AerialGrantAlreadyPresentErrorResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: >- + Consent hasn't been given and there are no grants to any Aerial + Accounts + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-no-grant-found-response: + $ref: '#/components/examples/AerialGrantNotFoundResponse' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/aerial/grant: + post: + x-okta-iam-admin-roles: + - SUPER_ADMIN + summary: Grant Okta Aerial access to your org + description: >- + Grants an Okta Aerial account consent to manage your org. If the org is + a child org, consent is taken from the parent org. Grant calls directly + to the child are not allowed. 
+ operationId: grantAerialConsent + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsent' + examples: + example-grant-call: + description: >- + Request body to grant an Okta Aerial account access to your + Org + value: + accountId: 0200bs0617vvhv2v675mch1cukp + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentDetails' + examples: + example-grant-success-response: + $ref: '#/components/examples/AerialConsentDetails' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-invalid-account-id: + $ref: '#/components/examples/AerialConsentInvalidAccountIdResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/aerial/revoke: + post: + x-okta-iam-admin-roles: + - SUPER_ADMIN + summary: Revoke Okta Aerial access to your org + description: >- + Revokes access of an Okta Aerial account to your Org. The revoke + operation will fail if the org has already been added to an Aerial + account. 
+ operationId: revokeAerialConsent + parameters: [] + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsent' + examples: + example-revoke-request: + description: Request body for revoking an Okta Aerial account + value: + accountId: 0200bs0617vvhv2v675mch1cukp + responses: + '200': description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgAerialConsentRevoked' + '400': + description: Can't complete request due to errors + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + example-org-is-linked: + $ref: '#/components/examples/AerialConsentOrgAlreadyLinkedResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Show Okta UI Footer + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - Org + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication: get: - description: Gets Okta Communication Settings of your organization. 
+ summary: Retrieve the Okta communication settings + description: Retrieves Okta Communication Settings of your org operationId: getOktaCommunicationSettings + parameters: [] responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' - description: Success + examples: + retrieveOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptOutResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Get Okta Communication Settings + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - Org + - OrgSettingCommunication + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication/optIn: post: - description: Opts in all users of this org to Okta Communication emails. + summary: Opt in to Okta user communication emails + description: Opts in all users of this org to Okta communication emails operationId: optInUsersToOktaCommunicationEmails + parameters: [] responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' - description: Success + examples: + optInOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptInResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Opt in all users to Okta Communication emails + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - Org + - OrgSettingCommunication + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication/optOut: post: - description: Opts out all users of this org from Okta Communication emails. 
+ summary: Opt out of Okta user communication emails + description: Opts out all users of this org from Okta communication emails operationId: optOutUsersFromOktaCommunicationEmails + parameters: [] responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' - description: Success + examples: + optOutOktaCommSettingsEx: + $ref: '#/components/examples/orgCommunicationOptOutResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Opt out all users from Okta Communication emails + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - Org + - OrgSettingCommunication + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport: get: - description: Gets Okta Support Settings of your organization. + x-okta-iam-admin-roles: + - SUPER_ADMIN + summary: Retrieve the Okta Support settings + description: Retrieves Okta Support Settings for your org operationId: getOrgOktaSupportSettings + parameters: [] responses: '200': + description: Success content: application/json: schema: $ref: '#/components/schemas/OrgOktaSupportSettingsObj' - description: Success + examples: + OktaSupportWithCaseNumberEx: + $ref: >- + #/components/examples/orgSupportSettingsWithCaseNumberResponse + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Get Okta Support settings + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - Org - /api/v1/org/privacy/oktaSupport/extend: - post: - description: Extends the length of time that Okta Support can access your org - by 24 hours. This means that 24 hours are added to the remaining access time. 
- operationId: extendOktaSupport + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/oktaSupport/cases: + get: + summary: List all Okta Support cases + description: >- + Lists all Okta Support cases that the requesting principal has + permission to view + operationId: listOktaSupportCases responses: '200': + description: Success content: application/json: schema: - $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + $ref: '#/components/schemas/OktaSupportCases' + examples: + OktaSupportCasesEx: + $ref: '#/components/examples/OktaSupportCases' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/oktaSupport/cases/{caseNumber}: + patch: + x-okta-iam-permissions: + - okta.support.cases.manage + x-okta-iam-admin-roles: + - SUPER_ADMIN + summary: Update an Okta Support case + description: >- + Updates access to the org for an Okta Support case: + + + * You can enable, disable, or extend access to your org for an Okta + Support case. + + + * You can approve Okta Support access to your org for self-assigned + cases. A self-assigned case is created and assigned by the same Okta + Support user. 
+ operationId: updateOktaSupportCase + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OktaSupportCase' + examples: + AllowOktaSupportAccessStatus: + $ref: '#/components/examples/AllowOktaSupportAccessStatusRequest' + ExtendOktaSupportAccessStatus: + $ref: '#/components/examples/ExtendOktaSupportAccessStatusRequest' + RevokeOktaSupportAccessStatus: + $ref: '#/components/examples/RevokeOktaSupportAccessStatusRequest' + AllowSelfAssigned: + $ref: '#/components/examples/AllowSelfAssignedRequest' + responses: + '200': description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OktaSupportCase' + examples: + AllowOktaSupportAccessStatus: + $ref: '#/components/examples/AllowOktaSupportAccessStatus' + ExtendOktaSupportAccessStatus: + $ref: '#/components/examples/ExtendOktaSupportAccessStatus' + RevokeOktaSupportAccessStatus: + $ref: '#/components/examples/RevokeOktaSupportAccessStatus' + AllowSelfAssigned: + $ref: '#/components/examples/AllowSelfAssigned' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Extend Okta Support + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - Org + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/caseNumber' + /api/v1/org/privacy/oktaSupport/extend: + post: + deprecated: true + x-okta-iam-admin-roles: + - SUPER_ADMIN + summary: Extend Okta Support access + description: >- + Extends the length of time that Okta Support can access your org by 24 + hours. This means that 24 hours are added to the remaining access time. + + + > **Note:** This resource is deprecated. 
Use the [Update an Okta Support + case](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/updateOktaSupportCase) + resource to extend Okta Support access for a support case. + + > For the corresponding Okta Admin Console feature, see [Give access to + Okta + Support](https://help.okta.com/okta_help.htm?type=oie&id=settings-support-access). + operationId: extendOktaSupport + parameters: [] + responses: + '301': + description: Moved Permanently + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/grant: post: - description: Enables you to temporarily allow Okta Support to access your org - as an administrator for eight hours. + deprecated: true + x-okta-iam-admin-roles: + - SUPER_ADMIN + summary: Grant Okta Support access + description: >- + Grants Okta Support temporary access to your org as an administrator for + eight hours + + + > **Note:** This resource is deprecated. Use the [Update an Okta Support + case](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/updateOktaSupportCase) + resource to grant Okta Support access for a support case. + + > For the corresponding Okta Admin Console feature, see [Give access to + Okta + Support](https://help.okta.com/okta_help.htm?type=oie&id=settings-support-access). 
operationId: grantOktaSupport + parameters: [] + responses: + '301': + description: Moved Permanently + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/privacy/oktaSupport/revoke: + post: + deprecated: true + x-okta-iam-admin-roles: + - SUPER_ADMIN + summary: Revoke Okta Support access + description: >- + Revokes Okta Support access to your org + + + > **Note:** This resource is deprecated. Use the [Update an Okta Support + case](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/updateOktaSupportCase) + resource to revoke Okta Support access for a support case. + + > For the corresponding Okta Admin Console feature, see [Give access to + Okta + Support](https://help.okta.com/okta_help.htm?type=oie&id=settings-support-access). + operationId: revokeOktaSupport + parameters: [] + responses: + '301': + description: Moved Permanently + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingSupport + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/settings/autoAssignAdminAppSetting: + get: + summary: Retrieve the Okta Admin Console assignment setting + description: >- + Retrieves the org setting to automatically assign the Okta Admin Console + when an admin role is assigned + operationId: getAutoAssignAdminAppSetting + parameters: [] responses: '200': + description: Success content: application/json: schema: - $ref: '#/components/schemas/OrgOktaSupportSettingsObj' - description: Success + $ref: '#/components/schemas/AutoAssignAdminAppSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Grant Okta Support + - apiToken: [] + - oauth2: + - okta.orgs.read tags: - - Org - 
/api/v1/org/privacy/oktaSupport/revoke: + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true post: - description: Revokes Okta Support access to your organization. - operationId: revokeOktaSupport + summary: Update the Okta Admin Console assignment setting + description: >- + Updates the org setting to automatically assign the Okta Admin Console + when an admin role is assigned + + + > **Note:** This setting doesn't apply to the `SUPER_ADMIN` role. + + > When you assign the `SUPER_ADMIN` role to a user, the Admin Console is + always assigned to the user regardless of the + `autoAssignAdminAppSetting` setting. + operationId: updateAutoAssignAdminAppSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AutoAssignAdminAppSetting' responses: '200': + description: Success content: application/json: schema: - $ref: '#/components/schemas/OrgOktaSupportSettingsObj' + $ref: '#/components/schemas/AutoAssignAdminAppSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/org/settings/clientPrivilegesSetting: + get: + summary: Retrieve the default public client app role setting + description: >- + Retrieves the org setting to assign the [Super Admin + role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) to + new public client apps + operationId: getClientPrivilegesSetting + parameters: [] + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ClientPrivilegesSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - OrgSettingAdmin + 
x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Assign the default public client app role setting + description: >- + Assigns the [Super Admin + role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) as + the default role for new public client apps + operationId: assignClientPrivilegesSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ClientPrivilegesSetting' + responses: + '200': description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ClientPrivilegesSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' security: - - api_token: [] - summary: Extend Okta Support + - apiToken: [] + - oauth2: + - okta.orgs.manage tags: - - Org + - OrgSettingAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true +components: + schemas: + OrgSetting: + type: object + properties: + address1: + type: string + description: Primary address of the organization associated with the org + address2: + type: string + description: Secondary address of the organization associated with the org + city: + type: string + description: City of the organization associated with the org + companyName: + type: string + description: Name of org + country: + type: string + description: County of the organization associated with the org + created: + format: date-time + readOnly: true + type: string + description: When org was created + endUserSupportHelpURL: + type: string + description: Support link of org + expiresAt: + format: date-time + readOnly: true + type: string + description: Expiration of org + id: + readOnly: true + type: string + description: Org ID + lastUpdated: + format: date-time + readOnly: true + type: string + description: When org was last updated + phoneNumber: + type: string + description: Phone number of the organization associated with the org + postalCode: + 
type: string + description: Postal code of the organization associated with the org + state: + type: string + description: State of the organization associated with the org + status: + readOnly: true + type: string + description: Status of org + enum: + - ACTIVE + - INACTIVE + subdomain: + readOnly: true + type: string + description: Subdomain of org + supportPhoneNumber: + type: string + description: Support help phone of the organization associated with the org + website: + type: string + description: Website of the organization associated with the org + _links: + $ref: '#/components/schemas/orgGeneralSettingLinks' + OrgCAPTCHASettings: + title: OrgCAPTCHASettings + description: '' + type: object + properties: + captchaId: + description: The unique key of the associated CAPTCHA instance + type: string + enabledPages: + description: An array of pages that have CAPTCHA enabled + type: array + items: + $ref: '#/components/schemas/enabledPagesType' + _links: + type: object + description: Link relations for the CAPTCHA settings object + properties: + self: + $ref: '#/components/schemas/HrefObject' + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ OrgContactTypeObj: + anyOf: + - $ref: '#/components/schemas/orgBillingContactType' + - $ref: '#/components/schemas/orgTechnicalContactType' + type: object + properties: + contactType: + $ref: '#/components/schemas/OrgContactType' + discriminator: + propertyName: contactType + mapping: + BILLING: '#/components/schemas/orgBillingContactType' + TECHNICAL: '#/components/schemas/orgTechnicalContactType' + OrgContactUser: + type: object + properties: + userId: + type: string + description: Contact user ID + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + contact type user object using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + user: + $ref: '#/components/schemas/HrefObjectUserLink' + BouncesRemoveListObj: + type: object + properties: + emailAddresses: + type: array + description: >- + A list of email addresses to remove from the email-service bounce + list + items: + type: string + description: Email address + BouncesRemoveListResult: + type: object + properties: + errors: + type: array + description: >- + A list of emails that wasn't added to the email-bounced remove list + and the error reason + items: + $ref: '#/components/schemas/BouncesRemoveListError' + UserFactorYubikeyOtpToken: + type: object + properties: + created: + description: Timestamp when the token was created + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + id: + description: ID of the token + type: string + example: ykkwcx13nrDq8g4oy0g3 + readOnly: true + lastUpdated: + description: Timestamp when the token was last updated + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + lastVerified: + description: Timestamp when the token was last verified + type: string + format: date-time + example: 
'2022-08-25T00:31:00.000Z' + readOnly: true + profile: + type: object + description: Specified profile information for token + additionalProperties: + type: object + properties: {} + status: + description: Token status + type: string + enum: + - BLOCKED + - UNASSIGNED + - ACTIVE + - REVOKED + - DELETED + - INACTIVE + _embedded: + type: object + additionalProperties: + type: object + properties: {} + _links: + $ref: '#/components/schemas/UserFactorLinks' + ThirdPartyAdminSetting: + description: The third-party admin setting + type: object + properties: + thirdPartyAdmin: + type: boolean + description: Indicates if the third-party admin functionality is enabled + example: false + OrgPreferences: + type: object + properties: + showEndUserFooter: + type: boolean + description: Indicates if the footer is shown on the End-User Dashboard + readOnly: true + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this + object using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + hideEndUserFooter: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to hide the footer in the End-User Dashboard + showEndUserFooter: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to show the footer on the End-User Dashboard + OrgAerialConsentDetails: + type: object + properties: + accountId: + description: The unique ID of the Aerial account + type: string + grantedBy: + type: string + description: Principal ID of the user who granted the permission + example: 00u23ej02I2RLFxS5406 + grantedDate: + type: string + description: Date when grant was created + example: '2024-07-24T16:01:13.000Z' + _links: + $ref: '#/components/schemas/LinksAerialConsentGranted' + required: + - accountId + OrgAerialConsent: + type: object + properties: + accountId: + 
description: The unique ID of the Aerial account + type: string + required: + - accountId + OrgAerialConsentRevoked: + type: object + properties: + _links: + $ref: '#/components/schemas/LinksAerialConsentRevoked' + OrgOktaCommunicationSetting: + type: object + properties: + optOutEmailUsers: + type: boolean + description: Indicates whether org users receive Okta communication emails + readOnly: true + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this + object using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + optIn: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to opt users in to communication emails + optOut: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to opt users out of communication emails + OrgOktaSupportSettingsObj: + type: object + properties: + caseNumber: + type: string + description: Support case number for the Okta Support access grant + readOnly: true + nullable: true + expiration: + format: date-time + type: string + description: Expiration of Okta Support + readOnly: true + nullable: true + support: + $ref: '#/components/schemas/OrgOktaSupportSetting' + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + Okta Support Settings object using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + extend: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to [extend Okta Support + Access](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/extendOktaSupport) + revoke: + allOf: + - $ref: 
'#/components/schemas/HrefObject' + - description: >- + Link to [revoke Okta Support + Access](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/revokeOktaSupport) + grant: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to [grant Okta Support + Access](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/grantOktaSupport) + case: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to [update an Okta Support + case](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/updateOktaSupportCase) + cases: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to [List all Okta Support + cases](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/listOktaSupportCases) + OktaSupportCases: + type: object + properties: + supportCases: + type: array + items: + $ref: '#/components/schemas/OktaSupportCase' + OktaSupportCase: + type: object + properties: + caseNumber: + type: string + description: Okta Support case number + readOnly: true + impersonation: + type: object + description: >- + Allows the Okta Support team to sign in to your org as an admin and + troubleshoot issues + properties: + status: + $ref: '#/components/schemas/OktaSupportAccessStatus' + expiration: + format: date-time + type: string + description: Expiration date of Okta Support access + nullable: true + selfAssigned: + type: object + description: >- + Customer allows Okta Support access to self-assigned cases. Support + cases are self-assigned when an Okta Support team member creates and + assigns the case to themselves. 
+ properties: + status: + $ref: '#/components/schemas/SelfAssignedStatus' + subject: + type: string + description: Subject of the support case + readOnly: true + AutoAssignAdminAppSetting: + description: >- + The org setting that automatically assigns the Okta Admin Console when + an admin role is assigned + type: object + properties: + autoAssignAdminAppSetting: + type: boolean + description: >- + Automatically assigns the Okta Admin Console to the user when an + admin role is assigned + ClientPrivilegesSetting: + description: >- + The org setting that assigns the super admin role by default to a public + client app + type: object + properties: + clientPrivilegesSetting: + type: boolean + description: >- + If true, assigns the super admin role by default to new public + client apps + example: true + orgGeneralSettingLinks: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org + using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + type: object + properties: + contacts: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [Org + Contacts](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingContact/) + resource + logo: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the org logo + oktaCommunication: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [Org Communication + Settings](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingCommunication/) + resource + oktaSupport: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [Org Support + Settings](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingSupport/) + resource + preferences: + allOf: + - $ref: '#/components/schemas/HrefObject' + 
- description: >- + Link to the [Org + Preferences](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/getOrgPreferences) + resource + uploadLogo: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [Upload Org + Logo](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/uploadOrgLogo) + resource + readOnly: true + enabledPagesType: + title: enabledPages + type: string + enum: + - SIGN_IN + - SSPR + - SSR + x-enumDescriptions: + SIGN_IN: User sign-in page + SSPR: Self-service Password Recovery page + SSR: Self-service Registration page + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + ErrorCause: + type: object + properties: + errorSummary: + type: string + orgBillingContactType: + description: Org billing contact + type: object + properties: + contactType: + $ref: '#/components/schemas/OrgContactType' + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + org billing contact type object using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + billing: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the org billing [contact type + user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) + resource + orgTechnicalContactType: + description: Org technical contact + type: object + properties: + contactType: + $ref: '#/components/schemas/OrgContactType' + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + org technical Contact Type object using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + technical: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the org technical [Contact Type + User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) + resource + OrgContactType: + description: Type of contact + type: string + enum: + - BILLING + - TECHNICAL + HrefObjectUserLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the user resource + BouncesRemoveListError: + type: object + properties: + emailAddress: + type: string + 
description: An email address with a validation error + reason: + type: string + description: Validation error reason + UserFactorLinks: + allOf: + - $ref: '#/components/schemas/LinksActivate' + - $ref: '#/components/schemas/LinksCancel' + - $ref: '#/components/schemas/LinksDeactivate' + - $ref: '#/components/schemas/LinksEnroll' + - $ref: '#/components/schemas/LinksFactor' + - $ref: '#/components/schemas/LinksPoll' + - $ref: '#/components/schemas/LinksQrcode' + - $ref: '#/components/schemas/LinksQuestions' + - $ref: '#/components/schemas/LinksResend' + - $ref: '#/components/schemas/LinksSend' + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUser' + - $ref: '#/components/schemas/LinksVerify' + readOnly: true + LinksAerialConsentGranted: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + revoke: + $ref: '#/components/schemas/HrefObjectRevokeAerialConsent' + LinksAerialConsentRevoked: + allOf: + - type: object + properties: + grant: + $ref: '#/components/schemas/HrefObjectGrantAerialConsent' + OrgOktaSupportSetting: + description: Status of Okta Support Settings + type: string + enum: + - DISABLED + - ENABLED + OktaSupportAccessStatus: + description: Status of Okta Support access + type: string + enum: + - DISABLED + - ENABLED + - NOT_REQUESTED + - REQUESTED + x-enumDescriptions: + NOT_REQUESTED: Okta Support access not requested + REQUESTED: Okta Support access requested + DISABLED: Okta Support access disabled + ENABLED: Okta Support access enabled + SelfAssignedStatus: + description: Okta Support access approval status for self-assigned cases + type: string + enum: + - APPROVED + - NOT_REQUIRED + - REQUESTED + x-enumDescriptions: + NOT_REQUIRED: >- + Approval isn't required because the case wasn't self-created and + self-assigned by an Okta Support user + REQUESTED: Customer approval for self-assigned case requested + APPROVED: >- + Okta Support access is approved by the customer for the 
self-assigned + case + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + LinksActivate: + type: object + properties: + activate: + allOf: + - description: >- + Activates an enrolled factor. See [Activate a + factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/activateFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksCancel: + type: object + properties: + cancel: + allOf: + - description: Cancels a `push` factor challenge with a `WAITING` status + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksDeactivate: + type: object + properties: + deactivate: + allOf: + - description: >- + Deactivates the factor. See [Unenroll a + factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/unenrollFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksEnroll: + type: object + properties: + enroll: + allOf: + - description: >- + Enrolls a supported factor. See [Enroll a + factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/enrollFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksFactor: + type: object + properties: + factor: + allOf: + - description: Link to the factor resource + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksPoll: + type: object + properties: + poll: + allOf: + - description: >- + Polls the factor resource for status information. Always use the + `poll` link instead of manually constructing your own URL. 
+ - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksQrcode: + type: object + properties: + qrcode: + allOf: + - description: >- + QR code that encodes the push activation code needed for + enrollment on the device + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksQuestions: + type: object + properties: + question: + allOf: + - description: >- + Lists all supported security questions. See [List all supported + security + questions](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/listSupportedSecurityQuestions). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksResend: + type: object + properties: + resend: + allOf: + - description: >- + Resends the factor enrollment challenge. See [Resend a factor + enrollment](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/resendEnrollFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksSend: + type: object + properties: + send: + allOf: + - description: >- + Sends an activation link through email or sms for users who + can't scan the QR code + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + LinksUser: + type: object + properties: + user: + allOf: + - description: Returns information on the specified user + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksVerify: + type: object + properties: + verify: + allOf: + - description: >- + Verifies the factor resource. See [Verify a + factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + HrefObjectRevokeAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to revoke Okta Aerial consent for your Org + HrefObjectGrantAerialConsent: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to grant Okta Aerial access to your Org + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: 
+ pathContactType: + name: contactType + in: path + required: true + schema: + type: string + description: Type of contact + enum: + - BILLING + - TECHNICAL + example: BILLING + yubikeyTokenId: + name: tokenId + description: ID of a YubiKey token + in: path + required: true + schema: + type: string + example: ykkxdtCA1fKVxyu6R0g3 + caseNumber: + name: caseNumber + in: path + required: true + schema: + type: string + description: Okta Support case number + example: '00000144' + examples: + OrgSettingResponse: + summary: Org setting response + value: + address1: 100 1st St + address2: 6th floor + city: San Fransico + companyName: okta + country: United States + endUserSupportHelpURL: support.okta.com + phoneNumber: '+18887227871' + postalCode: '94105' + state: California + supportPhoneNumber: '+18887227871' + website: www.okta.com + id: 00o3qqiw0vSCIwu8I0g7 + created: '2024-01-24T14:15:22Z' + lastUpdated: '2024-07-21T14:15:22Z' + expiresAt: '2024-12-24T14:15:22Z' + status: ACTIVE + subdomain: okta + _links: + preferences: + href: https://{yourOktaDomain}/v1/org/preferences + uploadLogo: + href: https://{yourOktaDomain}/api/v1/org/logo + hints: + allow: + - POST + oktaCommunication: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication + logo: null + oktaSupport: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport + contacts: + href: https://vantest.oktapreview.com/api/v1/org/contacts + UpdateOrgSettingEx: + summary: Org setting request + value: + address1: 100 1st St + address2: 6th floor + city: San Fransico + companyName: okta + country: United States + endUserSupportHelpURL: support.okta.com + phoneNumber: '+18887227871' + postalCode: '94105' + state: California + supportPhoneNumber: '+18887227871' + website: www.okta.com + OrgCAPTCHASettingsConfigured: + summary: org-wide Captcha settings are configured + value: + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN + _links: + self: + href: 
https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + hints: + allow: + - GET + - POST + - PUT + - DELETE + OrgCAPTCHASettingsEmpty: + summary: Org-wide Captcha settings aren't configured + value: + captchaId: null + enabledPages: [] + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas + hints: + allow: + - GET + - POST + - PUT + - DELETE + OrgCAPTCHASettingsUpdate: + summary: Update org-wide Captcha settings + value: + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN + OrgCAPTCHASettingsDisable: + summary: Disable org-wide Captcha settings + value: + captchaId: 'null' + enabledPages: 'null' + OrgCAPTCHASettingsUpdated: + summary: Updated org-wide Captcha settings + value: + captchaId: abcd4567 + enabledPages: + - SSR + - SIGN_IN + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + hints: + allow: + - GET + - POST + - PUT + - DELETE + OrgCAPTCHASettingsDisabled: + summary: Disabled org-wide Captcha settings + value: + captchaId: 'null' + enabledPages: '[]' + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/ + hints: + allow: + - GET + - PUT + ErrorCAPTCHAOrgWideSettingNull: + summary: captchaId is null, but enabledPages is defined + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: captchaId' + errorLink: E0000001 + errorId: oae-hk3rssXQmOWDRsaFfxe8A + errorCauses: + errorSummary: >- + captchaId: Invalid CAPTCHA ID. The value of captchaId cannot be + blank when enabledPages is not empty. Please resubmit with an + existing CAPTCHA ID or disable CAPTCHA support on all supported + pages. 
+ orgContactTypeResponse: + summary: Org contact types + value: + - contactType: BILLING + _links: + billing: + href: https://{yourOktaDomain}/api/v1/org/contacts/billing + - contactType: TECHNICAL + _links: + technical: + href: https://{yourOktaDomain}/api/v1/org/contacts/technical + orgContactUserResponse: + summary: Contact user + value: + userId: 00ux3u0ujW1r5AfZC1d7 + _links: + user: + href: https://{yourOktaDomain}/api/v1/users/00ux3u0ujW1r5AfZC1d7 + ListYubikeyOptTokensResponse: + summary: List YubiKey OTP token response + value: + - id: ykkwcx13nrDq8g4oy0g3 + created: '2020-01-14T21:53:09.000Z' + lastVerified: '2020-01-14T21:53:06.000Z' + lastUpdated: '2020-01-14T21:53:09.000Z' + status: UNASSIGNED + profile: + serial: '000003632071' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkwcx13nrDq8g4oy0g3 + hints: + allow: + - GET + - DELETE + - id: ykkxdtCA1fKVxyu6R0g3 + created: '2020-06-09T23:42:05.000Z' + activated: '2020-06-09T23:47:29.000Z' + lastVerified: '2020-06-09T23:47:29.000Z' + lastUpdated: '2020-06-09T23:47:29.000Z' + status: ACTIVE + profile: + serial: '000009508427' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3 + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3 + hints: + allow: + - DELETE + UploadYubikeyTokenSeedRequest: + summary: YubiKey OTP seed + value: + serialNumber: '7886622' + publicId: ccccccijgibu + privateId: b74be6169486 + aesKey: 1fcc6d8ce39bf1604e0b17f3e0a11067 + UploadYubikeyTokenSeedResponse: + value: + id: ykkut4G6ti62DD8Dy0g3 + created: '2020-01-10T23:04:10.000Z' + lastVerified: '2020-01-10T23:04:10.000Z' + lastUpdated: '2020-01-10T23:04:10.000Z' + status: UNASSIGNED + profile: + serial: '000007886622' + _links: + self: + 
href: >- + https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkut4G6ti62DD8Dy0g3 + hints: + allow: + - GET + - DELETE + GetYubikeyOptTokenResponse: + summary: Get YubiKey OTP token response + value: + id: ykkxdtCA1fKVxyu6R0g3 + created: '2020-06-09T23:42:05.000Z' + activated: '2020-06-09T23:47:29.000Z' + lastVerified: '2020-06-09T23:47:29.000Z' + lastUpdated: '2020-06-09T23:47:29.000Z' + status: ACTIVE + profile: + serial: '000009508427' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3 + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3 + hints: + allow: + - DELETE + orgShowFooterPrefResponse: + summary: Show footer response + value: + showEndUserFooter: true + _links: + hideEndUserFooter: + href: https://{yourOktaDomain}/api/v1/org/preferences/hideEndUserFooter + hints: + allow: + - POST + orgHideFooterPrefResponse: + summary: Hide footer response + value: + showEndUserFooter: false + _links: + showEndUserFooter: + href: https://{yourOktaDomain}/api/v1/org/preferences/showEndUserFooter + hints: + allow: + - POST + AerialConsentDetails: + description: Example response of consent details + value: + accountId: 0200bs0617vvhv2v675mch1cukp + grantDate: '2023-04-06T21:32:33.000Z' + grantedBy: 00uabcdefg1234567890 + AerialGrantAlreadyPresentErrorResponse: + description: Grant is already present + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: account' + errorLink: E0000001 + errorId: oaewjePjfdBT7m71KkPz0Ipaw + errorCauses: + - errorSummary: The org already has a consent grant added to Aerial. 
+ AerialGrantNotFoundResponse: + description: No grant found for org + value: + errorCode: E0000007 + errorSummary: 'Not found: Resource not found: grant (String)' + errorLink: E0000007 + errorId: sampleFYH_dTSSTdpPYIAdHJw + errorCauses: [] + AerialConsentInvalidAccountIdResponse: + description: Aerial account ID is invalid + value: + errorCode: E0000001 + errorSummary: 'API validation failed: account' + errorLink: E0000001 + errorId: oaewjePjfdBT7m71KkPz0Ipaw + errorCauses: + - errorSummary: Invalid aerial account ID. + AerialConsentOrgAlreadyLinkedResponse: + description: The revoke operation isn't possible when the org is already linked + value: + errorCode: E0000001 + errorSummary: 'API validation failed: account' + errorLink: E0000001 + errorId: oae_wheRkaxRT-EFAXwBmBKLg + errorCauses: + - errorSummary: The org is already linked to an Account. + orgCommunicationOptOutResponse: + summary: Opt out of communication emails + value: + optOutEmailUsers: true + _links: + optIn: + href: >- + https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optIn + hints: + allow: + - POST + orgCommunicationOptInResponse: + summary: Opt in to communication emails + value: + optOutEmailUsers: false + _links: + optOut: + href: >- + https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optOut + hints: + allow: + - POST + orgSupportSettingsWithCaseNumberResponse: + summary: Org support settings with impersonation grant for cases + value: + support: ENABLED + expiration: '2024-01-24T11:13:14.000Z' + caseNumber: '20000144' + _links: + case: + href: >- + https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/case/{caseNumber} + hints: + allow: + - PATCH + cases: + href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/cases + hints: + allow: + - GET + OktaSupportCases: + summary: Org Support cases + value: + - impersonation: + status: ENABLED + expiration: '2024-01-24T11:13:14.000Z' + selfAssigned: + status: REQUESTED + subject: Reset admin password + caseNumber: 
'1000001' + - impersonation: + status: REQUESTED + expiration: null + selfAssigned: + status: NOT_REQUIRED + subject: Review IP restriction configuration + caseNumber: '1000002' + AllowOktaSupportAccessStatusRequest: + summary: Allow Okta Support access + value: + impersonation: + status: ENABLED + ExtendOktaSupportAccessStatusRequest: + summary: Extend Okta Support access + value: + impersonation: + expiration: '2024-01-25T11:13:14.000Z' + RevokeOktaSupportAccessStatusRequest: + summary: Revoke Okta Support access + value: + impersonation: + status: DISABLED + AllowSelfAssignedRequest: + summary: Allow self-assigned Okta Support cases + value: + selfAssigned: + status: APPROVED + AllowOktaSupportAccessStatus: + summary: Allow Okta Support access + value: + impersonation: + status: ENABLED + expiration: '2024-01-24T11:13:14.000Z' + caseNumber: '1011001' + ExtendOktaSupportAccessStatus: + summary: Extend Okta Support access + value: + impersonation: + status: ENABLED + expiration: '2024-01-25T11:13:14.000Z' + caseNumber: '1011001' + RevokeOktaSupportAccessStatus: + summary: Revoke Okta Support access + value: + impersonation: + status: DISABLED + expiration: null + caseNumber: '1011001' + AllowSelfAssigned: + summary: Allow self-assigned Okta Support cases + value: + selfAssigned: + status: APPROVED + caseNumber: '1011001' + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + settings: + id: okta.org.settings + name: settings + title: Settings + methods: + get_org_settings: + operation: + $ref: '#/paths/~1api~1v1~1org/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_org_settings: + operation: + $ref: '#/paths/~1api~1v1~1org/post' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_org_settings: + operation: + $ref: '#/paths/~1api~1v1~1org/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/settings/methods/get_org_settings' + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/settings/methods/update_org_settings + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/settings/methods/replace_org_settings + captcha_settings: + id: okta.org.captcha_settings + name: captcha_settings + title: Captcha Settings + methods: + get_org_captcha_settings: + operation: + $ref: '#/paths/~1api~1v1~1org~1captcha/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replaces_org_captcha_settings: + operation: + $ref: '#/paths/~1api~1v1~1org~1captcha/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_org_captcha_settings: + operation: + $ref: '#/paths/~1api~1v1~1org~1captcha/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + 
#/components/x-stackQL-resources/captcha_settings/methods/get_org_captcha_settings + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/captcha_settings/methods/delete_org_captcha_settings + replace: + - $ref: >- + #/components/x-stackQL-resources/captcha_settings/methods/replaces_org_captcha_settings + contact_types: + id: okta.org.contact_types + name: contact_types + title: Contact Types + methods: + list_org_contact_types: + operation: + $ref: '#/paths/~1api~1v1~1org~1contacts/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/contact_types/methods/list_org_contact_types + insert: [] + update: [] + delete: [] + replace: [] + contacts: + id: okta.org.contacts + name: contacts + title: Contacts + methods: + get_org_contact_user: + operation: + $ref: '#/paths/~1api~1v1~1org~1contacts~1{contactType}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_org_contact_user: + operation: + $ref: '#/paths/~1api~1v1~1org~1contacts~1{contactType}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/contacts/methods/get_org_contact_user + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/contacts/methods/replace_org_contact_user + email_customizations: + id: okta.org.email_customizations + name: email_customizations + title: Email Customizations + methods: + bulk_remove_email_address_bounces: + operation: + $ref: '#/paths/~1api~1v1~1org~1email~1bounces~1remove-list/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: [] + insert: [] + update: [] + delete: [] + replace: [] + yubikey_otp_tokens: + id: okta.org.yubikey_otp_tokens + name: yubikey_otp_tokens + title: Yubikey Otp Tokens + methods: + list_yubikey_otp_tokens: + operation: + $ref: 
'#/paths/~1api~1v1~1org~1factors~1yubikey_token~1tokens/get' + response: + mediaType: application/json + openAPIDocKey: '200' + upload_yubikey_otp_token_seed: + operation: + $ref: '#/paths/~1api~1v1~1org~1factors~1yubikey_token~1tokens/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_yubikey_otp_token_by_id: + operation: + $ref: >- + #/paths/~1api~1v1~1org~1factors~1yubikey_token~1tokens~1{tokenId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/yubikey_otp_tokens/methods/list_yubikey_otp_tokens + - $ref: >- + #/components/x-stackQL-resources/yubikey_otp_tokens/methods/get_yubikey_otp_token_by_id + insert: [] + update: [] + delete: [] + replace: [] + preferences: + id: okta.org.preferences + name: preferences + title: Preferences + methods: + upload_org_logo: + operation: + $ref: '#/paths/~1api~1v1~1org~1logo/post' + response: + mediaType: '' + openAPIDocKey: '201' + get_org_preferences: + operation: + $ref: '#/paths/~1api~1v1~1org~1preferences/get' + response: + mediaType: application/json + openAPIDocKey: '200' + set_org_hide_okta_uifooter: + operation: + $ref: '#/paths/~1api~1v1~1org~1preferences~1hideEndUserFooter/post' + response: + mediaType: application/json + openAPIDocKey: '200' + set_org_show_okta_uifooter: + operation: + $ref: '#/paths/~1api~1v1~1org~1preferences~1showEndUserFooter/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/preferences/methods/get_org_preferences + insert: [] + update: [] + delete: [] + replace: [] + third_party_admin_setting: + id: okta.org.third_party_admin_setting + name: third_party_admin_setting + title: Third Party Admin Setting + methods: + get_third_party_admin_setting: + operation: + $ref: '#/paths/~1api~1v1~1org~1orgSettings~1thirdPartyAdminSetting/get' + response: + mediaType: application/json + openAPIDocKey: 
'200' + update_third_party_admin_setting: + operation: + $ref: '#/paths/~1api~1v1~1org~1orgSettings~1thirdPartyAdminSetting/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/third_party_admin_setting/methods/get_third_party_admin_setting + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/third_party_admin_setting/methods/update_third_party_admin_setting + delete: [] + replace: [] + support_aerial_consent: + id: okta.org.support_aerial_consent + name: support_aerial_consent + title: Support Aerial Consent + methods: + get_aerial_consent: + operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1aerial/get' + response: + mediaType: application/json + openAPIDocKey: '200' + grant_aerial_consent: + operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1aerial~1grant/post' + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_aerial_consent: + operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1aerial~1revoke/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/support_aerial_consent/methods/get_aerial_consent + insert: + - $ref: >- + #/components/x-stackQL-resources/support_aerial_consent/methods/grant_aerial_consent + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/support_aerial_consent/methods/revoke_aerial_consent + replace: [] + communication_settings: + id: okta.org.communication_settings + name: communication_settings + title: Communication Settings + methods: + get_okta_communication_settings: + operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaCommunication/get' + response: + mediaType: application/json + openAPIDocKey: '200' + opt_in_users_to_okta_communication_emails: + operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaCommunication~1optIn/post' + response: + mediaType: application/json + openAPIDocKey: '200' + 
opt_out_users_from_okta_communication_emails: + operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaCommunication~1optOut/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/communication_settings/methods/get_okta_communication_settings + insert: [] + update: [] + delete: [] + replace: [] + support_settings: + id: okta.org.support_settings + name: support_settings + title: Support Settings + methods: + get_org_okta_support_settings: + operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaSupport/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/support_settings/methods/get_org_okta_support_settings + insert: [] + update: [] + delete: [] + replace: [] + support_cases: + id: okta.org.support_cases + name: support_cases + title: Support Cases + methods: + list_okta_support_cases: + operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaSupport~1cases/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_okta_support_case: + operation: + $ref: >- + #/paths/~1api~1v1~1org~1privacy~1oktaSupport~1cases~1{caseNumber}/patch + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/support_cases/methods/list_okta_support_cases + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/support_cases/methods/update_okta_support_case + delete: [] + replace: [] + okta_support: + id: okta.org.okta_support + name: okta_support + title: Okta Support + methods: + extend_okta_support: + operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaSupport~1extend/post' + response: + mediaType: '' + openAPIDocKey: '' + grant_okta_support: + operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaSupport~1grant/post' + response: + mediaType: '' + openAPIDocKey: '' + revoke_okta_support: + 
operation: + $ref: '#/paths/~1api~1v1~1org~1privacy~1oktaSupport~1revoke/post' + response: + mediaType: '' + openAPIDocKey: '' + sqlVerbs: + select: [] + insert: + - $ref: >- + #/components/x-stackQL-resources/okta_support/methods/grant_okta_support + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/okta_support/methods/revoke_okta_support + replace: [] + auto_assign_admin_app_setting: + id: okta.org.auto_assign_admin_app_setting + name: auto_assign_admin_app_setting + title: Auto Assign Admin App Setting + methods: + get_auto_assign_admin_app_setting: + operation: + $ref: '#/paths/~1api~1v1~1org~1settings~1autoAssignAdminAppSetting/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_auto_assign_admin_app_setting: + operation: + $ref: '#/paths/~1api~1v1~1org~1settings~1autoAssignAdminAppSetting/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/auto_assign_admin_app_setting/methods/get_auto_assign_admin_app_setting + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/auto_assign_admin_app_setting/methods/update_auto_assign_admin_app_setting + delete: [] + replace: [] + client_privileges_setting: + id: okta.org.client_privileges_setting + name: client_privileges_setting + title: Client Privileges Setting + methods: + get_client_privileges_setting: + operation: + $ref: '#/paths/~1api~1v1~1org~1settings~1clientPrivilegesSetting/get' + response: + mediaType: application/json + openAPIDocKey: '200' + assign_client_privileges_setting: + operation: + $ref: '#/paths/~1api~1v1~1org~1settings~1clientPrivilegesSetting/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/client_privileges_setting/methods/get_client_privileges_setting + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + 
#/components/x-stackQL-resources/client_privileges_setting/methods/assign_client_privileges_setting
 servers:
-- url: https://{subdomain}.okta.com/
- variables:
- subdomain:
- default: my-domain
+ - url: https://{subdomain}.okta.com/
+ variables:
+ subdomain:
+ default: my-org
+ description: >-
+ The domain of your organization. This can be a provided subdomain of
+ an official okta domain (okta.com, oktapreview.com, etc) or one of
+ your configured custom domains.
diff --git a/providers/src/okta/v00.00.00000/services/Policy.yaml b/providers/src/okta/v00.00.00000/services/Policy.yaml
deleted file mode 100644
index 9835d76a..00000000
--- a/providers/src/okta/v00.00.00000/services/Policy.yaml
+++ /dev/null
@@ -1,1655 +0,0 @@ -components: - schemas: - AppAndInstanceConditionEvaluatorAppOrInstance: - properties: - id: - readOnly: true - type: string - name: - type: string - type: - enum: - - APP_TYPE - - APP - type: string - type: object - x-okta-tags: - - Policy - AppAndInstancePolicyRuleCondition: - properties: - exclude: - items: - $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' - type: array - include: - items: - $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' - type: array - type: object - x-okta-tags: - - Policy - AppInstancePolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - BeforeScheduledActionPolicyRuleCondition: - properties: - duration: - $ref: '#/components/schemas/Duration' - lifecycleAction: - $ref: '#/components/schemas/ScheduledUserLifecycleAction' - type: object - x-okta-tags: - - Policy - ClientPolicyCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - ContextPolicyRuleCondition: - properties: - expression: - type: string - type: object - x-okta-tags: - - Policy - DevicePolicyRuleCondition: - properties: - migrated: - type: boolean - platform: - $ref: '#/components/schemas/DevicePolicyRuleConditionPlatform' - rooted: - type: boolean - trustLevel: - enum: - - ANY - - TRUSTED - type: string - type: object - x-okta-tags: - - Policy - DevicePolicyRuleConditionPlatform: - properties: - supportedMDMFrameworks: - items: - enum: - - AFW - - SAFE - - NATIVE - type: string - type: array - types: - items: - enum: - - IOS - - ANDROID - - OSX - - WINDOWS - type: string - type: array - type: object - x-okta-tags: - - Policy - Duration: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - GrantTypePolicyRuleCondition: - properties: - include: - items: - type: string - type: 
array - type: object - x-okta-tags: - - Policy - GroupCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - GroupPolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - IdentityProviderPolicy: - properties: - accountLink: - $ref: '#/components/schemas/PolicyAccountLink' - maxClockSkew: - type: integer - provisioning: - $ref: '#/components/schemas/Provisioning' - subject: - $ref: '#/components/schemas/PolicySubject' - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - IdentityProviderPolicyRuleCondition: - properties: - idpIds: - items: - type: string - type: array - provider: - enum: - - ANY - - OKTA - - SPECIFIC_IDP - type: string - type: object - x-okta-tags: - - Policy - InactivityPolicyRuleCondition: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - LifecycleExpirationPolicyRuleCondition: - properties: - lifecycleStatus: - type: string - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - MDMEnrollmentPolicyRuleCondition: - properties: - blockNonSafeAndroid: - type: boolean - enrollment: - enum: - - OMM - - ANY_OR_NONE - type: string - type: object - x-okta-tags: - - Policy - OAuth2ScopesMediationPolicyRuleCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - OAuthAuthorizationPolicy: - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - OktaSignOnPolicy: - properties: - conditions: - $ref: '#/components/schemas/OktaSignOnPolicyConditions' - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - OktaSignOnPolicyConditions: - properties: - people: - $ref: 
'#/components/schemas/PolicyPeopleCondition' - type: object - x-okta-parent: '#/components/schemas/PolicyRuleConditions' - x-okta-tags: - - Policy - OktaSignOnPolicyRule: - properties: - actions: - $ref: '#/components/schemas/OktaSignOnPolicyRuleActions' - conditions: - $ref: '#/components/schemas/OktaSignOnPolicyRuleConditions' - name: - type: string - type: object - x-okta-parent: '#/components/schemas/PolicyRule' - x-okta-tags: - - Policy - OktaSignOnPolicyRuleActions: - properties: - signon: - $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions' - type: object - x-okta-parent: '#/components/schemas/PolicyRuleActions' - x-okta-tags: - - Policy - OktaSignOnPolicyRuleConditions: - properties: - authContext: - $ref: '#/components/schemas/PolicyRuleAuthContextCondition' - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - type: object - x-okta-parent: '#/components/schemas/PolicyRuleConditions' - x-okta-tags: - - Policy - OktaSignOnPolicyRuleSignonActions: - properties: - access: - enum: - - ALLOW - - DENY - type: string - factorLifetime: - type: integer - factorPromptMode: - enum: - - ALWAYS - - DEVICE - - SESSION - type: string - rememberDeviceByDefault: - default: false - type: boolean - requireFactor: - default: false - type: boolean - session: - $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonSessionActions' - type: object - x-okta-tags: - - Policy - OktaSignOnPolicyRuleSignonSessionActions: - properties: - maxSessionIdleMinutes: - type: integer - maxSessionLifetimeMinutes: - type: integer - usePersistentCookie: - default: false - type: boolean - type: object - x-okta-tags: - - Policy - PasswordDictionary: - properties: - common: - $ref: '#/components/schemas/PasswordDictionaryCommon' - type: object - x-okta-tags: - - Policy - PasswordDictionaryCommon: - properties: - exclude: - default: false - type: boolean - type: object - x-okta-tags: - - Policy - 
PasswordExpirationPolicyRuleCondition: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicy: - properties: - conditions: - $ref: '#/components/schemas/PasswordPolicyConditions' - settings: - $ref: '#/components/schemas/PasswordPolicySettings' - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - PasswordPolicyAuthenticationProviderCondition: - properties: - include: - items: - type: string - type: array - provider: - enum: - - ACTIVE_DIRECTORY - - ANY - - LDAP - - OKTA - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyConditions: - properties: - authProvider: - $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - type: object - x-okta-parent: '#/components/schemas/PolicyRuleConditions' - x-okta-tags: - - Policy - PasswordPolicyDelegationSettings: - properties: - options: - $ref: '#/components/schemas/PasswordPolicyDelegationSettingsOptions' - type: object - x-okta-tags: - - Policy - PasswordPolicyDelegationSettingsOptions: - properties: - skipUnlock: - type: boolean - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettings: - properties: - age: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsAge' - complexity: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsComplexity' - lockout: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsLockout' - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettingsAge: - properties: - expireWarnDays: - type: integer - historyCount: - type: integer - maxAgeDays: - type: integer - minAgeMinutes: - type: integer - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettingsComplexity: - properties: - dictionary: - $ref: '#/components/schemas/PasswordDictionary' - excludeAttributes: - items: - type: string - type: array - excludeUsername: - default: true 
- type: boolean - minLength: - type: integer - minLowerCase: - type: integer - minNumber: - type: integer - minSymbol: - type: integer - minUpperCase: - type: integer - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettingsLockout: - properties: - autoUnlockMinutes: - type: integer - maxAttempts: - type: integer - showLockoutFailures: - type: boolean - userLockoutNotificationChannels: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryEmail: - properties: - properties: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmailProperties' - status: - enum: - - ACTIVE - - INACTIVE - readOnly: true - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryEmailProperties: - properties: - recoveryToken: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmailRecoveryToken' - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryEmailRecoveryToken: - properties: - tokenLifetimeMinutes: - type: integer - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryFactorSettings: - properties: - status: - default: INACTIVE - enum: - - ACTIVE - - INACTIVE - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryFactors: - properties: - okta_call: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' - okta_email: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmail' - okta_sms: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' - recovery_question: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestion' - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryQuestion: - properties: - properties: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionProperties' - status: - enum: - - ACTIVE - - INACTIVE - readOnly: true - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryQuestionComplexity: - properties: - minLength: - readOnly: true - type: integer - type: object - 
x-okta-tags: - - Policy - PasswordPolicyRecoveryQuestionProperties: - properties: - complexity: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionComplexity' - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoverySettings: - properties: - factors: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactors' - type: object - x-okta-tags: - - Policy - PasswordPolicyRule: - properties: - actions: - $ref: '#/components/schemas/PasswordPolicyRuleActions' - conditions: - $ref: '#/components/schemas/PasswordPolicyRuleConditions' - name: - type: string - type: object - x-okta-parent: '#/components/schemas/PolicyRule' - x-okta-tags: - - Policy - PasswordPolicyRuleAction: - properties: - access: - enum: - - ALLOW - - DENY - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyRuleActions: - properties: - passwordChange: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - selfServicePasswordReset: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - selfServiceUnlock: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - type: object - x-okta-parent: '#/components/schemas/PolicyRuleActions' - x-okta-tags: - - Policy - PasswordPolicyRuleConditions: - properties: - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - type: object - x-okta-parent: '#/components/schemas/PolicyRuleConditions' - x-okta-tags: - - Policy - PasswordPolicySettings: - properties: - delegation: - $ref: '#/components/schemas/PasswordPolicyDelegationSettings' - password: - $ref: '#/components/schemas/PasswordPolicyPasswordSettings' - recovery: - $ref: '#/components/schemas/PasswordPolicyRecoverySettings' - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatform: - properties: - os: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystem' - type: - enum: - - DESKTOP - - MOBILE - - OTHER - - ANY - type: string - type: object - x-okta-tags: 
- - Policy - PlatformConditionEvaluatorPlatformOperatingSystem: - properties: - expression: - type: string - type: - enum: - - ANDROID - - IOS - - WINDOWS - - OSX - - OTHER - - ANY - type: string - version: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystemVersion' - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatformOperatingSystemVersion: - properties: - matchType: - enum: - - EXPRESSION - - SEMVER - type: string - value: - type: string - type: object - x-okta-tags: - - Policy - PlatformPolicyRuleCondition: - properties: - exclude: - items: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' - type: array - include: - items: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' - type: array - type: object - x-okta-tags: - - Policy - Policy: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - created: - format: date-time - readOnly: true - type: string - description: - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - priority: - type: integer - status: - enum: - - ACTIVE - - INACTIVE - type: string - system: - type: boolean - type: - $ref: '#/components/schemas/PolicyType' - type: object - x-okta-crud: - - alias: read - arguments: - - dest: policyId - src: id - operationId: getPolicy - - alias: update - arguments: - - dest: policyId - src: id - - dest: policy - self: true - operationId: updatePolicy - - alias: delete - arguments: - - dest: policyId - src: id - operationId: deletePolicy - x-okta-operations: - - alias: activate - arguments: - - dest: policyId - src: id - operationId: activatePolicy - - alias: deactivate - arguments: - - dest: policyId - src: id - 
operationId: deactivatePolicy - - alias: listPolicyRules - arguments: - - dest: policyId - src: id - operationId: listPolicyRules - - alias: createRule - arguments: - - dest: policyId - src: id - operationId: createPolicyRule - - alias: getPolicyRule - arguments: - - dest: policyId - src: id - operationId: getPolicyRule - x-okta-tags: - - Policy - x-openapi-v3-discriminator: - mapping: - IDP_DISCOVERY: '#/components/schemas/IdentityProviderPolicy' - OAUTH_AUTHORIZATION_POLICY: '#/components/schemas/OAuthAuthorizationPolicy' - OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' - PASSWORD: '#/components/schemas/PasswordPolicy' - propertyName: type - PolicyAccountLink: - properties: - action: - enum: - - AUTO - - DISABLED - type: string - filter: - $ref: '#/components/schemas/PolicyAccountLinkFilter' - type: object - x-okta-tags: - - Policy - PolicyAccountLinkFilter: - properties: - groups: - $ref: '#/components/schemas/PolicyAccountLinkFilterGroups' - type: object - x-okta-tags: - - Policy - PolicyAccountLinkFilterGroups: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - PolicyNetworkCondition: - properties: - connection: - enum: - - ANYWHERE - - ZONE - type: string - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - PolicyPeopleCondition: - properties: - groups: - $ref: '#/components/schemas/GroupCondition' - users: - $ref: '#/components/schemas/UserCondition' - type: object - x-okta-tags: - - Policy - PolicyRule: - properties: - actions: - $ref: '#/components/schemas/PolicyRuleActions' - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - priority: - type: integer - status: - default: ACTIVE - enum: - - ACTIVE - - 
INACTIVE - type: string - system: - default: false - type: boolean - type: - enum: - - SIGN_ON - - PASSWORD - type: string - type: object - x-okta-crud: - - alias: update - arguments: - - dest: ruleId - src: id - - dest: policyRule - self: true - - dest: policyId - parentSrc: id - operationId: updatePolicyRule - - alias: delete - arguments: - - dest: ruleId - src: id - - dest: policyId - parentSrc: policyId - operationId: deletePolicyRule - x-okta-operations: - - alias: activate - arguments: - - dest: ruleId - src: id - - dest: policyId - parentSrc: policyId - operationId: activatePolicyRule - - alias: deactivate - arguments: - - dest: ruleId - src: id - - dest: policyId - parentSrc: policyId - operationId: deactivatePolicyRule - x-okta-tags: - - Policy - x-openapi-v3-discriminator: - mapping: - PASSWORD: '#/components/schemas/PasswordPolicyRule' - SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule' - propertyName: type - PolicyRuleActions: - properties: - enroll: - $ref: '#/components/schemas/PolicyRuleActionsEnroll' - passwordChange: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - selfServicePasswordReset: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - selfServiceUnlock: - $ref: '#/components/schemas/PasswordPolicyRuleAction' - signon: - $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions' - type: object - x-okta-tags: - - Policy - PolicyRuleActionsEnroll: - properties: - self: - $ref: '#/components/schemas/PolicyRuleActionsEnrollSelf' - type: object - x-okta-tags: - - Policy - PolicyRuleActionsEnrollSelf: - enum: - - CHALLENGE - - LOGIN - - NEVER - type: string - x-okta-tags: - - Policy - PolicyRuleAuthContextCondition: - properties: - authType: - enum: - - ANY - - RADIUS - type: string - type: object - x-okta-tags: - - Policy - PolicyRuleConditions: - properties: - app: - $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' - apps: - $ref: '#/components/schemas/AppInstancePolicyRuleCondition' - authContext: - $ref: 
'#/components/schemas/PolicyRuleAuthContextCondition' - authProvider: - $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' - beforeScheduledAction: - $ref: '#/components/schemas/BeforeScheduledActionPolicyRuleCondition' - clients: - $ref: '#/components/schemas/ClientPolicyCondition' - context: - $ref: '#/components/schemas/ContextPolicyRuleCondition' - device: - $ref: '#/components/schemas/DevicePolicyRuleCondition' - grantTypes: - $ref: '#/components/schemas/GrantTypePolicyRuleCondition' - groups: - $ref: '#/components/schemas/GroupPolicyRuleCondition' - identityProvider: - $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' - mdmEnrollment: - $ref: '#/components/schemas/MDMEnrollmentPolicyRuleCondition' - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - platform: - $ref: '#/components/schemas/PlatformPolicyRuleCondition' - risk: - $ref: '#/components/schemas/RiskPolicyRuleCondition' - riskScore: - $ref: '#/components/schemas/RiskScorePolicyRuleCondition' - scopes: - $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' - userIdentifier: - $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' - userStatus: - $ref: '#/components/schemas/UserStatusPolicyRuleCondition' - users: - $ref: '#/components/schemas/UserPolicyRuleCondition' - type: object - x-okta-tags: - - Policy - PolicySubject: - properties: - filter: - type: string - format: - items: - type: string - type: array - matchAttribute: - type: string - matchType: - $ref: '#/components/schemas/PolicySubjectMatchType' - userNameTemplate: - $ref: '#/components/schemas/PolicyUserNameTemplate' - type: object - x-okta-tags: - - Policy - PolicySubjectMatchType: - enum: - - USERNAME - - EMAIL - - USERNAME_OR_EMAIL - - CUSTOM_ATTRIBUTE - type: string - x-okta-tags: - - Policy - PolicyType: - enum: - - OAUTH_AUTHORIZATION_POLICY - - OKTA_SIGN_ON - - PASSWORD - - IDP_DISCOVERY - 
type: string - x-okta-tags: - - Policy - PolicyUserNameTemplate: - properties: - template: - type: string - type: object - x-okta-tags: - - Policy - Provisioning: - properties: - action: - enum: - - AUTO - - CALLOUT - - DISABLED - type: string - conditions: - $ref: '#/components/schemas/ProvisioningConditions' - groups: - $ref: '#/components/schemas/ProvisioningGroups' - profileMaster: - type: boolean - type: object - x-okta-tags: - - IdentityProvider - ProvisioningConditions: - properties: - deprovisioned: - $ref: '#/components/schemas/ProvisioningDeprovisionedCondition' - suspended: - $ref: '#/components/schemas/ProvisioningSuspendedCondition' - type: object - x-okta-tags: - - IdentityProvider - ProvisioningDeprovisionedCondition: - properties: - action: - enum: - - NONE - - REACTIVATE - type: string - type: object - x-okta-tags: - - IdentityProvider - ProvisioningGroups: - properties: - action: - enum: - - NONE - - APPEND - - SYNC - - ASSIGN - type: string - assignments: - items: - type: string - type: array - filter: - items: - type: string - type: array - sourceAttributeName: - type: string - type: object - x-okta-tags: - - IdentityProvider - ProvisioningSuspendedCondition: - properties: - action: - enum: - - NONE - - UNSUSPEND - type: string - type: object - x-okta-tags: - - IdentityProvider - RiskPolicyRuleCondition: - properties: - behaviors: - items: - type: string - type: array - uniqueItems: true - type: object - x-okta-tags: - - Policy - RiskScorePolicyRuleCondition: - properties: - level: - type: string - type: object - x-okta-tags: - - Policy - ScheduledUserLifecycleAction: - properties: - status: - enum: - - ACTIVE - - INACTIVE - - PENDING - - DELETED - - EXPIRED_PASSWORD - - ACTIVATING - - SUSPENDED - - DELETING - type: string - type: object - x-okta-tags: - - Policy - UserCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - 
UserIdentifierConditionEvaluatorPattern: - properties: - matchType: - enum: - - SUFFIX - - EXPRESSION - - STARTS_WITH - - EQUALS - - CONTAINS - type: string - value: - type: string - type: object - x-okta-tags: - - Policy - UserIdentifierPolicyRuleCondition: - properties: - attribute: - type: string - patterns: - items: - $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern' - type: array - type: - enum: - - IDENTIFIER - - ATTRIBUTE - type: string - type: object - x-okta-tags: - - Policy - UserIdentityProviderLinkRequest: - properties: - externalId: - type: string - type: object - x-okta-tags: - - Policy - UserLifecycleAttributePolicyRuleCondition: - properties: - attributeName: - type: string - matchingValue: - type: string - type: object - x-okta-tags: - - Policy - UserPolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - inactivity: - $ref: '#/components/schemas/InactivityPolicyRuleCondition' - include: - items: - type: string - type: array - lifecycleExpiration: - $ref: '#/components/schemas/LifecycleExpirationPolicyRuleCondition' - passwordExpiration: - $ref: '#/components/schemas/PasswordExpirationPolicyRuleCondition' - userLifecycleAttribute: - $ref: '#/components/schemas/UserLifecycleAttributePolicyRuleCondition' - type: object - x-okta-tags: - - Policy - UserStatusPolicyRuleCondition: - properties: - value: - enum: - - ACTIVE - - INACTIVE - - PENDING - - DELETED - - EXPIRED_PASSWORD - - ACTIVATING - - SUSPENDED - - DELETING - type: string - type: object - x-okta-tags: - - Policy - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - policies: - id: okta.policy.policies - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}~1lifecycle~1activate/post' - response: - openAPIDocKey: '200' - deactivate: - operation: - $ref: 
'#/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}~1lifecycle~1deactivate/post' - response: - openAPIDocKey: '204' - delete: - operation: - $ref: '#/paths/~1api~1v1~1policies~1{policyId}/delete' - response: - openAPIDocKey: '200' - get: - operation: - $ref: '#/paths/~1api~1v1~1policies~1{policyId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1policies/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1policies/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: policies - title: policies - rules: - id: okta.policy.rules - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}~1lifecycle~1activate/post' - response: - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}~1lifecycle~1deactivate/post' - response: - openAPIDocKey: '204' - delete: - operation: - $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1policies/get' - response: - mediaType: application/json - openAPIDocKey: '200' - put: - operation: - $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: rules - title: rules -externalDocs: - description: Find more info here - url: 
https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/policies: - get: - description: Gets all policies with the specified type. - operationId: listPolicies - parameters: - - in: query - name: type - required: true - schema: - type: string - - in: query - name: status - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Policy' - type: array - description: Success - security: - - api_token: [] - tags: - - Policy - post: - description: Creates a policy. - operationId: createPolicy - parameters: - - in: query - name: activate - schema: - default: true - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Policy' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Policy' - description: Success - security: - - api_token: [] - tags: - - Policy - x-codegen-request-body-name: policy - /api/v1/policies/{policyId}: - delete: - description: Removes a policy. - operationId: deletePolicy - parameters: - - in: path - name: policyId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - Policy - get: - description: Gets a policy. 
- operationId: getPolicy - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Policy' - description: Success - security: - - api_token: [] - tags: - - Policy - put: - description: Updates a policy. - operationId: updatePolicy - parameters: - - in: path - name: policyId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Policy' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Policy' - description: Success - security: - - api_token: [] - tags: - - Policy - x-codegen-request-body-name: policy - /api/v1/policies/{policyId}/lifecycle/activate: - post: - description: Activates a policy. - operationId: activatePolicy - parameters: - - in: path - name: policyId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Policy - /api/v1/policies/{policyId}/lifecycle/deactivate: - post: - description: Deactivates a policy. - operationId: deactivatePolicy - parameters: - - in: path - name: policyId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Policy - /api/v1/policies/{policyId}/rules: - get: - description: Enumerates all policy rules. - operationId: listPolicyRules - parameters: - - in: path - name: policyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/PolicyRule' - type: array - description: Success - security: - - api_token: [] - tags: - - Policy - post: - description: Creates a policy rule. 
- operationId: createPolicyRule - parameters: - - in: path - name: policyId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/PolicyRule' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/PolicyRule' - description: Success - security: - - api_token: [] - tags: - - Policy - x-codegen-request-body-name: policyRule - /api/v1/policies/{policyId}/rules/{ruleId}: - delete: - description: Removes a policy rule. - operationId: deletePolicyRule - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: ruleId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Policy - get: - description: Gets a policy rule. - operationId: getPolicyRule - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: ruleId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/PolicyRule' - description: Success - security: - - api_token: [] - tags: - - Policy - put: - description: Updates a policy rule. - operationId: updatePolicyRule - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: ruleId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/PolicyRule' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/PolicyRule' - description: Success - security: - - api_token: [] - tags: - - Policy - x-codegen-request-body-name: policyRule - /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate: - post: - description: Activates a policy rule. 
- operationId: activatePolicyRule - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: ruleId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - Policy - /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: - post: - description: Deactivates a policy rule. - operationId: deactivatePolicyRule - parameters: - - in: path - name: policyId - required: true - schema: - type: string - - in: path - name: ruleId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - Policy -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/ProfileMapping.yaml b/providers/src/okta/v00.00.00000/services/ProfileMapping.yaml deleted file mode 100644 index 36f5b56c..00000000 --- a/providers/src/okta/v00.00.00000/services/ProfileMapping.yaml +++ /dev/null 
@@ -1,213 +0,0 @@ -components: - schemas: - ProfileMapping: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - id: - readOnly: true - type: string - properties: - additionalProperties: - $ref: '#/components/schemas/ProfileMappingProperty' - readOnly: true - type: object - source: - $ref: '#/components/schemas/ProfileMappingSource' - target: - $ref: '#/components/schemas/ProfileMappingSource' - type: object - x-okta-crud: - - alias: read - arguments: - - dest: mappingId - src: id - operationId: getProfileMapping - - alias: update - arguments: - - dest: mappingId - src: id - operationId: updateProfileMapping - x-okta-tags: - - ProfileMapping - ProfileMappingProperty: - properties: - expression: - type: string - pushStatus: - $ref: '#/components/schemas/ProfileMappingPropertyPushStatus' - type: object - x-okta-tags: - - ProfileMapping - ProfileMappingPropertyPushStatus: - enum: - - PUSH - - DONT_PUSH - type: object - x-okta-tags: - - ProfileMapping - ProfileMappingSource: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - id: - readOnly: true - type: string - name: - readOnly: true - type: string - type: - readOnly: true - type: string - type: object - x-okta-tags: - - ProfileMapping - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - mappings: - id: okta.profilemapping.mappings - methods: - get: - operation: - $ref: '#/paths/~1api~1v1~1mappings~1{mappingId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1mappings~1{mappingId}/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1mappings/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: mappings - title: 
mappings -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/mappings: - get: - description: Enumerates Profile Mappings in your organization with pagination. - operationId: listProfileMappings - parameters: - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - default: -1 - format: int32 - type: integer - - in: query - name: sourceId - schema: - type: string - - in: query - name: targetId - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/ProfileMapping' - type: array - description: Success - security: - - api_token: [] - tags: - - ProfileMapping - /api/v1/mappings/{mappingId}: - get: - description: Fetches a single Profile Mapping referenced by its ID. - operationId: getProfileMapping - parameters: - - in: path - name: mappingId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/ProfileMapping' - description: Success - security: - - api_token: [] - summary: Get Profile Mapping - tags: - - ProfileMapping - post: - description: Updates an existing Profile Mapping by adding, updating, or removing - one or many Property Mappings. 
- operationId: updateProfileMapping - parameters: - - in: path - name: mappingId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/ProfileMapping' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/ProfileMapping' - description: Success - security: - - api_token: [] - summary: Update Profile Mapping - tags: - - ProfileMapping - x-codegen-request-body-name: profileMapping -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/Session.yaml b/providers/src/okta/v00.00.00000/services/Session.yaml deleted file mode 100644 index ffc16320..00000000 --- a/providers/src/okta/v00.00.00000/services/Session.yaml +++ /dev/null 
@@ -1,258 +0,0 @@ -components: - schemas: - CreateSessionRequest: - properties: - sessionToken: - type: string - type: object - x-okta-tags: - - Session - Session: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - amr: - items: - $ref: '#/components/schemas/SessionAuthenticationMethod' - readOnly: true - type: array - createdAt: - format: date-time - readOnly: true - type: string - expiresAt: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - idp: - $ref: '#/components/schemas/SessionIdentityProvider' - lastFactorVerification: - format: date-time - readOnly: true - type: string - lastPasswordVerification: - format: date-time - readOnly: true - type: string - login: - readOnly: true - type: string - status: - $ref: '#/components/schemas/SessionStatus' - userId: - readOnly: true - type: string - type: object - x-okta-crud: - - alias: read - arguments: - - dest: sessionId - src: id - operationId: getSession - - alias: delete - arguments: - - dest: sessionId - src: id - operationId: endSession - x-okta-operations: - - alias: refresh - arguments: - - dest: sessionId - src: id - operationId: refreshSession - x-okta-tags: - - Session - SessionAuthenticationMethod: - enum: - - pwd - - swk - - hwk - - otp - - sms - - tel - - geo - - fpt - - kba - - mfa - type: string - x-okta-tags: - - Session - SessionIdentityProvider: - properties: - id: - readOnly: true - type: string - type: - $ref: '#/components/schemas/SessionIdentityProviderType' - type: object - x-okta-tags: - - Session - SessionIdentityProviderType: - enum: - - ACTIVE_DIRECTORY - - LDAP - - OKTA - - FEDERATION - - SOCIAL - type: string - x-okta-tags: - - Session - SessionStatus: - enum: - - ACTIVE - - MFA_ENROLL - - MFA_REQUIRED - type: string - x-okta-tags: - - Session - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - 
sessions: - id: okta.session.sessions - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1sessions~1{sessionId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1sessions~1{sessionId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1sessions/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - refresh: - operation: - $ref: '#/paths/~1api~1v1~1sessions~1{sessionId}~1lifecycle~1refresh/post' - response: - mediaType: application/json - openAPIDocKey: '200' - name: sessions - title: sessions -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/sessions: - post: - description: Creates a new session for a user with a valid session token. Use - this API if, for example, you want to set the session cookie yourself instead - of allowing Okta to set it, or want to hold the session ID in order to delete - a session via the API instead of visiting the logout URL. 
- operationId: createSession - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/CreateSessionRequest' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Session' - description: Success - security: - - api_token: [] - summary: Create Session with Session Token - tags: - - Session - x-codegen-request-body-name: createSessionRequest - /api/v1/sessions/{sessionId}: - delete: - operationId: endSession - parameters: - - in: path - name: sessionId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Close Session - tags: - - Session - get: - description: Get details about a session. - operationId: getSession - parameters: - - in: path - name: sessionId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Session' - description: Success - security: - - api_token: [] - tags: - - Session - /api/v1/sessions/{sessionId}/lifecycle/refresh: - post: - operationId: refreshSession - parameters: - - in: path - name: sessionId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Session' - description: Success - security: - - api_token: [] - summary: Refresh Session - tags: - - Session -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/Template.yaml b/providers/src/okta/v00.00.00000/services/Template.yaml deleted file mode 100644 index d6bdb535..00000000 --- a/providers/src/okta/v00.00.00000/services/Template.yaml +++ /dev/null 
@@ -1,285 +0,0 @@ -components: - schemas: - SmsTemplate: - properties: - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - template: - type: string - translations: - $ref: '#/components/schemas/SmsTemplateTranslations' - type: - $ref: '#/components/schemas/SmsTemplateType' - type: object - x-okta-crud: - - alias: create - arguments: - - dest: smsTemplate - self: true - operationId: createSmsTemplate - - alias: read - arguments: [] - operationId: getSmsTemplate - - alias: update - arguments: - - dest: templateId - src: id - - dest: smsTemplate - self: true - operationId: updateSmsTemplate - - alias: delete - arguments: - - dest: templateId - src: id - operationId: deleteSmsTemplate - x-okta-operations: - - alias: partialUpdate - arguments: - - dest: templateId - src: id - - dest: smsTemplate - self: true - operationId: partialUpdateSmsTemplate - x-okta-tags: - - Template - SmsTemplateTranslations: - type: object - x-okta-extensible: true - x-okta-tags: - - Template - SmsTemplateType: - enum: - - SMS_VERIFY_CODE - type: string - x-okta-tags: - - Template - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - sms: - id: okta.template.sms - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1templates~1sms~1{templateId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1templates~1sms~1{templateId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1templates~1sms/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1templates~1sms/get' - response: - mediaType: application/json - openAPIDocKey: '200' - partialUpdate: - 
operation: - $ref: '#/paths/~1api~1v1~1templates~1sms~1{templateId}/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1templates~1sms~1{templateId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: sms - title: sms -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/templates/sms: - get: - description: Enumerates custom SMS templates in your organization. A subset - of templates can be returned that match a template type. - operationId: listSmsTemplates - parameters: - - in: query - name: templateType - schema: - type: string - x-openapi-v3-schema-ref: '#/components/schemas/SmsTemplateType' - x-openapi-v3-schema-ref: '#/components/schemas/SmsTemplateType' - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/SmsTemplate' - type: array - description: Success - security: - - api_token: [] - summary: List SMS Templates - tags: - - Template - post: - description: Adds a new custom SMS template to your organization. 
- operationId: createSmsTemplate - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/SmsTemplate' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/SmsTemplate' - description: Success - security: - - api_token: [] - summary: Add SMS Template - tags: - - Template - x-codegen-request-body-name: smsTemplate - /api/v1/templates/sms/{templateId}: - delete: - description: Removes an SMS template. - operationId: deleteSmsTemplate - parameters: - - in: path - name: templateId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Remove SMS Template - tags: - - Template - get: - description: Fetches a specific template by `id` - operationId: getSmsTemplate - parameters: - - in: path - name: templateId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/SmsTemplate' - description: Success - security: - - api_token: [] - summary: Get SMS Template - tags: - - Template - post: - description: 'Updates only some of the SMS template properties:' - operationId: partialUpdateSmsTemplate - parameters: - - in: path - name: templateId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/SmsTemplate' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/SmsTemplate' - description: Success - security: - - api_token: [] - summary: Partial SMS Template Update - tags: - - Template - x-codegen-request-body-name: smsTemplate - put: - description: Updates the SMS template. 
- operationId: updateSmsTemplate - parameters: - - in: path - name: templateId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/SmsTemplate' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/SmsTemplate' - description: Success - security: - - api_token: [] - summary: Update SMS Template - tags: - - Template - x-codegen-request-body-name: smsTemplate -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/ThreatInsight.yaml b/providers/src/okta/v00.00.00000/services/ThreatInsight.yaml deleted file mode 100644 index b3885de7..00000000 --- a/providers/src/okta/v00.00.00000/services/ThreatInsight.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -components: - schemas: - ThreatInsightConfiguration: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - action: - type: string - created: - format: date-time - readOnly: true - type: string - excludeZones: - items: - type: string - type: array - lastUpdated: - format: date-time - readOnly: true - type: string - type: object - x-okta-crud: - - alias: read - arguments: [] - operationId: getCurrentConfiguration - - alias: update - arguments: - - dest: threatInsightConfiguration - self: true - operationId: updateConfiguration - x-okta-tags: - - ThreatInsight - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - configuration: - id: okta.threatinsight.configuration - methods: - get: - operation: - $ref: '#/paths/~1api~1v1~1threats~1configuration/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: configuration - title: configuration -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/threats/configuration: - get: - description: Gets current ThreatInsight configuration - operationId: getCurrentConfiguration - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/ThreatInsightConfiguration' - description: Success - security: - - api_token: [] - tags: - - ThreatInsight - post: - description: Updates ThreatInsight configuration - operationId: updateConfiguration - requestBody: - content: - 
application/json: - schema: - $ref: '#/components/schemas/ThreatInsightConfiguration' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/ThreatInsightConfiguration' - description: Success - security: - - api_token: [] - tags: - - ThreatInsight - x-codegen-request-body-name: ThreatInsightConfiguration -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/TrustedOrigin.yaml b/providers/src/okta/v00.00.00000/services/TrustedOrigin.yaml deleted file mode 100644 index dbe1d20b..00000000 --- a/providers/src/okta/v00.00.00000/services/TrustedOrigin.yaml +++ /dev/null 
@@ -1,318 +0,0 @@ -components: - schemas: - Scope: - properties: - stringValue: - type: string - type: - $ref: '#/components/schemas/ScopeType' - type: object - x-okta-tags: - - Role - ScopeType: - enum: - - CORS - - REDIRECT - type: string - x-okta-tags: - - Role - TrustedOrigin: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - createdBy: - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - lastUpdatedBy: - type: string - name: - type: string - origin: - type: string - scopes: - items: - $ref: '#/components/schemas/Scope' - type: array - status: - type: string - type: object - x-okta-crud: - - alias: create - arguments: - - dest: trustedOrigin - self: true - operationId: createOrigin - - alias: read - arguments: [] - operationId: getOrigin - - alias: update - arguments: - - dest: trustedOriginId - src: id - - dest: trustedOrigin - self: true - operationId: updateOrigin - - alias: delete - arguments: - - dest: trustedOriginId - src: id - operationId: deleteOrigin - x-okta-tags: - - TrustedOrigin - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - trustedorigins: - id: okta.trustedorigin.trustedorigins - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1trustedOrigins~1{trustedOriginId}~1lifecycle~1activate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - deactivate: - operation: - $ref: '#/paths/~1api~1v1~1trustedOrigins~1{trustedOriginId}~1lifecycle~1deactivate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1trustedOrigins~1{trustedOriginId}/delete' - response: - openAPIDocKey: '200' - get: - operation: - $ref: '#/paths/~1api~1v1~1trustedOrigins~1{trustedOriginId}/get' - 
response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1trustedOrigins/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1trustedOrigins/get' - response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1trustedOrigins~1{trustedOriginId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: trustedorigins - title: trustedorigins -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/trustedOrigins: - get: - description: Success - operationId: listOrigins - parameters: - - in: query - name: q - schema: - type: string - - in: query - name: filter - schema: - type: string - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - default: -1 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/TrustedOrigin' - type: array - description: Success - security: - - api_token: [] - tags: - - TrustedOrigin - post: - description: Success - operationId: createOrigin - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/TrustedOrigin' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/TrustedOrigin' - description: Success - security: - - 
api_token: [] - tags: - - TrustedOrigin - x-codegen-request-body-name: trustedOrigin - /api/v1/trustedOrigins/{trustedOriginId}: - delete: - description: Success - operationId: deleteOrigin - parameters: - - in: path - name: trustedOriginId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - TrustedOrigin - get: - description: Success - operationId: getOrigin - parameters: - - in: path - name: trustedOriginId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/TrustedOrigin' - description: Success - security: - - api_token: [] - tags: - - TrustedOrigin - put: - description: Success - operationId: updateOrigin - parameters: - - in: path - name: trustedOriginId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/TrustedOrigin' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/TrustedOrigin' - description: Success - security: - - api_token: [] - tags: - - TrustedOrigin - x-codegen-request-body-name: trustedOrigin - /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/activate: - post: - description: Success - operationId: activateOrigin - parameters: - - in: path - name: trustedOriginId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/TrustedOrigin' - description: Success - security: - - api_token: [] - tags: - - TrustedOrigin - /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/deactivate: - post: - description: Success - operationId: deactivateOrigin - parameters: - - in: path - name: trustedOriginId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/TrustedOrigin' - description: Success - 
security: - - api_token: [] - tags: - - TrustedOrigin -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain diff --git a/providers/src/okta/v00.00.00000/services/User.yaml b/providers/src/okta/v00.00.00000/services/User.yaml deleted file mode 100644 index 8bf84c93..00000000 --- a/providers/src/okta/v00.00.00000/services/User.yaml +++ /dev/null 
@@ -1,4191 +0,0 @@ -components: - schemas: - AppAndInstanceConditionEvaluatorAppOrInstance: - properties: - id: - readOnly: true - type: string - name: - type: string - type: - enum: - - APP_TYPE - - APP - type: string - type: object - x-okta-tags: - - Policy - AppAndInstancePolicyRuleCondition: - properties: - exclude: - items: - $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' - type: array - include: - items: - $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' - type: array - type: object - x-okta-tags: - - Policy - AppInstancePolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - AppLink: - properties: - appAssignmentId: - readOnly: true - type: string - appInstanceId: - readOnly: true - type: string - appName: - readOnly: true - type: string - credentialsSetup: - readOnly: true - type: boolean - hidden: - readOnly: true - type: boolean - id: - readOnly: true - type: string - label: - readOnly: true - type: string - linkUrl: - readOnly: true - type: string - logoUrl: - readOnly: true - type: string - sortOrder: - readOnly: true - type: integer - type: object - x-okta-tags: - - User - AssignRoleRequest: - properties: - type: - $ref: '#/components/schemas/RoleType' - type: object - x-okta-tags: - - Role - AuthenticationProvider: - properties: - name: - type: string - type: - $ref: '#/components/schemas/AuthenticationProviderType' - type: object - x-okta-tags: - - User - AuthenticationProviderType: - enum: - - ACTIVE_DIRECTORY - - FEDERATION - - LDAP - - OKTA - - SOCIAL - - IMPORT - type: string - x-okta-tags: - - User - BeforeScheduledActionPolicyRuleCondition: - properties: - duration: - $ref: '#/components/schemas/Duration' - lifecycleAction: - $ref: '#/components/schemas/ScheduledUserLifecycleAction' - type: object - x-okta-tags: - - Policy - CatalogApplication: - properties: - _links: - 
additionalProperties: - properties: {} - type: object - readOnly: true - type: object - category: - type: string - description: - type: string - displayName: - type: string - features: - items: - type: string - type: array - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - signOnModes: - items: - type: string - type: array - status: - $ref: '#/components/schemas/CatalogApplicationStatus' - verificationStatus: - type: string - website: - type: string - type: object - x-okta-tags: - - Role - CatalogApplicationStatus: - enum: - - ACTIVE - - INACTIVE - type: string - x-okta-tags: - - Role - ChangePasswordRequest: - properties: - newPassword: - $ref: '#/components/schemas/PasswordCredential' - oldPassword: - $ref: '#/components/schemas/PasswordCredential' - type: object - x-okta-tags: - - User - ClientPolicyCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - ContextPolicyRuleCondition: - properties: - expression: - type: string - type: object - x-okta-tags: - - Policy - CreateUserRequest: - properties: - credentials: - $ref: '#/components/schemas/UserCredentials' - groupIds: - items: - type: string - type: array - profile: - $ref: '#/components/schemas/UserProfile' - type: - $ref: '#/components/schemas/UserType' - type: object - x-okta-tags: - - User - DevicePolicyRuleCondition: - properties: - migrated: - type: boolean - platform: - $ref: '#/components/schemas/DevicePolicyRuleConditionPlatform' - rooted: - type: boolean - trustLevel: - enum: - - ANY - - TRUSTED - type: string - type: object - x-okta-tags: - - Policy - DevicePolicyRuleConditionPlatform: - properties: - supportedMDMFrameworks: - items: - enum: - - AFW - - SAFE - - NATIVE - type: string - type: array - types: - items: - enum: - - IOS - - ANDROID - - OSX - - WINDOWS - type: string - type: array - type: object - x-okta-tags: - - Policy - Duration: - properties: - 
number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - ForgotPasswordResponse: - properties: - resetPasswordUrl: - readOnly: true - type: string - type: object - x-okta-tags: - - User - GrantTypePolicyRuleCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - Group: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - lastMembershipUpdated: - format: date-time - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - objectClass: - items: - type: string - readOnly: true - type: array - profile: - $ref: '#/components/schemas/GroupProfile' - type: - $ref: '#/components/schemas/GroupType' - type: object - x-okta-crud: - - alias: update - arguments: - - dest: groupId - src: id - - dest: group - self: true - operationId: updateGroup - - alias: delete - arguments: - - dest: groupId - src: id - operationId: deleteGroup - x-okta-operations: - - alias: removeUser - arguments: - - dest: groupId - src: id - operationId: removeUserFromGroup - - alias: listUsers - arguments: - - dest: groupId - src: id - operationId: listGroupUsers - - alias: listApplications - arguments: - - dest: groupId - src: id - operationId: listAssignedApplicationsForGroup - - alias: assignRole - arguments: - - dest: groupId - src: id - operationId: assignRoleToGroup - x-okta-tags: - - Group - GroupCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - GroupPolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: 
object - x-okta-tags: - - Policy - GroupProfile: - properties: - description: - type: string - name: - type: string - type: object - x-okta-extensible: true - x-okta-tags: - - Group - GroupType: - enum: - - OKTA_GROUP - - APP_GROUP - - BUILT_IN - type: string - x-okta-tags: - - Group - IdentityProvider: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - id: - readOnly: true - type: string - issuerMode: - enum: - - ORG_URL - - CUSTOM_URL - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - policy: - $ref: '#/components/schemas/IdentityProviderPolicy' - protocol: - $ref: '#/components/schemas/Protocol' - status: - enum: - - ACTIVE - - INACTIVE - type: string - type: - enum: - - SAML2 - - GOOGLE - - FACEBOOK - - LINKEDIN - - MICROSOFT - - OIDC - - OKTA - - IWA - - AgentlessDSSO - - X509 - type: string - type: object - x-okta-crud: - - alias: create - arguments: - - dest: idpTrust - self: true - operationId: createIdentityProvider - - alias: read - arguments: [] - operationId: getIdentityProvider - - alias: update - arguments: - - dest: idpId - src: id - - dest: idpTrust - self: true - operationId: updateIdentityProvider - - alias: delete - arguments: - - dest: idpId - src: id - operationId: deleteIdentityProvider - x-okta-operations: - - alias: listSigningCsrs - arguments: - - dest: idpId - src: id - operationId: listCsrsForIdentityProvider - - alias: generateCsr - arguments: - - dest: idpId - src: id - operationId: generateCsrForIdentityProvider - - alias: deleteSigningCsr - arguments: - - dest: idpId - src: id - operationId: revokeCsrForIdentityProvider - - alias: getSigningCsr - arguments: - - dest: idpId - src: id - operationId: getCsrForIdentityProvider - - alias: listSigningKeys - arguments: - - dest: idpId - src: id - operationId: listIdentityProviderSigningKeys - - alias: 
generateSigningKey - arguments: - - dest: idpId - src: id - operationId: generateIdentityProviderSigningKey - - alias: getSigningKey - arguments: - - dest: idpId - src: id - operationId: getIdentityProviderSigningKey - - alias: cloneKey - arguments: - - dest: idpId - src: id - operationId: cloneIdentityProviderKey - - alias: activate - arguments: - - dest: idpId - src: id - operationId: activateIdentityProvider - - alias: deactivate - arguments: - - dest: idpId - src: id - operationId: deactivateIdentityProvider - - alias: listUsers - arguments: - - dest: idpId - src: id - operationId: listIdentityProviderApplicationUsers - - alias: unlinkUser - arguments: - - dest: idpId - src: id - operationId: unlinkUserFromIdentityProvider - - alias: getUser - arguments: - - dest: idpId - src: id - operationId: getIdentityProviderApplicationUser - - alias: linkUser - arguments: - - dest: idpId - src: id - operationId: linkUserToIdentityProvider - - alias: listSocialAuthTokens - arguments: - - dest: idpId - src: id - operationId: listSocialAuthTokens - x-okta-tags: - - IdentityProvider - IdentityProviderCredentials: - properties: - client: - $ref: '#/components/schemas/IdentityProviderCredentialsClient' - signing: - $ref: '#/components/schemas/IdentityProviderCredentialsSigning' - trust: - $ref: '#/components/schemas/IdentityProviderCredentialsTrust' - type: object - x-okta-tags: - - IdentityProvider - IdentityProviderCredentialsClient: - properties: - client_id: - type: string - client_secret: - type: string - type: object - x-okta-tags: - - IdentityProvider - IdentityProviderCredentialsSigning: - properties: - kid: - type: string - type: object - x-okta-tags: - - IdentityProvider - IdentityProviderCredentialsTrust: - properties: - audience: - type: string - issuer: - type: string - kid: - type: string - revocation: - enum: - - CRL - - DELTA_CRL - - OCSP - type: string - revocationCacheLifetime: - type: integer - type: object - x-okta-tags: - - IdentityProvider - 
IdentityProviderPolicy: - properties: - accountLink: - $ref: '#/components/schemas/PolicyAccountLink' - maxClockSkew: - type: integer - provisioning: - $ref: '#/components/schemas/Provisioning' - subject: - $ref: '#/components/schemas/PolicySubject' - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - IdentityProviderPolicyRuleCondition: - properties: - idpIds: - items: - type: string - type: array - provider: - enum: - - ANY - - OKTA - - SPECIFIC_IDP - type: string - type: object - x-okta-tags: - - Policy - InactivityPolicyRuleCondition: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - LifecycleExpirationPolicyRuleCondition: - properties: - lifecycleStatus: - type: string - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - MDMEnrollmentPolicyRuleCondition: - properties: - blockNonSafeAndroid: - type: boolean - enrollment: - enum: - - OMM - - ANY_OR_NONE - type: string - type: object - x-okta-tags: - - Policy - OAuth2Actor: - properties: - id: - readOnly: true - type: string - type: - type: string - type: object - x-okta-tags: - - Application - OAuth2Client: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - client_id: - readOnly: true - type: string - client_name: - readOnly: true - type: string - client_uri: - readOnly: true - type: string - logo_uri: - readOnly: true - type: string - type: object - x-okta-tags: - - Application - OAuth2RefreshToken: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - clientId: - type: string - created: - format: date-time - readOnly: true - type: string - createdBy: - $ref: '#/components/schemas/OAuth2Actor' - expiresAt: - format: date-time - readOnly: true - type: string - 
id: - readOnly: true - type: string - issuer: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - scopes: - items: - type: string - type: array - status: - enum: - - ACTIVE - - REVOKED - type: string - userId: - type: string - type: object - x-okta-tags: - - Application - OAuth2ScopeConsentGrant: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - clientId: - type: string - created: - format: date-time - readOnly: true - type: string - createdBy: - $ref: '#/components/schemas/OAuth2Actor' - id: - readOnly: true - type: string - issuer: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - scopeId: - type: string - source: - $ref: '#/components/schemas/OAuth2ScopeConsentGrantSource' - status: - $ref: '#/components/schemas/OAuth2ScopeConsentGrantStatus' - userId: - type: string - type: object - x-okta-tags: - - Application - OAuth2ScopeConsentGrantSource: - enum: - - END_USER - - ADMIN - type: string - x-okta-tags: - - Application - OAuth2ScopeConsentGrantStatus: - enum: - - ACTIVE - - REVOKED - type: string - x-okta-tags: - - Application - OAuth2ScopesMediationPolicyRuleCondition: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Application - OAuthAuthorizationPolicy: - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - OktaSignOnPolicy: - properties: - conditions: - $ref: '#/components/schemas/OktaSignOnPolicyConditions' - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - OktaSignOnPolicyConditions: - properties: - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - type: object - x-okta-parent: '#/components/schemas/PolicyRuleConditions' - x-okta-tags: - - Policy - PasswordCredential: - properties: - hash: - 
$ref: '#/components/schemas/PasswordCredentialHash' - hook: - $ref: '#/components/schemas/PasswordCredentialHook' - value: - format: password - type: string - type: object - x-okta-tags: - - User - PasswordCredentialHash: - properties: - algorithm: - $ref: '#/components/schemas/PasswordCredentialHashAlgorithm' - salt: - type: string - saltOrder: - type: string - value: - type: string - workFactor: - type: integer - type: object - x-okta-tags: - - User - PasswordCredentialHashAlgorithm: - enum: - - BCRYPT - - SHA-512 - - SHA-256 - - SHA-1 - - MD5 - type: string - x-okta-tags: - - User - PasswordCredentialHook: - properties: - type: - type: string - type: object - x-okta-tags: - - User - PasswordDictionary: - properties: - common: - $ref: '#/components/schemas/PasswordDictionaryCommon' - type: object - x-okta-tags: - - Policy - PasswordDictionaryCommon: - properties: - exclude: - default: false - type: boolean - type: object - x-okta-tags: - - Policy - PasswordExpirationPolicyRuleCondition: - properties: - number: - type: integer - unit: - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicy: - properties: - conditions: - $ref: '#/components/schemas/PasswordPolicyConditions' - settings: - $ref: '#/components/schemas/PasswordPolicySettings' - type: object - x-okta-parent: '#/components/schemas/Policy' - x-okta-tags: - - Policy - PasswordPolicyAuthenticationProviderCondition: - properties: - include: - items: - type: string - type: array - provider: - enum: - - ACTIVE_DIRECTORY - - ANY - - LDAP - - OKTA - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyConditions: - properties: - authProvider: - $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - type: object - x-okta-parent: '#/components/schemas/PolicyRuleConditions' - x-okta-tags: - - Policy - PasswordPolicyDelegationSettings: - properties: - options: - $ref: 
'#/components/schemas/PasswordPolicyDelegationSettingsOptions' - type: object - x-okta-tags: - - Policy - PasswordPolicyDelegationSettingsOptions: - properties: - skipUnlock: - type: boolean - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettings: - properties: - age: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsAge' - complexity: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsComplexity' - lockout: - $ref: '#/components/schemas/PasswordPolicyPasswordSettingsLockout' - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettingsAge: - properties: - expireWarnDays: - type: integer - historyCount: - type: integer - maxAgeDays: - type: integer - minAgeMinutes: - type: integer - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettingsComplexity: - properties: - dictionary: - $ref: '#/components/schemas/PasswordDictionary' - excludeAttributes: - items: - type: string - type: array - excludeUsername: - default: true - type: boolean - minLength: - type: integer - minLowerCase: - type: integer - minNumber: - type: integer - minSymbol: - type: integer - minUpperCase: - type: integer - type: object - x-okta-tags: - - Policy - PasswordPolicyPasswordSettingsLockout: - properties: - autoUnlockMinutes: - type: integer - maxAttempts: - type: integer - showLockoutFailures: - type: boolean - userLockoutNotificationChannels: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryEmail: - properties: - properties: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmailProperties' - status: - enum: - - ACTIVE - - INACTIVE - readOnly: true - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryEmailProperties: - properties: - recoveryToken: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmailRecoveryToken' - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryEmailRecoveryToken: - properties: - tokenLifetimeMinutes: - type: 
integer - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryFactorSettings: - properties: - status: - default: INACTIVE - enum: - - ACTIVE - - INACTIVE - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryFactors: - properties: - okta_call: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' - okta_email: - $ref: '#/components/schemas/PasswordPolicyRecoveryEmail' - okta_sms: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' - recovery_question: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestion' - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryQuestion: - properties: - properties: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionProperties' - status: - enum: - - ACTIVE - - INACTIVE - readOnly: true - type: string - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryQuestionComplexity: - properties: - minLength: - readOnly: true - type: integer - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoveryQuestionProperties: - properties: - complexity: - $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionComplexity' - type: object - x-okta-tags: - - Policy - PasswordPolicyRecoverySettings: - properties: - factors: - $ref: '#/components/schemas/PasswordPolicyRecoveryFactors' - type: object - x-okta-tags: - - Policy - PasswordPolicySettings: - properties: - delegation: - $ref: '#/components/schemas/PasswordPolicyDelegationSettings' - password: - $ref: '#/components/schemas/PasswordPolicyPasswordSettings' - recovery: - $ref: '#/components/schemas/PasswordPolicyRecoverySettings' - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatform: - properties: - os: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystem' - type: - enum: - - DESKTOP - - MOBILE - - OTHER - - ANY - type: string - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatformOperatingSystem: - properties: - 
expression: - type: string - type: - enum: - - ANDROID - - IOS - - WINDOWS - - OSX - - OTHER - - ANY - type: string - version: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystemVersion' - type: object - x-okta-tags: - - Policy - PlatformConditionEvaluatorPlatformOperatingSystemVersion: - properties: - matchType: - enum: - - EXPRESSION - - SEMVER - type: string - value: - type: string - type: object - x-okta-tags: - - Policy - PlatformPolicyRuleCondition: - properties: - exclude: - items: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' - type: array - include: - items: - $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' - type: array - type: object - x-okta-tags: - - Policy - Policy: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - conditions: - $ref: '#/components/schemas/PolicyRuleConditions' - created: - format: date-time - readOnly: true - type: string - description: - type: string - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - name: - type: string - priority: - type: integer - status: - enum: - - ACTIVE - - INACTIVE - type: string - system: - type: boolean - type: - $ref: '#/components/schemas/PolicyType' - type: object - x-okta-crud: - - alias: read - arguments: - - dest: policyId - src: id - operationId: getPolicy - - alias: update - arguments: - - dest: policyId - src: id - - dest: policy - self: true - operationId: updatePolicy - - alias: delete - arguments: - - dest: policyId - src: id - operationId: deletePolicy - x-okta-operations: - - alias: activate - arguments: - - dest: policyId - src: id - operationId: activatePolicy - - alias: deactivate - arguments: - - dest: policyId - src: id - operationId: deactivatePolicy - - alias: listPolicyRules - arguments: - - dest: 
policyId - src: id - operationId: listPolicyRules - - alias: createRule - arguments: - - dest: policyId - src: id - operationId: createPolicyRule - - alias: getPolicyRule - arguments: - - dest: policyId - src: id - operationId: getPolicyRule - x-okta-tags: - - Policy - x-openapi-v3-discriminator: - mapping: - IDP_DISCOVERY: '#/components/schemas/IdentityProviderPolicy' - OAUTH_AUTHORIZATION_POLICY: '#/components/schemas/OAuthAuthorizationPolicy' - OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' - PASSWORD: '#/components/schemas/PasswordPolicy' - propertyName: type - PolicyAccountLink: - properties: - action: - enum: - - AUTO - - DISABLED - type: string - filter: - $ref: '#/components/schemas/PolicyAccountLinkFilter' - type: object - x-okta-tags: - - Policy - PolicyAccountLinkFilter: - properties: - groups: - $ref: '#/components/schemas/PolicyAccountLinkFilterGroups' - type: object - x-okta-tags: - - Policy - PolicyAccountLinkFilterGroups: - properties: - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - PolicyNetworkCondition: - properties: - connection: - enum: - - ANYWHERE - - ZONE - type: string - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - PolicyPeopleCondition: - properties: - groups: - $ref: '#/components/schemas/GroupCondition' - users: - $ref: '#/components/schemas/UserCondition' - type: object - x-okta-tags: - - Policy - PolicyRuleAuthContextCondition: - properties: - authType: - enum: - - ANY - - RADIUS - type: string - type: object - x-okta-tags: - - Policy - PolicyRuleConditions: - properties: - app: - $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' - apps: - $ref: '#/components/schemas/AppInstancePolicyRuleCondition' - authContext: - $ref: '#/components/schemas/PolicyRuleAuthContextCondition' - authProvider: - $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' - 
beforeScheduledAction: - $ref: '#/components/schemas/BeforeScheduledActionPolicyRuleCondition' - clients: - $ref: '#/components/schemas/ClientPolicyCondition' - context: - $ref: '#/components/schemas/ContextPolicyRuleCondition' - device: - $ref: '#/components/schemas/DevicePolicyRuleCondition' - grantTypes: - $ref: '#/components/schemas/GrantTypePolicyRuleCondition' - groups: - $ref: '#/components/schemas/GroupPolicyRuleCondition' - identityProvider: - $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' - mdmEnrollment: - $ref: '#/components/schemas/MDMEnrollmentPolicyRuleCondition' - network: - $ref: '#/components/schemas/PolicyNetworkCondition' - people: - $ref: '#/components/schemas/PolicyPeopleCondition' - platform: - $ref: '#/components/schemas/PlatformPolicyRuleCondition' - risk: - $ref: '#/components/schemas/RiskPolicyRuleCondition' - riskScore: - $ref: '#/components/schemas/RiskScorePolicyRuleCondition' - scopes: - $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' - userIdentifier: - $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' - userStatus: - $ref: '#/components/schemas/UserStatusPolicyRuleCondition' - users: - $ref: '#/components/schemas/UserPolicyRuleCondition' - type: object - x-okta-tags: - - Policy - PolicySubject: - properties: - filter: - type: string - format: - items: - type: string - type: array - matchAttribute: - type: string - matchType: - $ref: '#/components/schemas/PolicySubjectMatchType' - userNameTemplate: - $ref: '#/components/schemas/PolicyUserNameTemplate' - type: object - x-okta-tags: - - Policy - PolicySubjectMatchType: - enum: - - USERNAME - - EMAIL - - USERNAME_OR_EMAIL - - CUSTOM_ATTRIBUTE - type: string - x-okta-tags: - - Policy - PolicyType: - enum: - - OAUTH_AUTHORIZATION_POLICY - - OKTA_SIGN_ON - - PASSWORD - - IDP_DISCOVERY - type: string - x-okta-tags: - - Policy - PolicyUserNameTemplate: - properties: - template: - type: string - type: object - x-okta-tags: - - Policy - 
Protocol: - properties: - algorithms: - $ref: '#/components/schemas/ProtocolAlgorithms' - credentials: - $ref: '#/components/schemas/IdentityProviderCredentials' - endpoints: - $ref: '#/components/schemas/ProtocolEndpoints' - issuer: - $ref: '#/components/schemas/ProtocolEndpoint' - relayState: - $ref: '#/components/schemas/ProtocolRelayState' - scopes: - items: - type: string - type: array - settings: - $ref: '#/components/schemas/ProtocolSettings' - type: - enum: - - SAML2 - - OIDC - - OAUTH2 - - MTLS - type: string - type: object - x-okta-tags: - - IdentityProvider - ProtocolAlgorithmType: - properties: - signature: - $ref: '#/components/schemas/ProtocolAlgorithmTypeSignature' - type: object - x-okta-tags: - - IdentityProvider - ProtocolAlgorithmTypeSignature: - properties: - algorithm: - type: string - scope: - enum: - - RESPONSE - - TOKEN - - ANY - - REQUEST - - NONE - type: string - type: object - x-okta-tags: - - IdentityProvider - ProtocolAlgorithms: - properties: - request: - $ref: '#/components/schemas/ProtocolAlgorithmType' - response: - $ref: '#/components/schemas/ProtocolAlgorithmType' - type: object - x-okta-tags: - - IdentityProvider - ProtocolEndpoint: - properties: - binding: - enum: - - HTTP-POST - - HTTP-REDIRECT - type: string - destination: - type: string - type: - enum: - - INSTANCE - - ORG - type: string - url: - type: string - type: object - x-okta-tags: - - IdentityProvider - ProtocolEndpoints: - properties: - acs: - $ref: '#/components/schemas/ProtocolEndpoint' - authorization: - $ref: '#/components/schemas/ProtocolEndpoint' - jwks: - $ref: '#/components/schemas/ProtocolEndpoint' - metadata: - $ref: '#/components/schemas/ProtocolEndpoint' - slo: - $ref: '#/components/schemas/ProtocolEndpoint' - sso: - $ref: '#/components/schemas/ProtocolEndpoint' - token: - $ref: '#/components/schemas/ProtocolEndpoint' - userInfo: - $ref: '#/components/schemas/ProtocolEndpoint' - type: object - x-okta-tags: - - IdentityProvider - ProtocolRelayState: - 
properties: - format: - $ref: '#/components/schemas/ProtocolRelayStateFormat' - type: object - x-okta-tags: - - IdentityProvider - ProtocolRelayStateFormat: - enum: - - OPAQUE - - FROM_URL - type: string - x-okta-tags: - - IdentityProvider - ProtocolSettings: - properties: - nameFormat: - type: string - type: object - x-okta-tags: - - IdentityProvider - Provisioning: - properties: - action: - enum: - - AUTO - - CALLOUT - - DISABLED - type: string - conditions: - $ref: '#/components/schemas/ProvisioningConditions' - groups: - $ref: '#/components/schemas/ProvisioningGroups' - profileMaster: - type: boolean - type: object - x-okta-tags: - - IdentityProvider - ProvisioningConditions: - properties: - deprovisioned: - $ref: '#/components/schemas/ProvisioningDeprovisionedCondition' - suspended: - $ref: '#/components/schemas/ProvisioningSuspendedCondition' - type: object - x-okta-tags: - - IdentityProvider - ProvisioningDeprovisionedCondition: - properties: - action: - enum: - - NONE - - REACTIVATE - type: string - type: object - x-okta-tags: - - IdentityProvider - ProvisioningGroups: - properties: - action: - enum: - - NONE - - APPEND - - SYNC - - ASSIGN - type: string - assignments: - items: - type: string - type: array - filter: - items: - type: string - type: array - sourceAttributeName: - type: string - type: object - x-okta-tags: - - IdentityProvider - ProvisioningSuspendedCondition: - properties: - action: - enum: - - NONE - - UNSUSPEND - type: string - type: object - x-okta-tags: - - IdentityProvider - RecoveryQuestionCredential: - properties: - answer: - type: string - question: - type: string - type: object - x-okta-tags: - - User - ResetPasswordToken: - properties: - resetPasswordUrl: - readOnly: true - type: string - type: object - x-okta-tags: - - User - ResponseLinks: - type: object - x-okta-tags: - - User - RiskPolicyRuleCondition: - properties: - behaviors: - items: - type: string - type: array - uniqueItems: true - type: object - x-okta-tags: - - Policy - 
RiskScorePolicyRuleCondition: - properties: - level: - type: string - type: object - x-okta-tags: - - Policy - Role: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - assignmentType: - $ref: '#/components/schemas/RoleAssignmentType' - created: - format: date-time - readOnly: true - type: string - description: - type: string - id: - readOnly: true - type: string - label: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - status: - $ref: '#/components/schemas/RoleStatus' - type: - $ref: '#/components/schemas/RoleType' - type: object - x-okta-operations: - - alias: addAdminGroupTarget - arguments: - - dest: roleId - src: id - - dest: groupId - parentSrc: id - operationId: addGroupTargetToGroupAdministratorRoleForGroup - - alias: addAppInstanceTargetToAdminRole - arguments: - - dest: roleId - src: id - - dest: groupId - parentSrc: id - operationId: addApplicationInstanceTargetToAppAdminRoleGivenToGroup - - alias: addAppTargetToAdminRole - arguments: - - dest: roleId - src: id - - dest: groupId - parentSrc: id - operationId: addApplicationTargetToAdminRoleGivenToGroup - - alias: addAllAppsAsTargetToRole - arguments: - - dest: roleId - src: id - - dest: userId - parentSrc: id - operationId: addAllAppsAsTargetToRole - - alias: addAppTargetToAppAdminRoleForUser - arguments: - - dest: roleId - src: id - - dest: userId - parentSrc: id - operationId: addApplicationTargetToAppAdminRoleForUser - - alias: addAppTargetToAdminRoleForUser - arguments: - - dest: roleId - src: id - - dest: userId - parentSrc: id - operationId: addApplicationTargetToAdminRoleForUser - x-okta-tags: - - User - RoleAssignmentType: - enum: - - GROUP - - USER - type: string - x-okta-tags: - - Role - RoleStatus: - enum: - - ACTIVE - - INACTIVE - type: string - x-okta-tags: - - User - RoleType: - 
enum: - - SUPER_ADMIN - - ORG_ADMIN - - APP_ADMIN - - USER_ADMIN - - HELP_DESK_ADMIN - - READ_ONLY_ADMIN - - MOBILE_ADMIN - - API_ACCESS_MANAGEMENT_ADMIN - - REPORT_ADMIN - - GROUP_MEMBERSHIP_ADMIN - type: string - x-okta-tags: - - Role - ScheduledUserLifecycleAction: - properties: - status: - enum: - - ACTIVE - - INACTIVE - - PENDING - - DELETED - - EXPIRED_PASSWORD - - ACTIVATING - - SUSPENDED - - DELETING - type: string - type: object - x-okta-tags: - - Policy - TempPassword: - properties: - tempPassword: - readOnly: true - type: string - type: object - x-okta-tags: - - User - User: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - activated: - format: date-time - readOnly: true - type: string - created: - format: date-time - readOnly: true - type: string - credentials: - $ref: '#/components/schemas/UserCredentials' - id: - readOnly: true - type: string - lastLogin: - format: date-time - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - passwordChanged: - format: date-time - readOnly: true - type: string - profile: - $ref: '#/components/schemas/UserProfile' - status: - $ref: '#/components/schemas/UserStatus' - statusChanged: - format: date-time - readOnly: true - type: string - transitioningToStatus: - $ref: '#/components/schemas/UserStatus' - type: - $ref: '#/components/schemas/UserType' - type: object - x-okta-crud: - - alias: create - arguments: - - dest: user - self: true - operationId: createUser - - alias: read - arguments: [] - operationId: getUser - - alias: update - arguments: - - dest: userId - src: id - - dest: user - self: true - operationId: updateUser - - alias: delete - arguments: - - dest: userId - src: id - - dest: user - self: true - operationId: deactivateOrDeleteUser - x-okta-operations: - - alias: listAppLinks - arguments: - - 
dest: userId - src: id - operationId: listAppLinks - - alias: changePassword - arguments: - - dest: userId - src: id - operationId: changePassword - - alias: changeRecoveryQuestion - arguments: - - dest: userId - src: id - operationId: changeRecoveryQuestion - - alias: forgotPasswordSetNewPassword - arguments: - - dest: userId - src: id - operationId: forgotPasswordSetNewPassword - - alias: forgotPasswordGenerateOneTimeToken - arguments: - - dest: userId - src: id - operationId: forgotPasswordGenerateOneTimeToken - - alias: assignRole - arguments: - - dest: userId - src: id - operationId: assignRoleToUser - - alias: getRole - arguments: - - dest: userId - src: id - operationId: getUserRole - - alias: removeRole - arguments: - - dest: userId - src: id - operationId: removeRoleFromUser - - alias: listGroupTargets - arguments: - - dest: userId - src: id - operationId: listGroupTargetsForRole - - alias: removeGroupTarget - arguments: - - dest: userId - src: id - operationId: removeGroupTargetFromRole - - alias: addGroupTarget - arguments: - - dest: userId - src: id - operationId: addGroupTargetToRole - - alias: listAssignedRoles - arguments: - - dest: userId - src: id - operationId: listAssignedRolesForUser - - alias: addAllAppsAsTarget - arguments: - - dest: userId - src: id - operationId: addAllAppsAsTargetToRole - - alias: listGroups - arguments: - - dest: userId - src: id - operationId: listUserGroups - - alias: listGrants - arguments: - - dest: userId - src: id - operationId: listUserGrants - - alias: revokeGrants - arguments: - - dest: userId - src: id - operationId: revokeUserGrants - - alias: revokeGrant - arguments: - - dest: userId - src: id - operationId: revokeUserGrant - - alias: revokeGrantsForUserAndClient - arguments: - - dest: userId - src: id - operationId: revokeGrantsForUserAndClient - - alias: listRefreshTokensForUserAndClient - arguments: - - dest: userId - src: id - operationId: listRefreshTokensForUserAndClient - - alias: 
revokeTokenForUserAndClient - arguments: - - dest: userId - src: id - operationId: revokeTokenForUserAndClient - - alias: getRefreshTokenForUserAndClient - arguments: - - dest: userId - src: id - operationId: getRefreshTokenForUserAndClient - - alias: revokeTokensForUserAndClient - arguments: - - dest: userId - src: id - operationId: revokeTokensForUserAndClient - - alias: listClients - arguments: - - dest: userId - src: id - operationId: listUserClients - - alias: activate - arguments: - - dest: userId - src: id - operationId: activateUser - - alias: reactivate - arguments: - - dest: userId - src: id - operationId: reactivateUser - - alias: deactivate - arguments: - - dest: userId - src: id - operationId: deactivateUser - - alias: suspend - arguments: - - dest: userId - src: id - operationId: suspendUser - - alias: unsuspend - arguments: - - dest: userId - src: id - operationId: unsuspendUser - - alias: resetPassword - arguments: - - dest: userId - src: id - operationId: resetPassword - - alias: expirePassword - arguments: - - dest: userId - src: id - operationId: expirePassword - - alias: expirePasswordAndGetTemporaryPassword - arguments: - - dest: userId - src: id - operationId: expirePasswordAndGetTemporaryPassword - - alias: unlock - arguments: - - dest: userId - src: id - operationId: unlockUser - - alias: resetFactors - arguments: - - dest: userId - src: id - operationId: resetFactors - - alias: deleteFactor - arguments: - - dest: userId - src: id - operationId: deleteFactor - - alias: addToGroup - arguments: - - dest: userId - src: id - description: Adds a user to a group with 'OKTA_GROUP' type - operationId: addUserToGroup - - alias: enrollFactor - arguments: - - dest: userId - src: id - operationId: enrollFactor - - alias: listSupportedFactors - arguments: - - dest: userId - src: id - operationId: listSupportedFactors - - alias: listFactors - arguments: - - dest: userId - src: id - operationId: listFactors - - alias: listSupportedSecurityQuestions - 
arguments: - - dest: userId - src: id - operationId: listSupportedSecurityQuestions - - alias: getFactor - arguments: - - dest: userId - src: id - operationId: getFactor - - alias: setLinkedObject - arguments: - - dest: associatedUserId - src: id - operationId: setLinkedObjectForUser - - alias: listIdentityProviders - arguments: - - dest: userId - src: id - operationId: listUserIdentityProviders - - alias: getLinkedObjects - arguments: - - dest: userId - src: id - operationId: getLinkedObjectsForUser - - alias: clearSessions - arguments: - - dest: userId - src: id - operationId: clearUserSessions - - alias: removeLinkedObject - arguments: - - dest: userId - src: id - operationId: removeLinkedObjectForUser - x-okta-tags: - - User - UserActivationToken: - properties: - activationToken: - readOnly: true - type: string - activationUrl: - readOnly: true - type: string - type: object - x-okta-tags: - - User - UserCondition: - properties: - exclude: - items: - type: string - type: array - include: - items: - type: string - type: array - type: object - x-okta-tags: - - Policy - UserCredentials: - properties: - password: - $ref: '#/components/schemas/PasswordCredential' - provider: - $ref: '#/components/schemas/AuthenticationProvider' - recovery_question: - $ref: '#/components/schemas/RecoveryQuestionCredential' - type: object - x-okta-tags: - - User - UserIdentifierConditionEvaluatorPattern: - properties: - matchType: - enum: - - SUFFIX - - EXPRESSION - - STARTS_WITH - - EQUALS - - CONTAINS - type: string - value: - type: string - type: object - x-okta-tags: - - Policy - UserIdentifierPolicyRuleCondition: - properties: - attribute: - type: string - patterns: - items: - $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern' - type: array - type: - enum: - - IDENTIFIER - - ATTRIBUTE - type: string - type: object - x-okta-tags: - - Policy - UserLifecycleAttributePolicyRuleCondition: - properties: - attributeName: - type: string - matchingValue: - type: string - 
type: object - x-okta-tags: - - Policy - UserNextLogin: - enum: - - changePassword - type: string - x-okta-tags: - - User - UserPolicyRuleCondition: - properties: - exclude: - items: - type: string - type: array - inactivity: - $ref: '#/components/schemas/InactivityPolicyRuleCondition' - include: - items: - type: string - type: array - lifecycleExpiration: - $ref: '#/components/schemas/LifecycleExpirationPolicyRuleCondition' - passwordExpiration: - $ref: '#/components/schemas/PasswordExpirationPolicyRuleCondition' - userLifecycleAttribute: - $ref: '#/components/schemas/UserLifecycleAttributePolicyRuleCondition' - type: object - x-okta-tags: - - Policy - UserProfile: - properties: - city: - type: string - costCenter: - type: string - countryCode: - type: string - department: - type: string - displayName: - type: string - division: - type: string - email: - type: string - employeeNumber: - type: string - firstName: - type: string - honorificPrefix: - type: string - honorificSuffix: - type: string - lastName: - type: string - locale: - type: string - login: - type: string - manager: - type: string - managerId: - type: string - middleName: - type: string - mobilePhone: - type: string - nickName: - type: string - organization: - type: string - postalAddress: - type: string - preferredLanguage: - type: string - primaryPhone: - type: string - profileUrl: - type: string - secondEmail: - type: string - state: - type: string - streetAddress: - type: string - timezone: - type: string - title: - type: string - userType: - type: string - zipCode: - type: string - type: object - x-okta-extensible: true - x-okta-tags: - - User - UserStatus: - enum: - - ACTIVE - - DEPROVISIONED - - LOCKED_OUT - - PASSWORD_EXPIRED - - PROVISIONED - - RECOVERY - - STAGED - - SUSPENDED - type: string - x-okta-tags: - - User - UserStatusPolicyRuleCondition: - properties: - value: - enum: - - ACTIVE - - INACTIVE - - PENDING - - DELETED - - EXPIRED_PASSWORD - - ACTIVATING - - SUSPENDED - - DELETING - 
type: string - type: object - x-okta-tags: - - Policy - UserType: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - createdBy: - readOnly: true - type: string - default: - readOnly: true - type: boolean - description: - type: string - displayName: - type: string - id: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - lastUpdatedBy: - readOnly: true - type: string - name: - type: string - type: object - x-okta-crud: - - alias: create - arguments: - - dest: userType - self: true - operationId: createUserType - - alias: update - arguments: - - dest: typeId - src: id - - dest: userType - self: true - operationId: updateUserType - - alias: read - arguments: - - dest: typeId - src: id - operationId: getUserType - - alias: delete - arguments: - - dest: typeId - src: id - operationId: deleteUserType - x-okta-operations: - - alias: replaceUserType - arguments: - - dest: roleId - src: id - operationId: replaceUserType - x-okta-tags: - - UserType - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - appadmintargets: - id: okta.user.appadmintargets - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}~1targets~1catalog~1apps~1{appName}~1{applicationId}/delete' - response: - openAPIDocKey: '204' - insert: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}~1targets~1catalog~1apps~1{appName}~1{applicationId}/put' - response: - openAPIDocKey: '204' - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}~1targets~1catalog~1apps/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: appadmintargets - title: appadmintargets - appadmintargetsall: - id: okta.user.appadmintargetsall - methods: - insert: - operation: - $ref: 
'#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}~1targets~1catalog~1apps/put' - response: - openAPIDocKey: '200' - name: appadmintargetsall - title: appadmintargetsall - appinstanceadmintargets: - id: okta.user.appinstanceadmintargets - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}~1targets~1catalog~1apps~1{appName}~1{applicationId}/delete' - response: - openAPIDocKey: '204' - insert: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}~1targets~1catalog~1apps~1{appName}~1{applicationId}/put' - response: - openAPIDocKey: '204' - name: appinstanceadmintargets - title: appinstanceadmintargets - applinks: - id: okta.user.applinks - methods: - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1appLinks/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: applinks - title: applinks - clientgrants: - id: okta.user.clientgrants - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1grants/delete' - response: - openAPIDocKey: '204' - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1grants/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: clientgrants - title: clientgrants - clients: - id: okta.user.clients - methods: - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1clients/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: clients - title: clients - clienttokens: - id: okta.user.clienttokens - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1tokens~1{tokenId}/delete' - response: - openAPIDocKey: '204' - deleteAll: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1tokens/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1tokens~1{tokenId}/get' - response: - 
mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1tokens/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: clienttokens - title: clienttokens - grants: - id: okta.user.grants - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1grants~1{grantId}/delete' - response: - openAPIDocKey: '204' - deleteAll: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1grants/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1grants~1{grantId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1grants/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: grants - title: grants - grouptargets: - id: okta.user.grouptargets - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}~1targets~1groups~1{groupId}/put' - response: - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}~1targets~1groups~1{groupId}/put' - response: - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}~1targets~1groups/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: grouptargets - title: grouptargets - idps: - id: okta.user.idps - methods: - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1idps/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: idps - title: idps - linkedobject: - id: okta.user.linkedobject - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1linkedObjects~1{relationshipName}/delete' - response: - openAPIDocKey: '204' - # list: - # operation: - # $ref: '#/paths/~1api~1v1~1users~1{userId}~1linkedObjects~1{relationshipName}/get' - # response: - # mediaType: 
application/json - # openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1users~1{associatedUserId}~1linkedObjects~1{primaryRelationshipName}~1{primaryUserId}/put' - response: - openAPIDocKey: '204' - name: linkedobject - title: linkedobject - sqlVerbs: - select: [] - insert: [] - update: [] - delete: - - $ref: '#/components/x-stackQL-resources/linkedobject/methods/delete' - roles: - id: okta.user.roles - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '201' - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: roles - title: roles - sessions: - id: okta.user.sessions - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1sessions/delete' - response: - openAPIDocKey: '204' - name: sessions - title: sessions - users: - id: okta.user.users - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1lifecycle~1activate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - changePassword: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1credentials~1change_password/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - changeRecoveryQuestion: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1credentials~1change_recovery_question/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - deactivate: - operation: - $ref: 
'#/paths/~1api~1v1~1users~1{userId}~1lifecycle~1deactivate/post' - response: - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}/delete' - response: - openAPIDocKey: '202' - expirePassword: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1lifecycle~1expire_password?tempPassword=false/post' - response: - mediaType: application/json - openAPIDocKey: '200' - expirePasswordTemp: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1lifecycle~1expire_password?tempPassword=true/post' - response: - mediaType: application/json - openAPIDocKey: '200' - forgotPassword: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1credentials~1forgot_password/post' - response: - mediaType: application/json - openAPIDocKey: '200' - get: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1users/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1users/get' - response: - mediaType: application/json - openAPIDocKey: '200' - reactivate: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1lifecycle~1reactivate/post' - response: - mediaType: application/json - openAPIDocKey: '200' - resetFactors: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1lifecycle~1reset_factors/post' - response: - openAPIDocKey: '200' - resetPassword: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1lifecycle~1reset_password/post' - response: - mediaType: application/json - openAPIDocKey: '200' - suspend: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1lifecycle~1suspend/post' - response: - openAPIDocKey: '200' - unlock: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1lifecycle~1unlock/post' - response: - openAPIDocKey: '200' - unsuspend: - operation: - $ref: 
'#/paths/~1api~1v1~1users~1{userId}~1lifecycle~1unsuspend/post' - response: - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: users - title: users -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/users: - get: - description: Lists users in your organization with pagination in most cases. A - subset of users can be returned that match a supported filter expression or - search criteria. 
- operationId: listUsers - parameters: - - description: Finds a user that matches firstName, lastName, and email properties - in: query - name: q - schema: - type: string - - description: Specifies the pagination cursor for the next page of users - in: query - name: after - schema: - type: string - - description: Specifies the number of results returned - in: query - name: limit - schema: - default: 10 - format: int32 - type: integer - - description: Filters users with a supported expression for a subset of properties - in: query - name: filter - schema: - type: string - - description: Searches for users with a supported filtering expression for - most properties - in: query - name: search - schema: - type: string - - in: query - name: sortBy - schema: - type: string - - in: query - name: sortOrder - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/User' - type: array - description: Success - security: - - api_token: [] - summary: List Users - tags: - - User - post: - description: Creates a new user in your Okta organization with or without credentials. - operationId: createUser - parameters: - - description: Executes activation lifecycle operation when creating the user - in: query - name: activate - schema: - default: true - type: boolean - - description: Indicates whether to create a user with a specified authentication - provider - in: query - name: provider - schema: - default: false - type: boolean - - description: With activate=true, set nextLogin to "changePassword" to have - the password be EXPIRED, so user must change it the next time they log in. 
- in: query - name: nextLogin - schema: - type: string - x-okta-added-version: 0.14.0 - x-openapi-v3-schema-ref: '#/components/schemas/UserNextLogin' - x-okta-added-version: 0.14.0 - x-openapi-v3-schema-ref: '#/components/schemas/UserNextLogin' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/CreateUserRequest' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/User' - description: Success - security: - - api_token: [] - summary: Create User - tags: - - User - x-codegen-request-body-name: body - /api/v1/users/{associatedUserId}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: - put: - operationId: setLinkedObjectForUser - parameters: - - in: path - name: associatedUserId - required: true - schema: - type: string - - in: path - name: primaryRelationshipName - required: true - schema: - type: string - - in: path - name: primaryUserId - required: true - schema: - type: string - responses: - '204': - content: {} - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}: - delete: - description: Deletes a user permanently. This operation can only be performed - on users that have a `DEPROVISIONED` status. **This action cannot be recovered!** - operationId: deactivateOrDeleteUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: sendEmail - schema: - default: false - type: boolean - x-okta-added-version: 1.5.0 - x-okta-added-version: 1.5.0 - responses: - '202': - content: {} - description: ACCEPTED - security: - - api_token: [] - summary: Delete User - tags: - - User - get: - description: Fetches a user from your Okta organization. 
- operationId: getUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/User' - description: Success - security: - - api_token: [] - summary: Get User - tags: - - User - post: - description: Fetch a user by `id`, `login`, or `login shortname` if the short - name is unambiguous. - operationId: partialUpdateUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: strict - schema: - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/User' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/User' - description: Success - security: - - api_token: [] - tags: - - User - x-codegen-request-body-name: user - put: - description: Update a user's profile and/or credentials using strict-update - semantics. - operationId: updateUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: strict - schema: - type: boolean - x-okta-added-version: 1.10.0 - x-okta-added-version: 1.10.0 - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/User' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/User' - description: Success - security: - - api_token: [] - summary: Update User - tags: - - User - x-codegen-request-body-name: user - /api/v1/users/{userId}/appLinks: - get: - description: Fetches appLinks for all direct or indirect (via group membership) - assigned applications. 
- operationId: listAppLinks - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/AppLink' - type: array - description: Success - security: - - api_token: [] - summary: Get Assigned App Links - tags: - - User - /api/v1/users/{userId}/clients: - get: - description: Lists all client resources for which the specified user has grants - or tokens. - operationId: listUserClients - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/OAuth2Client' - type: array - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/clients/{clientId}/grants: - delete: - description: Revokes all grants for the specified user and client - operationId: revokeGrantsForUserAndClient - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: clientId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - User - get: - description: Lists all grants for a specified user and client - operationId: listGrantsForUserAndClient - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: clientId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' - type: array - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/clients/{clientId}/tokens: - delete: - description: Revokes all refresh 
tokens issued for the specified User and Client. - operationId: revokeTokensForUserAndClient - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: clientId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - User - get: - description: Lists all refresh tokens issued for the specified User and Client. - operationId: listRefreshTokensForUserAndClient - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: clientId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/OAuth2RefreshToken' - type: array - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}: - delete: - description: Revokes the specified refresh token. - operationId: revokeTokenForUserAndClient - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: clientId - required: true - schema: - type: string - - in: path - name: tokenId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - User - get: - description: Gets a refresh token issued for the specified User and Client. 
- operationId: getRefreshTokenForUserAndClient - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: clientId - required: true - schema: - type: string - - in: path - name: tokenId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - - in: query - name: limit - schema: - default: 20 - type: integer - - in: query - name: after - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2RefreshToken' - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/credentials/change_password: - post: - description: Changes a user's password by validating the user's current password. - This operation can only be performed on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, - or `RECOVERY` status that have a valid password credential - operationId: changePassword - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: strict - schema: - type: boolean - x-okta-added-version: 1.10.0 - x-okta-added-version: 1.10.0 - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/ChangePasswordRequest' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserCredentials' - description: Success - security: - - api_token: [] - summary: Change Password - tags: - - User - x-codegen-request-body-name: changePasswordRequest - /api/v1/users/{userId}/credentials/change_recovery_question: - post: - description: Changes a user's recovery question & answer credential by validating - the user's current password. 
This operation can only be performed on users - in **STAGED**, **ACTIVE** or **RECOVERY** `status` that have a valid password - credential - operationId: changeRecoveryQuestion - parameters: - - in: path - name: userId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/UserCredentials' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserCredentials' - description: Success - security: - - api_token: [] - summary: Change Recovery Question - tags: - - User - x-codegen-request-body-name: userCredentials - /api/v1/users/{userId}/credentials/forgot_password: - post: - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/ForgotPasswordResponse' - description: Success - security: - - api_token: [] - summary: Forgot Password - tags: - - User - x-okta-multi-operation: - - description: Generates a one-time token (OTT) that can be used to reset a - user's password - operationId: forgotPasswordGenerateOneTimeToken - parameters: - - default: true - in: query - name: sendEmail - type: boolean - - description: Sets a new password for a user by validating the user's answer - to their current recovery question - operationId: forgotPasswordSetNewPassword - parameters: - - in: body - name: user - required: true - schema: - $ref: '#/components/schemas/UserCredentials' - - default: true - in: query - name: sendEmail - type: boolean - /api/v1/users/{userId}/grants: - delete: - description: Revokes all grants for a specified user - operationId: revokeUserGrants - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - User - get: - description: Lists all grants for the specified user - operationId: 
listUserGrants - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: scopeId - schema: - type: string - - in: query - name: expand - schema: - type: string - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' - type: array - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/grants/{grantId}: - delete: - description: Revokes one grant for a specified user - operationId: revokeUserGrant - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: grantId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - User - get: - description: Gets a grant for the specified user - operationId: getUserGrant - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: grantId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/OAuth2ScopeConsentGrant' - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/groups: - get: - description: Fetches the groups of which the user is a member. - operationId: listUserGroups - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Group' - type: array - description: Success - security: - - api_token: [] - summary: Get Member Groups - tags: - - User - /api/v1/users/{userId}/idps: - get: - description: Lists the IdPs associated with the user. 
- operationId: listUserIdentityProviders - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/IdentityProvider' - type: array - description: Success - security: - - api_token: [] - summary: Listing IdPs associated with a user - tags: - - User - /api/v1/users/{userId}/lifecycle/activate: - post: - description: Activates a user. This operation can only be performed on users - with a `STAGED` status. Activation of a user is an asynchronous operation. - The user will have the `transitioningToStatus` property with a value of `ACTIVE` - during activation to indicate that the user hasn't completed the asynchronous - operation. The user will have a status of `ACTIVE` when the activation process - is complete. - operationId: activateUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - description: Sends an activation email to the user if true - in: query - name: sendEmail - required: true - schema: - default: true - type: boolean - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserActivationToken' - description: Success - security: - - api_token: [] - summary: Activate User - tags: - - User - /api/v1/users/{userId}/lifecycle/deactivate: - post: - description: Deactivates a user. This operation can only be performed on users - that do not have a `DEPROVISIONED` status. Deactivation of a user is an asynchronous - operation. The user will have the `transitioningToStatus` property with a - value of `DEPROVISIONED` during deactivation to indicate that the user hasn't - completed the asynchronous operation. The user will have a status of `DEPROVISIONED` - when the deactivation process is complete. 
- operationId: deactivateUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: sendEmail - schema: - default: false - type: boolean - x-okta-added-version: 1.5.0 - x-okta-added-version: 1.5.0 - responses: - '200': - content: {} - description: OK - security: - - api_token: [] - summary: Deactivate User - tags: - - User - /api/v1/users/{userId}/lifecycle/expire_password?tempPassword=false: - post: - description: This operation transitions the user to the status of `PASSWORD_EXPIRED` - so that the user is required to change their password at their next login. - operationId: expirePassword - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/User' - description: Success - security: - - api_token: [] - summary: Expire Password - tags: - - User - /api/v1/users/{userId}/lifecycle/expire_password?tempPassword=true: - post: - description: This operation transitions the user to the status of `PASSWORD_EXPIRED` - and the user's password is reset to a temporary password that is returned. - operationId: expirePasswordAndGetTemporaryPassword - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/TempPassword' - description: Success - security: - - api_token: [] - summary: Expire Password - tags: - - User - /api/v1/users/{userId}/lifecycle/reactivate: - post: - description: Reactivates a user. This operation can only be performed on users - with a `PROVISIONED` status. This operation restarts the activation workflow - if for some reason the user activation was not completed when using the activationToken - from [Activate User](#activate-user). 
- operationId: reactivateUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - description: Sends an activation email to the user if true - in: query - name: sendEmail - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserActivationToken' - description: Success - security: - - api_token: [] - summary: Reactivate User - tags: - - User - /api/v1/users/{userId}/lifecycle/reset_factors: - post: - description: This operation resets all factors for the specified user. All MFA - factor enrollments returned to the unenrolled state. The user's status remains - ACTIVE. This link is present only if the user is currently enrolled in one - or more MFA factors. - operationId: resetFactors - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: {} - description: OK - security: - - api_token: [] - summary: Reset Factors - tags: - - User - /api/v1/users/{userId}/lifecycle/reset_password: - post: - description: Generates a one-time token (OTT) that can be used to reset a user's - password. The OTT link can be automatically emailed to the user or returned - to the API caller and distributed using a custom flow. - operationId: resetPassword - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: sendEmail - required: true - schema: - type: boolean - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/ResetPasswordToken' - description: Success - security: - - api_token: [] - summary: Reset Password - tags: - - User - /api/v1/users/{userId}/lifecycle/suspend: - post: - description: Suspends a user. This operation can only be performed on users - with an `ACTIVE` status. The user will have a status of `SUSPENDED` when - the process is complete. 
- operationId: suspendUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: {} - description: OK - security: - - api_token: [] - summary: Suspend User - tags: - - User - /api/v1/users/{userId}/lifecycle/unlock: - post: - description: Unlocks a user with a `LOCKED_OUT` status and returns them to `ACTIVE` - status. Users will be able to login with their current password. - operationId: unlockUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - summary: Unlock User - tags: - - User - /api/v1/users/{userId}/lifecycle/unsuspend: - post: - description: Unsuspends a user and returns them to the `ACTIVE` state. This - operation can only be performed on users that have a `SUSPENDED` status. - operationId: unsuspendUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - summary: Unsuspend User - tags: - - User - /api/v1/users/{userId}/linkedObjects/{relationshipName}: - delete: - description: Delete linked objects for a user, relationshipName can be ONLY - a primary relationship name - operationId: removeLinkedObjectForUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: relationshipName - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - User - get: - description: Get linked objects for a user, relationshipName can be a primary - or associated relationship name - operationId: getLinkedObjectsForUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: relationshipName - required: true - schema: - type: string - - in: query - name: after - schema: - type: string 
- - in: query - name: limit - schema: - default: -1 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/ResponseLinks' - type: array - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/roles: - get: - description: Lists all roles assigned to a user. - operationId: listAssignedRolesForUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: expand - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Role' - type: array - description: Success - security: - - api_token: [] - tags: - - User - post: - description: Assigns a role to a user. - operationId: assignRoleToUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: disableNotifications - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/AssignRoleRequest' - required: true - responses: - '201': - content: - application/json: - schema: - $ref: '#/components/schemas/Role' - description: Created - security: - - api_token: [] - tags: - - User - x-codegen-request-body-name: assignRoleRequest - /api/v1/users/{userId}/roles/{roleId}: - delete: - description: Unassigns a role from a user. - operationId: removeRoleFromUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - User - get: - description: Gets role that is assigne to user. 
- operationId: getUserRole - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Role' - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps: - get: - description: Lists all App targets for an `APP_ADMIN` Role assigned to a User. - This methods return list may include full Applications or Instances. The response - for an instance will have an `ID` value, while Application will not have an - ID. - operationId: listApplicationTargetsForApplicationAdministratorRoleForUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/CatalogApplication' - type: array - description: Success - security: - - api_token: [] - tags: - - User - put: - description: Success - operationId: addAllAppsAsTargetToRole - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}: - delete: - description: Success - operationId: removeApplicationTargetFromApplicationAdministratorRoleForUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: appName - required: true - schema: - type: string - responses: - 
'204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - User - put: - description: Success - operationId: addApplicationTargetToAdminRoleForUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: appName - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}/{applicationId}: - delete: - description: Remove App Instance Target to App Administrator Role given to a - User - operationId: removeApplicationTargetFromAdministratorRoleForUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: appName - required: true - schema: - type: string - - in: path - name: applicationId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Remove App Instance Target to App Administrator Role given to a User - tags: - - User - put: - description: Add App Instance Target to App Administrator Role given to a User - operationId: addApplicationTargetToAppAdminRoleForUser - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: appName - required: true - schema: - type: string - - in: path - name: applicationId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - summary: Add App Instance Target to App Administrator Role given to a User - tags: - - User - /api/v1/users/{userId}/roles/{roleId}/targets/groups: - get: - description: Success - operationId: 
listGroupTargetsForRole - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: query - name: after - schema: - type: string - - in: query - name: limit - schema: - default: 20 - format: int32 - type: integer - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/Group' - type: array - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/roles/{roleId}/targets/groups/{groupId}: - delete: - description: Success - operationId: removeGroupTargetFromRole - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: groupId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - User - put: - description: Success - operationId: addGroupTargetToRole - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: roleId - required: true - schema: - type: string - - in: path - name: groupId - required: true - schema: - type: string - responses: - '200': - content: {} - description: Success - security: - - api_token: [] - tags: - - User - /api/v1/users/{userId}/sessions: - delete: - description: Removes all active identity provider sessions. This forces the - user to authenticate on the next operation. Optionally revokes OpenID Connect - and OAuth refresh and access tokens issued to the user. 
- operationId: clearUserSessions - parameters: - - in: path - name: userId - required: true - schema: - type: string - - description: Revoke issued OpenID Connect and OAuth refresh and access tokens - in: query - name: oauthTokens - schema: - default: false - type: boolean - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - User -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain
diff --git a/providers/src/okta/v00.00.00000/services/UserFactor.yaml b/providers/src/okta/v00.00.00000/services/UserFactor.yaml
deleted file mode 100644
index bffa9eb0..00000000
--- a/providers/src/okta/v00.00.00000/services/UserFactor.yaml
+++ /dev/null
@@ -1,833 +0,0 @@ -components: - schemas: - ActivateFactorRequest: - properties: - attestation: - type: string - clientData: - type: string - passCode: - type: string - registrationData: - type: string - stateToken: - type: string - type: object - x-okta-tags: - - UserFactor - CallUserFactor: - properties: - profile: - $ref: '#/components/schemas/CallUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - CallUserFactorProfile: - properties: - phoneExtension: - type: string - phoneNumber: - type: string - type: object - x-okta-tags: - - UserFactor - CustomHotpUserFactor: - properties: - factorProfileId: - type: string - profile: - $ref: '#/components/schemas/CustomHotpUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - CustomHotpUserFactorProfile: - properties: - sharedSecret: - type: string - type: object - x-okta-tags: - - UserFactor - EmailUserFactor: - properties: - profile: - $ref: '#/components/schemas/EmailUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - EmailUserFactorProfile: - properties: - email: - type: string - type: object - x-okta-tags: - - UserFactor - FactorProvider: - enum: - - OKTA - - RSA - - FIDO - - GOOGLE - - SYMANTEC - - DUO - - YUBICO - - CUSTOM - type: string - x-okta-tags: - - UserFactor - FactorResultType: - enum: - - SUCCESS - - CHALLENGE - - WAITING - - FAILED - - REJECTED - - TIMEOUT - - TIME_WINDOW_EXCEEDED - - PASSCODE_REPLAYED - - ERROR - - CANCELLED - type: string - x-okta-tags: - - UserFactor - FactorStatus: - enum: - - PENDING_ACTIVATION - - ACTIVE - - INACTIVE - - NOT_SETUP - - ENROLLED - - DISABLED - - EXPIRED - type: string - x-okta-tags: - - UserFactor - FactorType: - enum: - - call - - email - - hotp - - push - - question - - sms - - token:hardware - - token:hotp - - token:software:totp - - token - - u2f - - web - - webauthn - type: 
string - x-okta-tags: - - UserFactor - HardwareUserFactor: - properties: - profile: - $ref: '#/components/schemas/HardwareUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - HardwareUserFactorProfile: - properties: - credentialId: - type: string - type: object - x-okta-tags: - - UserFactor - PushUserFactor: - properties: - expiresAt: - format: date-time - type: string - factorResult: - $ref: '#/components/schemas/FactorResultType' - profile: - $ref: '#/components/schemas/PushUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - PushUserFactorProfile: - properties: - credentialId: - type: string - deviceToken: - type: string - deviceType: - type: string - name: - type: string - platform: - type: string - version: - type: string - type: object - x-okta-tags: - - UserFactor - SecurityQuestion: - properties: - answer: - type: string - question: - type: string - questionText: - type: string - type: object - x-okta-tags: - - UserFactor - SecurityQuestionUserFactor: - properties: - profile: - $ref: '#/components/schemas/SecurityQuestionUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - SecurityQuestionUserFactorProfile: - properties: - answer: - type: string - question: - type: string - questionText: - type: string - type: object - x-okta-tags: - - UserFactor - SmsUserFactor: - properties: - profile: - $ref: '#/components/schemas/SmsUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - SmsUserFactorProfile: - properties: - phoneNumber: - type: string - type: object - x-okta-tags: - - UserFactor - TokenUserFactor: - properties: - profile: - $ref: '#/components/schemas/TokenUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - TokenUserFactorProfile: - 
properties: - credentialId: - type: string - type: object - x-okta-tags: - - UserFactor - TotpUserFactor: - properties: - profile: - $ref: '#/components/schemas/TotpUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - TotpUserFactorProfile: - properties: - credentialId: - type: string - type: object - x-okta-tags: - - UserFactor - U2fUserFactor: - properties: - profile: - $ref: '#/components/schemas/U2fUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - U2fUserFactorProfile: - properties: - credentialId: - type: string - type: object - x-okta-tags: - - UserFactor - UserFactor: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - factorType: - $ref: '#/components/schemas/FactorType' - id: - readOnly: true - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - provider: - $ref: '#/components/schemas/FactorProvider' - status: - $ref: '#/components/schemas/FactorStatus' - verify: - $ref: '#/components/schemas/VerifyFactorRequest' - type: object - x-okta-crud: - - alias: delete - arguments: - - dest: factorId - src: id - - dest: userId - parentSrc: id - operationId: deleteFactor - x-okta-operations: - - alias: activate - arguments: - - dest: factorId - src: id - - dest: userId - parentSrc: id - operationId: activateFactor - - alias: verify - arguments: - - dest: factorId - src: id - - dest: userId - parentSrc: id - operationId: verifyFactor - x-okta-tags: - - UserFactor - x-openapi-v3-discriminator: - mapping: - call: '#/components/schemas/CallUserFactor' - email: '#/components/schemas/EmailUserFactor' - hotp: '#/components/schemas/CustomHotpUserFactor' - push: 
'#/components/schemas/PushUserFactor' - question: '#/components/schemas/SecurityQuestionUserFactor' - sms: '#/components/schemas/SmsUserFactor' - token: '#/components/schemas/TokenUserFactor' - token:hardware: '#/components/schemas/HardwareUserFactor' - token:hotp: '#/components/schemas/CustomHotpUserFactor' - token:software:totp: '#/components/schemas/TotpUserFactor' - u2f: '#/components/schemas/U2fUserFactor' - web: '#/components/schemas/WebUserFactor' - webauthn: '#/components/schemas/WebAuthnUserFactor' - propertyName: factorType - VerifyFactorRequest: - properties: - activationToken: - type: string - answer: - type: string - attestation: - type: string - clientData: - type: string - nextPassCode: - type: string - passCode: - type: string - registrationData: - type: string - stateToken: - type: string - type: object - x-okta-tags: - - UserFactor - VerifyUserFactorResponse: - properties: - _embedded: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - expiresAt: - format: date-time - readOnly: true - type: string - factorResult: - enum: - - SUCCESS - - EXPIRED - - CHALLENGE - - WAITING - - FAILED - - REJECTED - - TIMEOUT - - TIME_WINDOW_EXCEEDED - - PASSCODE_REPLAYED - - ERROR - type: string - factorResultMessage: - type: string - type: object - x-okta-tags: - - UserFactor - WebAuthnUserFactor: - properties: - profile: - $ref: '#/components/schemas/WebAuthnUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - WebAuthnUserFactorProfile: - properties: - authenticatorName: - type: string - credentialId: - type: string - type: object - x-okta-tags: - - UserFactor - WebUserFactor: - properties: - profile: - $ref: '#/components/schemas/WebUserFactorProfile' - type: object - x-okta-parent: '#/components/schemas/UserFactor' - x-okta-tags: - - UserFactor - 
WebUserFactorProfile: - properties: - credentialId: - type: string - type: object - x-okta-tags: - - UserFactor - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - catalog: - id: okta.userfactor.catalog - methods: - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors~1catalog/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: catalog - title: catalog - factors: - id: okta.userfactor.factors - methods: - activate: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}~1lifecycle~1activate/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - delete: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors/get' - response: - mediaType: application/json - openAPIDocKey: '200' - verify: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}~1verify/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: factors - title: factors - questions: - id: okta.userfactor.questions - methods: - list: - operation: - $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors~1questions/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: questions - title: questions - transactions: - id: okta.userfactor.transactions - methods: - get: - operation: - $ref: 
'#/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}~1transactions~1{transactionId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: transactions - title: transactions -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/users/{userId}/factors: - get: - description: Enumerates all the enrolled factors for the specified user - operationId: listFactors - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/UserFactor' - type: array - description: Success - security: - - api_token: [] - tags: - - UserFactor - post: - description: Enrolls a user with a supported factor. 
- operationId: enrollFactor - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: query - name: updatePhone - schema: - default: false - type: boolean - - description: id of SMS template (only for SMS factor) - in: query - name: templateId - schema: - type: string - - in: query - name: tokenLifetimeSeconds - schema: - default: 300 - format: int32 - type: integer - x-okta-added-version: 1.3.0 - x-okta-added-version: 1.3.0 - - in: query - name: activate - schema: - default: false - type: boolean - x-okta-added-version: 1.3.0 - x-okta-added-version: 1.3.0 - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/UserFactor' - description: Factor - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserFactor' - description: Success - security: - - api_token: [] - summary: Enroll Factor - tags: - - UserFactor - x-codegen-request-body-name: body - /api/v1/users/{userId}/factors/catalog: - get: - description: Enumerates all the supported factors that can be enrolled for the - specified user - operationId: listSupportedFactors - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/UserFactor' - type: array - description: Success - security: - - api_token: [] - tags: - - UserFactor - /api/v1/users/{userId}/factors/questions: - get: - description: Enumerates all available security questions for a user's `question` - factor - operationId: listSupportedSecurityQuestions - parameters: - - in: path - name: userId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/SecurityQuestion' - type: array - description: Success - security: - - api_token: [] - tags: - - UserFactor - /api/v1/users/{userId}/factors/{factorId}: - delete: - description: 
Unenrolls an existing factor for the specified user, allowing the - user to enroll a new factor. - operationId: deleteFactor - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: factorId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - UserFactor - get: - description: Fetches a factor for the specified user - operationId: getFactor - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: factorId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserFactor' - description: Success - security: - - api_token: [] - tags: - - UserFactor - /api/v1/users/{userId}/factors/{factorId}/lifecycle/activate: - post: - description: The `sms` and `token:software:totp` factor types require activation - to complete the enrollment process. - operationId: activateFactor - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: factorId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/ActivateFactorRequest' - required: false - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserFactor' - description: Success - security: - - api_token: [] - summary: Activate Factor - tags: - - UserFactor - x-codegen-request-body-name: body - /api/v1/users/{userId}/factors/{factorId}/transactions/{transactionId}: - get: - description: Polls factors verification transaction for status. 
- operationId: getFactorTransactionStatus - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: factorId - required: true - schema: - type: string - - in: path - name: transactionId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/VerifyUserFactorResponse' - description: Success - security: - - api_token: [] - tags: - - UserFactor - /api/v1/users/{userId}/factors/{factorId}/verify: - post: - description: Verifies an OTP for a `token` or `token:hardware` factor - operationId: verifyFactor - parameters: - - in: path - name: userId - required: true - schema: - type: string - - in: path - name: factorId - required: true - schema: - type: string - - in: query - name: templateId - schema: - type: string - - in: query - name: tokenLifetimeSeconds - schema: - default: 300 - format: int32 - type: integer - x-okta-added-version: 1.3.0 - x-okta-added-version: 1.3.0 - - in: header - name: X-Forwarded-For - schema: - type: string - x-okta-added-version: 1.11.0 - x-okta-added-version: 1.11.0 - - in: header - name: User-Agent - schema: - type: string - x-okta-added-version: 1.11.0 - x-okta-added-version: 1.11.0 - - in: header - name: Accept-Language - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/VerifyFactorRequest' - required: false - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/VerifyUserFactorResponse' - description: Success - security: - - api_token: [] - summary: Verify MFA Factor - tags: - - UserFactor - x-codegen-request-body-name: body -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain
diff --git a/providers/src/okta/v00.00.00000/services/UserSchema.yaml b/providers/src/okta/v00.00.00000/services/UserSchema.yaml
deleted file mode 100644
index c731648e..00000000
--- a/providers/src/okta/v00.00.00000/services/UserSchema.yaml
+++ /dev/null
@@ -1,470 +0,0 @@ -components: - schemas: - UserSchema: - properties: - $schema: - readOnly: true - type: string - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - readOnly: true - type: string - definitions: - $ref: '#/components/schemas/UserSchemaDefinitions' - id: - readOnly: true - type: string - lastUpdated: - readOnly: true - type: string - name: - readOnly: true - type: string - properties: - $ref: '#/components/schemas/UserSchemaProperties' - title: - type: string - type: - readOnly: true - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaAttribute: - properties: - description: - type: string - enum: - items: - type: string - type: array - externalName: - type: string - externalNamespace: - type: string - items: - $ref: '#/components/schemas/UserSchemaAttributeItems' - master: - $ref: '#/components/schemas/UserSchemaAttributeMaster' - maxLength: - type: integer - minLength: - type: integer - mutability: - type: string - oneOf: - items: - $ref: '#/components/schemas/UserSchemaAttributeEnum' - type: array - pattern: - type: string - permissions: - items: - $ref: '#/components/schemas/UserSchemaAttributePermission' - type: array - required: - type: boolean - scope: - $ref: '#/components/schemas/UserSchemaAttributeScope' - title: - type: string - type: - $ref: '#/components/schemas/UserSchemaAttributeType' - union: - $ref: '#/components/schemas/UserSchemaAttributeUnion' - unique: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeEnum: - properties: - const: - type: string - title: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeItems: - properties: - enum: - items: - type: string - type: array - oneOf: - items: - $ref: '#/components/schemas/UserSchemaAttributeEnum' - type: array - type: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeMaster: - properties: - priority: - items: - $ref: 
'#/components/schemas/UserSchemaAttributeMasterPriority' - type: array - type: - $ref: '#/components/schemas/UserSchemaAttributeMasterType' - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeMasterPriority: - properties: - type: - type: string - value: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeMasterType: - enum: - - PROFILE_MASTER - - OKTA - - OVERRIDE - type: string - x-okta-tags: - - UserSchema - UserSchemaAttributePermission: - properties: - action: - type: string - principal: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeScope: - enum: - - SELF - - NONE - type: object - x-okta-tags: - - UserSchema - UserSchemaAttributeType: - enum: - - string - - boolean - - number - - integer - - array - type: string - x-okta-tags: - - UserSchema - UserSchemaAttributeUnion: - enum: - - DISABLE - - ENABLE - type: object - x-okta-tags: - - UserSchema - UserSchemaBase: - properties: - id: - readOnly: true - type: string - properties: - $ref: '#/components/schemas/UserSchemaBaseProperties' - required: - items: - type: string - type: array - type: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaBaseProperties: - properties: - city: - $ref: '#/components/schemas/UserSchemaAttribute' - costCenter: - $ref: '#/components/schemas/UserSchemaAttribute' - countryCode: - $ref: '#/components/schemas/UserSchemaAttribute' - department: - $ref: '#/components/schemas/UserSchemaAttribute' - displayName: - $ref: '#/components/schemas/UserSchemaAttribute' - division: - $ref: '#/components/schemas/UserSchemaAttribute' - email: - $ref: '#/components/schemas/UserSchemaAttribute' - employeeNumber: - $ref: '#/components/schemas/UserSchemaAttribute' - firstName: - $ref: '#/components/schemas/UserSchemaAttribute' - honorificPrefix: - $ref: '#/components/schemas/UserSchemaAttribute' - honorificSuffix: - $ref: '#/components/schemas/UserSchemaAttribute' - lastName: - $ref: 
'#/components/schemas/UserSchemaAttribute' - locale: - $ref: '#/components/schemas/UserSchemaAttribute' - login: - $ref: '#/components/schemas/UserSchemaAttribute' - manager: - $ref: '#/components/schemas/UserSchemaAttribute' - managerId: - $ref: '#/components/schemas/UserSchemaAttribute' - middleName: - $ref: '#/components/schemas/UserSchemaAttribute' - mobilePhone: - $ref: '#/components/schemas/UserSchemaAttribute' - nickName: - $ref: '#/components/schemas/UserSchemaAttribute' - organization: - $ref: '#/components/schemas/UserSchemaAttribute' - postalAddress: - $ref: '#/components/schemas/UserSchemaAttribute' - preferredLanguage: - $ref: '#/components/schemas/UserSchemaAttribute' - primaryPhone: - $ref: '#/components/schemas/UserSchemaAttribute' - profileUrl: - $ref: '#/components/schemas/UserSchemaAttribute' - secondEmail: - $ref: '#/components/schemas/UserSchemaAttribute' - state: - $ref: '#/components/schemas/UserSchemaAttribute' - streetAddress: - $ref: '#/components/schemas/UserSchemaAttribute' - timezone: - $ref: '#/components/schemas/UserSchemaAttribute' - title: - $ref: '#/components/schemas/UserSchemaAttribute' - userType: - $ref: '#/components/schemas/UserSchemaAttribute' - zipCode: - $ref: '#/components/schemas/UserSchemaAttribute' - type: object - x-okta-tags: - - UserSchema - UserSchemaDefinitions: - properties: - base: - $ref: '#/components/schemas/UserSchemaBase' - custom: - $ref: '#/components/schemas/UserSchemaPublic' - type: object - x-okta-tags: - - UserSchema - UserSchemaProperties: - properties: - profile: - $ref: '#/components/schemas/UserSchemaPropertiesProfile' - type: object - x-okta-tags: - - UserSchema - UserSchemaPropertiesProfile: - properties: - allOf: - items: - $ref: '#/components/schemas/UserSchemaPropertiesProfileItem' - type: array - type: object - x-okta-tags: - - UserSchema - UserSchemaPropertiesProfileItem: - properties: - $ref: - type: string - type: object - x-okta-tags: - - UserSchema - UserSchemaPublic: - properties: - 
id: - readOnly: true - type: string - properties: - additionalProperties: - $ref: '#/components/schemas/UserSchemaAttribute' - type: object - required: - items: - type: string - type: array - type: - type: string - type: object - x-okta-tags: - - UserSchema - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - default: - id: okta.userschema.default - methods: - insert: - operation: - $ref: '#/paths/~1api~1v1~1meta~1schemas~1apps~1{appInstanceId}~1default/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1meta~1schemas~1apps~1{appInstanceId}~1default/get' - response: - mediaType: application/json - openAPIDocKey: '200' - name: default - title: default - schemas: - id: okta.userschema.schemas - methods: - get: - operation: - $ref: '#/paths/~1api~1v1~1meta~1schemas~1user~1{schemaId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - partialUpdate: - operation: - $ref: '#/paths/~1api~1v1~1meta~1schemas~1user~1{schemaId}/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: schemas - title: schemas -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/meta/schemas/apps/{appInstanceId}/default: - get: - description: Fetches the Schema for an App User - operationId: getApplicationUserSchema - parameters: - - in: path - name: appInstanceId - 
required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserSchema' - description: successful operation - security: - - api_token: [] - summary: Fetches the Schema for an App User - tags: - - UserSchema - post: - description: Partial updates on the User Profile properties of the Application - User Schema. - operationId: updateApplicationUserProfile - parameters: - - in: path - name: appInstanceId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/UserSchema' - required: false - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserSchema' - description: successful operation - security: - - api_token: [] - summary: Partial updates on the User Profile properties of the Application User - Schema. - tags: - - UserSchema - x-codegen-request-body-name: body - /api/v1/meta/schemas/user/{schemaId}: - get: - description: Fetches the schema for a Schema Id. - operationId: getUserSchema - parameters: - - in: path - name: schemaId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserSchema' - description: Success - security: - - api_token: [] - summary: Fetches the schema for a Schema Id. - tags: - - UserSchema - post: - description: Partial updates on the User Profile properties of the user schema. 
- operationId: updateUserProfile - parameters: - - in: path - name: schemaId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/UserSchema' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserSchema' - description: Success - security: - - api_token: [] - tags: - - UserSchema - x-codegen-request-body-name: userSchema -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain
diff --git a/providers/src/okta/v00.00.00000/services/UserType.yaml b/providers/src/okta/v00.00.00000/services/UserType.yaml
deleted file mode 100644
index 276248c4..00000000
--- a/providers/src/okta/v00.00.00000/services/UserType.yaml
+++ /dev/null
@@ -1,276 +0,0 @@ -components: - schemas: - UserType: - properties: - _links: - additionalProperties: - properties: {} - type: object - readOnly: true - type: object - created: - format: date-time - readOnly: true - type: string - createdBy: - readOnly: true - type: string - default: - readOnly: true - type: boolean - description: - type: string - displayName: - type: string - id: - type: string - lastUpdated: - format: date-time - readOnly: true - type: string - lastUpdatedBy: - readOnly: true - type: string - name: - type: string - type: object - x-okta-crud: - - alias: create - arguments: - - dest: userType - self: true - operationId: createUserType - - alias: update - arguments: - - dest: typeId - src: id - - dest: userType - self: true - operationId: updateUserType - - alias: read - arguments: - - dest: typeId - src: id - operationId: getUserType - - alias: delete - arguments: - - dest: typeId - src: id - operationId: deleteUserType - x-okta-operations: - - alias: replaceUserType - arguments: - - dest: roleId - src: id - operationId: replaceUserType - x-okta-tags: - - UserType - securitySchemes: - api_token: - description: SSWS {API Token} - in: header - name: Authorization - type: apiKey - x-stackQL-resources: - user: - id: okta.usertype.user - methods: - delete: - operation: - $ref: '#/paths/~1api~1v1~1meta~1types~1user~1{typeId}/delete' - response: - openAPIDocKey: '204' - get: - operation: - $ref: '#/paths/~1api~1v1~1meta~1types~1user~1{typeId}/get' - response: - mediaType: application/json - openAPIDocKey: '200' - insert: - operation: - $ref: '#/paths/~1api~1v1~1meta~1types~1user/post' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - list: - operation: - $ref: '#/paths/~1api~1v1~1meta~1types~1user/get' - response: - mediaType: application/json - openAPIDocKey: '200' - partialUpdate: - operation: - $ref: '#/paths/~1api~1v1~1meta~1types~1user~1{typeId}/post' - request: - mediaType: application/json 
- response: - mediaType: application/json - openAPIDocKey: '200' - update: - operation: - $ref: '#/paths/~1api~1v1~1meta~1types~1user~1{typeId}/put' - request: - mediaType: application/json - response: - mediaType: application/json - openAPIDocKey: '200' - name: user - title: user -externalDocs: - description: Find more info here - url: https://developer.okta.com/docs/api/getting_started/design_principles.html -info: - contact: - email: devex-public@okta.com - name: Okta Developer Team - url: https://developer.okta.com/ - description: Allows customers to easily access the Okta API - license: - name: Apache-2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - termsOfService: https://developer.okta.com/terms/ - title: Okta API - version: 2.8.0 -openapi: 3.0.1 -paths: - /api/v1/meta/types/user: - get: - description: Fetches all User Types in your org - operationId: listUserTypes - responses: - '200': - content: - application/json: - schema: - items: - $ref: '#/components/schemas/UserType' - type: array - description: Success - security: - - api_token: [] - tags: - - UserType - post: - description: Creates a new User Type. A default User Type is automatically created - along with your org, and you may add another 9 User Types for a maximum of - 10. - operationId: createUserType - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/UserType' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserType' - description: Success - security: - - api_token: [] - tags: - - UserType - x-codegen-request-body-name: userType - /api/v1/meta/types/user/{typeId}: - delete: - description: Deletes a User Type permanently. 
This operation is not permitted - for the default type, nor for any User Type that has existing users - operationId: deleteUserType - parameters: - - in: path - name: typeId - required: true - schema: - type: string - responses: - '204': - content: {} - description: No Content - security: - - api_token: [] - tags: - - UserType - get: - description: Fetches a User Type by ID. The special identifier `default` may - be used to fetch the default User Type. - operationId: getUserType - parameters: - - in: path - name: typeId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserType' - description: Success - security: - - api_token: [] - tags: - - UserType - post: - description: Updates an existing User Type - operationId: updateUserType - parameters: - - in: path - name: typeId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/UserType' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserType' - description: Success - security: - - api_token: [] - tags: - - UserType - x-codegen-request-body-name: userType - put: - description: Replace an existing User Type - operationId: replaceUserType - parameters: - - in: path - name: typeId - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/UserType' - required: true - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/UserType' - description: Success - security: - - api_token: [] - tags: - - UserType - x-codegen-request-body-name: userType -servers: -- url: https://{subdomain}.okta.com/ - variables: - subdomain: - default: my-domain 
diff --git a/providers/src/okta/v00.00.00000/services/agentpools.yaml b/providers/src/okta/v00.00.00000/services/agentpools.yaml new file mode 100644 index 00000000..ceb6463c --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/agentpools.yaml 
@@ -0,0 +1,1084 @@ +openapi: 3.0.3 +info: + title: agentpools API + description: okta agentpools API + version: 5.1.0 +paths: + /api/v1/agentPools: + get: + summary: List all agent pools + description: Lists all agent pools with pagination support + operationId: listAgentPools + parameters: + - $ref: '#/components/parameters/queryLimitPerPoolType' + - $ref: '#/components/parameters/queryPoolType' + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AgentPool' + examples: + ListAllAgentPoolsResponse: + $ref: '#/components/examples/ListAllAgentPoolsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.read + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/agentPools/{poolId}/updates: + get: + summary: List all agent pool updates + description: Lists all agent pool updates + operationId: listAgentPoolsUpdates + parameters: + - $ref: '#/components/parameters/queryScheduled' + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AgentPoolUpdate' + examples: + ListAllAgentPoolUpdatesResponse: + $ref: '#/components/examples/ListAllAgentPoolUpdatesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.read + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an agent pool update + description: Creates an agent pool update + operationId: createAgentPoolsUpdate + requestBody: + content: + application/json: + 
schema: + $ref: '#/components/schemas/AgentPoolUpdate' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdate' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.manage + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPoolId' + /api/v1/agentPools/{poolId}/updates/settings: + get: + summary: Retrieve an agent pool update's settings + description: Retrieves the current state of the agent pool update instance settings + operationId: getAgentPoolsUpdateSettings + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdateSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.read + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update an agent pool update settings + description: Updates an agent pool update instance settings + operationId: updateAgentPoolsUpdateSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdateSetting' + required: true + responses: + '201': + description: Updated + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdateSetting' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.manage + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPoolId' + /api/v1/agentPools/{poolId}/updates/{updateId}: + get: + summary: Retrieve an agent pool update by ID + description: Retrieves an agent pool update by its `updateId` + operationId: getAgentPoolsUpdateInstance + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdate' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.read + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update an agent pool update by ID + description: >- + Updates an agent pool update instance and returns the latest agent pool + update + operationId: updateAgentPoolsUpdate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdate' + required: true + responses: + '201': + description: Updated + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdate' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.manage + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an agent pool update + description: Deletes agent pool update + operationId: 
deleteAgentPoolsUpdate + responses: + '204': + description: Deleted + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.manage + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPoolId' + - $ref: '#/components/parameters/pathUpdateId' + /api/v1/agentPools/{poolId}/updates/{updateId}/activate: + post: + summary: Activate an agent pool update + description: Activates a scheduled agent pool update + operationId: activateAgentPoolsUpdate + responses: + '201': + description: Activated + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdate' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.manage + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPoolId' + - $ref: '#/components/parameters/pathUpdateId' + /api/v1/agentPools/{poolId}/updates/{updateId}/deactivate: + post: + summary: Deactivate an agent pool update + description: Deactivates scheduled agent pool update + operationId: deactivateAgentPoolsUpdate + responses: + '201': + description: Deactivated + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdate' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.manage + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA 
+ isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPoolId' + - $ref: '#/components/parameters/pathUpdateId' + /api/v1/agentPools/{poolId}/updates/{updateId}/pause: + post: + summary: Pause an agent pool update + description: Pauses a running or queued agent pool update + operationId: pauseAgentPoolsUpdate + responses: + '201': + description: Paused + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdate' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.manage + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPoolId' + - $ref: '#/components/parameters/pathUpdateId' + /api/v1/agentPools/{poolId}/updates/{updateId}/resume: + post: + summary: Resume an agent pool update + description: Resumes a running or queued agent pool update + operationId: resumeAgentPoolsUpdate + responses: + '201': + description: Resumed + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdate' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.manage + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPoolId' + - $ref: '#/components/parameters/pathUpdateId' + /api/v1/agentPools/{poolId}/updates/{updateId}/retry: + post: + summary: Retry an agent pool update + description: >- + Retries an agent pool update if the update is unsuccessful or + communication with Okta was interrupted during an agent auto-update + operationId: 
retryAgentPoolsUpdate + responses: + '201': + description: Retried + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdate' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.manage + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPoolId' + - $ref: '#/components/parameters/pathUpdateId' + /api/v1/agentPools/{poolId}/updates/{updateId}/stop: + post: + summary: Stop an agent pool update + description: Stops an agent pool update + operationId: stopAgentPoolsUpdate + responses: + '201': + description: Stopped + content: + application/json: + schema: + $ref: '#/components/schemas/AgentPoolUpdate' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.agentPools.manage + tags: + - AgentPools + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPoolId' + - $ref: '#/components/parameters/pathUpdateId' +components: + schemas: + AgentPool: + description: >- + An agent pool is a collection of agents that serve a common purpose. An + agent pool has a unique ID within an org, and contains a collection of + agents disjoint to every other agent pool, meaning that no two agent + pools share an agent. 
+ type: object + properties: + agents: + type: array + items: + $ref: '#/components/schemas/Agent' + disruptedAgents: + description: Number of agents in the pool that are in a disrupted state + type: integer + id: + type: string + readOnly: true + description: Agent pool ID + inactiveAgents: + description: Number of agents in the pool that are in an inactive state + type: integer + name: + type: string + description: Agent pool name + operationalStatus: + $ref: '#/components/schemas/OperationalStatus' + type: + $ref: '#/components/schemas/AgentType' + _links: + $ref: '#/components/schemas/LinksSelf' + AgentPoolUpdate: + description: Various information about agent auto-update configuration + type: object + properties: + agents: + type: array + items: + $ref: '#/components/schemas/Agent' + agentType: + $ref: '#/components/schemas/AgentType' + enabled: + type: boolean + description: Indicates if auto-update is enabled for the agent pool + id: + type: string + readOnly: true + description: ID of the agent pool update + name: + type: string + description: Name of the agent pool update + example: region1A.dc + notifyAdmin: + type: boolean + description: Indicates if the admin is notified about the update + reason: + description: Reason for the update + type: string + example: Update failed. 
+ schedule: + $ref: '#/components/schemas/AutoUpdateSchedule' + sortOrder: + description: Specifies the sort order + type: integer + status: + $ref: '#/components/schemas/AgentUpdateJobStatus' + targetVersion: + type: string + description: The agent version to update to + example: 3.20.0 + _links: + $ref: '#/components/schemas/LinksSelf' + AgentPoolUpdateSetting: + description: Setting for auto-update + type: object + properties: + agentType: + $ref: '#/components/schemas/AgentType' + continueOnError: + type: boolean + description: Continues the update even if some agents fail to update + latestVersion: + type: string + description: Latest version of the agent + example: 3.20.0 + minimalSupportedVersion: + type: string + description: Minimal version of the agent + example: 3.19.0 + poolId: + type: string + readOnly: true + description: ID of the agent pool that the settings apply to + example: 0oa3eu7ekG8tjbD9J5s6 + poolName: + type: string + description: Pool name + example: iwa.dc + releaseChannel: + $ref: '#/components/schemas/ReleaseChannel' + AgentType: + description: Agent types that are being monitored + type: string + enum: + - AD + - IWA + - LDAP + - MFA + - OPP + - RUM + - Radius + Agent: + description: Agent details + type: object + properties: + id: + type: string + readOnly: true + description: Unique identifier for the agent that's generated during installation + example: ajd3fxzltQKQ2VeLu5s6 + isHidden: + type: boolean + description: Determines if an agent is hidden from the Admin Console + isLatestGAedVersion: + type: boolean + description: Determines if the agent is on the latest generally available version + lastConnection: + type: string + format: date-time + description: Timestamp when the agent last connected to Okta + name: + type: string + description: Agent name + example: WIN-region1A-dc + operationalStatus: + $ref: '#/components/schemas/OperationalStatus' + poolId: + type: string + description: Pool ID + example: 0oa3eu7ekG8tjbD9J5s6 + 
type: + $ref: '#/components/schemas/AgentType' + updateMessage: + type: string + description: Status message of the agent + example: Queued for update. + updateStatus: + $ref: '#/components/schemas/AgentUpdateInstanceStatus' + version: + type: string + description: Agent version number + example: 3.19.0 + _links: + $ref: '#/components/schemas/LinksSelf' + OperationalStatus: + description: Operational status of a given agent + type: string + enum: + - DEGRADED + - DISRUPTED + - INACTIVE + - OPERATIONAL + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + AutoUpdateSchedule: + description: The schedule of auto-update configured by the admin + type: object + properties: + cron: + type: string + description: >- + The schedule of the update in cron format. The cron settings are + limited to only the day of the month or the nth-day-of-the-week + configurations. For example, `0 8 ? * 6#3` indicates every third + Saturday at 8:00 AM. + example: 0 8 ? 
* 6#3 + delay: + description: Delay in days + type: integer + duration: + description: Duration in minutes + type: integer + example: 120 + lastUpdated: + description: >- + Timestamp when the update finished (only for a successful or failed + update, not for a cancelled update). Null is returned if the job + hasn't finished once yet. + type: string + format: date-time + timezone: + type: string + description: Timezone of where the scheduled job takes place + example: America/New_York + AgentUpdateJobStatus: + description: Overall state for the auto-update job from the admin perspective + type: string + enum: + - Cancelled + - Failed + - InProgress + - Paused + - Scheduled + - Success + ReleaseChannel: + description: Release channel for auto-update + type: string + enum: + - BETA + - EA + - GA + - TEST + AgentUpdateInstanceStatus: + description: Status for one agent regarding the status to auto-update that agent + type: string + enum: + - Cancelled + - Failed + - InProgress + - PendingCompletion + - Scheduled + - Success + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + parameters: + queryLimitPerPoolType: + name: limitPerPoolType + in: query + schema: + type: integer + default: 5 + required: false + description: Maximum number of agent pools returned + queryPoolType: + name: poolType + in: query + schema: + $ref: '#/components/schemas/AgentType' + required: false + description: Agent type to search for + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). 
+ pathPoolId: + name: poolId + in: path + description: ID of the agent pool for which the settings apply to + schema: + type: string + required: true + queryScheduled: + name: scheduled + in: query + description: >- + Return only scheduled or ad-hoc updates. If this parameter isn't + provided, Okta returns the entire list of updates. + schema: + type: boolean + required: false + pathUpdateId: + name: updateId + in: path + description: ID of the update + schema: + type: string + required: true + examples: + ListAllAgentPoolsResponse: + summary: List all agent pools + value: + - disruptedAgents: 0 + inactiveAgents: 1 + operationalStatus: OPERATIONAL + id: poolId1 + name: region1A.dc + type: AD + agents: + id: agentId1 + state: ACTIVE + message: Agent connection is live + indicator: green + name: WIN-region1A-dc + version: 3.18.0 + upgradeRequired: false + active: true + supportAutoUpdate: true + errorState: true + isHidden: false + isLatestGAedVersion: false + lastConnection: 1628263766000 + operationalStatus: OPERATIONAL + poolId: poolId1 + updateMessage: Queued for update. + _links: + self: + href: /api/v1/agentPools/poolId1 + ListAllAgentPoolUpdatesResponse: + summary: List all agent pool updates + value: + - id: poolId1 + name: testSchedule + agentType: AD + agents: + latestGAedVersion: true + id: a533eu8npxdZ60Mvf5s6 + type: AD + operationalStatus: OPERATIONAL + updateStatus: Scheduled + updateMessage: Queued for update. 
+ version: 3.20.0 + lastConnection: 1750462090000 + isLatestGAedVersion: true + poolId: 0oa3eu7ekG8tjbD9J5s6 + name: N079-H069 + isHidden: false + enabled: true + schedule: + cron: 0 1 * * THU + timezone: America/Los_Angeles + duration: 420 + notifyAdmin: true + status: Scheduled + targetVersion: 3.20.0 + _links: + self: + href: /api/v1/agentPools/poolId1/updates + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + x-stackQL-resources: + agent_pools: + id: okta.agentpools.agent_pools + name: agent_pools + title: Agent Pools + methods: + list_agent_pools: + operation: + $ref: '#/paths/~1api~1v1~1agentPools/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/agent_pools/methods/list_agent_pools + insert: [] + update: [] + delete: [] + replace: [] + agent_pool_updates: + id: okta.agentpools.agent_pool_updates + name: agent_pool_updates + title: Agent Pool Updates + methods: + list_agent_pools_updates: + operation: + $ref: '#/paths/~1api~1v1~1agentPools~1{poolId}~1updates/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_agent_pools_update: + 
operation: + $ref: '#/paths/~1api~1v1~1agentPools~1{poolId}~1updates/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_agent_pools_update_instance: + operation: + $ref: '#/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1{updateId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_agent_pools_update: + operation: + $ref: '#/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1{updateId}/post' + response: + mediaType: application/json + openAPIDocKey: '201' + delete_agent_pools_update: + operation: + $ref: >- + #/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1{updateId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + activate_agent_pools_update: + operation: + $ref: >- + #/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1{updateId}~1activate/post + response: + mediaType: application/json + openAPIDocKey: '201' + deactivate_agent_pools_update: + operation: + $ref: >- + #/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1{updateId}~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '201' + pause_agent_pools_update: + operation: + $ref: >- + #/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1{updateId}~1pause/post + response: + mediaType: application/json + openAPIDocKey: '201' + resume_agent_pools_update: + operation: + $ref: >- + #/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1{updateId}~1resume/post + response: + mediaType: application/json + openAPIDocKey: '201' + retry_agent_pools_update: + operation: + $ref: >- + #/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1{updateId}~1retry/post + response: + mediaType: application/json + openAPIDocKey: '201' + stop_agent_pools_update: + operation: + $ref: >- + #/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1{updateId}~1stop/post + response: + mediaType: application/json + openAPIDocKey: '201' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/agent_pool_updates/methods/list_agent_pools_updates + - $ref: >- + 
#/components/x-stackQL-resources/agent_pool_updates/methods/get_agent_pools_update_instance + insert: + - $ref: >- + #/components/x-stackQL-resources/agent_pool_updates/methods/create_agent_pools_update + update: + - $ref: >- + #/components/x-stackQL-resources/agent_pool_updates/methods/update_agent_pools_update + delete: + - $ref: >- + #/components/x-stackQL-resources/agent_pool_updates/methods/delete_agent_pools_update + replace: [] + agent_pool_update_settings: + id: okta.agentpools.agent_pool_update_settings + name: agent_pool_update_settings + title: Agent Pool Update Settings + methods: + get_agent_pools_update_settings: + operation: + $ref: '#/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1settings/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_agent_pools_update_settings: + operation: + $ref: '#/paths/~1api~1v1~1agentPools~1{poolId}~1updates~1settings/post' + response: + mediaType: application/json + openAPIDocKey: '201' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/agent_pool_update_settings/methods/get_agent_pools_update_settings + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/agent_pool_update_settings/methods/update_agent_pools_update_settings + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/api_tokens.yaml b/providers/src/okta/v00.00.00000/services/api_tokens.yaml new file mode 100644 index 00000000..c4dc03c0 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/api_tokens.yaml 
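Review bot: Every operation in the new agentpools.yaml lists the security requirements `apiToken` and `oauth2` (with scopes `okta.agentPools.read` / `okta.agentPools.manage`), but its `components` section declares only `schemas`, `responses`, `parameters`, `examples` and `x-stackQL-resources`, so neither name resolves to a scheme inside this document. The deleted UserType.yaml carried its own `securitySchemes.api_token` (apiKey in the `Authorization` header), so this looks like a regression unless authentication is configured at provider level, which is not visible here. I would add a `securitySchemes` block under `components` that declares both names, so validators and readers can tell which credential and scope each call requires; a sketch for the API-key scheme, mirroring the removed definition, follows. Separately, the `servers` description says the value may be an oktapreview.com or custom domain while the URL template fixes the suffix to `.okta.com`; one of the two should change so token-bearing requests go to the intended host.

```yaml
components:
  # … unchanged: schemas, responses, parameters, examples, x-stackQL-resources …
  securitySchemes:
    apiToken:
      type: apiKey
      in: header
      name: Authorization
      description: SSWS {API Token}
    # oauth2: declare here as well (type: oauth2 with its flows and the
    # okta.agentPools.* scopes); the endpoint URLs are not shown in this diff
```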
@@ -0,0 +1,551 @@ +openapi: 3.0.3 +info: + title: api_tokens API + description: okta api_tokens API + version: 5.1.0 +paths: + /api/v1/api-tokens: + get: + summary: List all API token metadata + description: Lists all the metadata of the active API tokens + operationId: listApiTokens + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/ApiToken' + examples: + List Tokens: + $ref: '#/components/examples/ApiTokenListMetadataResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apiTokens.read + tags: + - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/api-tokens/current: + delete: + summary: Revoke the current API token + description: Revokes the API token provided in the Authorization header + operationId: revokeCurrentApiToken + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + tags: + - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/api-tokens/{apiTokenId}: + get: + summary: Retrieve an API token's metadata + description: Retrieves the metadata for an active API token by `apiTokenId` + operationId: getApiToken + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ApiToken' + examples: + HCaptcha: + $ref: '#/components/examples/ApiTokenMetadataResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apiTokens.read + tags: + - ApiToken + x-okta-lifecycle: + lifecycle: GA + 
isGenerallyAvailable: true + put: + summary: Upsert an API token network condition + description: Upserts an API Token Network Condition by `apiTokenId` + operationId: upsertApiToken + requestBody: + content: + application/json: + example: + name: api_token_name + clientName: client_name + userId: 00uabcdefg1234567890 + network: + connection: ANYWHERE + created: '2021-11-09T20:38:10.000Z' + schema: + $ref: '#/components/schemas/ApiTokenUpdate' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ApiToken' + examples: + HCaptcha: + $ref: '#/components/examples/ApiTokenMetadataResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apiTokens.manage + tags: + - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke an API token + description: Revokes an API token by `apiTokenId` + operationId: revokeApiToken + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apiTokens.manage + tags: + - ApiToken + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathApiTokenId' +components: + schemas: + ApiToken: + title: API Token + description: >- + An API token for an Okta User. This token is NOT scoped any further and + can be used for any API the user has permissions to call. 
+ type: object + properties: + clientName: + type: string + readOnly: true + created: + type: string + format: date-time + readOnly: true + expiresAt: + type: string + format: date-time + readOnly: true + id: + type: string + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + name: + type: string + network: + type: object + description: The Network Condition of the API Token + properties: + connection: + type: string + description: The connection type of the Network Condition + include: + type: array + description: List of included IP network zones + items: + type: string + exclude: + type: array + description: List of excluded IP network zones + items: + type: string + tokenWindow: + $ref: '#/components/schemas/TimeDuration' + userId: + type: string + _link: + $ref: '#/components/schemas/LinksSelf' + required: + - name + ApiTokenUpdate: + title: API Token Update + description: >- + An API Token Update Object for an Okta user. This token is NOT scoped + any further and can be used for any API that the user has permissions to + call. 
+ type: object + properties: + clientName: + type: string + description: The client name associated with the API Token + readOnly: true + created: + type: string + description: The creation date of the API Token + format: date-time + readOnly: true + name: + type: string + description: The name associated with the API Token + network: + type: object + description: The Network Condition of the API Token + properties: + connection: + type: string + description: The connection type of the Network Condition + include: + type: array + description: List of included IP network zones + items: + type: string + exclude: + type: array + description: List of excluded IP network zones + items: + type: string + userId: + type: string + description: The userId of the user who created the API Token + TimeDuration: + description: >- + A time duration specified as an [ISO 8601 + duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). + type: string + pattern: ^P(?:$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?:\d)(\d+H)?(\d+M)?(\d+S)?)?$ + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. 
+ errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorApiValidationFailed400: + description: Bad Request + 
content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + parameters: + pathApiTokenId: + name: apiTokenId + in: path + schema: + type: string + example: 00Tabcdefg1234567890 + required: true + description: id of the API Token + examples: + ApiTokenListMetadataResponse: + value: + - name: My API Token + userId: 00uabcdefg1234567890 + tokenWindow: P30D + network: + connection: ANYWHERE + id: 00Tabcdefg1234567890 + clientName: Okta API + expiresAt: '2021-12-11T20:38:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + hints: + allow: + - GET + - name: Another API Token + userId: 00uabcdefg1234567890 + tokenWindow: PT5M + id: 00T1234567890abcdefg + clientName: Okta API + expiresAt: '2021-11-11T20:43:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 + hints: + allow: + - GET + ApiTokenMetadataResponse: + value: + name: My API Token + userId: 00uXXXXXXXXXXXXXXXXX + tokenWindow: P30D + network: + connection: ANYWHERE + id: 00Tabcdefg1234567890 + clientName: Okta API + expiresAt: '2021-12-11T20:38:10.000Z' + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX + hints: + allow: + - GET + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + 
errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + x-stackQL-resources: + api_tokens: + id: okta.api_tokens.api_tokens + name: api_tokens + title: Api Tokens + methods: + list_api_tokens: + operation: + $ref: '#/paths/~1api~1v1~1api-tokens/get' + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_current_api_token: + operation: + $ref: '#/paths/~1api~1v1~1api-tokens~1current/delete' + response: + mediaType: '' + openAPIDocKey: '204' + get_api_token: + operation: + $ref: '#/paths/~1api~1v1~1api-tokens~1{apiTokenId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + upsert_api_token: + operation: + $ref: '#/paths/~1api~1v1~1api-tokens~1{apiTokenId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_api_token: + operation: + $ref: '#/paths/~1api~1v1~1api-tokens~1{apiTokenId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/api_tokens/methods/list_api_tokens + - $ref: '#/components/x-stackQL-resources/api_tokens/methods/get_api_token' + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/api_tokens/methods/revoke_current_api_token + - $ref: >- + 
#/components/x-stackQL-resources/api_tokens/methods/revoke_api_token + replace: + - $ref: >- + #/components/x-stackQL-resources/api_tokens/methods/upsert_api_token +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/apps.yaml b/providers/src/okta/v00.00.00000/services/apps.yaml new file mode 100644 index 00000000..04682164 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/apps.yaml 
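Review bot: The `TimeDuration` pattern under `components.schemas` can only match the bare string `P`: the `(?:$)` right after `P` demands end of input, and `(?:\d)` after `T` consumes the digit that the following `(\d+H)?(\d+M)?(\d+S)?` groups need. `ApiToken.tokenWindow` references this schema, so a validating consumer would reject the file's own example values `P30D` and `PT5M`. The two groups look like lookaheads that were rewritten during conversion; restoring them gives `pattern: ^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$`. Separately, `sqlVerbs.delete` lists `revoke_current_api_token`, which takes no path parameter, ahead of `revoke_api_token`. If method selection falls back to the parameterless method when `apiTokenId` is omitted (an assumption to confirm), a `DELETE` without a `WHERE` clause would revoke the token the session authenticates with, so it may be safer to leave that method out of `delete`.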
@@ -0,0 +1,11615 @@ +openapi: 3.0.3 +info: + title: apps API + description: okta apps API + version: 5.1.0 +paths: + /api/v1/apps: + get: + summary: List all applications + description: >- + Lists all apps in the org with pagination. A subset of apps can be + returned that match a supported filter expression or query. The results + are [paginated]https://developer.okta.com/docs/api#pagination according to the `limit` parameter. If + there are multiple pages of results, the header contains a `next` link. + Treat the link as an opaque value (follow it, don't parse it). + + + > **Note:** To list all of a member's assigned app links, use the [List + all assigned app links endpoint in the User Resources + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserResources/#tag/UserResources/operation/listAppLinks). + operationId: listApplications + parameters: + - name: q + in: query + description: >- + Searches for apps with `name` or `label` properties that starts with + the `q` value using the `startsWith` operation + schema: + type: string + example: Okta + - name: after + in: query + description: >- + Specifies the [pagination]https://developer.okta.com/docs/api#pagination cursor for the next page of + results. Treat this as an opaque value obtained through the `next` + link relationship. + schema: + type: string + example: 16278919418571 + - name: useOptimization + in: query + description: >- + Specifies whether to use query optimization. If you specify + `useOptimization=true` in the request query, the response contains a + subset of app instance properties. 
+ schema: + type: boolean + default: false + - name: limit + in: query + description: Specifies the number of results per page + schema: + type: integer + format: int32 + default: -1 + maximum: 200 + - name: filter + in: query + description: >- + Filters apps by `status`, `user.id`, `group.id`, + `credentials.signing.kid` or `name` expression that supports the + `eq` operator + schema: + type: string + examples: + ActiveStatusEx: + value: status%20eq%20%22ACTIVE%22 + summary: Filter for active apps + NameFilterEx: + value: name%20eq%20%22okta_org2org%22 + summary: Filter for apps with `okta_org2org` name + CredKidEx: + value: >- + credentials.signing.kid%20eq%20%22SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-F1bm4%22 + summary: Filter for apps using a specific key + - $ref: '#/components/parameters/queryAppsExpand' + - name: includeNonDeleted + description: >- + Specifies whether to include non-active, but not deleted apps in the + results + in: query + schema: + type: boolean + default: false + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Application' + examples: + ResponseExample1: + $ref: '#/components/examples/GetApplicationsByUserResponseEx' + ResponseExample2: + $ref: '#/components/examples/GetApplicationsByGroupResponseEx' + ResponseExample3: + $ref: '#/components/examples/GetApplicationsByKeyResponseEx' + ResponseExample4: + $ref: '#/components/examples/GetApplicationsByNameResponseEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an application + description: > + Creates an app instance in your Okta org. 
+ + + You can either create an OIN app instance or a custom app instance: + + * OIN app instances have prescribed `name` (key app definition) and + `signOnMode` options. See the [OIN + schemas](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/schema/GoogleApplication) + for the request body. + + * For custom app instances, select the + [signOnMode](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/signOnMode&t=request) + that pertains to your app and specify the required parameters in the + request body. + operationId: createApplication + parameters: + - name: activate + in: query + description: Executes activation lifecycle operation when creating the app + schema: + type: boolean + default: true + - name: OktaAccessGateway-Agent + in: header + schema: + type: string + x-codegen-request-body-name: application + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStoreEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0Ex' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectEx' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkAppResponseEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginAppResponseEx' + BASIC_AUTH: + $ref: 
'#/components/examples/BasicAuthResponseEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStoreResponseEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationResponseEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginResponseEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldResponseEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0ResponseEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectResponseEx' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/apps/{appId}: + get: + summary: Retrieve an application + description: Retrieves an application from your Okta organization by `id` + operationId: getApplication + parameters: + - name: expand + in: query + description: >- + An optional query parameter to return the specified [Application + User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) in + the `_embedded` property. 
+ + Valid value: `expand=user/{userId}` + schema: + type: string + example: user/0oa1gjh63g214q0Hq0g4 + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Application' + examples: + RetrieveEx1: + $ref: '#/components/examples/GetApplicationsResponseEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an application + description: > + Replaces properties for an application + + > **Notes:** + + > * All required properties must be specified in the request body + + > * You can't modify system-assigned properties, such as `id`, `name`, + `status`, `created`, and `lastUpdated`. The values for these properties + in the PUT request body are ignored. 
+ operationId: replaceApplication + x-codegen-request-body-name: application + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkPutEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginPutEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthPutEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStorePutEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationPutEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginPutEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldPutEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0PutEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectPutEx' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Application' + examples: + BOOKMARK: + $ref: '#/components/examples/BookmarkPutResponseEx' + AUTO_LOGIN: + $ref: '#/components/examples/AutoLoginPutResponseEx' + BASIC_AUTH: + $ref: '#/components/examples/BasicAuthPutResponseEx' + SECURE_PASSWORD_STORE: + $ref: '#/components/examples/SecurePasswordStorePutResponseEx' + WS_FEDERATION: + $ref: '#/components/examples/WSFederationPutResponseEx' + BROWSER_PLUGIN: + $ref: '#/components/examples/BrowserPluginPutResponseEx' + BROWSER_PLUGIN_SWA_3FIELD: + $ref: '#/components/examples/BrowserPluginSwa3FieldPutResponseEx' + SAML_2_0: + $ref: '#/components/examples/Saml2.0PutResponseEx' + OPENID_CONNECT: + $ref: '#/components/examples/OpenidConnectPutResponseEx' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - Application + 
x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an application + description: Deletes an inactive application + operationId: deleteApplication + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/connections/default: + get: + summary: Retrieve the default provisioning connection + description: Retrieves the default provisioning connection for an app + operationId: getDefaultProvisioningConnectionForApplication + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ProvisioningConnectionResponse' + examples: + ProvisioningConnectionTokenZscalerEx: + $ref: >- + #/components/examples/ProvisioningConnectionTokenResponseWithProfileZscalerEx + ProvisioningConnectionTokenOrg2OrgEx: + $ref: >- + #/components/examples/ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx + ProvisioningConnectionOauthO365Ex: + $ref: '#/components/examples/ProvisioningConnectionOauthResponseEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update the default provisioning connection + description: Updates the default provisioning connection for an app + operationId: updateDefaultProvisioningConnectionForApplication + parameters: + - in: 
query + name: activate + schema: + type: boolean + description: Activates the provisioning connection + requestBody: + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/ProvisioningConnectionTokenRequest' + - $ref: '#/components/schemas/ProvisioningConnectionOauthRequest' + examples: + ProvisioningConnectionTokenZscalerEx: + $ref: '#/components/examples/ProvisioningConnectionTokenRequestEx' + ProvisioningConnectionTokenOrg2OrgEx: + $ref: >- + #/components/examples/ProvisioningConnectionTokenOrg2OrgRequestEx + ProvisioningConnectionOAuthOrg2OrgEx: + $ref: >- + #/components/examples/ProvisioningConnectionOAuthOrg2OrgWithRotationRequestEx + ProvisioningConnectionOauthO365Ex: + $ref: '#/components/examples/ProvisioningConnectionOauthO365RequestEx' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ProvisioningConnectionResponse' + examples: + ProvisioningConnectionTokenZscalerEx: + $ref: >- + #/components/examples/ProvisioningConnectionTokenResponseWithProfileZscalerEx + ProvisioningConnectionTokenOrg2OrgEx: + $ref: >- + #/components/examples/ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx + ProvisioningConnectionOAuthOrg2OrgEx: + $ref: >- + #/components/examples/ProvisioningConnectionOAuthOrg2OrgWithRotationResponseEx + ProvisioningConnectionOauthO365Ex: + $ref: '#/components/examples/ProvisioningConnectionOauthResponseEx' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/connections/default/jwks: + 
get: + summary: >- + Retrieve a JSON Web Key Set (JWKS) for the default provisioning + connection + description: >- + Retrieves a JWKS for the default provisioning connection. This can be + used by the OAuth 2.0 app's `jwk_uri` property in the target org. + operationId: getUserProvisioningConnectionJWKS + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AppConnectionUserProvisionJWKResponse' + examples: + UserProvisioningJsonWebKeysResponseExample: + $ref: '#/components/examples/UserProvisioningJsonWebKeysResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationConnections + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/connections/default/lifecycle/activate: + post: + summary: Activate the default provisioning connection + description: Activates the default provisioning connection for an app + operationId: activateDefaultProvisioningConnectionForApplication + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/connections/default/lifecycle/deactivate: + post: + summary: Deactivate the default provisioning connection + description: Deactivates the default provisioning connection for an app + operationId: 
deactivateDefaultProvisioningConnectionForApplication + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/credentials/csrs: + get: + summary: List all certificate signing requests + description: Lists all Certificate Signing Requests for an application + operationId: listCsrsForApplication + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Csr' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Generate a certificate signing request + description: >- + Generates a new key pair and returns the Certificate Signing + Request(CSR) for it. The information in a CSR is used by the Certificate + Authority (CA) to verify and create your certificate. It also contains + the public key that is included in your certificate. + + + Returns CSR in `pkcs#10` format if the `Accept` media type is + `application/pkcs10` or a CSR object if the `Accept` media type is + `application/json`. + + > **Note:** The key pair isn't listed in the Key Credentials for the app + until it's published. 
+ operationId: generateCsrForApplication + x-codegen-request-body-name: metadata + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CsrMetadata' + required: true + responses: + '201': + description: Created + headers: + Content-Type: + schema: + type: string + description: The Content-Type of the response + examples: + pkcs10Header: + summary: application/pkcs10 Content-Type header + value: application/pkcs10; filename=okta.p10 + json: + summary: application/json Content-Type header + value: application/json + Content-Transfer-Encoding: + schema: + type: string + description: Encoding of the response + example: base64 + content: + application/pkcs10: + schema: + $ref: '#/components/schemas/AppCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/AppCsrPkcs10Response' + application/json: + schema: + $ref: '#/components/schemas/Csr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/AppCsrJsonResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/credentials/csrs/{csrId}: + get: + summary: Retrieve a certificate signing request + description: >- + Retrieves a Certificate Signing Request (CSR) for the app by `csrId`. + + + Returns a Base64-encoded CSR in DER format if the `Accept` media type is + `application/pkcs10` or a CSR object if the `Accept` media type is + `application/json`. 
+ operationId: getCsrForApplication + responses: + '200': + description: Success + headers: + Content-Type: + schema: + type: string + description: The Content-Type of the response + examples: + pkcs10Header: + summary: application/pkcs10 Content-Type header + value: application/pkcs10; filename=okta.p10 + json: + summary: application/json Content-Type header + value: application/json + Content-Transfer-Encoding: + schema: + type: string + description: Encoding of the response + example: base64 + content: + application/json: + schema: + $ref: '#/components/schemas/Csr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/AppCsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/AppCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/AppCsrPkcs10Response' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke a certificate signing request + description: >- + Revokes a Certificate Signing Request and deletes the key pair from the + app + operationId: revokeCsrFromApplication + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathCsrId' + /api/v1/apps/{appId}/credentials/csrs/{csrId}/lifecycle/publish: + post: + summary: 
Publish a certificate signing request + description: >- + Publishes a Certificate Signing Request (CSR) for the app with a signed + X.509 certificate and adds it into the Application Key Credentials. + + > **Note:** Publishing a certificate completes the lifecycle of the CSR + and it's no longer accessible. + operationId: publishCsrFromApplication + requestBody: + required: true + content: + application/x-x509-ca-cert: + schema: + type: string + format: binary + description: >- + X.509 certificate in `CER` format. + + The client can either post in binary or Base64URL-encoded. If + the post is Base64URL-encoded, set the + `Content-Transfer-Encoding` header to `base64`. + example: '@certificate.pem' + x-okta-operationId: publishBinaryCerCert + application/pkix-cert: + schema: + type: string + format: binary + description: >- + X.509 certificate in `DER` format. + + The client can either post in binary or Base64URL-encoded. If + the post is Base64URL-encoded, set the + `Content-Transfer-Encoding` header to `base64`. 
+ example: >- + MIIFgjCCA2qgAwIBAgICEAcwDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARPa3RhMQwwCgYDVQQLDANFbmcxDTALBgNVBAMMBFJvb3QwHhcNMTcwMzI3MjEyMDQ3WhcNMTgwNDA2MjEyMDQ3WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwKT2t0YSwgSW5jLjEQMA4GA1UECwwHSmFua3lDbzEVMBMGA1UEAwwMSWRQIElzc3VlciA3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmkC6yAJVvFwUlmM9gKjb2d+YK5qHFt+mXSsbjWKKs4EfNm+BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL/q7n0f/SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH+bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQIDAQABo4IBLjCCASowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUVqJukDmyENw/2pTApbxc/HRKbngwgZAGA1UdIwSBiDCBhYAUFx245ZZXqWTTbARfMlFWN77L9EahYqRgMF4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEMMAoGA1UECwwDRW5nMQ0wCwYDVQQDDARSb290ggkAlIfpwZjO5o8wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQCcoBSRtY+9cJY00hLvq6AloYZcdn/kUQupfmyz4n3lKE3wV2FB0swKnK0QDi8iNuQJFdag/19vDHC4/LhoSuv1Q+KXM61pPZVRXXPyC1+e7Y6hj93tEI5HcqLPcDRH1AIG2l8tE7LBn+MQB5Vh6oxjG2IdoWxg6abMfISU+MauPWql4vMDUWo9iNShAo44Z5fd+nuz+hlAinU9Xn9Jf2QsfKvcbMRq7iuqgkabgdmObmWb9KK0Vm7TDkxCH0pB0onPr6epVUP8Obg/pT1Oj/1hOLbfR8CHHWdAWzUBGGvp2TIy2A8LUaEoFnwkxZfdL7Bnd0RH/ClBtAjzLOxmUo7NbZmEnYCcD5pZz7BdZI0db/eBXFqfOlA88rEe+9Sv+NndIq0/WNIIsJi2RgjJnxsxvB5MjhhzmItpFIUl5yqoO3C9jcCp6HDBJxtCGbvAr5ALPn5RCJeBIr67WpAiTd7L3Ebu9SQZlXnoHX8kP04EA6ylR3W0EFbh7KUtq8M2H2vo0wjMj7ysl/3tT7cEZ97s1ygO5iJx3GfMDyrDhtLXSBJ20uSxTJeptRw8SDiwTqunIh1WyKlcQz1WGauSbW4eXdj/r9KYMJ3qMMkdP/9THQUtTcOYx51r8RV9pdzqF2HPnZZNziBa+wXJZHEWp70NyoakNthgYwtypqiDHs2f3Q== + x-okta-operationId: publishBinaryDerCert + application/x-pem-file: + schema: + type: string 
+ format: binary + description: X.509 certificate in `PEM` format + example: '@certificate.pem' + x-okta-operationId: publishBinaryPemCert + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/JsonWebKey' + examples: + PublishCSR: + $ref: '#/components/examples/KeyCredentialExample' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorPublishCSRCertDoesNotMatchCSR: + $ref: '#/components/examples/ErrorPublishCSRCertDoesNotMatchCSR' + ErrorPublishCSRCertValidityLessThan90Days: + $ref: >- + #/components/examples/ErrorPublishCSRCertValidityLessThan90Days + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathCsrId' + /api/v1/apps/{appId}/credentials/jwks: + get: + summary: List all the OAuth 2.0 client JSON Web Keys + description: Lists all JSON Web Keys for an OAuth 2.0 client app + operationId: listJwk + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + oneOf: + - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' + - $ref: >- + #/components/schemas/OAuth2ClientJsonEncryptionKeyResponse + examples: + OAuthClientJsonWebKeyListResponseExample: + $ref: '#/components/examples/oAuthClientJsonWebKeyListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + 
security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Add a JSON Web Key + description: >- + Adds a new JSON Web Key to the client`s JSON Web Keys. + + > **Note:** This API doesn't allow you to add a key if the existing key + doesn't have a `kid`. This is also consistent with how the [Dynamic + Client Registration](/openapi/okta-oauth/oauth/tag/Client/) or + [Applications](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/) + APIs behave, as they don't allow the creation of multiple keys without + `kids`. Use the [Replace an + Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) + or the [Replace a Client + Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/replaceClient) + operation to update the JWKS or [Delete an OAuth 2.0 Client JSON Web + Key](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationSSOPublicKeys/#tag/ApplicationSSOPublicKeys/operation/deletejwk) + and re-add the key with a `kid`. 
+ operationId: addJwk + requestBody: + required: true + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyRequest' + - $ref: '#/components/schemas/OAuth2ClientJsonEncryptionKeyRequest' + examples: + createOAuth2ClientJsonWebKeyRequestBody: + $ref: '#/components/examples/oAuthClientJsonWebKeyRequest' + createOAuth2ClientJsonInactiveEncryptionKeyRequestBody: + $ref: >- + #/components/examples/oAuthClientJsonInactiveEncryptionKeyRequest + createOAuth2ClientJsonActiveEncryptionKeyRequestBody: + $ref: >- + #/components/examples/oAuthClientJsonActiveEncryptionKeyRequest + responses: + '201': + description: Created + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' + - $ref: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' + examples: + newOAuth2ClientJsonWebKeyResponse: + $ref: '#/components/examples/oAuthClientJsonWebKey' + newOAuth2ClientJsonInactiveEncryptionKeyResponse: + $ref: '#/components/examples/oAuthClientJsonInactiveEncryptionKey' + newOAuth2ClientJsonActiveEncryptionKeyResponse: + $ref: '#/components/examples/oAuthClientJsonActiveEncryptionKey' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorClientJsonWebKeyNonUniqueKid: + $ref: '#/components/examples/ErrorClientJsonWebKeyNonUniqueKid' + ErrorClientJsonWebKeyDuplicateKid: + $ref: '#/components/examples/ErrorClientJsonWebKeyDuplicateKid' + ErrorClientJsonWebKeyKidLengthTooShort: + $ref: '#/components/examples/ErrorClientJsonWebKeyKidLengthTooShort' + ErrorClientJsonWebKeyTooManyKids: + $ref: '#/components/examples/ErrorClientJsonWebKeyTooManyKids' + ErrorOnlyOneActiveEncryptionKeyAllowed: + $ref: '#/components/examples/ErrorOnlyOneActiveEncryptionKeyAllowed' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + 
$ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/credentials/jwks/{keyId}: + get: + summary: Retrieve an OAuth 2.0 client JSON Web Key + description: Retrieves an OAuth 2.0 Client JSON Web Key by `keyId`. + operationId: getJwk + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + oneOf: + - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' + - $ref: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' + examples: + OAuthClientJsonWebKeyResponseExample: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an OAuth 2.0 client JSON Web Key + description: >- + Deletes an OAuth 2.0 Client JSON Web Key by `keyId`. You can only delete + an inactive key. 
+ operationId: deletejwk + responses: + '204': + description: No Content + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeleteActiveJsonWebKey: + $ref: '#/components/examples/ErrorDeleteActiveJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/activate: + post: + summary: Activate an OAuth 2.0 client JSON Web Key + description: >- + Activates an OAuth 2.0 Client JSON Web Key by `keyId` + + > **Note:** You can have only one active encryption key at any given + time for app. When you activate an inactive key, the current active key + is automatically deactivated. 
+ operationId: activateOAuth2ClientJsonWebKey + responses: + '200': + description: OK + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' + - $ref: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' + examples: + activateOAuth2ClientJsonWebKeyResponse: + $ref: '#/components/examples/oAuthClientJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/deactivate: + post: + summary: Deactivate an OAuth 2.0 client JSON Web Key + description: >- + Deactivates an OAuth 2.0 Client JSON Web Key by `keyId`. + + > **Note:** You can only deactivate signing keys. Deactivating the + active encryption key isn't allowed if the client has ID token + encryption enabled. You can activate another encryption key, which makes + the current key inactive. 
+ operationId: deactivateOAuth2ClientJsonWebKey + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' + examples: + deactivateOAuth2ClientJsonWebKeyResponse: + $ref: >- + #/components/examples/deactivateOAuth2ClientJsonWebKeyResponse + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod: + $ref: >- + #/components/examples/ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod + ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm: + $ref: >- + #/components/examples/ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm + ErrorDeactivateEncryptionKey: + $ref: '#/components/examples/ErrorDeactivateEncryptionKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + /api/v1/apps/{appId}/credentials/keys: + get: + summary: List all key credentials + description: Lists all key credentials for an app + operationId: listApplicationKeys + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/JsonWebKey' + examples: + ListAllKeyCredentialsExample: + $ref: '#/components/examples/ListAllKeyCredentialsExample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' 
+ security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/credentials/keys/generate: + post: + summary: Generate a key credential + description: >- + Generates a new X.509 certificate for an app key credential + + > **Note:** To update an Application with the newly generated key + credential, use the [Replace an + Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) + request with the new + [credentials.signing.kid](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing/kid&t=request) + value in the request body. You can provide just the [Signing Credential + object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing&t=request) + instead of the entire [Application Credential + object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials&t=request). 
+ operationId: generateApplicationKey + parameters: + - name: validityYears + description: Expiry years of the Application Key Credential + in: query + required: true + schema: + type: integer + example: 5 + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorKeyCredentialInvalidValidity: + $ref: '#/components/examples/ErrorKeyCredentialInvalidValidity' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/credentials/keys/{keyId}: + get: + summary: Retrieve a key credential + description: Retrieves a specific Application Key Credential by `kid` + operationId: getApplicationKey + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathKeyId' + 
/api/v1/apps/{appId}/credentials/keys/{keyId}/clone: + post: + summary: Clone a key credential + description: >- + Clones an X.509 certificate for an Application Key Credential from a + source app to a target app. + + + For step-by-step instructions to clone a credential, see [Share + application key credentials for IdPs across + apps](https://developer.okta.com/docs/guides/sharing-cert/main/). + + > **Note:** Sharing certificates isn't a recommended security practice. + operationId: cloneApplicationKey + parameters: + - name: targetAid + in: query + description: Unique key of the target Application + required: true + schema: + type: string + example: 0ouuytCAJSSDELFTUIDS + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/JsonWebKey' + examples: + KeyCredentialExample: + $ref: '#/components/examples/KeyCredentialExample' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorKeyCredentialCloneDuplicateKey: + $ref: '#/components/examples/ErrorKeyCredentialCloneDuplicateKey' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOCredentialKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathKeyId' + /api/v1/apps/{appId}/credentials/secrets: + get: + summary: List all OAuth 2.0 client secrets + description: Lists all client secrets for an OAuth 2.0 client app + operationId: listOAuth2ClientSecrets + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + 
OAuthClientSecretListResponseExample: + $ref: '#/components/examples/oAuthClientSecretListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an OAuth 2.0 client secret + description: >- + Creates an OAuth 2.0 Client Secret object with a new active client + secret. You can create up to two Secret objects. An error is returned if + you attempt to create more than two Secret objects. + + > **Note:** This API lets you bring your own secret. If + [token_endpoint_auth_method](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/credentials/oauthClient/token_endpoint_auth_method&t=request) + of the app is `client_secret_jwt`, then the minimum length of + `client_secret` is 32 characters. If no secret is specified in the + request, Okta adds a new system-generated secret. 
+ operationId: createOAuth2ClientSecret + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecretRequestBody' + examples: + createOAuth2ClientSecretSystemGeneratedRequestBody: + $ref: >- + #/components/examples/createOAuth2ClientSecretSystemGeneratedRequestBody + createOAuth2ClientSecretCustomRequestBody: + $ref: >- + #/components/examples/createOAuth2ClientSecretCustomRequestBody + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + newOAuth2ClientSecretResponse: + $ref: '#/components/examples/oAuth2ClientSecretResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorClientSecretTooLong: + $ref: '#/components/examples/ErrorClientSecretTooLong' + ErrorClientSecretTooShort: + $ref: '#/components/examples/ErrorClientSecretTooShort' + ErrorClientSecretTooShortJWT: + $ref: >- + #/components/examples/ErrorClientSecretTooShortWithClientSecretJWT + ErrorClientSecretPrivateKeyJWT: + $ref: '#/components/examples/ErrorClientSecretWithPrivateKeyJWT' + ErrorClientSecretNonAscii: + $ref: '#/components/examples/ErrorClientSecretNonAscii' + ErrorMaxNumberOfSecrets: + $ref: '#/components/examples/ErrorMaxNumberOfSecrets' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/credentials/secrets/{secretId}: + get: + summary: Retrieve an OAuth 2.0 client secret + description: Retrieves an OAuth 2.0 Client Secret by `secretId` + operationId: getOAuth2ClientSecret + responses: + 
'200': + description: OK + content: + application/json: + schema: + type: object + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + OAuthClientSecretResponseExample: + $ref: '#/components/examples/oAuth2ClientSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an OAuth 2.0 client secret + description: >- + Deletes an OAuth 2.0 Client Secret by `secretId`. You can only delete an + inactive Secret. + operationId: deleteOAuth2ClientSecret + responses: + '204': + description: No Content + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeleteActiveClientSecret: + $ref: '#/components/examples/ErrorDeleteActiveSecret' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' + /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/activate: + post: + summary: Activate an OAuth 2.0 client secret + description: Activates an OAuth 2.0 Client Secret by `secretId` + operationId: activateOAuth2ClientSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: 
'#/components/schemas/OAuth2ClientSecret' + examples: + activateOAuth2ClientSecretResponse: + $ref: '#/components/examples/activateOAuth2ClientSecretResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathClientSecretId' + /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/deactivate: + post: + summary: Deactivate an OAuth 2.0 client secret + description: >- + Deactivates an OAuth 2.0 Client Secret by `secretId`. You can't + deactivate a secret if it's the only secret of the client. + operationId: deactivateOAuth2ClientSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ClientSecret' + examples: + deactivateOAuth2ClientSecretResponse: + $ref: '#/components/examples/deactivateOAuth2ClientSecretResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeactivateTheOnlyClientSecret: + $ref: '#/components/examples/ErrorDeactivateTheOnlyClientSecret' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOPublicKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: 
'#/components/parameters/pathClientSecretId' + /api/v1/apps/{appId}/cwo/connections: + get: + summary: Retrieve all Cross App Access connections + description: > + Retrieves inbound and outbound Cross App Access connections associated + with an app + operationId: getAllCrossAppAccessConnections + parameters: + - name: after + in: query + required: false + description: >- + Specifies the pagination cursor for the next page of connection + results + schema: + type: string + - name: limit + in: query + required: false + description: | + Specifies the number of results to return per page. The values: + * -1: Return all results (up to system maximum) + * 0: Return an empty result set + * Positive integer: Return up to that many results (capped at system maximum) + schema: + type: integer + format: int32 + default: -1 + maximum: 200 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OrgCrossAppAccessConnection' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationCrossAppAccessConnections + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a Cross App Access connection + description: | + Creates a Cross App Access connection + operationId: createCrossAppAccessConnection + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCrossAppAccessConnection' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCrossAppAccessConnection' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: 
'#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationCrossAppAccessConnections + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/cwo/connections/{connectionId}: + get: + summary: Retrieve a Cross App Access connection + description: | + Retrieves the Cross App Access connection with the specified ID + operationId: getCrossAppAccessConnection + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCrossAppAccessConnection' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationCrossAppAccessConnections + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + patch: + summary: Update a Cross App Access connection + description: | + Updates the Cross App Access connection with the specified ID + operationId: updateCrossAppAccessConnection + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCrossAppAccessConnectionPatchRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OrgCrossAppAccessConnection' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: 
'#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationCrossAppAccessConnections + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a Cross App Access connection + description: | + Deletes a Cross App Access connection with the specified ID + operationId: deleteCrossAppAccessConnection + responses: + '204': + description: No Content + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationCrossAppAccessConnections + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/connectionId' + /api/v1/apps/{appId}/features: + get: + summary: List all features + description: > + Lists all features for an app + + > **Note:** This request returns an error if provisioning isn't enabled + for the app. + + > To set up provisioning, see [Update the default provisioning + connection](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). 
+ operationId: listFeaturesForApplication + responses: + '200': + description: Success + content: + application/json: + schema: + items: + $ref: '#/components/schemas/ApplicationFeature' + type: array + examples: + ListAppFeatureResponse: + $ref: '#/components/examples/AppFeatureListResponseEx' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ListAppFeatureAPIValidationFailed: + $ref: '#/components/examples/ErrorAppFeatureAPIValidationFailed' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/features/{featureName}: + get: + summary: Retrieve a feature + description: Retrieves a Feature object for an app + operationId: getFeatureForApplication + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ApplicationFeature' + examples: + AppFeatureResponse: + $ref: '#/components/examples/AppFeatureResponseEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Update a feature + description: | + Updates a Feature object for an app + > **Note:** This endpoint supports partial updates. 
+ operationId: updateFeatureForApplication + requestBody: + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/CapabilitiesObject' + - $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject' + examples: + UpdateAppFeatureEx: + $ref: '#/components/examples/UpdateAppFeatureRequestEx' + UpdateInboundProvisioningFeatureEx: + $ref: >- + #/components/examples/UpdateInboundProvisioningFeatureRequestEx + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ApplicationFeature' + examples: + UpdateAppFeatureEx: + $ref: '#/components/examples/UpdateAppFeatureResponseEx' + UpdateInboundProvisioningFeatureEx: + $ref: >- + #/components/examples/UpdateInboundProvisioningFeatureResponseEx + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationFeatures + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathFeatureName' + /api/v1/apps/{appId}/federated-claims: + get: + summary: List all configured federated claims + description: Lists all federated claims for your app + operationId: listFederatedClaims + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/FederatedClaim' + examples: + listFederatedClaimResponse: + $ref: '#/components/examples/listFederatedClaimResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOFederatedClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a federated claim + description: >- + Creates a claim that will be included in tokens produced by federation + protocols (for example: OIDC `id_tokens` or SAML Assertions) + operationId: createFederatedClaim + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/FederatedClaimRequestBody' + examples: + createFederatedClaimRequestBody: + $ref: '#/components/examples/createFederatedClaimRequestBody' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/FederatedClaim' + examples: + federatedClaimResponse: + $ref: '#/components/examples/federatedClaimResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOFederatedClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/federated-claims/{claimId}: + get: + summary: Retrieve a federated claim + description: Retrieves a federated claim by `claimId` + operationId: getFederatedClaim + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + $ref: '#/components/schemas/FederatedClaimRequestBody' + examples: + federatedClaimResponse: + $ref: '#/components/examples/federatedClaimResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: 
'#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSOFederatedClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a federated claim + description: >- + Replaces a claim that will be included in tokens produced by federation + protocols (for example: OIDC `id_tokens` or SAML Assertions) + operationId: replaceFederatedClaim + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/FederatedClaim' + examples: + replaceFederatedClaim: + $ref: '#/components/examples/replaceFederatedClaimRequestBody' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/FederatedClaim' + examples: + replaceFederatedClaimResponse: + $ref: '#/components/examples/replaceFederatedClaimResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationSSOFederatedClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a federated claim + description: Deletes a federated claim by `claimId` + operationId: deleteFederatedClaim + responses: + '204': + description: No Content + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - 
okta.apps.manage + tags: + - ApplicationSSOFederatedClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/claimId' + /api/v1/apps/{appId}/grants: + get: + summary: List all app grants + description: Lists all scope consent Grants for the app + operationId: listScopeConsentGrants + parameters: + - $ref: '#/components/parameters/queryAppGrantsExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + ListAppGrantsExample: + $ref: '#/components/examples/ListAppGrantsEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.appGrants.read + tags: + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Grant consent to scope + description: Grants consent for the app to request an OAuth 2.0 Okta scope + operationId: grantConsentToScope + x-codegen-request-body-name: oAuth2ScopeConsentGrant + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsPostEx' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsEx' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + 
- oauth2: + - okta.appGrants.manage + tags: + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/grants/{grantId}: + get: + summary: Retrieve an app grant + description: Retrieves a single scope consent Grant object for the app + operationId: getScopeConsentGrant + parameters: + - $ref: '#/components/parameters/queryAppGrantsExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + examples: + AppGrantsExample: + $ref: '#/components/examples/AppGrantsEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.appGrants.read + tags: + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke an app grant + description: Revokes permission for the app to grant the given scope + operationId: revokeScopeConsentGrant + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.appGrants.manage + tags: + - ApplicationGrants + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathGrantId' + /api/v1/apps/{appId}/group-push/mappings: + get: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: List all group push mappings + description: Lists all group push mappings with pagination support + operationId: listGroupPushMappings + parameters: + - name: after + 
description: Specifies the pagination cursor for the next page of mappings + in: query + schema: + type: string + - name: limit + in: query + description: Specifies the number of results returned + schema: + type: integer + format: int32 + default: 100 + maximum: 1000 + minimum: 1 + - name: lastUpdated + description: >- + Filters group push mappings by last updated date. The `lastUpdated` + parameter supports the following format: `YYYY-MM-DDTHH:mm:ssZ`. + This filters mappings updated on or after the specified date and + time in UTC. + + + If you don't specify a value, all group push mappings are returned. + in: query + schema: + type: string + example: '2025-01-01T00:00:00Z' + - name: sourceGroupId + description: >- + Filters group push mappings by source group ID. If you don't specify + a value, all group push mappings are returned. + in: query + schema: + type: string + example: 00g00000000000000000 + - name: status + description: >- + Filters group push mappings by status. If you don't specify a value, + all group push mappings are returned. 
+ in: query + schema: + $ref: '#/components/schemas/GroupPushMappingStatus' + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/GroupPushMapping' + examples: + List group push mappings: + $ref: '#/components/examples/ListGroupPushMappingsResponse_Example' + List group push mappings with active filter: + $ref: >- + #/components/examples/ListGroupPushMappingsResponse_ExampleWithActiveFilter + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + - okta.groups.read + tags: + - GroupPushMapping + post: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Create a group push mapping + description: >- + Creates or links a group push mapping. + + + **Note:** Either `targetGroupId` or `targetGroupName` must be provided, + but not both. If `targetGroupId` is provided, it links to an existing + group. If `targetGroupName` is provided, it creates a new group. 
+ operationId: createGroupPushMapping + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateGroupPushMappingRequest' + examples: + Create group push mapping (create new group): + $ref: >- + #/components/examples/CreateGroupPushMappingRequest_ExampleCreate + Create group push mapping (Active Directory): + $ref: >- + #/components/examples/CreateGroupPushMappingRequest_ExampleCreate_ActiveDirectory + Create group push mapping (link existing group): + $ref: >- + #/components/examples/CreateGroupPushMappingRequest_ExampleLink + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/GroupPushMapping' + examples: + Create group push mapping: + $ref: >- + #/components/examples/CreateGroupPushMappingResponse_ExampleCreate + Create group push mapping (Active Directory): + $ref: >- + #/components/examples/CreateGroupPushMappingResponse_ExampleCreate_ActiveDirectory + Create group push mapping (link existing group): + $ref: >- + #/components/examples/CreateGroupPushMappingResponse_ExampleLink + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + - okta.groups.manage + tags: + - GroupPushMapping + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/group-push/mappings/{mappingId}: + get: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Retrieve a group push mapping + description: Retrieves a group push mapping by ID + operationId: getGroupPushMapping + responses: + '200': + 
description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/GroupPushMapping' + examples: + Retrieve group push mapping: + $ref: >- + #/components/examples/RetrieveGroupPushMappingResponse_Example + Retrieve group push mapping (Active Directory): + $ref: >- + #/components/examples/RetrieveGroupPushMappingResponse_Example_ActiveDirectory + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + - okta.groups.read + tags: + - GroupPushMapping + patch: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Update a group push mapping + description: Updates the status of a group push mapping + operationId: updateGroupPushMapping + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateGroupPushMappingRequest' + examples: + Update group push mapping: + $ref: '#/components/examples/UpdateGroupPushMappingRequest_Example' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GroupPushMapping' + examples: + Update group push mapping: + $ref: '#/components/examples/UpdateGroupPushMappingResponse_Example' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + - 
okta.groups.manage + tags: + - GroupPushMapping + delete: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Delete a group push mapping + description: >- + Deletes a specific group push mapping. The group push mapping must be in + an `INACTIVE` state. + operationId: deleteGroupPushMapping + parameters: + - in: query + name: deleteTargetGroup + description: >- + If set to `true`, the target group is also deleted. If set to + `false`, the target group isn't deleted. + required: true + schema: + type: boolean + default: false + responses: + '204': + description: No Content + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + - okta.groups.manage + tags: + - GroupPushMapping + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathGroupPushMappingId' + /api/v1/apps/{appId}/groups: + get: + summary: List all application groups + description: Lists all app group assignments + operationId: listApplicationGroupAssignments + parameters: + - name: q + in: query + description: >- + Specifies a filter for a list of assigned groups returned based on + their names. The value of `q` is matched against the group `name`. + + This filter only supports the `startsWith` operation that matches + the `q` string against the beginning of the [group + name](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=profile/name&t=response). 
+ schema: + type: string + example: test + - name: after + in: query + description: >- + Specifies the pagination cursor for the `next` page of results. + Treat this as an opaque value obtained through the next link + relationship. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: string + example: 16275000448691 + - $ref: '#/components/parameters/queryGroupAssignmentLimit' + - $ref: '#/components/parameters/queryGroupAssignmentWithMetadataExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + listGroupAssignmentsResponseExample: + $ref: '#/components/examples/GroupAssignmentExListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/groups/{groupId}: + get: + summary: Retrieve an application group + description: Retrieves an app group assignment + operationId: getApplicationGroupAssignment + parameters: + - $ref: '#/components/parameters/queryGroupAssignmentWithGroupExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + getGroupAssignmentResponseExample: + $ref: '#/components/examples/EmbeddedGroupAssignmentSampleResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationGroups + 
x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Assign an application group + description: >- + Assigns a + [Group](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) + to an app, which in turn assigns the app to each + [User](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/) + that belongs to the group. + + The resulting application user + [scope](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers!c=200&path=scope&t=response) + is `GROUP` since the assignment was from the group membership. + operationId: assignGroupToApplication + x-codegen-request-body-name: applicationGroupAssignment + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + putGroupAssignmentRequestExample: + $ref: '#/components/examples/GroupAssignmentPutRequestExample' + required: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + putGroupAssignmentResponseExample: + $ref: '#/components/examples/GroupAssignmentPutResponseExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + patch: + summary: Update an application group + description: Updates a group assignment to an app + operationId: updateGroupAssignmentToApplication + requestBody: + content: + 
application/json: + schema: + type: array + items: + $ref: '#/components/schemas/JsonPatchOperation' + examples: + groupAssignmentPatchRequetExample: + $ref: '#/components/examples/GroupAssignmentPatchRequestExample' + required: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ApplicationGroupAssignment' + examples: + patchGroupAssignmentResponseExample: + $ref: '#/components/examples/GroupAssignmentPatchResponseExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign an application group + description: Unassigns a Group from an app + operationId: unassignApplicationFromGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationGroups + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathGroupId' + /api/v1/apps/{appId}/lifecycle/activate: + post: + summary: Activate an application + description: Activates an inactive application + operationId: activateApplication + responses: + '200': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/lifecycle/deactivate: + post: + summary: Deactivate an application + description: >- + Deactivates an active application + + + > **Note:** Deactivating an app triggers a full reconciliation of all + users assigned to the app by groups. This reconcile process removes the + app assignment for the deactivated app, and might also correct + assignments that were supposed to be removed but failed previously. + operationId: deactivateApplication + responses: + '200': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - Application + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/logo: + post: + summary: Upload an application logo + description: > + Uploads a logo for the app instance. + + If the app already has a logo, this operation replaces the previous + logo. + + + The logo is visible in the Admin Console as an icon for your app + instance. + + If you have one `appLink` object configured, this logo also appears in + the End-User Dashboard as an icon for your app. + + > **Note:** If you have multiple `appLink` objects, use the Admin + Console to add logos for each app link. + + > You can't use the API to add logos for multiple app links. 
+ operationId: uploadApplicationLogo + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + file: + type: string + format: binary + description: > + The image file containing the logo. + + + The file must be in PNG, JPG, SVG, or GIF format, and less + than one MB in size. + + For best results, use an image with a transparent background + and a square dimension of 200 x 200 pixels to prevent + upscaling. + + + > **Notes:** + + > * Only SVG files encoded in UTF-8 are supported. For + example, `` is a valid + SVG file declaration. + + > * `multipart/form-data` isn't supported for Python. Remove + the `"Content-Type": "multipart/form-data"` line if you use + the Python request sample code. + required: + - file + responses: + '201': + description: Content Created + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationLogos + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/policies/{policyId}: + put: + summary: Assign an authentication policy + description: >- + Assigns an app to an [authentication + policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/), identified by + `policyId`. + + If the app was previously assigned to another policy, this operation + replaces that assignment with the updated policy identified by + `policyId`. + + + > **Note:** When you [merge duplicate authentication + policies](https://help.okta.com/okta_help.htm?type=oie&id=ext-merge-auth-policies), + + the policy and mapping CRUD operations may be unavailable during the + consolidation. 
When the consolidation is complete, you receive an email + with merged results. + operationId: assignApplicationPolicy + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationPolicies + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathPolicyId' + /api/v1/apps/{appId}/sso/saml/metadata: + get: + summary: Preview the application SAML metadata + description: Previews the SSO SAML metadata for an application + operationId: previewSAMLmetadataForApplication + parameters: + - name: kid + in: query + required: true + schema: + type: string + example: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo + responses: + '200': + description: OK + content: + text/xml: + schema: + type: string + description: SAML metadata in XML + examples: + previewSAML: + summary: SAML metadata example + value: > + + + + + + + MIIDqDCCApCgAwIBAgIGAVGNO4qeMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEG + A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU + + MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJ + + ARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODUwMDhaFw0xNzEyMTAxODUxMDdaMIGUMQswCQYD + + VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG + + A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEc + + MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + + ggEBALAakG48bgcTWHdwmVLHig0mkiRejxIVm3wbzrNSJcBruTq2zCYZ1rGfVxTYON8kJqvkXPmv + + kzWKhpEkvhubL+mx29XpXY0AsNIfgcm5xIV56yhXSvlMdqzGo3ciRwoACaF+ClNLxmXK9UTZD89B + + 
bVVGCG5AEvja0eCQ0GYsO5i9aSI5aTroab8Aew31PuWl/RGQWmjVy8+7P4wwkKKJNKCpxMYDlhfa + + WRp0zwUSbUCO0qEyeAYdZx6CLES4FGrDi/7D6G+ewWC+kbz1tL1XpF2Dcg3+IOlHrV6VWzz3rG39 + + v9zFIncjvoQJFDGWhpqGqcmXvgH0Ze3SVcVF01T+bK0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA + + AHmnSZ4imjNrIf9wxfQIcqHXEBoJ+oJtd59cw1Ur/YQY9pKXxoglqCQ54ZmlIf4GghlcZhslLO+m + + NdkQVwSmWMh6KLxVM18/xAkq8zyKbMbvQnTjFB7x45bgokwbjhivWqrB5LYHHCVN7k/8mKlS4eCK + + Ci6RGEmErjojr4QN2xV0qAqP6CcGANgpepsQJCzlWucMFKAh0x9Kl8fmiQodfyLXyrebYsVnLrMf + + jxE1b6dg4jKvv975tf5wreQSYZ7m//g3/+NnuDKkN/03HqhV7hTNi1fyctXk8I5Nwgyr+pT5LT2k + + YoEdncuy+GQGzE9yLOhC4HNfHQXpqp2tMPdRlw== + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + + + + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationSSO + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/tokens: + get: + summary: List all application refresh tokens + description: > + Lists all refresh tokens for an app + + + > **Note:** The results are [paginated]https://developer.okta.com/docs/api#pagination according to the + `limit` parameter. + + > If there are multiple pages of results, the Link header contains a + `next` link that you need to use as an opaque value (follow it, don't + parse it). 
+ operationId: listOAuth2TokensForApplication + parameters: + - $ref: '#/components/parameters/queryAppGrantsExpand' + - $ref: '#/components/parameters/queryAppAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + getOAuth2TokenForApplicationListExample: + $ref: '#/components/examples/OAuth2RefreshTokenResponseListEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke all application tokens + description: >- + Revokes all OAuth 2.0 refresh tokens for the specified app. Any access + tokens issued with these refresh tokens are also revoked, but access + tokens issued without a refresh token aren't affected. 
+ operationId: revokeOAuth2TokensForApplication + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/tokens/{tokenId}: + get: + summary: Retrieve an application token + description: Retrieves a refresh token for the specified app + operationId: getOAuth2TokenForApplication + parameters: + - $ref: '#/components/parameters/queryAppGrantsExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + getOAuth2TokenForApplicationExample: + $ref: '#/components/examples/OAuth2RefreshTokenResponseEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke an application token + description: Revokes the specified token for the specified app + operationId: revokeOAuth2TokenForApplication + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationTokens + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: 
'#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathTokenId' + /api/v1/apps/{appId}/users: + get: + summary: List all application users + description: Lists all assigned users for an app + operationId: listApplicationUsers + parameters: + - $ref: '#/components/parameters/queryAppAfter' + - $ref: '#/components/parameters/queryAppLimit' + - $ref: '#/components/parameters/queryAppUserQ' + - $ref: '#/components/parameters/queryAppUserExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AppUser' + examples: + ListAppUsersExample: + $ref: '#/components/examples/AppUserListEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Assign an application user + description: |- + Assigns a user to an app for: + + * SSO only
+ Assignments to SSO apps typically don't include a user profile. + However, if your SSO app requires a profile but doesn't have provisioning enabled, you can add profile attributes in the request body. + + * SSO and provisioning
+ Assignments to SSO and provisioning apps typically include credentials and an app-specific profile. + Profile mappings defined for the app are applied first before applying any profile properties that are specified in the request body. + > **Notes:** + > * When Universal Directory is enabled, you can only specify profile properties that aren't defined in profile mappings. + > * Omit mapped properties during assignment to minimize assignment errors. + operationId: assignUserToApplication + x-codegen-request-body-name: appUser + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AppUserAssignRequest' + examples: + AppUserSSOEx: + $ref: '#/components/examples/AppUserAssignSSORequest' + AppUserProvEx: + $ref: '#/components/examples/AppUserAssignProvRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AppUser' + examples: + AppUserSSOEx: + $ref: '#/components/examples/AppUserSSOResponse' + AppUserProvEx: + $ref: '#/components/examples/AppUserProvResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAppUserForbidden403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/apps/{appId}/users/{userId}: + get: + summary: Retrieve an application user + description: Retrieves a specific user assignment for a specific app + operationId: getApplicationUser + parameters: + - $ref: '#/components/parameters/queryAppUserExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AppUser' + examples: + GetAppUserExample: + 
$ref: '#/components/examples/AppUserProvExpandResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update an application user + description: Updates the profile or credentials of a user assigned to an app + operationId: updateApplicationUser + x-codegen-request-body-name: appUser + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AppUserUpdateRequest' + examples: + AppUserUpdateCredEx: + $ref: '#/components/examples/AppUserUpdateCredRequest' + AppUserUpdateProfileEx: + $ref: '#/components/examples/AppUserUpdateProfileRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AppUser' + examples: + AppUserUpdateCredEx: + $ref: '#/components/examples/AppUserCredUpdateResponse' + AppUserUpdateProfileEx: + $ref: '#/components/examples/AppUserProfUpdateResponse' + '400': + $ref: '#/components/responses/ErrorAppUserUpdateBadRequest400' + '403': + $ref: '#/components/responses/ErrorAppUserForbidden403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign an application user + description: >- + Unassigns a user from an app + + + For directories like Active Directory and LDAP, they act as the owner of + the user's credential with Okta delegating authentication (DelAuth) to + that directory. 
+ + If this request is successful for a user when DelAuth is enabled, then + the user is in a state with no password. You can then reset the user's + password. + + + > **Important:** This is a destructive operation. You can't recover the + user's app profile. If the app is enabled for provisioning and + configured to deactivate users, the user is also deactivated in the + target app. + operationId: unassignUserFromApplication + parameters: + - name: sendEmail + in: query + description: Sends a deactivation email to the administrator if `true` + schema: + type: boolean + default: false + x-okta-added-version: 1.5.0 + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathAppUserId' + /api/v1/apps/{appName}/{appId}/oauth2/callback: + post: + summary: Verify the provisioning connection + description: > + Verifies the OAuth 2.0-based connection as part of the OAuth 2.0 consent + flow. The validation of the consent flow is the last step of the + provisioning setup for an OAuth 2.0-based connection. + + Currently, this operation only supports `office365`,`google`, `zoomus`, + and `slack` apps. 
+ operationId: verifyProvisioningConnectionForApplication + parameters: + - name: code + in: query + schema: + type: string + description: Unique string associated with each authentication request + - name: state + in: query + schema: + type: string + description: >- + A temporary code string that the client exchanges for an access + token + responses: + '204': + description: No content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - ApplicationConnections + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathOAuthProvisioningAppName' + - $ref: '#/components/parameters/pathAppId' +components: + schemas: + Application: + type: object + properties: + accessibility: + $ref: '#/components/schemas/ApplicationAccessibility' + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the application object was created + features: + type: array + description: > + Enabled app features + + > **Note:** See [Application + Features](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationFeatures/) + for app provisioning features. 
+ readOnly: true + items: + type: string + enum: + - GROUP_PUSH + - IMPORT_NEW_USERS + - IMPORT_PROFILE_UPDATES + - IMPORT_USER_SCHEMA + - PROFILE_MASTERING + - PUSH_NEW_USERS + - PUSH_PASSWORD_UPDATES + - PUSH_PROFILE_UPDATES + - PUSH_USER_DEACTIVATION + - REACTIVATE_USERS + - OUTBOUND_DEL_AUTH + - DESKTOP_SSO + - FEDERATED_PROFILE + - SUPPRESS_ACTIVATION_EMAIL + - PUSH_PENDING_USERS + - MFA + - UPDATE_EXISTING_USERNAME + - EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH + - EXCHANGE_ACTIVE_SYNC + - IMPORT_SYNC + - IMPORT_SYNC_CONTACTS + - DEVICE_COMPLIANCE + - VPN_CONFIG + - IMPORT_SCHEMA_ENUM_VALUES + - SCIM_PROVISIONING + - DEVICE_FILTER_IN_SIGN_ON_RULES + - PROFILE_TEMPLATE_UPGRADE + - DEFAULT_PUSH_STATUS_TO_PUSH + - REAL_TIME_SYNC + - SSO + - AUTHN_CONTEXT + - JIT_PROVISIONING + - GROUP_SYNC + - OPP_SCIM_INCREMENTAL_IMPORTS + - IN_MEMORY_APP_USER + - LOG_STREAMING + - OAUTH_INTEGRATION + - IDP + - PUSH_NEW_USERS_WITHOUT_PASSWORD + - SKYHOOK_SERVICE + - ENTITLEMENT_MANAGEMENT + - PUSH_NEW_USERS_WITH_HASHED_PASSWORD + x-enumDescriptions: + GROUP_PUSH: >- + Creates or links a group in the app when a mapping is defined + for a group in Okta. Okta is the source for group memberships + and all group members in Okta who are also assigned to the app + are synced as group members to the app. + IMPORT_NEW_USERS: Creates or links a user in Okta to a user from the app + IMPORT_PROFILE_UPDATES: >- + Updates a linked user's app profile during manual or scheduled + imports + IMPORT_USER_SCHEMA: >- + Discovers the profile schema for a user from the app + automatically + PROFILE_MASTERING: >- + Designates the app as the identity lifecycle and profile + attribute authority for linked users. The user's profile in Okta + is read-only. 
+ PUSH_NEW_USERS: >- + Creates or links a user account in the app when assigning the + app to a user in Okta + PUSH_PASSWORD_UPDATES: >- + Updates the user's app password when their password changes in + Okta + PUSH_PROFILE_UPDATES: >- + Updates a user's profile in the app when the user's profile + changes in Okta (the profile source) + PUSH_USER_DEACTIVATION: >- + Deactivates a user's account in the app when unassigned from the + app in Okta or deactivated + REACTIVATE_USERS: >- + Reactivates an existing inactive user when provisioning a user + to the app + OUTBOUND_DEL_AUTH: >- + Okta user authentication requests are delegated to a third-party + app + DESKTOP_SSO: >- + Okta user authentication requests are handled by desktop SSO + negotiation (if possible) + FEDERATED_PROFILE: >- + App user profiles are synchronized at sign-in and profile-view + instances instead of during bulk imports + SUPPRESS_ACTIVATION_EMAIL: >- + Activation emails aren't sent to users sourced by AD and orgs + with DelAuth enabled + PUSH_PENDING_USERS: >- + Users are in PENDING state in Okta and are created but not + active in the sourced app user + MFA: App can verify credentials as a second factor + UPDATE_EXISTING_USERNAME: App can update the user name for existing users + EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH: Exclude username update during profile push + EXCHANGE_ACTIVE_SYNC: App supports synchronizing credentials with OMM enrolled devices + IMPORT_SYNC: Synchronize import events + IMPORT_SYNC_CONTACTS: Synchronize contacts + DEVICE_COMPLIANCE: Apps support device compliance rules + VPN_CONFIG: App supports pushing VPN configuration to OMM enrolled devices + IMPORT_SCHEMA_ENUM_VALUES: >- + App supports downloading schema enum values. You can download + custom objects and integrating them with UD without being tied + to the type metadata system. 
+ SCIM_PROVISIONING: >- + App supports generic SCIM client provisioning and can leverage + SCIM standard for provisioning and push custom attributes to a + third-party app + DEVICE_FILTER_IN_SIGN_ON_RULES: App supports filtering by client type in app sign-on rules + PROFILE_TEMPLATE_UPGRADE: >- + App supports profile template upgrades. This is primarily to + help roll out the profile template upgrade feature for + individual apps + DEFAULT_PUSH_STATUS_TO_PUSH: >- + App defaults Push status to `PUSH`. This feature is for apps, + such as SharePoint, that want to receive App User profile + updates even though they didn't implement traditional + PUSH_PROFILE_UPDATES in the client API. + REAL_TIME_SYNC: Apps support real-time synchronization + SSO: Apps support establishing a subject based on claims from an IdP + AUTHN_CONTEXT: >- + Apps support establishing an authentication context based on + claims from an IdP + JIT_PROVISIONING: Apps support provisioning a user based on claims from an IdP + GROUP_SYNC: >- + Apps support syncing group information based on claims from an + IdP + OPP_SCIM_INCREMENTAL_IMPORTS: Apps support incremental imports. Used for SCIM app instances + IN_MEMORY_APP_USER: >- + Apps support in-memory app users. This feature is used as an + alternative to Implicit App Assignment for a non-persisted app + user. + LOG_STREAMING: Apps support log streaming + OAUTH_INTEGRATION: App is an OAuth 2.0 integration + IDP: Apps support IdP functionalities + PUSH_NEW_USERS_WITHOUT_PASSWORD: Don't send generated password for new users + SKYHOOK_SERVICE: Use the Skyhook microservice for LCM operations + ENTITLEMENT_MANAGEMENT: Marker to showcase which OIN apps are entitlement enabled + PUSH_NEW_USERS_WITH_HASHED_PASSWORD: >- + Send hashed password for new users. This feature is only used + for CIS to CIC migration. 
+ id: + type: string + readOnly: true + description: Unique ID for the app instance + label: + $ref: '#/components/schemas/ApplicationLabel' + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the application object was last updated + licensing: + $ref: '#/components/schemas/ApplicationLicensing' + orn: + type: string + readOnly: true + description: The Okta resource name (ORN) for the current app instance + profile: + type: object + description: >- + Contains any valid JSON schema for specifying properties that can be + referenced from a request (only available to OAuth 2.0 client apps). + + For example, add an app manager contact email address or define an + allowlist of groups that you can then reference using the Okta + Expression Language `getFilteredGroups` function. + + + > **Notes:** + + > * `profile` isn't encrypted, so don't store sensitive data in it. + + > * `profile` doesn't limit the level of nesting in the JSON schema + you created, but there is a practical size limit. Okta recommends a + JSON schema size of 1 MB or less for best performance. + additionalProperties: true + signOnMode: + $ref: '#/components/schemas/ApplicationSignOnMode' + status: + $ref: '#/components/schemas/ApplicationLifecycleStatus' + universalLogout: + $ref: '#/components/schemas/ApplicationUniversalLogout' + visibility: + $ref: '#/components/schemas/ApplicationVisibility' + _embedded: + type: object + description: >- + Embedded resources related to the app using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. If the `expand=user/{userId}` query parameter is + specified, then the assigned [Application + User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) is + embedded. 
+ properties: + user: + type: object + description: >- + The specified [Application + User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) + assigned to the app + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/ApplicationLinks' + required: + - signOnMode + - label + discriminator: + propertyName: signOnMode + mapping: + AUTO_LOGIN: '#/components/schemas/AutoLoginApplication' + BASIC_AUTH: '#/components/schemas/BasicAuthApplication' + BOOKMARK: '#/components/schemas/BookmarkApplication' + BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication' + OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication' + SAML_1_1: '#/components/schemas/Saml11Application' + SAML_2_0: '#/components/schemas/SamlApplication' + SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication' + WS_FEDERATION: '#/components/schemas/WsFederationApplication' + ProvisioningConnectionResponse: + type: object + properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme' + baseUrl: + type: string + description: Base URL + profile: + $ref: '#/components/schemas/ProvisioningConnectionResponseProfile' + status: + $ref: '#/components/schemas/ProvisioningConnectionStatus' + _links: + $ref: '#/components/schemas/LinksSelfLifecycleAndAuthorize' + required: + - profile + - status + ProvisioningConnectionTokenRequest: + title: Token-based connection + allOf: + - $ref: '#/components/schemas/ProvisioningConnectionRequest' + - description: Token-based provisioning connection request + properties: + baseUrl: + type: string + description: >- + Only used for the Zscaler 2.0 (`zscalerbyz`) app. The base URL + for the Zscaler 2.0 target app, which also contains the Zscaler + ID. 
+ x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + profile: + $ref: '#/components/schemas/ProvisioningConnectionTokenRequestProfile' + required: + - profile + type: object + ProvisioningConnectionOauthRequest: + title: OAuth 2.0-based connection + allOf: + - $ref: '#/components/schemas/ProvisioningConnectionRequest' + - description: OAuth 2.0-based provisioning connection request + properties: + profile: + $ref: '#/components/schemas/ProvisioningConnectionOauthRequestProfile' + required: + - profile + type: object + AppConnectionUserProvisionJWKResponse: + properties: + jwks: + $ref: '#/components/schemas/AppConnectionUserProvisionJWKList' + required: + - jwks + type: object + Csr: + type: object + properties: + created: + $ref: '#/components/schemas/createdProperty' + csr: + type: string + readOnly: true + example: >- + 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 + id: + type: string + readOnly: true + example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + kty: + type: string + readOnly: true + example: RSA + _links: + $ref: '#/components/schemas/CSRLinks' + readOnly: true + nullable: false + CsrMetadata: + type: object + properties: + subject: + $ref: '#/components/schemas/CsrMetadataSubject' + subjectAltNames: + $ref: '#/components/schemas/CsrMetadataSubjectAltNames' + AppCsrPkcs10: + description: Base64URL-encoded CSR in DER format + format: base64 + type: string + JsonWebKey: + type: object + properties: + created: + $ref: '#/components/schemas/createdProperty' + e: + description: RSA key value (public exponent) for Key binding + type: string + readOnly: true + expiresAt: + description: Timestamp when the certificate expires + type: string + format: date-time + readOnly: true + kid: + description: Unique identifier for the certificate + type: string + readOnly: true + kty: + description: >- + Cryptographic algorithm family for the certificate's keypair. 
Valid + value: `RSA` + type: string + readOnly: true + lastUpdated: + type: string + format: date-time + $ref: '#/components/schemas/lastUpdatedProperty' + 'n': + description: >- + RSA modulus value that is used by both the public and private keys + and provides a link between them + type: string + use: + description: 'Acceptable use of the certificate. Valid value: `sig`' + type: string + readOnly: true + x5c: + description: >- + X.509 certificate chain that contains a chain of one or more + certificates + type: array + items: + type: string + readOnly: true + x5t#S256: + description: >- + X.509 certificate SHA-256 thumbprint, which is the base64url-encoded + SHA-256 thumbprint (digest) of the DER encoding of an X.509 + certificate + type: string + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + OAuth2ClientJsonSigningKeyResponse: + title: Signing Key + description: >- + A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON + representation of a cryptographic key. Okta uses signing keys to verify + the signature of a JWT when provided for the `private_key_jwt` client + authentication method or for a signed authorize request object. Okta + supports both RSA and Elliptic Curve (EC) keys for signing tokens. 
+ allOf: + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyResponseBase' + oneOf: + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRsaResponse' + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyECResponse' + OAuth2ClientJsonEncryptionKeyResponse: + title: Encryption Key + allOf: + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBase' + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyResponseBase' + description: >- + A [JSON Web Key + (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of + a cryptographic key. Okta uses an encryption key to encrypt an ID token + JWT minted by the org authorization server or custom authorization + server. Okta supports only RSA keys for encrypting tokens. + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + type: object + properties: + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + enum: + - RSA + 'n': + type: string + description: RSA key value (modulus) for key binding + example: >- + mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + use: + type: string + description: Acceptable use of the JSON Web Key + example: enc + nullable: false + enum: + - enc + OAuth2ClientJsonSigningKeyRequest: + title: Signing Key + allOf: + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBase' + oneOf: + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRsaRequest' + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyECRequest' + description: >- + A [JSON Web Key 
(JWK)](https://tools.ietf.org/html/rfc7517) is a JSON + representation of a cryptographic key. Okta uses signing keys to verify + the signature of a JWT when provided for the `private_key_jwt` client + authentication method or for a signed authorize request object. Okta + supports both RSA and Elliptic Curve (EC) keys for signing tokens. + type: object + properties: + alg: + type: string + description: Algorithm used in the key + example: RS256 + nullable: false + use: + type: string + description: Acceptable use of the JSON Web Key + example: sig + nullable: false + enum: + - sig + OAuth2ClientJsonEncryptionKeyRequest: + title: Encryption Key + allOf: + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBase' + description: >- + A [JSON Web Key + (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of + a cryptographic key. Okta uses an encryption key to encrypt an ID token + JWT minted by the org authorization server or custom authorization + server. Okta supports only RSA keys for encrypting tokens. 
+ x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + type: object + properties: + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + enum: + - RSA + 'n': + type: string + description: RSA key value (modulus) for key binding + example: >- + mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + use: + type: string + description: Acceptable use of the JSON Web Key + example: enc + nullable: false + enum: + - enc + OAuth2ClientSecret: + type: object + properties: + client_secret: + type: string + description: The OAuth 2.0 client secret string + example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + readOnly: true + nullable: false + created: + type: string + description: Timestamp when the OAuth Client 2.0 Secret was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + id: + type: string + description: The unique ID of the OAuth Client Secret + example: ocs2f4zrZbs8nUa7p0g4 + readOnly: true + nullable: false + lastUpdated: + type: string + description: Timestamp when the OAuth Client 2.0 Secret was updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + secret_hash: + type: string + description: OAuth 2.0 client secret string hash + example: yk4SVx4sUWVJVbHt6M-UPA + readOnly: true + nullable: false + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client Secret + example: ACTIVE + nullable: false + default: ACTIVE + _links: + $ref: 
'#/components/schemas/OAuthClientSecretLinks' + readOnly: true + nullable: false + OAuth2ClientSecretRequestBody: + type: object + properties: + client_secret: + type: string + description: The OAuth 2.0 client secret string + example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 Client Secret + example: ACTIVE + OrgCrossAppAccessConnection: + description: Connection object for Cross App Access connections + type: object + properties: + created: + type: string + description: The ISO 8601 formatted date and time when the connection was created + format: date-time + readOnly: true + example: '2024-10-15T10:30:00.000Z' + id: + type: string + description: Unique identifier for the connection + readOnly: true + example: cwofxqCAJWWGELFTYASJ + lastUpdated: + type: string + description: >- + The ISO 8601 formatted date and time when the connection was last + updated + format: date-time + readOnly: true + example: '2024-10-15T14:20:00.000Z' + requestingAppInstanceId: + type: string + description: ID of the requesting app instance + example: 0oafxqCAJWWGELFTYASJ + resourceAppInstanceId: + type: string + description: ID of the resource app instance + example: 0oafxqCBJWWGELFTYASK + status: + description: Indicates if the Cross App Access connection is active or inactive + type: string + enum: + - ACTIVE + - INACTIVE + example: ACTIVE + OrgCrossAppAccessConnectionPatchRequest: + description: Patch request object for Cross App Access Connections + type: object + properties: + status: + type: string + description: Requested value of Cross App Access connection status + enum: + - ACTIVE + - INACTIVE + example: ACTIVE + required: + - status + ApplicationFeature: + description: | + The Feature object is used to configure app feature settings. 
+ type: object + properties: + description: + type: string + description: Description of the feature + example: Settings for provisioning users from Okta to a downstream app + readOnly: true + name: + $ref: '#/components/schemas/ApplicationFeatureType' + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED + - example: ENABLED + - readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - readOnly: true + discriminator: + propertyName: name + mapping: + USER_PROVISIONING: '#/components/schemas/UserProvisioningApplicationFeature' + INBOUND_PROVISIONING: '#/components/schemas/InboundProvisioningApplicationFeature' + CapabilitiesObject: + title: USER_PROVISIONING + description: Defines the configurations for the USER_PROVISIONING feature + type: object + properties: + create: + $ref: '#/components/schemas/CapabilitiesCreateObject' + update: + $ref: '#/components/schemas/CapabilitiesUpdateObject' + CapabilitiesInboundProvisioningObject: + title: INBOUND_PROVISIONING + description: Defines the configuration for the INBOUND_PROVISIONING feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: object + properties: + importRules: + $ref: '#/components/schemas/CapabilitiesImportRulesObject' + importSettings: + $ref: '#/components/schemas/CapabilitiesImportSettingsObject' + required: + - importSettings + - importRules + FederatedClaim: + type: object + properties: + created: + type: string + description: Timestamp when the federated claim was created + example: '2024-02-29T20:08:24.000Z' + readOnly: true + nullable: false + expression: + type: string + description: The Okta Expression Language expression to be evaluated at runtime + example: appuser.entitlements.role + readOnly: false + nullable: false + id: + type: string + description: The unique ID of the federated claim + example: ofc2f4zrZbs8nUa7p0g4 + readOnly: true + nullable: false + lastUpdated: + type: string + 
description: Timestamp when the federated claim was updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + name: + type: string + description: The name of the claim to be used in the produced token + example: roleg + readOnly: false + nullable: false + FederatedClaimRequestBody: + type: object + properties: + expression: + type: string + description: The Okta Expression Language expression to be evaluated at runtime + example: appuser.entitlements.role + name: + type: string + description: The name of the claim to be used in the produced token + example: role + OAuth2ScopeConsentGrant: + description: Grant object that represents an app consent scope grant + type: object + properties: + clientId: + type: string + description: Client ID of the app integration + readOnly: true + example: oag3ih1zrm1cBFOiq0h6 + created: + $ref: '#/components/schemas/createdProperty' + createdBy: + $ref: '#/components/schemas/OAuth2Actor' + id: + type: string + description: ID of the Grant object + readOnly: true + example: oag3ih1zrm1cBFOiq0h6 + issuer: + type: string + description: >- + The issuer of your org authorization server. This is typically your + Okta domain. 
+ example: https://my_test_okta_org.oktapreview.com + lastUpdated: + $ref: '#/components/schemas/lastUpdatedProperty' + scopeId: + type: string + description: >- + The name of the [Okta + scope](https://developer.okta.com/docs/api/oauth2/#oauth-20-scopes) + for which consent is granted + example: okta.users.read + source: + $ref: '#/components/schemas/OAuth2ScopeConsentGrantSource' + status: + $ref: '#/components/schemas/GrantOrTokenStatus' + userId: + type: string + description: User ID that granted consent (if `source` is `END_USER`) + readOnly: true + example: 00u5t60iloOHN9pBi0h7 + _embedded: + type: object + description: Embedded resources related to the Grant + properties: + scope: + type: object + properties: + id: + type: string + description: The name of the Okta scope for which consent is granted + example: okta.users.read + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + description: Link to the app resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + client: + description: Link to the client resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + scope: + description: Link to the scope resource + allOf: + - $ref: '#/components/schemas/ScopeResourceHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/UserResourceHrefObject' + authorizationServer: + description: Link to the authorization server resource + allOf: + - $ref: >- + #/components/schemas/AuthorizationServerResourceHrefObject + - readOnly: true + required: + - issuer + - scopeId + GroupPushMappingStatus: + description: The status of the group push mapping + type: string + enum: + - ACTIVE + - ERROR + - INACTIVE + x-enumDescriptions: + ACTIVE: >- + The group push mapping is active and Okta pushes membership changes to + the target group + INACTIVE: >- + The group push mapping is inactive and Okta doesn't push membership + changes to the 
target group + ERROR: >- + The group push mapping is in an error state and Okta doesn't push + membership changes to the target group + GroupPushMapping: + type: object + properties: + appConfig: + type: object + readOnly: true + $ref: '#/components/schemas/AppConfig' + created: + description: Timestamp when the group push mapping was created + type: string + format: date-time + readOnly: true + errorSummary: + description: The error message summary if the latest push failed + type: string + readOnly: true + id: + description: The ID of the group push mapping + type: string + readOnly: true + lastPush: + description: Timestamp when the group push mapping was pushed + type: string + format: date-time + readOnly: true + lastUpdated: + description: Timestamp when the group push mapping was last updated + type: string + format: date-time + readOnly: true + sourceGroupId: + description: The ID of the source group for the group push mapping + type: string + readOnly: true + status: + description: The status of the group push mapping + type: string + $ref: '#/components/schemas/GroupPushMappingStatus' + readOnly: true + targetGroupId: + description: The ID of the target group for the group push mapping + type: string + readOnly: true + _links: + $ref: '#/components/schemas/GroupPushMappingLinks' + CreateGroupPushMappingRequest: + type: object + properties: + appConfig: + type: object + $ref: '#/components/schemas/AppConfig' + sourceGroupId: + description: The ID of the source group for the group push mapping + type: string + status: + type: string + $ref: '#/components/schemas/GroupPushMappingStatusUpsert' + targetGroupId: + description: >- + The ID of the existing target group for the group push mapping. This + is used to link to an existing group. Required if `targetGroupName` + is not provided. + type: string + targetGroupName: + description: >- + The name of the target group for the group push mapping. This is + used when creating a new downstream group. 
If the group already + exists, it links to the existing group. Required if `targetGroupId` + is not provided. + type: string + required: + - sourceGroupId + UpdateGroupPushMappingRequest: + type: object + properties: + status: + description: >- + The status of the group push mapping. + + + If changing the group push mapping status to `ACTIVE`, Okta performs + an initial push to the target group, and then begins pushing + membership changes. + + + If changing the group push mapping status to `INACTIVE`, Okta stops + pushing membership changes to the target group. + type: string + $ref: '#/components/schemas/GroupPushMappingStatusUpsert' + required: + - status + ApplicationGroupAssignment: + title: Application Group Assignment + description: >- + The Application Group object that defines a group of users' app-specific + profile and credentials for an app + type: object + properties: + id: + type: string + description: >- + ID of the + [group](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) + readOnly: true + example: 00g4hb1HChfUriNgW0g4 + lastUpdated: + allOf: + - $ref: '#/components/schemas/lastUpdatedProperty' + - example: '2014-06-24T15:28:14.000Z' + priority: + type: integer + description: >- + Priority assigned to the group. If an app has more than one group + assigned to the same user, then the group with the higher priority + has its profile applied to the [application + user](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/). + + If a priority value isn't specified, then the next highest priority + is assigned by default. + + See [Assign attribute group + priority](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-app-group-priority) + and the [sample priority use + case](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-combine-values-use). 
+ example: 99 + profile: + $ref: '#/components/schemas/GroupAssignmentProfile' + _embedded: + type: object + description: >- + Embedded resource related to the Application Group using the [JSON + Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. + + If the `expand=group` query parameter is specified, then the + [group](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) + object is embedded. + + If the `expand=metadata` query parameter is specified, then the + group assignment metadata is embedded. + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + $ref: '#/components/schemas/HrefObjectAppLink' + group: + $ref: '#/components/schemas/HrefObjectGroupLink' + JsonPatchOperation: + description: The update action + type: object + properties: + op: + $ref: '#/components/schemas/PatchAction' + path: + type: string + description: The resource path of the attribute to update + value: + type: object + description: The update operation value + OAuth2RefreshToken: + type: object + properties: + clientId: + type: string + description: Client ID + created: + $ref: '#/components/schemas/createdProperty' + expiresAt: + type: string + description: Expiration time of the OAuth 2.0 Token + format: date-time + readOnly: true + id: + type: string + description: ID of the Token object + readOnly: true + example: oar579Mcp7OUsNTlo0g3 + issuer: + type: string + description: The complete URL of the authorization server that issued the Token + example: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + lastUpdated: + $ref: '#/components/schemas/lastUpdatedProperty' + scopes: + type: array + description: The scope names attached to the Token + items: + type: string + example: offline_access + status: + $ref: 
'#/components/schemas/GrantOrTokenStatus' + userId: + type: string + description: The ID of the user associated with the Token + example: 00u5t60iloOHN9pBi0h7 + _embedded: + type: object + description: >- + The embedded resources related to the object if the `expand` query + parameter is specified + properties: + scopes: + type: array + description: The scope objects attached to the Token + items: + $ref: '#/components/schemas/OAuth2RefreshTokenScope' + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + description: Link to the app resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + revoke: + description: Link to revoke the refresh Token + allOf: + - $ref: '#/components/schemas/RevokeRefreshTokenHrefObject' + - properties: + hints: + properties: + allow: + items: + enum: + - DELETE + default: DELETE + type: object + type: object + client: + description: Link to the client resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/UserResourceHrefObject' + authorizationServer: + description: Link to the Token authorization server resource + allOf: + - $ref: >- + #/components/schemas/AuthorizationServerResourceHrefObject + AppUser: + title: Application User + description: >- + The application user object defines a user's app-specific profile and + credentials for an app + type: object + properties: + created: + allOf: + - $ref: '#/components/schemas/createdProperty' + - example: '2014-06-24T15:27:59.000Z' + credentials: + $ref: '#/components/schemas/AppUserCredentials' + externalId: + type: string + description: >- + The ID of the user in the target app that's linked to the Okta + application user object. + + This value is the native app-specific identifier or primary key for + the user in the target app. 
+ + + The `externalId` is set during import when the user is confirmed + (reconciled) or during provisioning when the user is created in the + target app. + + This value isn't populated for SSO app assignments (for example, + SAML or SWA) because it isn't synchronized with a target app. + readOnly: true + example: 70c14cc17d3745e8a9f98d599a68329c + id: + type: string + description: Unique identifier for the Okta user + example: 00u11z6WHMYCGPCHCRFK + lastSync: + type: string + description: >- + Timestamp of the last synchronization operation. This value is only + updated for apps with the `IMPORT_PROFILE_UPDATES` or `PUSH + PROFILE_UPDATES` feature. + format: date-time + readOnly: true + example: '2014-06-24T15:27:59.000Z' + lastUpdated: + allOf: + - $ref: '#/components/schemas/lastUpdatedProperty' + - example: '2014-06-24T15:28:14.000Z' + passwordChanged: + type: string + description: Timestamp when the application user password was last changed + format: date-time + readOnly: true + nullable: true + example: '2014-06-24T15:27:59.000Z' + profile: + $ref: '#/components/schemas/AppUserProfile' + scope: + type: string + description: >- + Indicates if the assignment is direct (`USER`) or by group + membership (`GROUP`). 
+ enum: + - USER + - GROUP + example: USER + status: + $ref: '#/components/schemas/AppUserStatus' + statusChanged: + type: string + description: Timestamp when the application user status was last changed + format: date-time + readOnly: true + example: '2014-06-24T15:28:14.000Z' + syncState: + $ref: '#/components/schemas/AppUserSyncState' + _embedded: + type: object + description: >- + Embedded resources related to the application user using the [JSON + Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/LinksAppAndUser' + AppUserAssignRequest: + allOf: + - $ref: '#/components/schemas/AppUser' + - required: + - id + AppUserUpdateRequest: + oneOf: + - $ref: '#/components/schemas/AppUserCredentialsRequestPayload' + - $ref: '#/components/schemas/AppUserProfileRequestPayload' + ApplicationAccessibility: + description: Specifies access settings for the app + type: object + properties: + errorRedirectUrl: + type: string + description: Custom error page URL for the app + loginRedirectUrl: + type: string + description: >- + Custom login page URL for the app + + > **Note:** The `loginRedirectUrl` property is deprecated in + Identity Engine. This property is used with the custom app login + feature. Orgs that actively use this feature can continue to do so. + See [Okta-hosted sign-in (redirect + authentication)](https://developer.okta.com/docs/guides/redirect-authentication/) + or [configure IdP routing + rules](https://help.okta.com/okta_help.htm?type=oie&id=ext-cfg-routing-rules) + to redirect users to the appropriate sign-in app for orgs that don't + use the custom app login feature. 
+ selfService: + type: boolean + description: Represents whether the app can be self-assignable by users + ApplicationLabel: + description: User-defined display name for app + type: string + ApplicationLicensing: + description: Licenses for the app + type: object + properties: + seatCount: + type: integer + description: Number of licenses purchased for the app + ApplicationSignOnMode: + description: > + Authentication mode for the app + + + | signOnMode | Description | + + | ---------- | ----------- | + + | AUTO_LOGIN | Secure Web Authentication (SWA) | + + | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin | + + | BOOKMARK | Just a bookmark (no-authentication) | + + | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser + Plugin | + + | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) | + + | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not + supported for custom apps) | + + | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO | + + | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST + (plugin not required) | + + | WS_FEDERATION | Federated Authentication with WS-Federation Passive + Requestor Profile | + + + Select the `signOnMode` for your custom app: + type: string + enum: + - AUTO_LOGIN + - BASIC_AUTH + - BOOKMARK + - BROWSER_PLUGIN + - OPENID_CONNECT + - SAML_1_1 + - SAML_2_0 + - SECURE_PASSWORD_STORE + - WS_FEDERATION + ApplicationLifecycleStatus: + description: App instance status + type: string + enum: + - ACTIVE + - DELETED + - INACTIVE + readOnly: true + ApplicationUniversalLogout: + description: >- +
+ + Universal Logout properties for the app. These properties are only + returned and can't be updated. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + example: ACTIVE + type: object + properties: + identityStack: + type: string + description: >- + Indicates whether the app uses a shared identity stack that may + cause the user to sign out of other apps by the same company + enum: + - SHARED + - NOT_SHARED + example: SHARED + protocol: + type: string + description: The protocol used for Universal Logout + enum: + - PROPRIETARY + - GLOBAL_TOKEN_REVOCATION + x-enumDescriptions: + PROPRIETARY: Universal Logout is implemented with a proprietary method. + GLOBAL_TOKEN_REVOCATION: >- + Universal Logout is implemented with the [Global Token + Revocation](https://datatracker.ietf.org/doc/draft-parecki-oauth-global-token-revocation/) + protocol. See the [Global Token Revocation + API](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/GlobalTokenRevocation/). + example: PROPRIETARY + status: + type: string + description: Universal Logout status for the app instance + enum: + - ENABLED + - DISABLED + - UNSUPPORTED + example: ENABLED + x-enumDescriptions: + ENABLED: >- + Universal Logout is enabled. Users are signed out of the app + instance when the Okta system or an admin initiates logout. + DISABLED: Universal Logout is disabled + UNSUPPORTED: The app doesn't support Universal Logout + supportType: + type: string + description: >- + Indicates whether the app supports full or partial Universal Logout + (UL). + enum: + - FULL + - PARTIAL + x-enumDescriptions: + FULL: >- + Full UL support (users are signed out of an app when the Okta + system or an admin initiates logout) + PARTIAL: >- + This app's sign-out behavior can be different from other supported + UL apps. 
+ example: FULL + readOnly: true + ApplicationVisibility: + description: Specifies visibility settings for the app + type: object + properties: + appLinks: + type: object + description: >- + Links or icons that appear on the End-User Dashboard if they're set + to `true`. + additionalProperties: + type: boolean + autoLaunch: + type: boolean + description: Automatically signs in to the app when user signs into Okta + autoSubmitToolbar: + type: boolean + description: Automatically sign in when user lands on the sign-in page + hide: + $ref: '#/components/schemas/ApplicationVisibilityHide' + ApplicationLinks: + description: Discoverable resources related to the app + properties: + accessPolicy: + $ref: '#/components/schemas/AccessPolicyLink' + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + appLinks: + type: array + description: List of app link resources + items: + $ref: '#/components/schemas/HrefObject' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + groups: + $ref: '#/components/schemas/GroupsLink' + help: + $ref: '#/components/schemas/HelpLink' + logo: + type: array + description: List of app logo resources + items: + $ref: '#/components/schemas/HrefObject' + metadata: + $ref: '#/components/schemas/MetadataLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + users: + $ref: '#/components/schemas/UsersLink' + readOnly: true + type: object + ProvisioningConnectionTokenAuthScheme: + description: >- + A token is used to authenticate with the app. This property is only + returned for the `TOKEN` authentication scheme. 
+ type: string + enum: + - TOKEN + ProvisioningConnectionResponseProfile: + properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' + signing: + $ref: '#/components/schemas/Org2OrgProvisioningOAuthSigningSettings' + required: + - authScheme + type: object + ProvisioningConnectionStatus: + description: Provisioning connection status + default: DISABLED + type: string + enum: + - DISABLED + - ENABLED + - UNKNOWN + x-enumDescriptions: + DISABLED: The provisioning connection is disabled. + ENABLED: The provisioning connection is enabled. + UNKNOWN: >- + Provisioning isn't supported by the app, or the authentication method + is unknown. + LinksSelfLifecycleAndAuthorize: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + authorize: + $ref: '#/components/schemas/HrefObjectAuthorizeLink' + ProvisioningConnectionRequest: + type: object + ProvisioningConnectionTokenRequestProfile: + properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme' + token: + type: string + description: Token used to authenticate with the app + required: + - authScheme + type: object + ProvisioningConnectionOauthRequestProfile: + properties: + authScheme: + $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme' + clientId: + type: string + description: >- + Only used for the Okta Org2Org (`okta_org2org`) app. The unique + client identifier for the OAuth 2.0 service app from the target org. 
+ settings: + $ref: '#/components/schemas/Office365ProvisioningSettings' + signing: + $ref: '#/components/schemas/Org2OrgProvisioningOAuthSigningSettings' + required: + - authScheme + type: object + AppConnectionUserProvisionJWKList: + properties: + keys: + type: array + items: + $ref: '#/components/schemas/JsonWebKey' + required: + - keys + type: object + createdProperty: + description: Timestamp when the object was created + format: date-time + example: '2017-03-28T01:11:10.000Z' + type: string + readOnly: true + CSRLinks: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of a CSR object using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + properties: + publish: + $ref: '#/components/schemas/HrefCsrPublishLink' + self: + $ref: '#/components/schemas/HrefCsrSelfLink' + readOnly: true + type: object + CsrMetadataSubject: + type: object + properties: + commonName: + type: string + description: Common name of the subject + example: SP Issuer + countryName: + type: string + description: Country name or code + example: US + localityName: + type: string + description: Locality (city) name + example: San Francisco + organizationalUnitName: + type: string + description: >- + Name of the smaller organization, for example, the department or the + division + example: Dev + organizationName: + type: string + description: Large organization name + example: Okta, Inc. 
+ stateOrProvinceName: + type: string + description: State or province name + example: California + CsrMetadataSubjectAltNames: + type: object + properties: + dnsNames: + type: array + description: DNS names of the subject + items: + type: string + example: dev.okta.com + lastUpdatedProperty: + format: date-time + description: Timestamp when the object was last updated + type: string + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + OAuth2ClientJsonWebKeyResponseBase: + type: object + properties: + created: + type: string + description: Timestamp when the OAuth 2.0 client JSON Web Key was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + id: + type: string + description: The unique ID of the OAuth Client JSON Web Key + example: pks2f4zrZbs8nUa7p0g4 + readOnly: true + nullable: false + lastUpdated: + type: string + description: Timestamp when the OAuth 2.0 client JSON Web Key was updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + _links: + $ref: '#/components/schemas/OAuthClientSecretLinks' + readOnly: true + nullable: false + OAuth2ClientJsonWebKeyRsaResponse: + title: RSA Signing Key + description: An RSA signing key + allOf: + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBase' + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyResponseBase' + type: object + properties: + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + enum: + - RSA + 'n': + type: string + description: RSA key value (modulus) for key binding + example: >- + 
mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + OAuth2ClientJsonWebKeyECResponse: + title: EC Signing Key + description: An EC signing key + allOf: + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBase' + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyResponseBase' + type: object + properties: + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + enum: + - EC + x: + type: string + description: The public x coordinate for the elliptic curve point + 'y': + type: string + description: The public y coordinate for the elliptic curve point + OAuth2ClientJsonWebKeyRequestBase: + type: object + properties: + kid: + type: string + description: Unique identifier of the JSON Web Key in the OAUth 2.0 client's JWKS + example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + nullable: true + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the OAuth 2.0 client JSON Web Key + example: ACTIVE + nullable: false + default: ACTIVE + OAuth2ClientJsonWebKeyRsaRequest: + title: RSA Signing Key + description: An RSA signing key + allOf: + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBase' + type: object + properties: + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + enum: + - RSA + 'n': + type: string + description: RSA key value (modulus) for key binding + example: >- + 
mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + OAuth2ClientJsonWebKeyECRequest: + title: EC Signing Key + description: An EC signing key + allOf: + - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBase' + type: object + properties: + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + enum: + - EC + x: + type: string + description: The public x coordinate for the elliptic curve point + 'y': + type: string + description: The public y coordinate for the elliptic curve point + OAuthClientSecretLinks: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + delete: + $ref: '#/components/schemas/HrefObjectDeleteLink' + readOnly: true + type: object + ApplicationFeatureType: + description: > + Key name of the feature + + + | Feature name | Description | + + | --------- | ------------- | + + | USER_PROVISIONING | User profiles are pushed from Okta to the + third-party app. Represents the **To App** provisioning feature setting + in the Admin Console. | + + | INBOUND_PROVISIONING | User profiles are imported from the third-party + app into Okta. 
This feature represents the **To Okta** provisioning + feature setting in the Admin Console. | + + + Select the feature: + example: USER_PROVISIONING + type: string + enum: + - USER_PROVISIONING + - INBOUND_PROVISIONING + EnabledStatus: + description: Setting status + type: string + enum: + - DISABLED + - ENABLED + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + CapabilitiesCreateObject: + description: > + Determines whether Okta assigns a new app account to each user managed + by Okta. + + + Okta doesn't create a new account if it detects that the username + specified in Okta already exists in the app. + + The user's Okta username is assigned by default. 
+ type: object + properties: + lifecycleCreate: + $ref: '#/components/schemas/LifecycleCreateSettingObject' + CapabilitiesUpdateObject: + description: Determines whether updates to a user's profile are pushed to the app + type: object + properties: + lifecycleDeactivate: + $ref: '#/components/schemas/LifecycleDeactivateSettingObject' + password: + $ref: '#/components/schemas/PasswordSettingObject' + profile: + $ref: '#/components/schemas/ProfileSettingObject' + CapabilitiesImportRulesObject: + description: Defines user import rules + type: object + properties: + userCreateAndMatch: + $ref: '#/components/schemas/CapabilitiesImportRulesUserCreateAndMatchObject' + CapabilitiesImportSettingsObject: + description: Defines import settings + type: object + properties: + schedule: + $ref: '#/components/schemas/ImportScheduleObject' + username: + $ref: '#/components/schemas/ImportUsernameObject' + OAuth2Actor: + description: User that created the object + type: object + properties: + id: + type: string + description: User ID + readOnly: true + example: 00u5t60iloOHN9pBi0h7 + type: + type: string + description: Type of user + example: User + readOnly: true + OAuth2ScopeConsentGrantSource: + description: User type source that granted consent + example: ADMIN + type: string + enum: + - ADMIN + - END_USER + readOnly: true + GrantOrTokenStatus: + description: Status + example: ACTIVE + type: string + enum: + - ACTIVE + - REVOKED + readOnly: true + AppResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: + type: string + description: Link name + example: My App + ScopeResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scpCmCCV1DpxVkCaye2X + title: + type: string + description: Link name + example: My phone + 
UserResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + title: + type: string + description: Link name + example: SAML Jackson + AuthorizationServerResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: + type: string + description: Link name + example: Example Authorization Server + AppConfig: + description: >- + Additional app configuration for group push mappings. Currently only + required for Active Directory. + type: object + properties: + type: + type: string + $ref: '#/components/schemas/AppConfigType' + discriminator: + propertyName: type + mapping: + ACTIVE_DIRECTORY: '#/components/schemas/AppConfigActiveDirectory' + GroupPushMappingLinks: + description: Discoverable resources related to the group push mapping + allOf: + - properties: + app: + $ref: '#/components/schemas/HrefObjectAppLink' + sourceGroup: + $ref: '#/components/schemas/HrefObjectGroupLink' + targetGroup: + $ref: '#/components/schemas/HrefObjectGroupLink' + type: object + type: object + GroupPushMappingStatusUpsert: + description: The status of the group push mapping + title: GroupPushMappingStatus + default: ACTIVE + type: string + enum: + - ACTIVE + - INACTIVE + GroupAssignmentProfile: + description: >- + Specifies the profile properties applied to [application + users](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) + that are assigned to the app through group membership. + + Some reference properties are imported from the target app and can't be + configured. See + [profile](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response). 
+ additionalProperties: true + type: object + HrefObjectAppLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app resource + HrefObjectGroupLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the group resource + PatchAction: + description: The operation (PATCH action) + type: string + enum: + - remove + - replace + x-enumDescriptions: + remove: Removes the attribute in `path` + replace: Replaces the attribute in content `path` with the content in `value` + OAuth2RefreshTokenScope: + type: object + properties: + description: + type: string + description: Description of the Scope + example: >- + Requests a refresh token by default, used to obtain more access + tokens without re-prompting the user for authentication + displayName: + type: string + description: Name of the end user displayed in a consent dialog + id: + type: string + description: Scope object ID + readOnly: true + example: scppb56cIl4GvGxy70g3 + name: + type: string + description: Scope name + example: offline_access + _links: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + scope: + description: Link to Scope resource + allOf: + - $ref: '#/components/schemas/OfflineAccessScopeResourceHrefObject' + RevokeRefreshTokenHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + AppUserCredentials: + description: > + Specifies a user's credentials for the app. 
+ + This parameter can be omitted for apps with [sign-on + mode](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/signOnMode&t=response) + (`signOnMode`) or [authentication + schemes](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/credentials/scheme&t=response) + (`credentials.scheme`) that don't require credentials. + type: object + properties: + password: + $ref: '#/components/schemas/AppUserPasswordCredential' + userName: + type: string + description: >- + The user's username in the app + + + > **Note:** The + [userNameTemplate](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/userNameTemplate&t=request) + in the application object defines the default username generated + when a user is assigned to that app. + + > If you attempt to assign a username or password to an app with an + incompatible [authentication + scheme](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/scheme&t=request), + the following error is returned: + + > "Credentials should not be set on this resource based on the + scheme." + minLength: 1 + maxLength: 100 + example: testuser@example.com + AppUserProfile: + description: > + Specifies the default and custom profile properties for a user. + + Properties that are visible in the Admin Console for an app assignment + can also be assigned through the API. + + Some properties are reference properties that are imported from the + target app and can't be configured. + + See + [profile](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response). 
+ additionalProperties: true + type: object + AppUserStatus: + description: Status of an application user + example: ACTIVE + type: string + enum: + - ACTIVE + - APPROVED + - DEPROVISIONED + - IMPLICIT + - IMPORTED + - INACTIVE + - MATCHED + - PENDING + - PROVISIONED + - REVOKED + - STAGED + - SUSPENDED + - UNASSIGNED + x-enumDescriptions: + ACTIVE: >- + The application user is provisioned and is enabled to use the app. + This status also occurs if the app has the `IMPORT_PROFILE_UPDATES` + feature enabled and user import is confirmed, or if the app doesn't + have provisioning enabled. + INACTIVE: >- + The application user is provisioned, but isn't enabled to use the app. + Application users in this status can be reactivated with a password + reset or permanently deleted. + IMPORTED: The application user is created based on imported data. + MATCHED: The imported user is matched with an existing Application User. + UNASSIGNED: >- + The application user was imported, but the user-matching operation was + skipped. + SUSPENDED: >- + The application user is provisioned, but isn't enabled to use the app. + Application users in this status can be reactivated without a password + reset. + PENDING: >- + The application user is provisioned, but in a pending state and can't + use the app. The status moves to `ACTIVE` when the application user is + activated. + APPROVED: >- + The application user was created but not provisioned. This status can + occur when manual provisioning acknowledgment is required. + REVOKED: >- + The application user is disabled and waiting for deprovisioning + acknowledgment. The application user can be deleted after + deprovisioning acknowledgment. + IMPLICIT: The application user is now migrated to use implicit app assignment. + STAGED: >- + The application user doesn't have `externalId` set and the background + provisioning operation is queued. This applies to apps with the + `PUSH_NEW_USERS` feature enabled. 
+ PROVISIONED: >- + The background provisioning operation completed and the application + user was assigned an `externalId` successfully. + DEPROVISIONED: >- + The user was removed by the provisioning operation and the + `externalId` property is unassigned. + readOnly: true + AppUserSyncState: + description: >- + The synchronization state for the application user. + + The application user's `syncState` depends on whether the + `PROFILE_MASTERING` feature is enabled for the app. + + + > **Note:** User provisioning currently must be configured through the + Admin Console. + example: SYNCHRONIZED + type: string + enum: + - DISABLED + - ERROR + - OUT_OF_SYNC + - SYNCHRONIZED + - SYNCING + x-enumDescriptions: + DISABLED: >- + The provisioning feature is disabled for the app (`PROFILE_MASTERING` + feature is disabled). + OUT_OF_SYNC: >- + The Application User has changes that haven't been pushed to the + target app. + SYNCING: >- + A background provisioning operation is running to update the user's + profile in the target app. + SYNCHRONIZED: >- + All changes to the application user profile have successfully been + synchronized with the target app. + ERROR: >- + A background provisioning operation failed to update the user's + profile in the target app. You must resolve the provisioning task in + the Admin Console before you retry the operation. + readOnly: true + LinksAppAndUser: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of resources + related to the application user. 
+ type: object + properties: + app: + $ref: '#/components/schemas/HrefObjectAppLink' + group: + $ref: '#/components/schemas/HrefObjectGroupLink' + user: + $ref: '#/components/schemas/HrefObjectUserLink' + readOnly: true + AppUserCredentialsRequestPayload: + title: Credentials + description: Updates the assigned user credentials + type: object + properties: + credentials: + $ref: '#/components/schemas/AppUserCredentials' + AppUserProfileRequestPayload: + title: Profile + description: >- + Updates the assigned user profile + + > **Note:** The Okta API currently doesn't support entity tags for + conditional updates. As long as you're the only user updating the the + user profile, Okta recommends you fetch the most recent profile with + [Retrieve an Application + User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/getApplicationUser), + apply your profile update, and then `POST` back the updated profile. + type: object + properties: + profile: + $ref: '#/components/schemas/AppUserProfile' + OAuthProvisioningEnabledApp: + description: Application name for the provisioning connection + type: string + enum: + - google + - office365 + - slack + - zoomus + ApplicationVisibilityHide: + description: Hides the app for specific end-user apps + type: object + properties: + iOS: + type: boolean + description: Okta Mobile for iOS or Android (pre-dates Android) + default: false + example: false + web: + type: boolean + description: Okta End-User Dashboard on a web browser + default: false + example: true + AccessPolicyLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app access policy resource + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + 
readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + GroupsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [Application + Groups](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationGroups/#tag/ApplicationGroups/operation/listApplicationGroupAssignments) + resource + HelpLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app help resource + MetadataLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [SAML + metadata](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationSSO/#tag/ApplicationSSO/operation/previewSAMLmetadataForApplication) + for SSO + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + UsersLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [Application + Users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers) + resource + ProvisioningConnectionAuthScheme: + description: Defines the method of authentication + type: string + enum: + - OAUTH2 + - TOKEN + - UNKNOWN + x-enumDescriptions: + TOKEN: A token is used to authenticate with the app. + OAUTH2: OAuth 2.0 is used to authenticate with the app. 
+ UNKNOWN: >- + The authentication scheme used by the app isn't supported, or the app + doesn't support provisioning. + Org2OrgProvisioningOAuthSigningSettings: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + title: Org2Org Provisioning OAuth Signing Settings + description: |- + Only used for the Okta Org2Org (`okta_org2org`) app. + + The signing key rotation setting. + type: object + properties: + rotationMode: + $ref: '#/components/schemas/ConnectionsSigningRotationMode' + required: + - rotationMode + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + HrefObjectAuthorizeLink: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + description: Link to authorize scopes + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHintsGuidanceObject' + href: + type: string + description: Link URI + required: + - href + readOnly: true + ProvisioningConnectionOauthAuthScheme: + description: OAuth 2.0 is used to authenticate with the app. 
+ type: string + enum: + - OAUTH2 + Office365ProvisioningSettings: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + title: Microsoft Office 365 provisioning settings + description: Settings required for the Microsoft Office 365 provisioning connection + type: object + properties: + adminPassword: + type: string + description: Microsoft Office 365 global administrator password + adminUsername: + type: string + description: Microsoft Office 365 global administrator username + required: + - adminUsername + - adminPassword + HrefCsrPublishLink: + title: Link Object + description: Link to publish CSR + type: object + properties: + hints: + $ref: '#/components/schemas/CsrPublishHrefHints' + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + required: + - href + readOnly: true + HrefCsrSelfLink: + title: Link Object + description: Link to the resource (self) + type: object + properties: + hints: + $ref: '#/components/schemas/CsrSelfHrefHints' + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + required: + - href + readOnly: true + HrefObjectDeleteLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to delete the resource + LifecycleCreateSettingObject: + description: >- + Determines whether to update a user in the app when a user in Okta is + updated + type: object + properties: + status: + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED + LifecycleDeactivateSettingObject: + description: Determines whether deprovisioning occurs when the app is unassigned + type: object + properties: + status: + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED + PasswordSettingObject: + description: >- + Determines 
whether Okta creates and pushes a password in the app for + each assigned user + type: object + properties: + change: + $ref: '#/components/schemas/ChangeEnum' + seed: + $ref: '#/components/schemas/SeedEnum' + status: + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - default: DISABLED + - example: ENABLED + ProfileSettingObject: + description: > + This setting determines whether a user in the app gets updated when + they're updated in Okta. + + + If enabled, Okta updates a user's attributes in the app when the app is + assigned. + + Future changes made to the Okta user's profile automatically overwrite + the corresponding attribute value in the app. + type: object + properties: + status: + allOf: + - $ref: '#/components/schemas/EnabledStatus' + - example: DISABLED + - default: DISABLED + CapabilitiesImportRulesUserCreateAndMatchObject: + description: Rules for matching and creating users + type: object + properties: + allowPartialMatch: + type: boolean + description: >- + Allows user import upon partial matching. Partial matching occurs + when the first and last names of an imported user match those of an + existing Okta user, even if the username or email attributes don't + match. + autoActivateNewUsers: + type: boolean + description: If set to `true`, imported new users are automatically activated. + autoConfirmExactMatch: + type: boolean + description: >- + If set to `true`, exact-matched users are automatically confirmed on + activation. If set to `false`, exact-matched users need to be + confirmed manually. + autoConfirmNewUsers: + type: boolean + description: >- + If set to `true`, imported new users are automatically confirmed on + activation. This doesn't apply to imported users that already exist + in Okta. + autoConfirmPartialMatch: + type: boolean + description: >- + If set to `true`, partially matched users are automatically + confirmed on activation. If set to `false`, partially matched users + need to be confirmed manually. 
+ exactMatchCriteria: + type: string + description: Determines the attribute to match users + enum: + - EMAIL + - USERNAME + ImportScheduleObject: + description: Import schedule configuration + type: object + properties: + fullImport: + allOf: + - $ref: '#/components/schemas/ImportScheduleSettings' + - description: Determines the full import schedule + incrementalImport: + allOf: + - $ref: '#/components/schemas/ImportScheduleSettings' + - description: Determines the incremental import schedule + status: + $ref: '#/components/schemas/EnabledStatus' + ImportUsernameObject: + description: Determines the Okta username for the imported user + type: object + properties: + userNameExpression: + type: string + description: >- + For `usernameFormat=CUSTOM`, specifies the Okta Expression Language + statement for a username format that imported users use to sign in + to Okta + usernameFormat: + type: string + description: Determines the username format when users sign in to Okta + default: EMAIL + enum: + - EMAIL + - CUSTOM + required: + - usernameFormat + AppConfigType: + description: The type of the app configuration + type: string + enum: + - ACTIVE_DIRECTORY + OfflineAccessScopeResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: + type: string + description: Link name + example: offline_access + AppUserPasswordCredential: + description: >- + The user's password. This is a write-only property. An empty `password` + object is returned to indicate that a password value exists. 
+ type: object + properties: + value: + description: Password value + type: string + format: password + writeOnly: true + HrefObjectUserLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the user resource + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + ConnectionsSigningRotationMode: + description: The signing key rotation setting for the provisioning connection + type: string + enum: + - AUTO + - MANUAL + x-enumDescriptions: + AUTO: >- + Okta manages key rotation for the provisioning connection. Use the + [Retrieve a JWKS for the default provisioning + connection](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/getUserProvisioningConnectionJWKS) + endpoint for the latest key credentials. + MANUAL: >- + You need to rotate the keys for your provisioning connection manually + based on your own schedule. See [Key + rotation](https://developer.okta.com/docs/concepts/key-rotation/). 
+ HrefHintsGuidanceObject: + allOf: + - $ref: '#/components/schemas/HrefHints' + - description: Describes allowed HTTP verbs and guidance for the `href` + - type: object + properties: + guidance: + type: array + description: > + Specifies the URI to invoke for granting scope consent required + to complete the OAuth 2.0 connection + items: + type: string + CsrPublishHrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + type: string + enum: + - POST + CsrSelfHrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + type: string + enum: + - GET + - DELETE + ChangeEnum: + description: >- + Determines whether a change in a user's password also updates the user's + password in the app + default: KEEP_EXISTING + example: CHANGE + type: string + enum: + - CHANGE + - KEEP_EXISTING + SeedEnum: + description: >- + Determines whether the generated password is the user's Okta password or + a randomly generated password + default: RANDOM + example: OKTA + type: string + enum: + - OKTA + - RANDOM + ImportScheduleSettings: + type: object + properties: + expression: + type: string + description: The import schedule in UNIX cron format + example: 00 21 * * Mon,Thu,Fri,Sat + timezone: + type: string + description: >- + The import schedule time zone in Internet Assigned Numbers Authority + (IANA) time zone name format + minLength: 1 + maxLength: 64 + example: America/Los_Angeles + required: + - expression + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + 
examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorInvalidToken401: + description: Unauthorized + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidTokenProvided: + $ref: '#/components/examples/ErrorInvalidTokenProvided' + ErrorAppUserForbidden403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AppUserProvEx: + $ref: '#/components/examples/ErrorAppUserForbiddenAction' + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorAppUserUpdateBadRequest400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AppUserUpdateCredEx: + $ref: '#/components/examples/ErrorAppUserUpdateBadRequest' + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + parameters: + queryAppsExpand: + name: expand + in: query + description: >- + An optional parameter used for link expansion to embed more resources in + the response. + + Only supports `expand=user/{userId}` and must be used with the `user.id + eq "{userId}"` filter query for the same user. + + Returns the assigned [application + user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) in the + `_embedded` property. 
+ schema: + type: string + example: user/0oa1gjh63g214q0Hq0g4 + pathAppId: + name: appId + description: Application ID + in: path + required: true + schema: + type: string + example: 0oafxqCAJWWGELFTYASJ + pathCsrId: + name: csrId + description: '`id` of the CSR' + in: path + required: true + schema: + type: string + example: fd7x1h7uTcZFx22rU1f7 + pathJsonWebKeyId: + name: keyId + in: path + schema: + type: string + required: true + description: Unique `id` of the Custom Authorization Server JSON Web Key + example: apk2f4zrZbs8nUa7p0g4 + pathKeyId: + name: keyId + description: ID of the Key Credential for the application + in: path + required: true + schema: + type: string + example: sjP9eiETijYz110VkhHN + pathClientSecretId: + name: secretId + in: path + schema: + type: string + required: true + description: Unique `id` of the OAuth 2.0 Client Secret + example: ocs2f4zrZbs8nUa7p0g4 + connectionId: + name: connectionId + description: Connection ID + in: path + required: true + schema: + type: string + example: 0oafxqCAJWWGELFTYASJ + pathFeatureName: + name: featureName + description: Name of the Feature + in: path + required: true + schema: + $ref: '#/components/schemas/ApplicationFeatureType' + claimId: + name: claimId + in: path + schema: + type: string + required: true + description: The unique `id` of the federated claim + example: ofc2f4zrZbs8nUa7p0g4 + queryAppGrantsExpand: + name: expand + in: query + description: >- + An optional parameter to return scope details in the `_embedded` + property. 
Valid value: `scope` + schema: + type: string + example: scope + pathGrantId: + name: grantId + description: Grant ID + in: path + required: true + schema: + type: string + example: iJoqkwx50mrgX4T9LcaH + pathGroupPushMappingId: + name: mappingId + description: Group push mapping ID + in: path + required: true + schema: + type: string + example: gPm00000000000000000 + queryGroupAssignmentLimit: + name: limit + in: query + description: >- + Specifies the number of objects to return per page. + + If there are multiple pages of results, the Link header contains a + `next` link that you need to use as an opaque value (follow it, don't + parse it). + + See [Pagination]https://developer.okta.com/docs/api#pagination. + examples: + min: + value: 20 + summary: Minimum limit value + hundred: + value: 100 + summary: Sample limit value + max: + value: 200 + summary: Maximum limit value + schema: + type: integer + format: int32 + default: 20 + minimum: 20 + maximum: 200 + queryGroupAssignmentWithMetadataExpand: + name: expand + in: query + description: >- + An optional query parameter to return the corresponding assigned + [group](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) + or + + the group assignment metadata details in the `_embedded` property. 
+ schema: + type: string + example: metadata + examples: + group: + value: group + summary: Embedded assigned group + metadata: + value: metadata + summary: Embedded group assignment metadata + pathGroupId: + name: groupId + description: The `id` of the group + in: path + required: true + schema: + type: string + example: 00g1emaKYZTWRYYRRTSK + queryGroupAssignmentWithGroupExpand: + name: expand + in: query + description: >- + An optional query parameter to return the corresponding assigned + [group](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) + or + + the group assignment metadata details in the `_embedded` property. + schema: + type: string + example: group + examples: + group: + value: group + summary: Embedded assigned group + metadata: + value: metadata + summary: Embedded group assignment metadata + pathPolicyId: + name: policyId + description: '`id` of the Policy' + in: path + required: true + schema: + type: string + example: 00plrilJ7jZ66Gn0X0g3 + queryAppAfter: + name: after + in: query + description: >- + Specifies the pagination cursor for the next page of results. Treat this + as an opaque value obtained through the next link relationship. See + [Pagination]https://developer.okta.com/docs/api#pagination. + schema: + type: string + example: 16275000448691 + queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + pathTokenId: + name: tokenId + description: '`id` of Token' + in: path + required: true + schema: + type: string + example: sHHSth53yJAyNSTQKDJZ + queryAppLimit: + name: limit + in: query + schema: + type: integer + format: int32 + minimum: 1 + maximum: 500 + default: 50 + description: > + Specifies the number of objects to return per page. 
+ + If there are multiple pages of results, the Link header contains a + `next` link that you need to use as an opaque value (follow it, don't + parse it). + + See [Pagination]https://developer.okta.com/docs/api#pagination. + queryAppUserQ: + name: q + in: query + schema: + type: string + example: sam + description: > + Specifies a filter for the list of application users returned based on + their profile attributes. + + The value of `q` is matched against the beginning of the following + profile attributes: `userName`, `firstName`, `lastName`, and `email`. + + This filter only supports the `startsWith` operation that matches the + `q` string against the beginning of the attribute values. + + > **Note:** For OIDC apps, user profiles don't contain the `firstName` + or `lastName` attributes. Therefore, the query only matches against the + `userName` or `email` attributes. + queryAppUserExpand: + name: expand + in: query + description: >- + An optional query parameter to return the corresponding + [User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/) object in the + `_embedded` property. 
+ + Valid value: `user` + schema: + type: string + example: user + pathAppUserId: + name: userId + description: ID of an existing Okta user + in: path + required: true + schema: + type: string + example: 00u13okQOVWZJGDOAUVR + pathOAuthProvisioningAppName: + name: appName + in: path + required: true + schema: + $ref: '#/components/schemas/OAuthProvisioningEnabledApp' + examples: + GetApplicationsByUserResponseEx: + summary: Retrieve apps assigned to a user + value: + - id: 0oa1gjh63g214q0Hq0g4 + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_customsaml20app_1:0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + label: Custom Saml 2.0 App + status: ACTIVE + lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: >- + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + 
logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + assertionEncryption: + enabled: false + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + _links: + logo: + - name: medium + href: >- + https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: testorgone_customsaml20app_1_link + href: >- + https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: >- + https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-03-21T23:31:35.000Z' + lastUpdated: '2014-03-21T23:31:35.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-03-21T23:31:35.000Z' + passwordChanged: null + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + _links: + app: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD + user: + href: >- + https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + 
selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https://example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-06-10T15:16:01.000Z' + lastUpdated: '2014-06-10T15:17:38.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-06-10T15:16:01.000Z' + passwordChanged: '2014-06-10T15:17:38.000Z' + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + password: {} + _links: + app: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + user: + href: >- + https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + GetApplicationsByGroupResponseEx: + summary: Retrieve apps assigned to a group + value: + - id: 0oa7vicdkRNrz59R80w6 + name: workday + orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:workday:0oa7vicdkRNrz59R80w6 + label: hrportal2 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:50.000Z' + created: '2021-05-17T23:10:49.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: 
SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: >- + https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: >- + https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30 + type: text/html + groups: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users + deactivate: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate + - id: 0oa7vicvor8YSr9Hc0w6 + orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:workday:0oa7vicvor8YSr9Hc0w6 + name: workday + label: hrportal1 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:22.000Z' + created: '2021-05-17T23:10:22.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + 
helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: >- + https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: >- + https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30 + type: text/html + groups: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users + deactivate: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate + - id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_swa:0oabkvBLDEKCNXBGYUAS + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https:/example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: 
https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + GetApplicationsByKeyResponseEx: + summary: Retrieve apps using a key + value: + - id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_customsaml20app_1:0oa1gjh63g214q0Hq0g4 + label: Custom Saml 2.0 App + status: ACTIVE + lastUpdated: '2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: >- + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + 
assertionEncryption: + enabled: true + keyTransportAlgorithm: RSA_15 + encryptionAlgorithm: AES256_GCM + x5c: + - "MIIC6jCCAdKgAwIBAgIGAZKbFN7JMA0GCSqGSIb3DQEBCwUAMDYxNDAyBgNVBAMM\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + _links: + logo: + - name: medium + href: >- + https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: testorgone_customsaml20app_1_link + href: >- + https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: >- + https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-03-21T23:31:35.000Z' + lastUpdated: '2014-03-21T23:31:35.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-03-21T23:31:35.000Z' + passwordChanged: null + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + _links: + app: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD + user: + href: >- + https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + id: 0oabkvBLDEKCNXBGYUAS + name: template_swa + label: Sample Plugin App + status: ACTIVE + lastUpdated: '2013-09-11T17:58:54.000Z' + created: '2013-09-11T17:46:08.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + 
iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + _links: + logo: + - href: https://example.okta.com/img/logos/logo_1.png + name: medium + type: image/png + users: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users + groups: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate + _embedded: + user: + id: 00ucw2RPGIUNTDQOYPOF + externalId: null + created: '2014-06-10T15:16:01.000Z' + lastUpdated: '2014-06-10T15:17:38.000Z' + scope: USER + status: ACTIVE + statusChanged: '2014-06-10T15:16:01.000Z' + passwordChanged: '2014-06-10T15:17:38.000Z' + syncState: DISABLED + lastSync: null + credentials: + userName: user@example.com + password: {} + _links: + app: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS + user: + href: >- + https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF + GetApplicationsByNameResponseEx: + summary: Retrieve apps by name + value: + - id: 0oa7vicdkRNrz59R80w6 + name: workday + orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:workday:0oa7vicdkRNrz59R80w6 + label: hrportal2 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:50.000Z' + created: '2021-05-17T23:10:49.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: 
wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: >- + https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: >- + https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30 + type: text/html + groups: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users + deactivate: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate + - id: 0oa7vicvor8YSr9Hc0w6 + name: workday + orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:workday:0oa7vicdkRNrz59R80w6 + label: hrportal1 + status: ACTIVE + lastUpdated: '2021-05-17T23:10:22.000Z' + created: '2021-05-17T23:10:22.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.login} + type: BUILT_IN + signing: + kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg + settings: + app: + siteURL: https://acme.workday.com + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: null + ssoAcsUrlOverride: null + audienceOverride: null + 
recipientOverride: null + destinationOverride: null + attributeStatements: [] + _links: + help: + href: >- + https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc + type: text/html + metadata: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata + type: application/xml + appLinks: + - name: login + href: >- + https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30 + type: text/html + groups: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups + logo: + - name: medium + href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 + type: image/png + users: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users + deactivate: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate + BookmarkEx: + summary: BOOKMARK + value: + name: bookmark + label: Sample Bookmark App + signOnMode: BOOKMARK + settings: + app: + url: https://example.com/bookmark.html + AutoLoginEx: + summary: AUTO_LOGIN + value: + label: Custom SWA App + signOnMode: AUTO_LOGIN + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + settings: + signOn: + redirectUrl: http://swasecondaryredirecturl.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + BasicAuthEx: + summary: BASIC_AUTH + value: + name: template_basic_auth + label: Sample Basic Auth App + signOnMode: BASIC_AUTH + settings: + app: + url: https://example.com/login.html + authURL: https://example.com/auth.html + SecurePasswordStoreEx: + summary: SECURE_PASSWORD_STORE + value: + name: template_sps + label: Example SWA App + signOnMode: SECURE_PASSWORD_STORE + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + 
optionalField3Value: finalvalue + WSFederationEx: + summary: WS_FEDERATION + value: + name: template_wsfed + label: Sample WS-Fed App + signOnMode: WS_FEDERATION + settings: + app: + audienceRestriction: urn:example:app + groupValueFormat: windowsDomainQualifiedName + wReplyURL: https://example.com/ + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + siteURL: https://example.com + usernameAttribute: username + BrowserPluginEx: + summary: BROWSER_PLUGIN + value: + name: template_swa + label: Sample Plugin App + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example.com/login.html + BrowserPluginSwa3FieldEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + name: template_swa3field + label: Sample Plugin App + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonSelector: '#btn-login' + passwordSelector: '#txtbox-password' + userNameSelector: '#txtbox-username' + targetURL: https://example.com/login.html + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + Saml2.0Ex: + summary: SAML_2_0 + value: + label: Example Custom SAML 2.0 App + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + signOnMode: SAML_2_0 + settings: + signOn: + defaultRelayState: '' + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + samlAssertionLifetimeSeconds: 3600 + slo: + 
enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + assertionEncryption: + enabled: true + keyTransportAlgorithm: RSA_15 + encryptionAlgorithm: AES256_GCM + x5c: + - "MIIC6jCCAdKgAwIBAgIGAZKbFN7JMA0GCSqGSIb3DQEBCwUAMDYxNDAyBgNVBAMM\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: true + acsEndpoints: + - url: http://testorgone.okta + index: 0 + - url: http://testorgone.okta/1 + index: 1 + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + OpenidConnectEx: + summary: OPENID_CONNECT + value: + name: oidc_client + label: Sample Client profile + signOnMode: OPENID_CONNECT + credentials: + oauthClient: + token_endpoint_auth_method: client_secret_post + profile: + label: oauth2 client app 1 + settings: + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + participate_slo: false + BookmarkAppResponseEx: + summary: BOOKMARK + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: 
text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: bookmark + orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:bookmark:0oafxqCAJWWGELFTYASJ + label: Sample Bookmark App + features: [] + signOnMode: BOOKMARK + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: {} + settings: + app: + requestIntegration: false + url: https://example.com/bookmark.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + AutoLoginAppResponseEx: + summary: AUTO_LOGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + 
https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + customswaapp_link: true + name: customswaapp + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:customswaapp:0oafxqCAJWWGELFTYASJ + label: Custom SWA App + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + signOn: + redirectUrl: http://swasecondaryredirecturl.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + BasicAuthResponseEx: + summary: BASIC_AUTH + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_basic_auth + orn: >- + 
orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_basic_auth:0oafxqCAJWWGELFTYASJ + label: Sample Basic Auth App + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + url: https://example.com/login.html + authURL: https://example.com/auth.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + SecurePasswordStoreResponseEx: + summary: SECURE_PASSWORD_STORE + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_sps + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_sps:0oafxqCAJWWGELFTYASJ + label: Example SWA App + features: [] + signOnMode: SECURE_PASSWORD_STORE + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: 
${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + WSFederationResponseEx: + summary: WS_FEDERATION + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_wsfed + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_wsfed:0oafxqCAJWWGELFTYASJ + label: Sample WS-Fed App + features: [] + signOnMode: WS_FEDERATION + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU + 
settings: + app: + groupFilter: null + siteURL: https://example.com + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + wReplyOverride: false + digestAlgorithm: SHA1 + usernameAttribute: username + signatureAlgorithm: RSA_SHA1 + audienceRestriction: urn:example:app + wReplyURL: https://example.com/ + groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role + attributeStatements: null + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4 + groupValueFormat: windowsDomainQualifiedName + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + BrowserPluginResponseEx: + summary: BROWSER_PLUGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_swa:0oafxqCAJWWGELFTYASJ 
+ label: Sample Plugin App + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + usernameField: txtbox-username + buttonField: btn-login + passwordField: txtbox-password + url: https://example.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + BrowserPluginSwa3FieldResponseEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa3field + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_swa3field:0oafxqCAJWWGELFTYASJ + label: Sample Plugin App + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: 
${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + userNameSelector: '#txtbox-username' + passwordSelector: '#txtbox-password' + buttonSelector: '#btn-login' + targetURL: https://example.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + Saml2.0ResponseEx: + summary: SAML_2_0 + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_examplecustomsaml20app_1_link: true + name: testorgone_examplecustomsaml20app_1 + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_examplecustomsaml20app_1:0oafxqCAJWWGELFTYASJ + label: Example Custom SAML 2.0 App + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: 
mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q + settings: + app: {} + signOn: + defaultRelayState: null + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + spIssuer: https://testorgone.okta.com + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + samlSignedRequestEnabled: false + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + inlineHooks: [] + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + OpenidConnectResponseEx: + summary: OPENID_CONNECT + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + 
http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: true + web: true + appLinks: + oidc_client_link: true + name: oidc_client + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:oidc_client:0oafxqCAJWWGELFTYASJ + label: Sample Client profile + features: [] + signOnMode: OPENID_CONNECT + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc + oauthClient: + autoKeyRotation: true + client_id: 0oahonkqCRR6TSNlg4 + client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5 + token_endpoint_auth_method: client_secret_post + pkce_required: true + settings: + app: {} + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + issuer_mode: DYNAMIC + idp_initiated_login: + mode: DISABLED + default_scope: [] + wildcard_redirect: DISABLED + dpop_bound_access_tokens: false + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + profile: + label: oauth2 client app 1 + GetApplicationsResponseEx: + summary: Retrieve an app + value: + id: 0oa1gjh63g214q0Hq0g4 + name: testorgone_customsaml20app_1 + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_customsaml20app_1:0oa1gjh63g214q0Hq0g4 + label: Custom Saml 2.0 App + status: ACTIVE + lastUpdated: 
'2016-08-09T20:12:19.000Z' + created: '2016-08-09T20:12:19.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_customsaml20app_1_link: true + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${fn:substringBefore(source.login, "@")} + type: BUILT_IN + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + signOn: + defaultRelayState: '' + ssoAcsUrl: https://{yourOktaDomain} + idpIssuer: https://www.okta.com/${org.externalKey} + audience: https://example.com/tenant/123 + recipient: https://recipient.okta.com + destination: https://destination.okta.com + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + slo: + enabled: true + spIssuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" + assertionEncryption: + enabled: true + keyTransportAlgorithm: RSA_15 + encryptionAlgorithm: AES256_GCM + x5c: + - "MIIC6jCCAdKgAwIBAgIGAZKbFN7JMA0GCSqGSIb3DQEBCwUAMDYxNDAyBgNVBAMM\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + attributeStatements: [] + inlineHooks: + - id: cal3ughy17pylLxQB357 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/inlineHooks/cal3ughy17pylLxQB357 + hints: + allow: + - GET + - PUT + - DELETE + 
universalLogout: + status: ENABLED + supportType: FULL + identityStack: NOT_SHARED + protocol: GLOBAL_TOKEN_REVOCATION + _links: + logo: + - name: medium + href: >- + https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + appLinks: + - name: testorgone_customsaml20app_1_link + href: >- + https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 + type: text/html + help: + href: >- + https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions + type: text/html + users: + href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users + deactivate: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate + groups: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups + metadata: + href: >- + https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata + type: application/xml + BookmarkPutEx: + summary: BOOKMARK + value: + name: bookmark + label: Sample Bookmark App updated + signOnMode: BOOKMARK + settings: + app: + requestIntegration: true + url: https://example.com/bookmark.html + AutoLoginPutEx: + summary: AUTO_LOGIN + value: + label: Custom SWA App updated + status: ACTIVE + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: ADMIN_SETS_CREDENTIALS + userNameTemplate: + template: ${source.email} + type: BUILT_IN + settings: + signOn: + redirectUrl: http://swasecondaryredirecturlupdated.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + BasicAuthPutEx: + summary: BASIC_AUTH + value: + label: Sample Basic Auth App updated + signOnMode: BASIC_AUTH + settings: + app: + url: https://example.com/loginUpdated.html + 
authURL: https://example.com/auth.html + SecurePasswordStorePutEx: + summary: SECURE_PASSWORD_STORE + value: + name: template_sps + label: Example SWA App updated + signOnMode: SECURE_PASSWORD_STORE + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue_updated + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue_updated + WSFederationPutEx: + summary: WS_FEDERATION + value: + name: template_wsfed + label: Sample WS-Fed App updated + signOnMode: WS_FEDERATION + settings: + app: + audienceRestriction: urn:exampleupdated:app + groupValueFormat: windowsDomainQualifiedName + wReplyURL: https://example.com/ + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + siteURL: https://example.com + usernameAttribute: username + BrowserPluginPutEx: + summary: BROWSER_PLUGIN + value: + name: template_swa + label: Sample Plugin App updated + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonField: btn-login + passwordField: txtbox-password + usernameField: txtbox-username + url: https://example_updated.com/login.html + BrowserPluginSwa3FieldPutEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + name: template_swa3field + label: Sample Plugin App updated + signOnMode: BROWSER_PLUGIN + settings: + app: + buttonSelector: '#btn-login' + passwordSelector: '#txtbox-password' + userNameSelector: '#txtbox-username' + targetURL: https://exampleupdated.com/login.html + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + Saml2.0PutEx: + summary: SAML_2_0 + value: + label: Example Custom SAML 2.0 App updated + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + signOnMode: SAML_2_0 + settings: + signOn: + defaultRelayState: '' + ssoAcsUrl: 
http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + participateSlo: + enabled: true + logoutRequestUrl: https://testorgone.okta.com/logout/participate + sessionIndexRequired: true + bindingType: REDIRECT + spCertificate: + x5c: + - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n..." + assertionEncryption: + enabled: true + keyTransportAlgorithm: RSA_15 + encryptionAlgorithm: AES256_GCM + x5c: + - "MIIC6jCCAdKgAwIBAgIGAZKbFN7JMA0GCSqGSIb3DQEBCwUAMDYxNDAyBgNVBAMM\r\n" + requestCompressed: false + allowMultipleAcsEndpoints: true + acsEndpoints: + - url: http://testorgone.okta + index: 0 + - url: http://testorgone.okta/1 + index: 1 + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + OpenidConnectPutEx: + summary: OPENID_CONNECT + value: + name: oidc_client + label: Sample Client profile updated + signOnMode: OPENID_CONNECT + BookmarkPutResponseEx: + summary: BOOKMARK + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link 
+ href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: bookmark + orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:bookmark:0oafxqCAJWWGELFTYASJ + label: Sample Bookmark App updated + features: [] + signOnMode: BOOKMARK + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: {} + settings: + app: + requestIntegration: true + url: https://example.com/bookmark.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + AutoLoginPutResponseEx: + summary: AUTO_LOGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: 
https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + customswaapp_link: true + name: customswaapp + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:customswaapp:0oafxqCAJWWGELFTYASJ + label: Custom SWA App updated + features: [] + signOnMode: AUTO_LOGIN + credentials: + scheme: ADMIN_SETS_CREDENTIALS + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: {} + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + signOn: + redirectUrl: http://swasecondaryredirecturlupdated.okta.com + loginUrl: http://swaprimaryloginurl.okta.com + BasicAuthPutResponseEx: + summary: BASIC_AUTH + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false 
+ hide: + iOS: false + web: false + appLinks: + login: true + name: template_basic_auth + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_basic_auth:0oafxqCAJWWGELFTYASJ + label: Sample Basic Auth App updated + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + url: https://example.com/loginUpdated.html + authURL: https://example.com/auth.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + SecurePasswordStorePutResponseEx: + summary: SECURE_PASSWORD_STORE + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_sps + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_sps:0oafxqCAJWWGELFTYASJ + label: Example SWA App updated + features: 
[] + signOnMode: SECURE_PASSWORD_STORE + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + url: https://example.com/login.html + passwordField: '#txtbox-password' + usernameField: '#txtbox-username' + optionalField1: param1 + optionalField1Value: somevalue_updated + optionalField2: param2 + optionalField2Value: yetanothervalue + optionalField3: param3 + optionalField3Value: finalvalue_updated + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + WSFederationPutResponseEx: + summary: WS_FEDERATION + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_wsfed + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_wsfed:0oafxqCAJWWGELFTYASJ + label: Sample WS-Fed App updated + features: [] + signOnMode: WS_FEDERATION 
+ credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU + settings: + app: + groupFilter: null + siteURL: https://example.com + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + wReplyOverride: false + digestAlgorithm: SHA1 + usernameAttribute: username + signatureAlgorithm: RSA_SHA1 + audienceRestriction: urn:exampleupdated:app + wReplyURL: https://example.com/ + groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role + attributeStatements: null + nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4 + groupValueFormat: windowsDomainQualifiedName + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + BrowserPluginPutResponseEx: + summary: BROWSER_PLUGIN + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + 
iOS: false + web: false + appLinks: + login: true + name: template_swa + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_swa:0oafxqCAJWWGELFTYASJ + label: Sample Plugin App updated + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + usernameField: txtbox-username + buttonField: btn-login + passwordField: txtbox-password + url: https://example_updated.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + BrowserPluginSwa3FieldPutResponseEx: + summary: BROWSER_PLUGIN with three CSS selectors + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + name: template_swa3field + orn: >- + 
orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_swa3field:0oafxqCAJWWGELFTYASJ + label: Sample Plugin App updated + features: [] + signOnMode: BROWSER_PLUGIN + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.email} + type: BUILT_IN + revealPassword: false + signing: {} + settings: + app: + loginUrlRegex: null + extraFieldSelector: .login + extraFieldValue: SOMEVALUE + userNameSelector: '#txtbox-username' + passwordSelector: '#txtbox-password' + buttonSelector: '#btn-login' + targetURL: https://exampleupdated.com/login.html + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + Saml2.0PutResponseEx: + summary: SAML_2_0 + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + testorgone_examplecustomsaml20app_1_link: true + name: testorgone_examplecustomsaml20app_1 + orn: >- + 
orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_examplecustomsaml20app_1:0oafxqCAJWWGELFTYASJ + label: Example Custom SAML 2.0 App updated + features: [] + signOnMode: SAML_2_0 + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q + settings: + app: {} + signOn: + defaultRelayState: null + ssoAcsUrl: http://testorgone.okta + idpIssuer: http://www.okta.com/${org.externalKey} + audience: asdqwe123 + recipient: http://testorgone.okta + destination: http://testorgone.okta + subjectNameIdTemplate: ${user.userName} + subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + responseSigned: true + assertionSigned: true + signatureAlgorithm: RSA_SHA256 + digestAlgorithm: SHA256 + honorForceAuthn: true + authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + spIssuer: https://testorgone.okta.com + samlAssertionLifetimeSeconds: 3600 + slo: + enabled: true + issuer: https://testorgone.okta.com + logoutUrl: https://testorgone.okta.com/logout + requestCompressed: false + allowMultipleAcsEndpoints: false + acsEndpoints: [] + samlSignedRequestEnabled: false + attributeStatements: + - type: EXPRESSION + name: Attribute + namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + values: + - Value + inlineHooks: [] + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + OpenidConnectPutResponseEx: + summary: OPENID_CONNECT + value: + id: 0oafxqCAJWWGELFTYASJ + status: ACTIVE + lastUpdated: '2023-01-21T14:11:24.000Z' + created: '2023-01-21T14:11:24.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + loginRedirectUrl: null + _links: + uploadLogo: + href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo + hints: + allow: + - POST + appLinks: + - 
name: customswaapp_link + href: >- + http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 + type: text/html + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate + visibility: + autoLaunch: false + autoSubmitToolbar: false + hide: + iOS: true + web: true + appLinks: + oidc_client_link: true + name: oidc_client + orn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:oidc_client:0oafxqCAJWWGELFTYASJ + label: Sample Client profile updated + features: [] + signOnMode: OPENID_CONNECT + credentials: + userNameTemplate: + template: ${source.email} + type: BUILT_IN + signing: + kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc + oauthClient: + autoKeyRotation: true + client_id: 0oahonkqCRR6TSNlg4 + client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5 + token_endpoint_auth_method: client_secret_post + pkce_required: true + settings: + app: {} + oauthClient: + client_uri: http://localhost:8080 + logo_uri: http://developer.okta.com/assets/images/logo-new.png + redirect_uris: + - https://example.com/oauth2/callback + - myapp://callback + response_types: + - token + - id_token + - code + grant_types: + - authorization_code + application_type: native + issuer_mode: DYNAMIC + idp_initiated_login: + mode: DISABLED + default_scope: [] + wildcard_redirect: DISABLED + dpop_bound_access_tokens: false + notifications: + vpn: + network: + connection: DISABLED + message: null + helpUrl: null + manualProvisioning: false + implicitAssignment: false + notes: + admin: null + enduser: null + emOptInStatus: DISABLED + ProvisioningConnectionTokenResponseWithProfileZscalerEx: + summary: 
Provisioning connection with token for Zscaler 2.0 (zscalerbyz) app + value: + authScheme: TOKEN + status: ENABLED + baseUrl: https://scim.zscalerbeta.net/1234567/890/scim + profile: + authScheme: TOKEN + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default + hints: + allow: + - GET + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx: + summary: Provisioning connection with token for Okta Org2Org (okta_org2org) app + value: + authScheme: TOKEN + status: ENABLED + baseUrl: https://targetorg.okta.com + profile: + authScheme: TOKEN + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default + hints: + allow: + - GET + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + ProvisioningConnectionOauthResponseEx: + summary: Provisioning connection with OAuth 2.0 for Microsoft Office 365 app + value: + status: ENABLED + profile: + authScheme: OAUTH2 + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default + hints: + allow: + - GET + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + authorize: + href: >- + https://login.microsoftonline.com/myofficetenant.onmicrosoft.com/oauth2/authorize?response_type=code&state=>&client_id=&redirect_uri=&scope= + hints: + allow: + - GET + guidance: + - >- + Specifies the URI to invoke in a browser for granting scope + consent required to complete the OAuth 2.0 connection. 
+ ProvisioningConnectionTokenRequestEx: + summary: Provisioning connection with token for Zscaler 2.0 (zscalerbyz) app + value: + baseUrl: https://scim.zscalerbeta.net/1234567/890/scim + profile: + authScheme: TOKEN + token: 00NgAPZqUVy8cX9ehNzzahEE5b-On9sImTcInvWp-x + ProvisioningConnectionTokenOrg2OrgRequestEx: + summary: Provisioning connection with token for Okta Org2Org app + value: + profile: + authScheme: TOKEN + clientId: 0oa2h6su6bVFyJzIf1d7 + ProvisioningConnectionOAuthOrg2OrgWithRotationRequestEx: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Provisioning connection with OAuth 2.0 for Okta Org2Org app with key + rotation + value: + profile: + authScheme: OAUTH + clientId: 0oa2h6su6bVFyJzIf1d7 + signing: + rotationMode: AUTO + ProvisioningConnectionOauthO365RequestEx: + summary: Provisioning connection with OAuth 2.0 for Microsoft Office 365 app + value: + profile: + authScheme: OAUTH2 + settings: + adminUsername: office_admin-username + adminPassword: office_admin-password + ProvisioningConnectionOAuthOrg2OrgWithRotationResponseEx: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Provisioning connection with OAuth 2.0 for Okta Org2Org (okta_org2org) + app + value: + authScheme: OAUTH2 + status: ENABLED + profile: + authScheme: OAUTH2 + clientId: 0oa2wmzEtqh49C1Sr0g4 + signing: + rotationMode: AUTO + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default + hints: + allow: + - GET + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate + hints: + allow: + - POST + UserProvisioningJsonWebKeysResponse: + summary: JSON Web Key list response example + value: + jwks: + keys: + - kid: '-rZYtf4RZWc_tVTlmrvLPcDwvO4SwbWeztzB7AjHyLA' + kty: RSA + alg: RSA + use: sig + e: AQAB + 'n': AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU= + AppCsrPkcs10Response: + summary: CSR in DER 
format + value: >- + MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9 + AppCsrJsonResponse: + summary: CSR object in JSON format + value: + id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: >- + 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 + kty: RSA + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + KeyCredentialExample: + summary: Key credential example + value: + created: '2015-12-10T18:56:23.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - >- + 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 + e: AQAB + 'n': >- + mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + kty: RSA + use: sig + x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + ErrorPublishCSRCertDoesNotMatchCSR: + summary: Mismatch certificate and CSR error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: certificate' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The certificate doesn't match the CSR. 
+ ErrorPublishCSRCertValidityLessThan90Days: + summary: Certificate valid for 90 days error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: certificate' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The certificate must be valid for more than 90 days. + oAuthClientJsonWebKeyListResponse: + summary: JSON Web Key list response example + value: + jwks: + keys: + - id: pks2f4zrZbs8nUa7p0g4 + kid: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU= + status: INACTIVE + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuthClientJsonWebKeyRequest: + summary: JSON Web Key request example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + oAuthClientJsonInactiveEncryptionKeyRequest: + summary: Add an inactive JSON encryption key request example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + use: enc + e: AQAB + 'n': 
AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: INACTIVE + oAuthClientJsonActiveEncryptionKeyRequest: + summary: Add an active JSON encryption key request example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + use: enc + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + oAuthClientJsonWebKey: + summary: JSON Web Key example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + oAuthClientJsonInactiveEncryptionKey: + summary: JSON inactive encryption key example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + use: enc + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: INACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4 + hints: + allow: + - DELETE + oAuthClientJsonActiveEncryptionKey: + summary: JSON active encryption key example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + use: enc + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: ACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + ErrorClientJsonWebKeyNonUniqueKid: + value: + errorCode: E0000001 + errorSummary: 'Api validation 
failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + Each key should have a unique kid when adding multiple keys. Use + the Apps API to update the JWKS to add a kid for the existing key, + or delete the existing key and re-add the key with a kid using the + JWKS APIs. + ErrorClientJsonWebKeyDuplicateKid: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: All keys in the 'jwks' must have a unique `kid`. + ErrorClientJsonWebKeyKidLengthTooShort: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + RSA key length in the 'jwks' is less than '2,048' bits for the + given key. + ErrorClientJsonWebKeyTooManyKids: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + You can't create a new key. You have reached the maximum number of + keys allowed (50). To add another key, you must first delete an + existing one. + ErrorOnlyOneActiveEncryptionKeyAllowed: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: The client can have only one active encryption key in the 'jwks'. + ErrorDeleteActiveJsonWebKey: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + ''ACTIVE'' keys cannot be deleted. Activate another key before + deleting this one. 
+ deactivateOAuth2ClientJsonWebKeyResponse: + summary: Deactivate JSON Signing Key example + value: + id: pks2f50kZB0cITmYU0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: sig + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: INACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/activate + hints: + allow: + - POST + ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + Can't deactivate the only active JSON Web Key when the value for + `token_endpoint_auth_method` is `private_key_jwt`. + ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + The `jwks` must contain at least one key with an algorithm + matching the `request_object_signature_algorithm`. + ErrorDeactivateEncryptionKey: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't deactivate the active encryption key. 
+ ListAllKeyCredentialsExample: + summary: List all key credentials example + value: + - created: '2015-12-10T18:56:23.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - >- + 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 + e: AQAB + 'n': >- + mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + kty: RSA + use: sig + x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + - created: '2015-12-10T18:55:35.000Z' + lastUpdated: '2024-08-13T18:26:57.000Z' + expiresAt: '2045-01-23T02:15:23.000Z' + x5c: + - >- + 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 + e: AQAB + 'n': >- + htbi5H5MN_oYaKcZ8vlWRZn2oTrPY0v8_2Br_VZPJgJ57dCgguq5dDk1Me_ax-B3kjBPdXcW8wEoUFaU30spyVeQjZrdqsSvF0nMW4OzrMOIqrGLwCrAoDBS8tutfk5Y7qc-5xABzxgu4BjgSK5nWXbCt_UR0DzVTknotmMGeT8tAej8F6GAphLa0YhIxWT7Jy-y_pdANsiUPRiZBoLueGI0rrCqgYHIQVjNoj4-si105KCXbQuyYM9_Cd-dyyu5KJ4Ic0cOW61gpx4pnecMgSy8OX57FEd06W2hExBd49ah6jra2KFMeOGe3rkIXirdkofl1mBgeQ77ruKO1wW9Qw + kid: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo + kty: RSA + use: sig + x5t#S256": 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ + ErrorKeyCredentialInvalidValidity: + summary: Key credential invalid year error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: generateKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Validity years out of range. It should be 2 - 10 years. 
+ ErrorKeyCredentialCloneDuplicateKey: + summary: Duplicate key credential error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: cloneKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + Key already exists in the list of key credentials for the target + app. + oAuthClientSecretListResponse: + summary: Secrets list response example + value: + - id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: HAGDTYU9XbLnS......3xasFDDwecdZuFs5B + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + createOAuth2ClientSecretSystemGeneratedRequestBody: + summary: Add a system-generated client secret + value: {} + createOAuth2ClientSecretCustomRequestBody: + summary: Add a user provided client secret + value: + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + status: ACTIVE + oAuth2ClientSecretResponse: + summary: Client secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: FpCwXwSjTRQNtEI11I00-g + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: >- + 
https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + ErrorClientSecretTooLong: + summary: Client secret too long error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + client_secret: 'client_secret' can't be more than '100' characters + long. + ErrorClientSecretTooShort: + summary: Client secret too short error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + client_secret: 'client_secret' must be at least '14' characters + long. + ErrorClientSecretTooShortWithClientSecretJWT: + summary: Client secret is too short for JWT error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + client_secret: 'client_secret' must be at least '32' characters + long when 'token_endpoint_auth_method' is 'client_secret_jwt'. + ErrorClientSecretWithPrivateKeyJWT: + summary: Client secret can't be used for private key JWT error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + 'client_secret' can't be used when 'token_endpoint_auth_method' is + 'private_key_jwt'. 
+ ErrorClientSecretNonAscii: + summary: Client secret allows only ASCII error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: client_secret' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + client_secret: ''client_secret'' must only contain printable + ASCII: [x20-x7E]+ + ErrorMaxNumberOfSecrets: + summary: Maximum client secrets reached error + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You've reached the maximum number of client secrets per client. + ErrorDeleteActiveSecret: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + You can't delete an active client secret. Deactivate the secret + before deleting it. + activateOAuth2ClientSecretResponse: + summary: Activate secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + deactivateOAuth2ClientSecretResponse: + summary: Deactivate secret response example + value: + id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: >- + 
https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + ErrorDeactivateTheOnlyClientSecret: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: You can't deactivate the only active client secret. + AppFeatureListResponseEx: + summary: List app feature response + value: + - name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: DISABLED + update: + profile: + status: DISABLED + lifecycleDeactivate: + status: DISABLED + password: + status: DISABLED + seed: RANDOM + change: KEEP_EXISTING + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + ErrorAppFeatureAPIValidationFailed: + summary: API validation failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: feature' + errorLink: E0000001 + errorId: oaeZLxeiHUUQomPkM8xOqvu1A + errorCauses: + - errorSummary: Provisioning is not enabled for the app instance. 
+ AppFeatureResponseEx: + summary: App feature response + value: + name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: DISABLED + update: + profile: + status: DISABLED + lifecycleDeactivate: + status: DISABLED + password: + status: DISABLED + seed: RANDOM + change: KEEP_EXISTING + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + UpdateAppFeatureRequestEx: + summary: Update USER_PROVISIONING request + value: + create: + lifecycleCreate: + status: ENABLED + update: + lifecycleDeactivate: + status: ENABLED + profile: + status: ENABLED + password: + status: ENABLED + seed: RANDOM + change: CHANGE + UpdateInboundProvisioningFeatureRequestEx: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Update INBOUND_PROVISIONING request + value: + capabilities: + importSettings: + username: + userNameFormat: EMAIL + schedule: + status: ENABLED + fullImport: + expression: 0 0 * * 0 + timezone: America/New_York + incrementalImport: + expression: 0 */3 * * * + timezone: America/New_York + importRules: + userCreateAndMatch: + exactMatchCriteria: EMAIL + allowPartialMatch: false + autoConfirmPartialMatch: false + autoConfirmExactMatch: false + autoConfirmNewUsers: false + autoActivateNewUsers: false + UpdateAppFeatureResponseEx: + summary: Update USER_PROVISIONING response + value: + name: USER_PROVISIONING + status: ENABLED + description: User provisioning settings from Okta to a downstream application + capabilities: + create: + lifecycleCreate: + status: ENABLED + update: + lifecycleDeactivate: + status: ENABLED + profile: + status: ENABLED + password: + status: ENABLED + seed: RANDOM + change: CHANGE + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING + hints: + allow: + - GET + - PUT + 
UpdateInboundProvisioningFeatureResponseEx: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Update INBOUND_PROVISIONING response + value: + name: INBOUND_PROVISIONING + status: ENABLED + description: In-bound provisioning settings from an application to Okta + capabilities: + importSettings: + username: + userNameFormat: EMAIL + schedule: + status: ENABLED + fullImport: + expression: 0 0 * * 0 + timezone: America/New_York + incrementalImport: + expression: 0 */3 * * * + timezone: America/New_York + importRules: + userCreateAndMatch: + exactMatchCriteria: EMAIL + allowPartialMatch: false + autoConfirmPartialMatch: false + autoConfirmExactMatch: false + autoConfirmNewUsers: false + autoActivateNewUsers: false + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/${appId}/features/INBOUND_PROVISIONING + hints: + allow: + - GET + - PUT + listFederatedClaimResponse: + summary: List federated claim response example + value: + - id: ofc893fbjaBaqdtoX0g7 + name: role + expression: appuser.entitlements.role + created: '2024-12-25T03:00:00.000Z' + lastUpdated: '2024-12-25T03:00:00.000Z' + - id: ofc893fbjaTxynmo5v93 + name: readOnly + expression: appuser.entitlements.readOnly + created: '2024-12-25T05:00:00.000Z' + lastUpdated: '2024-12-25T05:00:00.000Z' + createFederatedClaimRequestBody: + summary: Create federated claim example + value: + name: role + expression: appuser.entitlements.role + federatedClaimResponse: + summary: An example federated claim + value: + id: ofc893fbjaBaqdtoX0g7 + name: role + expression: appuser.entitlements.role + created: '2024-12-25T03:00:00.000Z' + lastUpdated: '2024-12-25T03:00:00.000Z' + replaceFederatedClaimRequestBody: + summary: Replace federated claim example + value: + name: readOnly + expression: appuser.entitlements.readOnly + replaceFederatedClaimResponse: + summary: An updated federated claim + value: + id: ofc893fbjaTxynmo5v93 + name: readOnly + expression: appuser.entitlements.readOnly + 
created: '2024-12-25T04:00:00.000Z' + lastUpdated: '2024-12-25T05:00:00.000Z' + ListAppGrantsEx: + summary: List all app grants example + value: + - id: oag91n9ruw3dsaXzP0h6 + status: ACTIVE + created: '2023-02-21T16:54:00.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-21T16:54:00.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.users.read + source: ADMIN + _embedded: + scope: + id: okta.users.read + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + - id: oaghm3sh9ukdkvDmO0h6 + status: ACTIVE + created: '2023-02-03T21:57:49.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-03T21:57:49.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.apps.manage + source: ADMIN + _embedded: + scope: + id: okta.apps.manage + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: Application name + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oaghm3sh9ukdkvDmO0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + AppGrantsPostEx: + summary: App grants example + value: + issuer: '{yourOktaDomain}' + scopeId: okta.users.read + AppGrantsEx: + summary: App grants example + value: + id: oag91n9ruw3dsaXzP0h6 + status: ACTIVE + created: '2023-02-21T16:54:00.000Z' + createdBy: + id: 00u6eltha0nrSc47i0h7 + type: User + lastUpdated: '2023-02-21T16:54:00.000Z' + issuer: '{yourOktaDomain}' + clientId: '{clientId}' + scopeId: okta.users.read + source: ADMIN + _embedded: + scope: + id: okta.users.read + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: 
Application name + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: Client name + ListGroupPushMappingsResponse_Example: + value: + - created: '2025-01-01T00:00:00Z' + errorSummary: '' + id: gPm00000000000000000 + lastPush: '2025-01-01T00:00:00Z' + lastUpdated: '2025-01-01T00:00:00Z' + sourceGroupId: 00g00000000000000000 + status: ACTIVE + targetGroupId: 00g00000000000000001 + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 + sourceGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 + targetGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 + - created: '2025-01-02T00:00:00Z' + errorSummary: '' + id: gPm00000000000000001 + lastPush: '2025-01-02T00:00:00Z' + lastUpdated: '2025-01-02T00:00:00Z' + sourceGroupId: 00g00000000000000002 + status: INACTIVE + targetGroupId: 00g00000000000000003 + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 + sourceGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000002 + targetGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000003 + ListGroupPushMappingsResponse_ExampleWithActiveFilter: + value: + - created: '2025-01-01T00:00:00Z' + errorSummary: '' + id: gPm00000000000000000 + lastPush: '2025-01-01T00:00:00Z' + lastUpdated: '2025-01-01T00:00:00Z' + sourceGroupId: 00g00000000000000000 + status: ACTIVE + targetGroupId: 00g00000000000000001 + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 + sourceGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 + targetGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 + CreateGroupPushMappingRequest_ExampleCreate: + value: + sourceGroupId: 00g00000000000000000 + status: ACTIVE + targetGroupName: NewGroup + 
CreateGroupPushMappingRequest_ExampleCreate_ActiveDirectory: + value: + appConfig: + type: ACTIVE_DIRECTORY + distinguishedName: dc=example,dc=com + groupScope: GLOBAL + groupType: SECURITY + samAccountName: NewGroup + sourceGroupId: 00g00000000000000000 + status: ACTIVE + targetGroupName: NewGroup + CreateGroupPushMappingRequest_ExampleLink: + value: + sourceGroupId: 00g00000000000000000 + status: ACTIVE + targetGroupId: 00g00000000000000001 + CreateGroupPushMappingResponse_ExampleCreate: + value: + created: '2025-01-01T00:00:00Z' + errorSummary: '' + id: gPm00000000000000000 + lastPush: '2025-01-01T00:00:00Z' + lastUpdated: '2025-01-01T00:00:00Z' + sourceGroupId: 00g00000000000000000 + status: ACTIVE + targetGroupId: 00g00000000000000001 + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 + sourceGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 + targetGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 + CreateGroupPushMappingResponse_ExampleCreate_ActiveDirectory: + value: + appConfig: + type: ACTIVE_DIRECTORY + distinguishedName: dc=example,dc=com + groupScope: GLOBAL + groupType: SECURITY + samAccountName: NewGroup + created: '2025-01-01T00:00:00Z' + errorSummary: '' + id: gPm00000000000000000 + lastPush: '2025-01-01T00:00:00Z' + lastUpdated: '2025-01-01T00:00:00Z' + sourceGroupId: 00g00000000000000000 + status: ACTIVE + targetGroupId: 00g00000000000000001 + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 + sourceGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 + targetGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 + CreateGroupPushMappingResponse_ExampleLink: + value: + created: '2025-01-01T00:00:00Z' + errorSummary: '' + id: gPm00000000000000000 + lastPush: '2025-01-01T00:00:00Z' + lastUpdated: '2025-01-01T00:00:00Z' + sourceGroupId: 00g00000000000000000 + status: ACTIVE + targetGroupId: 
00g00000000000000001 + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 + sourceGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 + targetGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + RetrieveGroupPushMappingResponse_Example: + value: + created: '2025-01-01T00:00:00Z' + errorSummary: '' + id: gPm00000000000000000 + lastPush: '2025-01-01T00:00:00Z' + lastUpdated: '2025-01-01T00:00:00Z' + sourceGroupId: 00g00000000000000000 + status: ACTIVE + targetGroupId: 00g00000000000000001 + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 + sourceGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 + targetGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 + RetrieveGroupPushMappingResponse_Example_ActiveDirectory: + value: + appConfig: + type: ACTIVE_DIRECTORY + distinguishedName: dc=example,dc=com + groupScope: GLOBAL + groupType: SECURITY + samAccountName: AdGroup + created: '2025-01-01T00:00:00Z' + errorSummary: '' + id: gPm00000000000000000 + lastPush: '2025-01-01T00:00:00Z' + lastUpdated: '2025-01-01T00:00:00Z' + sourceGroupId: 00g00000000000000000 + status: ACTIVE + targetGroupId: 00g00000000000000001 + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 + sourceGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 + targetGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 + UpdateGroupPushMappingRequest_Example: + value: + status: INACTIVE + UpdateGroupPushMappingResponse_Example: + value: + created: '2025-01-01T00:00:00Z' + errorSummary: '' + id: gPm00000000000000000 + lastPush: '2025-01-01T00:00:00Z' + 
lastUpdated: '2025-01-01T00:00:00Z' + sourceGroupId: 00g00000000000000000 + status: INACTIVE + targetGroupId: 00g00000000000000001 + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 + sourceGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 + targetGroup: + href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 + GroupAssignmentExListResponse: + summary: Application groups list with embedded metadata + value: + - id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-02T13:17:57.000Z' + profile: + preferredLanguage: English + manager: Donald Glover + securityQuestion: Who is the footballer to have played the game + securityAnswer: Ronaldinho + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: wazobia + userType: null + department: marketing + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: >- + http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + _embedded: + metadata: + credentials: {} + profile: + division: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: >- + http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + preferredLanguage: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: >- + http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + manager: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + securityQuestion: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: >- + http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + securityAnswer: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: >- + 
http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + timezone: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: >- + http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + organization: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: >- + http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + initialStatus: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: >- + http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + managerId: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + userType: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + locale: + source: + type: USER + value: + - id: 00uzojLwDGgUynjJS0g3 + self: + href: >- + http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 + lastUpdated: null + department: + source: + type: MAPPING + value: + - id: null + lastUpdated: null + EmbeddedGroupAssignmentSampleResponse: + summary: Application group with an embedded group + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-02T13:17:57.000Z' + profile: + preferredLanguage: English + manager: Donald Glover + securityQuestion: Who is the footballer to have played the game + securityAnswer: Ronaldinho + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: wazobia + userType: null + department: marketing + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: >- + http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + _embedded: + group: + id: 00g15acRUy0SYb9GT0g4 + created: '2024-06-02T13:02:12.000Z' + lastUpdated: '2024-06-02T13:02:12.000Z' + lastMembershipUpdated: '2024-06-02T13:03:13.000Z' + 
objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: Football Group + description: Group with professional footballers + _links: + logo: + - name: medium + href: >- + http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-medium.30ce6d4085dff29412984e4c191bc874.png + type: image/png + - name: large + href: >- + http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-large.c3cb8cda8ae0add1b4fe928f5844dbe3.png + type: image/png + users: + href: >- + http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/users + apps: + href: >- + http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/apps + GroupAssignmentPutRequestExample: + summary: Assign application group request + value: + id: 00g15acRUy0SYb9GT0g4 + profile: + preferredLanguage: English + manager: Arsene Wenger + securityQuestion: Who is the footballer to have played the game + securityAnswer: Jay Jay Okocha + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: null + userType: null + department: Accounting + GroupAssignmentPutResponseExample: + summary: Assign application group response + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-03T13:52:07.000Z' + profile: + preferredLanguage: English + manager: Arsene Wenger + securityQuestion: Who is the footballer to have played the game + securityAnswer: Jay Jay Okocha + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: null + userType: null + department: Accounting + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: >- + http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + GroupAssignmentPatchRequestExample: + summary: Update app group request + value: + - op: replace + path: 
/profile/manager + value: Carlo Ancelotti + GroupAssignmentPatchResponseExample: + summary: Update application group response + value: + id: 00g15acRUy0SYb9GT0g4 + priority: 0 + lastUpdated: '2024-06-03T13:42:20.000Z' + profile: + preferredLanguage: English + securityQuestion: Who is the footballer to have played the game + securityAnswer: Jay Jay Okocha + timezone: Canada/Eastern + initialStatus: active_with_pass + managerId: ike.ogb@gmail.com + locale: en_US + division: top + organization: null + userType: null + department: Accounting + manager: Carlo Ancelotti + _links: + app: + href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 + self: + href: >- + http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 + group: + href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 + OAuth2RefreshTokenResponseListEx: + summary: App refresh token list example + value: + - id: oar579Mcp7OUsNTlo0g3 + status: ACTIVE + created: '2023-03-09T03:18:06.000Z' + lastUpdated: '2023-03-09T03:18:06.000Z' + expiresAt: '2023-03-16T03:18:06.000Z' + issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + clientId: 0oabskvc6442nkvQO0h7 + userId: 00u5t60iloOHN9pBi0h7 + scopes: + - offline_access + - car:drive + _embedded: + scopes: + - id: scppb56cIl4GvGxy70g3 + name: offline_access + description: >- + Requests a refresh token by default and is used to obtain more + access tokens without re-prompting the user for authentication + _links: + scope: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: offline_access + - id: scp142iq2J8IGRUCS0g4 + name: car:drive + displayName: Drive car + description: Allows the user to drive a car + _links: + scope: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4 + title: Drive car + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + 
title: Native + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + revoke: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7 + title: Example Client App + user: + href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3 + title: Saml Jackson + authorizationServer: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: Example Authorization Server + OAuth2RefreshTokenResponseEx: + summary: OAuth 2.0 refresh token example + value: + id: oar579Mcp7OUsNTlo0g3 + status: ACTIVE + created: '2023-03-09T03:18:06.000Z' + lastUpdated: '2023-03-09T03:18:06.000Z' + expiresAt: '2023-03-16T03:18:06.000Z' + issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + clientId: 0oabskvc6442nkvQO0h7 + userId: 00u5t60iloOHN9pBi0h7 + scopes: + - offline_access + - car:drive + _embedded: + scopes: + - id: scppb56cIl4GvGxy70g3 + name: offline_access + description: >- + Requests a refresh token by default and is used to obtain more + access tokens without re-prompting the user for authentication + _links: + scope: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: offline_access + - id: scp142iq2J8IGRUCS0g4 + name: car:drive + displayName: Drive car + description: Allows the user to drive a car + _links: + scope: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4 + title: Drive car + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: Native + self: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + revoke: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 
+ hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7 + title: Example Client App + user: + href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3 + title: Saml Jackson + authorizationServer: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: Example Authorization Server + AppUserListEx: + summary: List application user example + value: + - id: 00u1dnq5S0CfjlkpABCD + externalId: 00u5edt3PNbbjzvIABCD + created: '2024-01-31T18:25:01.000Z' + lastUpdated: '2024-01-31T18:25:03.000Z' + scope: USER + status: PROVISIONED + statusChanged: '2024-01-31T18:25:03.000Z' + passwordChanged: null + syncState: SYNCHRONIZED + lastSync: '2024-01-31T18:25:03.000Z' + credentials: + userName: saml.test@example.com + profile: + secondEmail: null + lastName: Test + mobilePhone: null + displayName: Saml O Test + email: saml.test@example.com + salesforceGroups: [] + role: Tester + firstName: Saml + streetAddress: null + profile: Standard Platform User + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL + user: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + _embedded: + user: + id: 00u1dnq5S0CfjlkpABCD + status: ACTIVE + created: '2024-01-09T15:36:04.000Z' + activated: '2024-01-09T15:36:05.000Z' + statusChanged: '2024-01-09T15:36:05.000Z' + lastLogin: null + lastUpdated: '2024-01-09T15:36:05.000Z' + passwordChanged: '2024-01-09T15:36:05.000Z' + type: + id: otyzhh29g7Python90g3 + profile: + firstName: Saml + lastName: Test + mobilePhone: null + secondEmail: null + login: saml.test@example.com + email: saml.test@example.com + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: >- + https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend + method: POST + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9 + resetPassword: + href: 
>- + https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password + method: POST + expirePassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: >- + https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + type: + href: >- + https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3 + changePassword: + href: >- + https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password + method: POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate + method: POST + AppUserAssignSSORequest: + summary: SSO application user request example + value: + id: 00ud4tVDDXYVKPXKVLCO + scope: USER + credentials: + userName: rae.cloud@example.com + AppUserAssignProvRequest: + summary: SSO and provisioning application user request example + value: + id: 00u15s1KDETTQMQYABRL + scope: USER + credentials: + userName: saml.jackson@example.com + profile: + salesforceGroups: + - Employee + role: Developer + profile: Standard User + AppUserSSOResponse: + summary: SSO application user response example + value: + id: 00ud4tVDDXYVKPXKVLCO + externalId: null + created: '2024-01-27T03:52:45.000Z' + lastUpdated: '2024-01-27T03:52:45.000Z' + scope: USER + status: ACTIVE + statusChanged: '2024-01-27T03:52:45.000Z' + passwordChanged: null + syncState: DISABLED + credentials": + userName: rae.cloud@example.com + profile: + street_address: null + country: null + website: null + zoneinfo: America/Los_Angeles + birthdate: null + gender: null + formatted: null + profile: null + locality: null + given_name: Rae + middle_name: null + locale: en_US + picture: null + name: Rae Cloud + nickname: null + phone_number: null + region: null + postal_code: null + family_name: Cloud 
+ email: rae.cloud@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO + AppUserProvResponse: + summary: SSO and provisioning application user response example + value: + id: 00u15s1KDETTQMQYABRL + externalId: 005o0000000ogQ9AAI + created: '2014-08-16T02:35:14.000Z' + lastUpdated: '2014-08-16T02:56:49.000Z' + scope: USER + status: PROVISIONED + statusChanged: '2014-08-16T02:56:49.000Z' + passwordChanged: null + syncState: SYNCHRONIZED + lastSync: '2014-08-16T02:56:49.000Z' + credentials: + userName: saml.jackson@example.com + profile: + secondEmail: null + lastName: Jackson + mobilePhone: null + email: saml.jackson@example.com + salesforceGroups: + - Employee + role: Developer + firstName: Saml + profile: Standard User + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + AppUserProvExpandResponse: + summary: Application user expand example + value: + id: 00u1dnq5S0CfjlkpABCD + externalId: 00u5edt3PNbbjzvIABCD + created: '2024-01-31T18:25:01.000Z' + lastUpdated: '2024-01-31T18:25:03.000Z' + scope: USER + status: PROVISIONED + statusChanged: '2024-01-31T18:25:03.000Z' + passwordChanged: null + syncState: SYNCHRONIZED + lastSync: '2024-01-31T18:25:03.000Z' + credentials: + userName: saml.test@example.com + profile: + secondEmail: null + lastName: Test + mobilePhone: null + displayName: Saml O Test + email: saml.test@example.com + salesforceGroups: [] + role: Tester + firstName: Saml + streetAddress: null + profile: Standard Platform User + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL + user: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + _embedded: + user: + id: 00u1dnq5S0CfjlkpABCD + status: ACTIVE + created: '2024-01-09T15:36:04.000Z' + activated: '2024-01-09T15:36:05.000Z' + statusChanged: 
'2024-01-09T15:36:05.000Z' + lastLogin: null + lastUpdated: '2024-01-09T15:36:05.000Z' + passwordChanged: '2024-01-09T15:36:05.000Z' + type: + id: otyzhh29g7Python90g3 + profile: + firstName: Saml + lastName: Test + mobilePhone: null + secondEmail: null + login: saml.test@example.com + email: saml.test@example.com + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: >- + https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend + method: POST + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9 + resetPassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password + method: POST + expirePassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: >- + https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD + type: + href: >- + https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3 + changePassword: + href: >- + https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password + method: POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate + method: POST + AppUserUpdateCredRequest: + summary: Application User credentials update + value: + credentials: + userName: rae.cloud@example.com + password: + value: updatedP@55word + AppUserUpdateProfileRequest: + summary: Application user profile update + value: + profile: + name: Rae Mae Cloud + middle_name: Mae + AppUserCredUpdateResponse: + summary: Application user credential update + value: + id: 00ud4tVDDXYVKPXKVLCO + externalId: null + created: '2024-01-27T03:52:45.000Z' + lastUpdated: '2024-01-27T05:15:30.000Z' + scope: USER + status: ACTIVE + statusChanged: 
'2024-01-27T03:52:45.000Z' + passwordChanged: '2024-01-27T05:15:30.000Z' + syncState: DISABLED + credentials": + userName: rae.cloud@example.com + password: {} + profile: + street_address: null + country: null + website: null + zoneinfo: America/Los_Angeles + birthdate: null + gender: null + formatted: null + profile: null + locality: null + given_name: Rae + middle_name: null + locale: en_US + picture: null + name: Rae Cloud + nickname: null + phone_number: null + region: null + postal_code: null + family_name: Cloud + email: rae.cloud@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO + AppUserProfUpdateResponse: + summary: Application user profile update + value: + id: 00ud4tVDDXYVKPXKVLCO + externalId: null + created: '2024-01-27T03:52:45.000Z' + lastUpdated: '2024-01-27T05:05:32.000Z' + scope: USER + status: ACTIVE + statusChanged: '2024-01-27T03:52:45.000Z' + passwordChanged: null + syncState: DISABLED + credentials": + userName: rae.cloud@example.com + profile: + street_address: null + country: null + website: null + zoneinfo: America/Los_Angeles + birthdate: null + gender: null + formatted: null + profile: null + locality: null + given_name: Rae + middle_name: Mae + locale: en_US + picture: null + name: Rae Mae Cloud + nickname: null + phone_number: null + region: null + postal_code: null + family_name: Cloud + email: rae.cloud@example.com + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + user: + href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorInvalidTokenProvided: + summary: Invalid Token Provided + value: + errorCode: E0000011 + errorSummary: Invalid token provided + errorLink: E0000011 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorAppUserForbiddenAction: + summary: Forbidden action + description: >- + If the `PUSH_NEW_USERS` or `PUSH_PROFILE_UPDATES` feature is enabled and + the request specifies a value for a profile-mapped (Universal Directory) + attribute that doesn't match the mapped value, then a 403 error is + returned. + value: + errorCode: E0000075 + errorSummary: >- + Cannot modify the firstName attribute because it has a field mapping + and profile push is enabled. + errorLink: E0000075 + errorId: sampleWXiR_K-WwaTKhlgBQ + errorCauses: [] + ErrorAppUserUpdateBadRequest: + summary: Bad request + description: >- + If you attempt to assign a username or password to an app with an + incompatible authentication scheme, then a 400 error is returned. + value: + errorCode: E0000041 + errorSummary: Credentials should not be set on this resource based on the scheme. + errorLink: E0000041 + errorId: oaeUM77NBynQQu4C_qT5ngjGQ + errorCauses: + errorSummary: User level credentials should not be provided for this scheme. 
+ x-stackQL-resources: + applications: + id: okta.apps.applications + name: applications + title: Applications + methods: + list_applications: + operation: + $ref: '#/paths/~1api~1v1~1apps/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_application: + operation: + $ref: '#/paths/~1api~1v1~1apps/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1lifecycle~1activate/post' + response: + mediaType: '' + openAPIDocKey: '200' + deactivate_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1lifecycle~1deactivate/post' + response: + mediaType: '' + openAPIDocKey: '200' + upload_application_logo: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1logo/post' + response: + mediaType: '' + openAPIDocKey: '201' + assign_application_policy: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1policies~1{policyId}/put' + response: + mediaType: '' + openAPIDocKey: '204' + preview_samlmetadata_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1sso~1saml~1metadata/get' + response: + mediaType: text/xml + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/applications/methods/list_applications + - $ref: >- + #/components/x-stackQL-resources/applications/methods/get_application + insert: + - $ref: >- + #/components/x-stackQL-resources/applications/methods/create_application + update: [] + delete: + - $ref: >- + 
#/components/x-stackQL-resources/applications/methods/delete_application + replace: + - $ref: >- + #/components/x-stackQL-resources/applications/methods/replace_application + connections: + id: okta.apps.connections + name: connections + title: Connections + methods: + get_default_provisioning_connection_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1connections~1default/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_default_provisioning_connection_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1connections~1default/post' + response: + mediaType: application/json + openAPIDocKey: '200' + activate_default_provisioning_connection_for_application: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1connections~1default~1lifecycle~1activate/post + response: + mediaType: '' + openAPIDocKey: '204' + deactivate_default_provisioning_connection_for_application: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1connections~1default~1lifecycle~1deactivate/post + response: + mediaType: '' + openAPIDocKey: '204' + verify_provisioning_connection_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appName}~1{appId}~1oauth2~1callback/post' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/connections/methods/get_default_provisioning_connection_for_application + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/connections/methods/update_default_provisioning_connection_for_application + delete: [] + replace: [] + connection_jwks: + id: okta.apps.connection_jwks + name: connection_jwks + title: Connection Jwks + methods: + get_user_provisioning_connection_jwks: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1connections~1default~1jwks/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + 
#/components/x-stackQL-resources/connection_jwks/methods/get_user_provisioning_connection_jwks + insert: [] + update: [] + delete: [] + replace: [] + csrs: + id: okta.apps.csrs + name: csrs + title: Csrs + methods: + list_csrs_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1csrs/get' + response: + mediaType: application/json + openAPIDocKey: '200' + generate_csr_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1csrs/post' + response: + mediaType: application/pkcs10 + openAPIDocKey: '201' + get_csr_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1csrs~1{csrId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_csr_from_application: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1credentials~1csrs~1{csrId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + publish_csr_from_application: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1credentials~1csrs~1{csrId}~1lifecycle~1publish/post + response: + mediaType: application/json + openAPIDocKey: '201' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/csrs/methods/list_csrs_for_application + - $ref: >- + #/components/x-stackQL-resources/csrs/methods/get_csr_for_application + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/csrs/methods/revoke_csr_from_application + replace: [] + jwks: + id: okta.apps.jwks + name: jwks + title: Jwks + methods: + list_jwk: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1jwks/get' + response: + mediaType: application/json + openAPIDocKey: '200' + add_jwk: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1jwks/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_jwk: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1jwks~1{keyId}/get' + response: + mediaType: application/json + 
openAPIDocKey: '200' + deletejwk: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1credentials~1jwks~1{keyId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + activate_oauth2_client_json_web_key: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1credentials~1jwks~1{keyId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_oauth2_client_json_web_key: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1credentials~1jwks~1{keyId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/jwks/methods/list_jwk' + - $ref: '#/components/x-stackQL-resources/jwks/methods/get_jwk' + insert: + - $ref: '#/components/x-stackQL-resources/jwks/methods/add_jwk' + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/jwks/methods/deletejwk' + replace: [] + keys: + id: okta.apps.keys + name: keys + title: Keys + methods: + list_application_keys: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1keys/get' + response: + mediaType: application/json + openAPIDocKey: '200' + generate_application_key: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1keys~1generate/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_application_key: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1keys~1{keyId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + clone_application_key: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1credentials~1keys~1{keyId}~1clone/post + response: + mediaType: application/json + openAPIDocKey: '201' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/keys/methods/list_application_keys + - $ref: '#/components/x-stackQL-resources/keys/methods/get_application_key' + insert: + - $ref: >- + 
#/components/x-stackQL-resources/keys/methods/generate_application_key + update: [] + delete: [] + replace: [] + secrets: + id: okta.apps.secrets + name: secrets + title: Secrets + methods: + list_oauth2_client_secrets: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1secrets/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_oauth2_client_secret: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1credentials~1secrets/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_oauth2_client_secret: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1credentials~1secrets~1{secretId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + delete_oauth2_client_secret: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1credentials~1secrets~1{secretId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + activate_oauth2_client_secret: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1credentials~1secrets~1{secretId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_oauth2_client_secret: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1credentials~1secrets~1{secretId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/secrets/methods/list_oauth2_client_secrets + - $ref: >- + #/components/x-stackQL-resources/secrets/methods/get_oauth2_client_secret + insert: + - $ref: >- + #/components/x-stackQL-resources/secrets/methods/create_oauth2_client_secret + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/secrets/methods/delete_oauth2_client_secret + replace: [] + cross_app_access_connections: + id: okta.apps.cross_app_access_connections + name: cross_app_access_connections + title: Cross App Access Connections + methods: + get_all_cross_app_access_connections: + 
operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1cwo~1connections/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_cross_app_access_connection: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1cwo~1connections/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_cross_app_access_connection: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1cwo~1connections~1{connectionId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + update_cross_app_access_connection: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1cwo~1connections~1{connectionId}/patch + response: + mediaType: application/json + openAPIDocKey: '200' + delete_cross_app_access_connection: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1cwo~1connections~1{connectionId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/cross_app_access_connections/methods/get_all_cross_app_access_connections + - $ref: >- + #/components/x-stackQL-resources/cross_app_access_connections/methods/get_cross_app_access_connection + insert: + - $ref: >- + #/components/x-stackQL-resources/cross_app_access_connections/methods/create_cross_app_access_connection + update: + - $ref: >- + #/components/x-stackQL-resources/cross_app_access_connections/methods/update_cross_app_access_connection + delete: + - $ref: >- + #/components/x-stackQL-resources/cross_app_access_connections/methods/delete_cross_app_access_connection + replace: [] + features: + id: okta.apps.features + name: features + title: Features + methods: + list_features_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1features/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_feature_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1features~1{featureName}/get' + response: + mediaType: application/json + 
openAPIDocKey: '200' + update_feature_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1features~1{featureName}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/features/methods/list_features_for_application + - $ref: >- + #/components/x-stackQL-resources/features/methods/get_feature_for_application + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/features/methods/update_feature_for_application + federated_claims: + id: okta.apps.federated_claims + name: federated_claims + title: Federated Claims + methods: + list_federated_claims: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1federated-claims/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_federated_claim: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1federated-claims/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_federated_claim: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1federated-claims~1{claimId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_federated_claim: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1federated-claims~1{claimId}/put' + response: + mediaType: application/json + openAPIDocKey: '201' + delete_federated_claim: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1federated-claims~1{claimId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/federated_claims/methods/list_federated_claims + - $ref: >- + #/components/x-stackQL-resources/federated_claims/methods/get_federated_claim + insert: + - $ref: >- + #/components/x-stackQL-resources/federated_claims/methods/create_federated_claim + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/federated_claims/methods/delete_federated_claim + replace: + - $ref: 
>- + #/components/x-stackQL-resources/federated_claims/methods/replace_federated_claim + grants: + id: okta.apps.grants + name: grants + title: Grants + methods: + list_scope_consent_grants: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1grants/get' + response: + mediaType: application/json + openAPIDocKey: '200' + grant_consent_to_scope: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1grants/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_scope_consent_grant: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1grants~1{grantId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_scope_consent_grant: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1grants~1{grantId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/grants/methods/list_scope_consent_grants + - $ref: >- + #/components/x-stackQL-resources/grants/methods/get_scope_consent_grant + insert: + - $ref: >- + #/components/x-stackQL-resources/grants/methods/grant_consent_to_scope + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/grants/methods/revoke_scope_consent_grant + replace: [] + push_mappings: + id: okta.apps.push_mappings + name: push_mappings + title: Push Mappings + methods: + list_group_push_mappings: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1group-push~1mappings/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_group_push_mapping: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1group-push~1mappings/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_group_push_mapping: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1group-push~1mappings~1{mappingId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + update_group_push_mapping: + operation: + $ref: >- + 
#/paths/~1api~1v1~1apps~1{appId}~1group-push~1mappings~1{mappingId}/patch + response: + mediaType: application/json + openAPIDocKey: '200' + delete_group_push_mapping: + operation: + $ref: >- + #/paths/~1api~1v1~1apps~1{appId}~1group-push~1mappings~1{mappingId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/push_mappings/methods/list_group_push_mappings + - $ref: >- + #/components/x-stackQL-resources/push_mappings/methods/get_group_push_mapping + insert: + - $ref: >- + #/components/x-stackQL-resources/push_mappings/methods/create_group_push_mapping + update: + - $ref: >- + #/components/x-stackQL-resources/push_mappings/methods/update_group_push_mapping + delete: + - $ref: >- + #/components/x-stackQL-resources/push_mappings/methods/delete_group_push_mapping + replace: [] + group_assignments: + id: okta.apps.group_assignments + name: group_assignments + title: Group Assignments + methods: + list_application_group_assignments: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1groups/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_application_group_assignment: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1groups~1{groupId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + assign_group_to_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1groups~1{groupId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + update_group_assignment_to_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1groups~1{groupId}/patch' + response: + mediaType: application/json + openAPIDocKey: '200' + unassign_application_from_group: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1groups~1{groupId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/group_assignments/methods/list_application_group_assignments + - 
$ref: >- + #/components/x-stackQL-resources/group_assignments/methods/get_application_group_assignment + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/group_assignments/methods/update_group_assignment_to_application + delete: + - $ref: >- + #/components/x-stackQL-resources/group_assignments/methods/unassign_application_from_group + replace: + - $ref: >- + #/components/x-stackQL-resources/group_assignments/methods/assign_group_to_application + tokens: + id: okta.apps.tokens + name: tokens + title: Tokens + methods: + list_oauth2_tokens_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1tokens/get' + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_oauth2_tokens_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1tokens/delete' + response: + mediaType: '' + openAPIDocKey: '204' + get_oauth2_token_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1tokens~1{tokenId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_oauth2_token_for_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1tokens~1{tokenId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/tokens/methods/list_oauth2_tokens_for_application + - $ref: >- + #/components/x-stackQL-resources/tokens/methods/get_oauth2_token_for_application + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/tokens/methods/revoke_oauth2_tokens_for_application + - $ref: >- + #/components/x-stackQL-resources/tokens/methods/revoke_oauth2_token_for_application + replace: [] + application_users: + id: okta.apps.application_users + name: application_users + title: Application Users + methods: + list_application_users: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1users/get' + response: + mediaType: application/json + openAPIDocKey: '200' + assign_user_to_application: 
+ operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1users/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_application_user: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1users~1{userId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_application_user: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1users~1{userId}/post' + response: + mediaType: application/json + openAPIDocKey: '200' + unassign_user_from_application: + operation: + $ref: '#/paths/~1api~1v1~1apps~1{appId}~1users~1{userId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/application_users/methods/list_application_users + - $ref: >- + #/components/x-stackQL-resources/application_users/methods/get_application_user + insert: + - $ref: >- + #/components/x-stackQL-resources/application_users/methods/assign_user_to_application + update: + - $ref: >- + #/components/x-stackQL-resources/application_users/methods/update_application_user + delete: + - $ref: >- + #/components/x-stackQL-resources/application_users/methods/unassign_user_from_application + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/attack_protection.yaml b/providers/src/okta/v00.00.00000/services/attack_protection.yaml new file mode 100644 index 00000000..8c2d359b --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/attack_protection.yaml 
@@ -0,0 +1,312 @@ +openapi: 3.0.3 +info: + title: attack_protection API + description: okta attack_protection API + version: 5.1.0 +paths: + /attack-protection/api/v1/authenticator-settings: + get: + summary: Retrieve the authenticator settings + description: Retrieves the Authenticator Settings for an org + operationId: getAuthenticatorSettings + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - AttackProtection + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the authenticator settings + description: Replaces the Authenticator Settings for an org + operationId: replaceAuthenticatorSettings + x-codegen-request-body-name: authenticatorSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - AttackProtection + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /attack-protection/api/v1/user-lockout-settings: + get: + summary: Retrieve the user lockout settings + description: 
Retrieves the User Lockout Settings for an org + operationId: getUserLockoutSettings + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserLockoutSettings' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - AttackProtection + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the user lockout settings + description: Replaces the User Lockout Settings for an org + operationId: replaceUserLockoutSettings + x-codegen-request-body-name: lockoutSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserLockoutSettings' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/UserLockoutSettings' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - AttackProtection + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true +components: + schemas: + AttackProtectionAuthenticatorSettings: + type: object + properties: + verifyKnowledgeSecondWhen2faRequired: + type: boolean + description: >- + If true, requires users to verify a possession factor before + verifying a knowledge factor when the assurance requires two-factor + authentication (2FA). 
+ default: false + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + UserLockoutSettings: + type: object + properties: + preventBruteForceLockoutFromUnknownDevices: + type: boolean + description: >- + Prevents brute-force lockout from unknown devices for the password + authenticator. + default: false + ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + examples: + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too 
many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + x-stackQL-resources: + authenticator_settings: + id: okta.attack_protection.authenticator_settings + name: authenticator_settings + title: Authenticator Settings + methods: + get_authenticator_settings: + operation: + $ref: '#/paths/~1attack-protection~1api~1v1~1authenticator-settings/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_authenticator_settings: + operation: + $ref: '#/paths/~1attack-protection~1api~1v1~1authenticator-settings/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/authenticator_settings/methods/get_authenticator_settings + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/authenticator_settings/methods/replace_authenticator_settings + lockout_settings: + id: okta.attack_protection.lockout_settings + name: lockout_settings + title: Lockout Settings + methods: + get_user_lockout_settings: + operation: + $ref: '#/paths/~1attack-protection~1api~1v1~1user-lockout-settings/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_user_lockout_settings: + operation: + $ref: '#/paths/~1attack-protection~1api~1v1~1user-lockout-settings/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/lockout_settings/methods/get_user_lockout_settings + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/lockout_settings/methods/replace_user_lockout_settings +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org 
+ description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/authenticators.yaml b/providers/src/okta/v00.00.00000/services/authenticators.yaml new file mode 100644 index 00000000..825e9f3e --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/authenticators.yaml 
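Review bot: The `servers` block that closes this new file contradicts its own description: the template `https://{subdomain}.okta.com/` fixes the `okta.com` suffix, so the `oktapreview.com` and custom domains the description mentions cannot be reached by setting `subdomain` alone. The default `my-org` is also a plausible real tenant label, so if the client falls back to it when the variable is unset, requests carrying the `apiToken` or OAuth credential declared on every operation in this file would go to an org that is not the caller's. I would state that the variable must always be set and reword the text to something like `description: The subdomain of your Okta org under okta.com; must be set explicitly.`. The trailing slash, joined with paths that begin with `/`, may also produce `//attack-protection/...` depending on how the client concatenates them, so `- url: https://{subdomain}.okta.com` is the safer form. The same block ends the preceding file's hunk.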
@@ -0,0 +1,1846 @@ +openapi: 3.0.3 +info: + title: authenticators API + description: okta authenticators API + version: 5.1.0 +paths: + /api/v1/authenticators: + get: + summary: List all authenticators + description: Lists all authenticators + operationId: listAuthenticators + responses: + '200': + description: Success + content: + application/json: + schema: + items: + $ref: '#/components/schemas/AuthenticatorBase' + type: array + examples: + OrgAuthenticatorsEx: + $ref: '#/components/examples/AuthenticatorsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.read + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create an authenticator + description: Creates an authenticator + operationId: createAuthenticator + parameters: + - in: query + name: activate + description: >- + Whether to execute the activation lifecycle operation when Okta + creates the authenticator + schema: + type: boolean + default: true + x-codegen-request-body-name: authenticator + requestBody: + $ref: '#/components/requestBodies/AuthenticatorRequestBody' + responses: + '200': + $ref: '#/components/responses/AuthenticatorResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/authenticators/{authenticatorId}: + get: + summary: Retrieve an authenticator + description: >- + Retrieves an authenticator from your Okta organization by + `authenticatorId` + operationId: getAuthenticator + 
responses: + '200': + $ref: '#/components/responses/AuthenticatorResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.read + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace an authenticator + description: >- + Replaces the properties for an authenticator identified by + `authenticatorId` + operationId: replaceAuthenticator + x-codegen-request-body-name: authenticator + requestBody: + $ref: '#/components/requestBodies/AuthenticatorRequestBody' + responses: + '200': + $ref: '#/components/responses/AuthenticatorResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + /api/v1/authenticators/{authenticatorId}/aaguids: + get: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: List all custom AAGUIDs + description: >- + Lists all custom Authenticator Attestation Global Unique Identifiers + (AAGUIDs) in the org + + + Only custom AAGUIDs that an admin has created are returned. 
+ operationId: listAllCustomAAGUIDs + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AllCustomAAGUIDResponseObject' + examples: + default: + $ref: '#/components/examples/AllCustomAAGUIDResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.read + tags: + - Authenticator + post: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Create a custom AAGUID + description: Creates a custom AAGUID for the WebAuthn authenticator + operationId: createCustomAAGUID + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CustomAAGUIDCreateRequestObject' + examples: + default: + $ref: '#/components/examples/CustomAAGUIDRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/CustomAAGUIDResponseObject' + examples: + default: + $ref: '#/components/examples/CustomAAGUIDResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + /api/v1/authenticators/{authenticatorId}/aaguids/{aaguid}: + get: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Retrieve a custom AAGUID + description: Retrieves a custom AAGUID + operationId: getCustomAAGUID + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/CustomAAGUIDResponseObject' + examples: + default: + $ref: 
'#/components/examples/CustomAAGUIDResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.read + tags: + - Authenticator + put: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Replace a custom AAGUID + description: Replaces a custom AAGUID for the specified WebAuthn authenticator + operationId: replaceCustomAAGUID + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CustomAAGUIDUpdateRequestObject' + examples: + default: + $ref: '#/components/examples/CustomAAGUIDUpdateRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/CustomAAGUIDResponseObject' + examples: + default: + $ref: '#/components/examples/CustomAAGUIDResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + patch: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Update a custom AAGUID + description: >- + Updates the properties of a custom AAGUID by the `authenticatorId` and + `aaguid` ID + operationId: updateCustomAAGUID + requestBody: + content: + application/merge-patch+json: + schema: + $ref: '#/components/schemas/CustomAAGUIDUpdateRequestObject' + examples: + default: + $ref: '#/components/examples/CustomAAGUIDUpdateRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/CustomAAGUIDResponseObject' + examples: + default: + $ref: '#/components/examples/CustomAAGUIDResponse' + '403': + $ref: 
'#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + delete: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Delete a custom AAGUID + description: |- + Deletes a custom AAGUID + + You can only delete custom AAGUIDs that an admin has created. + operationId: deleteCustomAAGUID + responses: + '204': + description: Deleted + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + - $ref: '#/components/parameters/pathAAGUID' + /api/v1/authenticators/{authenticatorId}/lifecycle/activate: + post: + summary: Activate an authenticator + description: Activates an authenticator by `authenticatorId` + operationId: activateAuthenticator + responses: + '200': + $ref: '#/components/responses/AuthenticatorResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + /api/v1/authenticators/{authenticatorId}/lifecycle/deactivate: + post: + summary: Deactivate an authenticator + description: Deactivates an authenticator by `authenticatorId` + operationId: deactivateAuthenticator + responses: + '200': + $ref: 
'#/components/responses/AuthenticatorResponseInactiveWebAuthn' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + /api/v1/authenticators/{authenticatorId}/methods: + get: + summary: List all methods of an authenticator + description: Lists all methods of an authenticator identified by `authenticatorId` + operationId: listAuthenticatorMethods + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + Phone: + $ref: '#/components/examples/AuthenticatorMethodPhone' + TAC: + $ref: '#/components/examples/AuthenticatorMethodTac' + WebAuthn: + $ref: '#/components/examples/AuthenticatorMethodWebAuthn' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.read + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + /api/v1/authenticators/{authenticatorId}/methods/{methodType}: + get: + summary: Retrieve an authenticator method + description: >- + Retrieves a method identified by `methodType` of an authenticator + identified by `authenticatorId` + operationId: getAuthenticatorMethod + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/AuthenticatorMethodBase' + examples: + sms: + $ref: '#/components/examples/AuthenticatorMethodSms' + tac: + $ref: '#/components/examples/AuthenticatorMethodTac' + voice: + $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' + webauthn: + $ref: '#/components/examples/AuthenticatorMethodWebAuthn' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.read + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace an authenticator method + description: >- + Replaces a method of `methodType` for an authenticator identified by + `authenticatorId` + operationId: replaceAuthenticatorMethod + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorMethodBase' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + sms: + $ref: '#/components/examples/AuthenticatorMethodSms' + tac: + $ref: '#/components/examples/AuthenticatorMethodTac' + voice: + $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' + webauthn: + $ref: '#/components/examples/AuthenticatorMethodWebAuthn' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: 
'#/components/parameters/pathAuthenticatorId' + - $ref: '#/components/parameters/pathMethodType' + /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/activate: + post: + summary: Activate an authenticator method + description: >- + Activates a method for an authenticator identified by `authenticatorId` + and `methodType` + operationId: activateAuthenticatorMethod + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + sms: + $ref: '#/components/examples/AuthenticatorMethodSms' + webauthn: + $ref: '#/components/examples/AuthenticatorMethodWebAuthn' + tac: + $ref: '#/components/examples/AuthenticatorMethodTac' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + - $ref: '#/components/parameters/pathMethodType' + /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/deactivate: + post: + summary: Deactivate an authenticator method + description: >- + Deactivates a method for an authenticator identified by + `authenticatorId` and `methodType` + operationId: deactivateAuthenticatorMethod + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorMethodBase' + examples: + voice: + $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - 
apiToken: [] + - oauth2: + - okta.authenticators.manage + tags: + - Authenticator + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathAuthenticatorId' + - $ref: '#/components/parameters/pathMethodType' +components: + schemas: + AuthenticatorBase: + type: object + properties: + created: + description: Timestamp when the authenticator was created + format: date-time + readOnly: true + type: string + id: + description: A unique identifier for the authenticator + readOnly: true + type: string + key: + $ref: '#/components/schemas/AuthenticatorKeyEnum' + lastUpdated: + description: Timestamp when the authenticator was last modified + format: date-time + readOnly: true + type: string + name: + description: Display name of the authenticator + type: string + status: + description: Status of the authenticator + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/AuthenticatorType' + _links: + description: Link relations for this object + $ref: '#/components/schemas/AuthenticatorLinks' + discriminator: + propertyName: key + mapping: + custom_app: '#/components/schemas/AuthenticatorKeyCustomApp' + duo: '#/components/schemas/AuthenticatorKeyDuo' + okta_email: '#/components/schemas/AuthenticatorKeyEmail' + google_otp: '#/components/schemas/AuthenticatorKeyGoogleOtp' + external_idp: '#/components/schemas/AuthenticatorKeyExternalIdp' + okta_password: '#/components/schemas/AuthenticatorKeyPassword' + okta_verify: '#/components/schemas/AuthenticatorKeyOktaVerify' + onprem_mfa: '#/components/schemas/AuthenticatorKeyOnprem' + phone_number: '#/components/schemas/AuthenticatorKeyPhone' + security_key: '#/components/schemas/AuthenticatorKeySecurityKey' + security_question: '#/components/schemas/AuthenticatorKeySecurityQuestion' + symantec_vip: '#/components/schemas/AuthenticatorKeySymantecVip' + smart_card_idp: 
'#/components/schemas/AuthenticatorKeySmartCard' + webauthn: '#/components/schemas/AuthenticatorKeyWebauthn' + yubikey_token: '#/components/schemas/AuthenticatorKeyYubikey' + tac: '#/components/schemas/AuthenticatorKeyTac' + AllCustomAAGUIDResponseObject: + items: + $ref: '#/components/schemas/CustomAAGUIDResponseObject' + type: array + CustomAAGUIDCreateRequestObject: + type: object + properties: + aaguid: + description: >- + An Authenticator Attestation Global Unique Identifier (AAGUID) is a + 128-bit identifier indicating the model. + type: string + attestationRootCertificates: + $ref: '#/components/schemas/AttestationRootCertificatesRequest' + authenticatorCharacteristics: + $ref: '#/components/schemas/AAGUIDAuthenticatorCharacteristics' + CustomAAGUIDResponseObject: + type: object + properties: + aaguid: + description: >- + A unique 128-bit identifier that's assigned to a specific model of + security key or authenticator + type: string + attestationRootCertificates: + $ref: '#/components/schemas/AttestationRootCertificatesResponse' + authenticatorCharacteristics: + $ref: '#/components/schemas/AAGUIDAuthenticatorCharacteristics' + name: + description: The product name associated with the AAGUID + type: string + _links: + $ref: '#/components/schemas/LinksSelf' + CustomAAGUIDUpdateRequestObject: + type: object + properties: + attestationRootCertificates: + $ref: '#/components/schemas/AttestationRootCertificatesRequest' + authenticatorCharacteristics: + $ref: '#/components/schemas/AAGUIDAuthenticatorCharacteristics' + name: + description: The product name associated with this AAGUID. 
+ type: string + AuthenticatorMethodBase: + type: object + properties: + status: + description: The status of the authenticator method + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/AuthenticatorMethodType' + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + discriminator: + propertyName: type + mapping: + sms: '#/components/schemas/AuthenticatorMethodSimple' + voice: '#/components/schemas/AuthenticatorMethodSimple' + email: '#/components/schemas/AuthenticatorMethodSimple' + push: '#/components/schemas/AuthenticatorMethodPush' + signed_nonce: '#/components/schemas/AuthenticatorMethodSignedNonce' + totp: '#/components/schemas/AuthenticatorMethodTotp' + otp: '#/components/schemas/AuthenticatorMethodOtp' + password: '#/components/schemas/AuthenticatorMethodSimple' + webauthn: '#/components/schemas/AuthenticatorMethodWebAuthn' + security_question: '#/components/schemas/AuthenticatorMethodSimple' + idp: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + duo: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + cert: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' + tac: '#/components/schemas/AuthenticatorMethodTac' + AuthenticatorKeyEnum: + description: A human-readable string that identifies the authenticator + type: string + enum: + - custom_app + - duo + - external_idp + - google_otp + - okta_email + - okta_password + - okta_verify + - onprem_mfa + - phone_number + - security_key + - security_question + - smart_card_idp + - symantec_vip + - webauthn + - yubikey_token + - tac + LifecycleStatus: + type: string + enum: + - ACTIVE + - INACTIVE + AuthenticatorType: + description: The type of authenticator + type: string + enum: + - app + - email + - federated + - password + - phone + - security_key + - security_question + - tac + AuthenticatorLinks: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + methods: + description: 
Link to authenticator methods + allOf: + - $ref: '#/components/schemas/HrefObject' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + AttestationRootCertificatesRequest: + description: Contains the certificate and information about it + items: + type: object + properties: + x5c: + description: X.509 certificate chain + type: string + type: array + AAGUIDAuthenticatorCharacteristics: + description: Contains additional properties about custom AAGUID. 
+ type: object + properties: + fipsCompliant: + description: >- + Indicates whether the authenticator meets Federal Information + Processing Standards (FIPS) compliance requirements + type: boolean + hardwareProtected: + description: >- + Indicates whether the authenticator stores the private key on a + hardware component + type: boolean + platformAttached: + description: >- + Indicates whether the custom AAGUID is built into the authenticator + (`true`) or if it's a separate, external authenticator + type: boolean + AttestationRootCertificatesResponse: + items: + type: object + properties: + x5c: + description: X.509 certificate chain + type: string + x5t#S256: + description: SHA-256 hash (thumbprint) of the X.509 certificate + type: string + iss: + description: Issuer of certificate + type: string + exp: + description: Expiry date of certificate + type: string + type: array + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + AuthenticatorMethodType: + description: The type of authenticator method + type: string + enum: + - cert + - duo + - email + - idp + - otp + - password + - push + - security_question + - signed_nonce + - sms + - totp + - voice + - webauthn + - tac + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + AuthenticatorResponse: + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorBase' + examples: + Duo: + $ref: '#/components/examples/AuthenticatorResponseDuo' + Email: + $ref: '#/components/examples/AuthenticatorResponseEmail' + Password: + $ref: '#/components/examples/AuthenticatorResponsePassword' + Phone: + $ref: '#/components/examples/AuthenticatorResponsePhone' + WebAuthn: + $ref: '#/components/examples/AuthenticatorResponseWebAuthn' + SecurityQuestion: + $ref: '#/components/examples/AuthenticatorResponseSecurityQuestion' + TAC: + $ref: '#/components/examples/AuthenticatorResponseTac' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + 
$ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + AuthenticatorResponseInactiveWebAuthn: + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorBase' + examples: + WebAuthn: + $ref: '#/components/examples/AuthenticatorResponseInactiveWebAuthn' + parameters: + pathAuthenticatorId: + name: authenticatorId + description: '`id` of the authenticator' + in: path + required: true + schema: + type: string + example: aut1nd8PQhGcQtSxB0g4 + pathAAGUID: + name: aaguid + description: Unique ID of a custom AAGUID + in: path + required: true + schema: + type: string + example: cb69481e-8ff7-4039-93ec-0a272911111 + pathMethodType: + name: methodType + description: Type of authenticator method + in: path + required: true + schema: + $ref: '#/components/schemas/AuthenticatorMethodType' + examples: + AuthenticatorsResponse: + summary: Org authenticators + value: + - type: email + id: aut1nbsPHh7jNjjyP0g4 + key: okta_email + status: ACTIVE + name: Email + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-28T21:45:52.000Z' + settings: + allowedFor: any + tokenLifetimeInMinutes: 5 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 + hints: + allow: + - GET + - PUT + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate + hints: + allow: + - POST + - type: password + id: aut1nbtrJKKA9m45a0g4 + key: okta_password + status: ACTIVE + name: Password + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: >- + 
https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 + hints: + allow: + - GET + - PUT + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods + hints: + allow: + - GET + - type: phone + id: aut1nbuyD8m1ckAYc0g4 + key: phone_number + status: INACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + settings: + allowedFor: none + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 + hints: + allow: + - GET + - PUT + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods + hints: + allow: + - GET + activate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate + hints: + allow: + - POST + - type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: ACTIVE + name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: '2020-07-27T18:59:30.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + aaguids: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/aaguids + hints: + allow: + - GET + - POST + AllCustomAAGUIDResponse: + value: + - aaguid: cb69481e-8ff7-4039-93ec-0a272911111 + name: My Security Key + authenticatorCharacteristics: + platformAttached: false + fipsCompliant: false + hardwareProtected: false + attestationRootCertificates: + - x5c: X5C... 
+ x5t#S256: SHA-256 x5t of the X.509 root certificate + iss: Yubico U2F Root CA Serial 457200631 + exp: '2035-05-26T16:04:58.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/aaguids/cb69481e-8ff7-4039-93ec-0a272911111 + hints: + allow: + - GET + - PUT + - PATCH + - DELETE + CustomAAGUIDRequest: + value: + aaguid: cb69481e-8ff7-4039-93ec-0a272911111 + name: My Security Key + authenticatorCharacteristics: + platformAttached: false + fipsCompliant: false + hardwareProtected: false + attestationRootCertificates: + - x5c: X5C... + CustomAAGUIDResponse: + value: + aaguid: cb69481e-8ff7-4039-93ec-0a272911111 + name: My Security Key + authenticatorCharacteristics: + platformAttached: false + fipsCompliant: false + hardwareProtected: false + attestationRootCertificates: + - x5c: X5C... + x5t#S256: SHA-256 x5t of the X.509 root certificate + iss: Yubico U2F Root CA Serial 457200631 + exp: '2035-05-26T16:04:58.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/aaguids/cb69481e-8ff7-4039-93ec-0a272911111 + hints: + allow: + - GET + - PUT + - PATCH + - DELETE + CustomAAGUIDUpdateRequest: + value: + name: My Security Key + authenticatorCharacteristics: + platformAttached: false + fipsCompliant: false + hardwareProtected: false + attestationRootCertificates: + - x5c: X5C... 
+ AuthenticatorMethodPhone: + value: + - type: sms + status: ACTIVE + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms + hints: + allow: + - GET + - PUT + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate + hints: + allow: + - POST + - type: voice + status: INACTIVE + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice + hints: + allow: + - GET + - PUT + activate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate + hints: + allow: + - POST + AuthenticatorMethodTac: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + value: + type: tac + status: ACTIVE + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut3l0cm6voCtVWK20g7/methods/tac + hints: + allow: + - GET + - PUT + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut3l0cm6voCtVWK20g7/methods/tac/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorMethodWebAuthn: + value: + type: webauthn + status: ACTIVE + settings: + userVerification: DISCOURAGED + attachment: ANY + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/webauthn + hints: + allow: + - GET + - PUT + AuthenticatorMethodSms: + value: + type: sms + status: ACTIVE + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms + hints: + allow: + - GET + - PUT + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate + hints: + allow": + - POST + AuthenticatorMethodInactiveVoice: + value: + type: voice + status: INACTIVE + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice + hints: + 
allow: + - GET + - PUT + activate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate + hints: + allow: + - POST + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + AuthenticatorRequestDuo: + value: + key: duo + name: Duo Security + provider: + type: DUO + configuration: + userNameTemplate: + template: oktaId + integrationKey: testIntegrationKey + secretKey: testSecretKey + host: https://api-xxxxxxxx.duosecurity.com + AuthenticatorRequestTac: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + value: + key: tac + name: Temporary Access Code + provider: + type: tac + configuration: + minTtl: 10 + maxTtl: 14400 + defaultTtl: 120 + length: 16 + complexity: + numbers: true + letters: true + specialCharacters: true + multiUseAllowed: true + AuthenticatorResponseDuo: + value: + type: app + id: aut9gnvcjUHIWb37J0g4 + key: duo + status: ACTIVE + name: Duo Security + created: '2022-07-15T21:14:02.000Z' + lastUpdated: '2022-07-15T21:14:02.000Z' + settings: {} + provider: + type: DUO + configuration: + host: https://api-xxxxxxxx.duosecurity.com + userNameTemplate: + template: oktaId + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4 + hints: + allow: + - GET + - PUT + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/lifecycle/deactivate + hints: + allow: + - POST + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/methods + hints: + allow: + - GET + 
AuthenticatorResponseEmail: + value: + type: email + id: aut1nbsPHh7jNjjyP0g4 + key: okta_email + status: ACTIVE + name: Email + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-28T21:45:52.000Z' + settings: + allowedFor: any + tokenLifetimeInMinutes: 5 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 + hints: + allow: + - GET + - PUT + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorResponsePassword: + value: + type: password + id: aut1nbtrJKKA9m45a0g4 + key: okta_password + status: ACTIVE + name: Password + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 + hints: + allow: + - GET + - PUT + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods + hints: + allow: + - GET + AuthenticatorResponsePhone: + value: + type: phone + id: aut1nbuyD8m1ckAYc0g4 + key: phone_number + status: INACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + settings: + allowedFor: none + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 + hints: + allow: + - GET + - PUT + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods + hints: + allow: + - GET + activate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate + hints: + allow: + - POST + AuthenticatorResponseWebAuthn: + value: + type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: ACTIVE + name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: 
'2020-07-27T18:59:30.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + aaguids: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/aaguids + hints: + allow: + - GET + - POST + AuthenticatorResponseSecurityQuestion: + summary: Security question + value: + type: security_question + id: aut1nbvIgEenhwE6c0g4 + key: security_question + status: ACTIVE + name: Security Question + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4 + hints: + allow: + - GET + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/methods + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/lifecycle/deactivate + hints: + allow: + - POST + AuthenticatorResponseTac: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + value: + type: tac + id: aut3l0cm6voCtVWK20g7 + key: tac + status: ACTIVE + name: Temporary Access Code + created: '2022-07-15T21:14:02.000Z' + lastUpdated: '2022-07-15T21:14:02.000Z' + provider: + type: tac + configuration: + minTtl: 10 + maxTtl: 14400 + defaultTtl: 120 + length: 16 + complexity: + numbers: true + letters: true + specialCharacters: true + multiUseAllowed: true + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut3l0cm6voCtVWK20g7 + hints: + allow: + - GET + - PUT + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut3l0cm6voCtVWK20g7/lifecycle/deactivate + hints: + allow: + - 
POST + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut3l0cm6voCtVWK20g7/methods + hints: + allow: + - GET + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + AuthenticatorResponseInactiveWebAuthn: + value: + type: security_key + id: aut1nd8PQhGcQtSxB0g4 + key: webauthn + status: INACTIVE + name: Security Key or Biometric + created: '2020-07-26T21:16:37.000Z' + lastUpdated: '2020-07-27T18:59:30.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 + hints: + allow: + - GET + - PUT + methods: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate + hints: + allow: + - POST + requestBodies: + AuthenticatorRequestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorBase' + examples: + Duo: + $ref: '#/components/examples/AuthenticatorRequestDuo' + TAC: + $ref: '#/components/examples/AuthenticatorRequestTac' + required: true + x-stackQL-resources: + authenticators: + id: okta.authenticators.authenticators + name: authenticators + title: Authenticators + methods: + list_authenticators: + operation: + $ref: '#/paths/~1api~1v1~1authenticators/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_authenticator: + operation: + $ref: '#/paths/~1api~1v1~1authenticators/post' + response: + mediaType: '' + openAPIDocKey: '200' + get_authenticator: + operation: + $ref: 
'#/paths/~1api~1v1~1authenticators~1{authenticatorId}/get' + response: + mediaType: '' + openAPIDocKey: '200' + replace_authenticator: + operation: + $ref: '#/paths/~1api~1v1~1authenticators~1{authenticatorId}/put' + response: + mediaType: '' + openAPIDocKey: '200' + activate_authenticator: + operation: + $ref: >- + #/paths/~1api~1v1~1authenticators~1{authenticatorId}~1lifecycle~1activate/post + response: + mediaType: '' + openAPIDocKey: '200' + deactivate_authenticator: + operation: + $ref: >- + #/paths/~1api~1v1~1authenticators~1{authenticatorId}~1lifecycle~1deactivate/post + response: + mediaType: '' + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/authenticators/methods/list_authenticators + - $ref: >- + #/components/x-stackQL-resources/authenticators/methods/get_authenticator + insert: + - $ref: >- + #/components/x-stackQL-resources/authenticators/methods/create_authenticator + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/authenticators/methods/replace_authenticator + custom_aaguids: + id: okta.authenticators.custom_aaguids + name: custom_aaguids + title: Custom Aaguids + methods: + list_all_custom_aaguids: + operation: + $ref: '#/paths/~1api~1v1~1authenticators~1{authenticatorId}~1aaguids/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_custom_aaguid: + operation: + $ref: '#/paths/~1api~1v1~1authenticators~1{authenticatorId}~1aaguids/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_custom_aaguid: + operation: + $ref: >- + #/paths/~1api~1v1~1authenticators~1{authenticatorId}~1aaguids~1{aaguid}/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_custom_aaguid: + operation: + $ref: >- + #/paths/~1api~1v1~1authenticators~1{authenticatorId}~1aaguids~1{aaguid}/put + response: + mediaType: application/json + openAPIDocKey: '200' + update_custom_aaguid: + operation: + $ref: >- + 
#/paths/~1api~1v1~1authenticators~1{authenticatorId}~1aaguids~1{aaguid}/patch + response: + mediaType: application/json + openAPIDocKey: '200' + delete_custom_aaguid: + operation: + $ref: >- + #/paths/~1api~1v1~1authenticators~1{authenticatorId}~1aaguids~1{aaguid}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/custom_aaguids/methods/list_all_custom_aaguids + - $ref: >- + #/components/x-stackQL-resources/custom_aaguids/methods/get_custom_aaguid + insert: + - $ref: >- + #/components/x-stackQL-resources/custom_aaguids/methods/create_custom_aaguid + update: + - $ref: >- + #/components/x-stackQL-resources/custom_aaguids/methods/update_custom_aaguid + delete: + - $ref: >- + #/components/x-stackQL-resources/custom_aaguids/methods/delete_custom_aaguid + replace: + - $ref: >- + #/components/x-stackQL-resources/custom_aaguids/methods/replace_custom_aaguid + authenticator_methods: + id: okta.authenticators.authenticator_methods + name: authenticator_methods + title: Authenticator Methods + methods: + list_authenticator_methods: + operation: + $ref: '#/paths/~1api~1v1~1authenticators~1{authenticatorId}~1methods/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_authenticator_method: + operation: + $ref: >- + #/paths/~1api~1v1~1authenticators~1{authenticatorId}~1methods~1{methodType}/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_authenticator_method: + operation: + $ref: >- + #/paths/~1api~1v1~1authenticators~1{authenticatorId}~1methods~1{methodType}/put + response: + mediaType: application/json + openAPIDocKey: '200' + activate_authenticator_method: + operation: + $ref: >- + #/paths/~1api~1v1~1authenticators~1{authenticatorId}~1methods~1{methodType}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_authenticator_method: + operation: + $ref: >- + 
#/paths/~1api~1v1~1authenticators~1{authenticatorId}~1methods~1{methodType}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/authenticator_methods/methods/list_authenticator_methods + - $ref: >- + #/components/x-stackQL-resources/authenticator_methods/methods/get_authenticator_method + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/authenticator_methods/methods/replace_authenticator_method +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/authorizationservers.yaml b/providers/src/okta/v00.00.00000/services/authorizationservers.yaml new file mode 100644 index 00000000..c70a9844 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/authorizationservers.yaml 
@@ -0,0 +1,5214 @@ +openapi: 3.0.3 +info: + title: authorizationservers API + description: okta authorizationservers API + version: 5.1.0 +paths: + /api/v1/authorizationServers: + get: + summary: List all authorization servers + description: Lists all custom authorization servers in the org + operationId: listAuthorizationServers + parameters: + - name: q + in: query + description: >- + Searches the `name` and `audiences` of authorization servers for + matching values + example: customasone + schema: + type: string + - name: limit + in: query + description: >- + Specifies the number of authorization server results on a page. + Maximum value: 200 + schema: + type: integer + format: int32 + default: 200 + - name: after + in: query + description: >- + Specifies the pagination cursor for the next page of authorization + servers. Treat as an opaque value and obtain through the next link + relationship. + schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthorizationServer' + examples: + ListAuthServers: + $ref: '#/components/examples/ListAuthServersResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + post: + summary: Create an authorization server + description: Creates an authorization server + operationId: createAuthorizationServer + x-codegen-request-body-name: authorizationServer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAuthServer: + $ref: '#/components/examples/CreateAuthServerBody' + CreateAuthServerWithAccessTokenEncryption: + $ref: >- + 
#/components/examples/CreateAuthServerWithAccessTokenEncryptionBody + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServer' + examples: + CreateAuthServer: + $ref: '#/components/examples/CreateAuthServerResponse' + CreateAuthServerWithAccessTokenEncryption: + $ref: >- + #/components/examples/CreateAuthServerWithAccessTokenEncryptionResponse + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + /api/v1/authorizationServers/{authServerId}: + get: + summary: Retrieve an authorization server + description: Retrieves an authorization server + operationId: getAuthorizationServer + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServer' + examples: + RetrieveAuthServer: + $ref: '#/components/examples/RetrieveAuthServerResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + put: + summary: Replace an authorization server + description: Replaces an authorization server + operationId: replaceAuthorizationServer + x-codegen-request-body-name: authorizationServer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServer' + examples: + ReplaceAuthServer: 
+ $ref: '#/components/examples/ReplaceAuthServerBody' + ReplaceAuthServerEnableTokenEncryption: + $ref: >- + #/components/examples/ReplaceAuthServerEnableTokenEncryptionBody + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServer' + examples: + ReplaceAuthServer: + $ref: '#/components/examples/ReplaceAuthServerResponse' + ReplaceAuthServerEnableTokenEncryption: + $ref: >- + #/components/examples/ReplaceAuthServerEnableTokenEncryptionResponse + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + delete: + summary: Delete an authorization server + description: Deletes an authorization server + operationId: deleteAuthorizationServer + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/associatedServers: + get: + summary: List all associated authorization servers + description: >- + Lists all associated Authorization Servers by trusted type for the given + `authServerId` + operationId: listAssociatedServersByTrustedType + parameters: + - 
name: trusted + in: query + description: >- + Searches trusted authorization servers when `true` or searches + untrusted authorization servers when `false` + schema: + type: boolean + - name: q + in: query + description: >- + Searches for the name or audience of the associated authorization + servers + example: customasone + schema: + type: string + - name: limit + in: query + description: Specifies the number of results for a page + schema: + type: integer + format: int32 + default: 200 + - name: after + in: query + description: >- + Specifies the pagination cursor for the next page of the associated + authorization servers + schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthorizationServer' + examples: + ListAssocAuthServer: + $ref: '#/components/examples/ListAssocAuthServerResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + post: + summary: Create an associated authorization server + description: >- + Creates trusted relationships between the given authorization server and + other authorization servers + operationId: createAssociatedServers + x-codegen-request-body-name: associatedServerMediated + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AssociatedServerMediated' + examples: + CreateAssocAuthServer: + $ref: '#/components/examples/CreateAssocAuthServerBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthorizationServer' + examples: + 
CreateAssocAuthServer: + $ref: '#/components/examples/CreateAssocAuthServerResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/associatedServers/{associatedServerId}: + delete: + summary: Delete an associated authorization server + description: Deletes an associated Authorization Server + operationId: deleteAssociatedServer + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerAssoc + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathAssociatedServerId' + /api/v1/authorizationServers/{authServerId}/claims: + get: + summary: List all custom token claims + description: >- + Lists all custom token Claims defined for a specified custom + authorization server + operationId: listOAuth2Claims + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2Claim' + examples: + ListCustomTokenClaims: + $ref: '#/components/examples/ListCustomTokenClaimsResponse' + '403': + $ref: 
'#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + post: + summary: Create a custom token claim + description: Creates a custom token Claim for a custom authorization server + operationId: createOAuth2Claim + x-codegen-request-body-name: oAuth2Claim + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Claim' + examples: + CreateCustomTokenClaim: + $ref: '#/components/examples/CreateCustomTokenClaimBody' + required: true + responses: + '201': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Claim' + examples: + CreateCustomTokenClaim: + $ref: '#/components/examples/CreateCustomTokenClaimResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/claims/{claimId}: + get: + summary: Retrieve a custom token claim + description: Retrieves a custom token Claim by the specified `claimId` + operationId: getOAuth2Claim + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Claim' + examples: + RetrieveCustomTokenClaim: + $ref: 
'#/components/examples/RetrieveCustomTokenClaimResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + put: + summary: Replace a custom token claim + description: Replaces a custom token Claim specified by the `claimId` + operationId: replaceOAuth2Claim + x-codegen-request-body-name: oAuth2Claim + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Claim' + examples: + ReplaceCustomTokenClaim: + $ref: '#/components/examples/ReplaceCustomTokenClaimBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Claim' + examples: + ReplaceCustomTokenClaim: + $ref: '#/components/examples/ReplaceCustomTokenClaimResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + delete: + summary: Delete a custom token claim + description: Deletes a custom token Claim specified by the `claimId` + operationId: deleteOAuth2Claim + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerClaims + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathClaimId' + /api/v1/authorizationServers/{authServerId}/clients: + get: + summary: List all client resources for an authorization server + description: >- + Lists all client resources for which the specified authorization server + has tokens. + + + > **Note:** To list a specific user's client resources for which they + have tokens or grants, use the [List all clients endpoint in the User + Resources + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserResources/#tag/UserResources/operation/listUserClients). + operationId: listOAuth2ClientsForAuthorizationServer + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2Client' + examples: + ListClients: + $ref: '#/components/examples/ListClientsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens: + get: + summary: List all refresh tokens for a client + description: >- + Lists all refresh tokens issued by an authorization server for a + specific Client + operationId: listRefreshTokensForAuthorizationServerAndClient + parameters: + - name: 
expand + in: query + description: >- + Valid value: `scope`. If specified, scope details are included in + the `_embedded` attribute. + schema: + type: string + - name: after + in: query + description: Specifies the pagination cursor for the next page of tokens + schema: + type: string + - name: limit + in: query + description: The maximum number of tokens to return (maximum 200) + schema: + type: integer + format: int32 + default: -1 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + ListRefreshTokenClients: + $ref: '#/components/examples/ListRefreshTokensClientsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + delete: + summary: Revoke all refresh tokens for a client + description: Revokes all refresh tokens for a Client + operationId: revokeRefreshTokensForAuthorizationServerAndClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathClientId' + /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}: + get: + summary: Retrieve a 
refresh token for a client + description: Retrieves a refresh token for a Client + operationId: getRefreshTokenForAuthorizationServerAndClient + parameters: + - name: expand + in: query + description: >- + Valid value: `scope`. If specified, scope details are included in + the `_embedded` attribute. + schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2RefreshToken' + examples: + RetrieveRefreshTokenClient: + $ref: '#/components/examples/RetrieveRefreshTokenClientResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + delete: + summary: Revoke a refresh token for a client + description: Revokes a refresh token for a Client + operationId: revokeRefreshTokenForAuthorizationServerAndClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerClients + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathTokenId' + /api/v1/authorizationServers/{authServerId}/credentials/keys: + get: + summary: List all credential keys + description: >- + Lists all of the current, future, and expired Keys used by the Custom + 
Authorization Server + operationId: listAuthorizationServerKeys + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + ListAuthorizationServerKeys: + $ref: '#/components/examples/ListAuthorizationServerKeys' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/credentials/keys/{keyId}: + get: + summary: Retrieve an authorization server key + description: Retrieves an Authorization Server Key specified by the `keyId` + operationId: getAuthorizationServerKey + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + ActiveAuthorizationServerKey: + $ref: '#/components/examples/ActiveAuthorizationServerKey' + NextAuthorizationServerKey: + $ref: '#/components/examples/NextAuthorizationServerKey' + ExpiredAuthorizationServerKey: + $ref: '#/components/examples/ExpiredAuthorizationServerKey' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: 
'#/components/parameters/pathCredentialKeyId' + /api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate: + post: + summary: Rotate all credential keys + description: >- + Rotates the current Keys for a Custom Authorization Server. If you + rotate Keys, + + the `ACTIVE` Key becomes the `EXPIRED` Key, the `NEXT` Key becomes the + `ACTIVE` Key, + + and the Custom Authorization Server immediately begins using the new + active + + Key to sign tokens. + + + > **Note:** Okta rotates your Keys automatically in `AUTO` mode. You can + rotate Keys + + yourself in either mode. If Keys are rotated manually, you should + invalidate any intermediate cache. + + and fetch the Keys again using the Keys endpoint. + operationId: rotateAuthorizationServerKeys + x-codegen-request-body-name: use + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/JwkUse' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthorizationServerJsonWebKey' + examples: + RotateAuthorizationServerKeys: + $ref: '#/components/examples/ListAuthorizationServerKeys' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidRotateUse: + $ref: '#/components/examples/InvalidRotateUse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/lifecycle/activate: + post: + summary: Activate an authorization server + description: 
Activates an authorization server + operationId: activateAuthorizationServer + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/lifecycle/deactivate: + post: + summary: Deactivate an authorization server + description: Deactivates an authorization server + operationId: deactivateAuthorizationServer + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/policies: + get: + summary: List all policies + description: Lists all policies + operationId: listAuthorizationServerPolicies + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + ListAuthorizationServerPolicies: + $ref: '#/components/examples/ListAuthorizationServerPolicies' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + post: + summary: Create a policy + description: Creates a policy + operationId: createAuthorizationServerPolicy + x-codegen-request-body-name: policy + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + CreateAuthorizationServerPolicyRule: + $ref: '#/components/examples/CreateAuthorizationServerPolicyRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/policies/{policyId}: + get: + summary: Retrieve a policy + description: Retrieves a policy + operationId: getAuthorizationServerPolicy + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + put: + summary: Replace a policy + description: Replaces a policy + operationId: replaceAuthorizationServerPolicy + x-codegen-request-body-name: policy + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + UpdateAuthorizationServerPolicyRule: + $ref: '#/components/examples/UpdateAuthorizationServerPolicyRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerPolicy' + examples: + AuthorizationServerPolicy: + $ref: '#/components/examples/AuthorizationServerPolicy' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + delete: + summary: Delete a policy + description: Deletes a policy + operationId: deleteAuthorizationServerPolicy + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + 
isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/activate: + post: + summary: Activate a policy + description: Activates an authorization server policy + operationId: activateAuthorizationServerPolicy + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/deactivate: + post: + summary: Deactivate a policy + description: Deactivates an authorization server policy + operationId: deactivateAuthorizationServerPolicy + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerPolicies + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules: + get: + summary: List all policy rules + description: >- + Lists all policy rules for the specified 
Custom Authorization Server and + Policy + operationId: listAuthorizationServerPolicyRules + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + ListAuthorizationServerPolicyRules: + $ref: '#/components/examples/ListAuthorizationServerPolicyRules' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + post: + summary: Create a policy rule + description: >- + Creates a policy rule for the specified Custom Authorization Server and + Policy + operationId: createAuthorizationServerPolicyRule + x-codegen-request-body-name: policyRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest' + examples: + CreateAuthorizationServerPolicyRule: + $ref: >- + #/components/examples/CreateAuthorizationServerPolicyRuleRequest + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: 
+ - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}: + get: + summary: Retrieve a policy rule + description: Retrieves a policy rule by `ruleId` + operationId: getAuthorizationServerPolicyRule + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + put: + summary: Replace a policy rule + description: >- + Replaces the configuration of the Policy Rule defined in the specified + Custom Authorization Server and Policy + operationId: replaceAuthorizationServerPolicyRule + x-codegen-request-body-name: policyRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest' + examples: + UpdateAuthorizationServerPolicyRule: + $ref: >- + #/components/examples/UpdateAuthorizationServerPolicyRuleRequest + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthorizationServerPolicyRule' + examples: + AuthorizationServerPolicyRule: + $ref: '#/components/examples/AuthorizationServerPolicyRule' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + delete: + summary: Delete a policy rule + description: >- + Deletes a Policy Rule defined in the specified Custom Authorization + Server and Policy + operationId: deleteAuthorizationServerPolicyRule + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/activate: + post: + summary: Activate a policy rule + description: Activates an authorization server policy rule + operationId: activateAuthorizationServerPolicyRule + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: 
'#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' + /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: + post: + summary: Deactivate a policy rule + description: Deactivates an authorization server policy rule + operationId: deactivateAuthorizationServerPolicyRule + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerRules + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' + /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys: + get: + summary: List all Custom Authorization Server Public JSON Web Keys + description: Lists all the public keys used by the custom authorization server + operationId: listOAuth2ResourceServerJsonWebKeys + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKey' + examples: + ListOAuth2ResourceServerJsonWebKeys: + $ref: '#/components/examples/ListOAuth2ResourceServerJsonWebKeys' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - OAuth2ResourceServerCredentialsKeys + x-okta-lifecycle: + lifecycle: EA + 
isGenerallyAvailable: true + post: + summary: Add a JSON Web Key + description: >- + Adds a new JSON Web Key to the custom authorization server`s JSON web + keys. + + > **Note:** This API doesn't allow you to add a key if the existing key + doesn't have a `kid`. Use the [Replace an Authorization + Server](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServer/#tag/AuthorizationServer/operation/replaceAuthorizationServer) + operation to update the JWKS or [Delete a Custom Authorization Server + Public JSON Web + Key](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/OAuth2ResourceServerCredentialsKeys/#tag/OAuth2ResourceServerCredentialsKeys/operation/deleteOAuth2ResourceServerJsonWebKey) + and re-add the key with a `kid`. + + > **Note:** This API doesn't allow you to add a key with an ACTIVE + status. You need to add an INACTIVE key first, and then ACTIVATE the + key. + operationId: addOAuth2ResourceServerJsonWebKey + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKeyRequestBody' + examples: + addOAuth2ResourceServerJsonWebKeyRequestBody: + $ref: '#/components/examples/AddOAuth2ResourceServerJsonWebKeyRequest' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKey' + examples: + getOAuth2ResourceServerKey: + $ref: '#/components/examples/OAuth2ResourceServerJsonWebKey' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorJsonWebKeyNonUniqueKid: + $ref: '#/components/examples/ErrorJsonWebKeyNonUniqueKid' + ErrorJsonWebKeyKidLengthTooShort: + $ref: '#/components/examples/ErrorJsonWebKeyKidLengthTooShort' + ErrorJsonWebKeyTooManyKids: + $ref: '#/components/examples/ErrorJsonWebKeyTooManyKids' + ErrorJsonWebKeyCannotAddActiveKey: + $ref: 
'#/components/examples/ErrorJsonWebKeyCannotAddActiveKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - OAuth2ResourceServerCredentialsKeys + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys/{keyId}: + get: + summary: Retrieve a Custom Authorization Server Public JSON Web Key + description: Retrieves a custom authorization server public JSON web key by key `id` + operationId: getOAuth2ResourceServerJsonWebKey + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKey' + examples: + OAuthResourceServerJsonWebKeyResponseExample: + $ref: '#/components/examples/OAuth2ResourceServerJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - OAuth2ResourceServerCredentialsKeys + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + delete: + summary: Delete a Custom Authorization Server Public JSON Web Key + description: >- + Deletes a custom authorization server public JSON web key by key `id`. + You can only delete an inactive key. 
+ operationId: deleteOAuth2ResourceServerJsonWebKey + responses: + '204': + description: No Content + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeleteActiveJsonWebKey: + $ref: '#/components/examples/ErrorDeleteActiveJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - OAuth2ResourceServerCredentialsKeys + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys/{keyId}/lifecycle/activate: + post: + summary: Activate a Custom Authorization Server Public JSON Web Key + description: >- + Activates a custom authorization server public JSON web key by key `id`. + + > **Note:** You can have only one active key at any given time for the + authorization server. When you activate an inactive key, Okta + automatically deactivates the current active key. 
+ operationId: activateOAuth2ResourceServerJsonWebKey + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKey' + examples: + activateOAuth2ResourceServerJsonWebKeyResponse: + $ref: '#/components/examples/OAuth2ResourceServerJsonWebKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - OAuth2ResourceServerCredentialsKeys + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys/{keyId}/lifecycle/deactivate: + post: + summary: Deactivate a Custom Authorization Server Public JSON Web Key + description: >- + Deactivates a custom authorization server public JSON web key by key + `id`. + + > **Note:** Deactivating the active key isn't allowed if the + authorization server has access token encryption enabled. You can + activate another key, which makes the current key inactive. 
+ operationId: deactivateOAuth2ResourceServerJsonWebKey + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKey' + examples: + deactivateOAuth2ResourceServerJsonWebKeyResponse: + $ref: '#/components/examples/OAuth2ResourceServerJsonWebKey' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeactivateActiveKey: + $ref: '#/components/examples/ErrorDeactivateActiveKey' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - OAuth2ResourceServerCredentialsKeys + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathJsonWebKeyId' + /api/v1/authorizationServers/{authServerId}/scopes: + get: + summary: List all custom token scopes + description: Lists all custom token scopes + operationId: listOAuth2Scopes + parameters: + - name: q + in: query + description: Searches the `name` of Custom Token Scopes for matching values + schema: + type: string + - name: filter + in: query + description: Filter expression for Custom Token Scopes + schema: + type: string + - name: after + in: query + description: >- + Specifies the pagination cursor for the next page of scopes. + + Treat the after cursor as an opaque value and obtain it through the + next link relationship. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: string + - name: limit + in: query + description: >- + Specifies the number of objects to return per page. 
+ + If there are multiple pages of results, the Link header contains a + `next` link that you need to use as an opaque value (follow it, + don't parse it). See + [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: integer + maximum: 200 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleScopes: + $ref: '#/components/examples/ExampleOAuth2Scopes' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + post: + summary: Create a custom token scope + description: Creates a custom token scope + operationId: createOAuth2Scope + x-codegen-request-body-name: oAuth2Scope + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Scope' + examples: + CreateOAuth2ScopeRequest: + $ref: '#/components/examples/CreateOAuth2ScopeRequest' + required: true + responses: + '201': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleOAuth2Scope: + $ref: '#/components/examples/ExampleOAuth2Scope' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: 
+ - $ref: '#/components/parameters/pathAuthServerId' + /api/v1/authorizationServers/{authServerId}/scopes/{scopeId}: + get: + summary: Retrieve a custom token scope + description: Retrieves a custom token scope + operationId: getOAuth2Scope + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Scope' + examples: + ExampleOAuth2Scope: + $ref: '#/components/examples/ExampleOAuth2Scope' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.read + tags: + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + put: + summary: Replace a custom token scope + description: Replaces a custom token scope + operationId: replaceOAuth2Scope + x-codegen-request-body-name: oAuth2Scope + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Scope' + examples: + UpdateOAuth2Scope: + $ref: '#/components/examples/UpdateOAuth2ScopeRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2Scope' + examples: + UpdatedOAuth2Scope: + $ref: '#/components/examples/UpdatedOAuth2ScopeResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + delete: + summary: Delete a custom token scope + 
description: Deletes a custom token scope + operationId: deleteOAuth2Scope + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.authorizationServers.manage + tags: + - AuthorizationServerScopes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - API Access Management + parameters: + - $ref: '#/components/parameters/pathAuthServerId' + - $ref: '#/components/parameters/pathScopeId' +components: + schemas: + AuthorizationServer: + type: object + properties: + accessTokenEncryptedResponseAlgorithm: + $ref: '#/components/schemas/KeyEncryptionAlgorithm' + audiences: + type: array + description: >- + The recipients that the tokens are intended for. This becomes the + `aud` claim in an access token. Okta currently supports only one + audience. + items: + type: string + created: + type: string + format: date-time + readOnly: true + credentials: + $ref: '#/components/schemas/AuthorizationServerCredentials' + description: + type: string + description: The description of the custom authorization server + id: + type: string + description: The ID of the custom authorization server + readOnly: true + issuer: + type: string + description: >- + The complete URL for the custom authorization server. This becomes + the `iss` claim in an access token. + issuerMode: + type: string + description: >- + Indicates which value is specified in the issuer of the tokens that + a custom authorization server returns: the Okta org domain URL or a + custom domain URL. + + + `issuerMode` is visible if you have a custom URL domain configured + or the Dynamic Issuer Mode feature enabled. 
If you have a custom URL + domain configured, you can set a custom domain URL in a custom + authorization server, and this property is returned in the + appropriate responses. + + + When set to `ORG_URL`, then in responses, `issuer` is the Okta org + domain URL: `https://${yourOktaDomain}`. + + + When set to `CUSTOM_URL`, then in responses, `issuer` is the custom + domain URL configured in the administration user interface. + + + When set to `DYNAMIC`, then in responses, `issuer` is the custom + domain URL if the OAuth 2.0 request was sent to the custom domain, + or is the Okta org's domain URL if the OAuth 2.0 request was sent to + the original Okta org domain. + + + After you configure a custom URL domain, all new custom + authorization servers use `CUSTOM_URL` by default. If the Dynamic + Issuer Mode feature is enabled, then all new custom authorization + servers use `DYNAMIC` by default. All existing custom authorization + servers continue to use the original value until they're changed + using the Admin Console or the API. This way, existing integrations + with the client and resource server continue to work after the + feature is enabled. 
+ jwks: + $ref: '#/components/schemas/ResourceServerJsonWebKeys' + jwks_uri: + description: >- + URL string that + references a JSON Web Key Set for encrypting JWTs minted by the + custom authorization server + type: string + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + lastUpdated: + type: string + format: date-time + readOnly: true + name: + type: string + description: The name of the custom authorization server + status: + $ref: '#/components/schemas/LifecycleStatus' + _links: + $ref: '#/components/schemas/AuthServerLinks' + AssociatedServerMediated: + type: object + properties: + trusted: + type: array + description: A list of the authorization server IDs + items: + type: string + OAuth2Claim: + type: object + properties: + alwaysIncludeInToken: + type: boolean + description: >- + Specifies whether to include Claims in the token. The value is + always `TRUE` for access token Claims. If the value is set to + `FALSE` for an ID token claim, the Claim isn't included in the ID + token when the token is requested with the access token or with the + `authorization_code`. The client instead uses the access token to + get Claims from the `/userinfo` endpoint. + claimType: + $ref: '#/components/schemas/OAuth2ClaimType' + conditions: + $ref: '#/components/schemas/OAuth2ClaimConditions' + group_filter_type: + $ref: '#/components/schemas/OAuth2ClaimGroupFilterType' + id: + type: string + description: ID of the Claim + readOnly: true + name: + type: string + description: Name of the Claim + status: + $ref: '#/components/schemas/LifecycleStatus' + system: + description: When `true`, indicates that Okta created the Claim + type: boolean + value: + description: >- + Specifies the value of the Claim. This value must be a string + literal if `valueType` is `GROUPS`, and the string literal is + matched with the selected `group_filter_type`. The value must be an + Okta EL expression if `valueType` is `EXPRESSION`. 
+ type: string + valueType: + $ref: '#/components/schemas/OAuth2ClaimValueType' + _links: + $ref: '#/components/schemas/LinksSelf' + OAuth2Client: + type: object + properties: + client_id: + description: Unique key for the client application. The `client_id` is immutable. + type: string + readOnly: true + example: 0oabskvc6442nkvQO0h7 + client_name: + description: Human-readable string name of the client application + type: string + readOnly: true + example: My App + client_uri: + type: string + readOnly: true + example: https://www.example.com + logo_uri: + description: >- + URL string that references a logo for the client consent dialog (not + the sign-in dialog) + type: string + readOnly: true + example: https://www.example.com/logo.png + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + grants: + description: Link to the grant resources + allOf: + - $ref: '#/components/schemas/GrantResourcesHrefObject' + tokens: + description: Link to the token resources + allOf: + - $ref: '#/components/schemas/TokenResourcesHrefObject' + OAuth2RefreshToken: + type: object + properties: + clientId: + type: string + description: Client ID + created: + $ref: '#/components/schemas/createdProperty' + expiresAt: + type: string + description: Expiration time of the OAuth 2.0 Token + format: date-time + readOnly: true + id: + type: string + description: ID of the Token object + readOnly: true + example: oar579Mcp7OUsNTlo0g3 + issuer: + type: string + description: The complete URL of the authorization server that issued the Token + example: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + lastUpdated: + $ref: '#/components/schemas/lastUpdatedProperty' + scopes: + type: array + description: The scope names attached to the Token + items: + type: string + example: offline_access + status: + $ref: '#/components/schemas/GrantOrTokenStatus' + userId: + type: string + description: The ID of the user associated with the Token + example: 
00u5t60iloOHN9pBi0h7 + _embedded: + type: object + description: >- + The embedded resources related to the object if the `expand` query + parameter is specified + properties: + scopes: + type: array + description: The scope objects attached to the Token + items: + $ref: '#/components/schemas/OAuth2RefreshTokenScope' + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + description: Link to the app resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + revoke: + description: Link to revoke the refresh Token + allOf: + - $ref: '#/components/schemas/RevokeRefreshTokenHrefObject' + - properties: + hints: + properties: + allow: + items: + enum: + - DELETE + default: DELETE + type: object + type: object + client: + description: Link to the client resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/UserResourceHrefObject' + authorizationServer: + description: Link to the Token authorization server resource + allOf: + - $ref: >- + #/components/schemas/AuthorizationServerResourceHrefObject + AuthorizationServerJsonWebKey: + type: object + properties: + alg: + description: 'The algorithm used with the Key. Valid value: `RS256`' + type: string + e: + description: RSA key value (public exponent) for Key binding + type: string + readOnly: true + kid: + description: Unique identifier for the key + type: string + readOnly: true + kty: + description: >- + Cryptographic algorithm family for the certificate's keypair. Valid + value: `RSA` + type: string + readOnly: true + 'n': + description: >- + RSA modulus value that is used by both the public and private keys + and provides a link between them + type: string + status: + description: >- + An `ACTIVE` Key is used to sign tokens issued by the authorization + server. Supported values: `ACTIVE`, `NEXT`, or `EXPIRED`
+ + A `NEXT` Key is the next Key that the authorization server uses to + sign tokens when Keys are rotated. The `NEXT` Key might not be + listed if it hasn't been generated. + + An `EXPIRED` Key is the previous Key that the authorization server + used to sign tokens. The `EXPIRED` Key might not be listed if no Key + has expired or the expired Key was deleted. + type: string + use: + description: 'Acceptable use of the key. Valid value: `sig`' + type: string + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' + JwkUse: + type: object + properties: + use: + $ref: '#/components/schemas/JwkUseType' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ AuthorizationServerPolicy: + allOf: + - type: object + properties: + id: + type: string + description: ID of the Policy + type: + type: string + description: Indicates that the Policy is an authorization server Policy + enum: + - OAUTH_AUTHORIZATION_POLICY + name: + type: string + description: Name of the Policy + maxLength: 100 + minLength: 1 + conditions: + $ref: '#/components/schemas/AuthorizationServerPolicyConditions' + description: + type: string + description: Description of the Policy + maxLength: 255 + minLength: 1 + priority: + type: integer + description: >- + Specifies the order in which this Policy is evaluated in + relation to the other Policies in a custom authorization server + status: + type: string + description: Specifies whether requests have access to this Policy + enum: + - ACTIVE + - INACTIVE + system: + type: boolean + description: Specifies whether Okta created this Policy + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the Policy was created + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the Policy was last updated + _links: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + rules: + allOf: + - description: Link to the authorization server policy's rules + - $ref: '#/components/schemas/HrefObject' + AuthorizationServerPolicyRule: + type: object + properties: + actions: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions' + conditions: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions' + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the rule was created + id: + type: string + description: Identifier of the rule + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the rule was last modified + name: + type: string + description: Name of the rule + priority: + 
type: integer + description: Priority of the rule + status: + type: string + description: Status of the rule + enum: + - ACTIVE + - INACTIVE + system: + type: boolean + description: Set to `true` for system rules. You can't delete system rules. + type: + type: string + description: Rule type + enum: + - RESOURCE_ACCESS + _links: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + AuthorizationServerPolicyRuleRequest: + allOf: + - $ref: '#/components/schemas/AuthorizationServerPolicyRule' + - type: object + required: + - name + - conditions + - type + OAuth2ResourceServerJsonWebKey: + type: object + properties: + created: + type: string + description: Timestamp when the JSON Web Key was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + id: + type: string + description: The unique ID of the JSON Web Key + example: apk2f4zrZbs8nUa7p0g4 + readOnly: true + nullable: false + kid: + type: string + description: >- + Unique identifier of the JSON Web Key in the Custom Authorization + Server's Public JWKS + example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + nullable: true + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + lastUpdated: + type: string + description: Timestamp when the JSON Web Key was updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + nullable: false + 'n': + type: string + description: RSA key value (modulus) for key binding + example: >- + mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + status: + 
type: string + enum: + - ACTIVE + - INACTIVE + description: >- + The status of the encryption key. You can use only an `ACTIVE` key + to encrypt tokens issued by the authorization server. + example: ACTIVE + nullable: false + default: ACTIVE + use: + type: string + description: Acceptable use of the JSON Web Key + example: enc + nullable: false + _links: + $ref: '#/components/schemas/OAuthResourceServerKeyLinks' + readOnly: true + nullable: false + OAuth2ResourceServerJsonWebKeyRequestBody: + type: object + properties: + e: + type: string + description: RSA key value (exponent) for key binding + example: AQAB + nullable: false + kid: + type: string + description: >- + Unique identifier of the JSON web key in the custom authorization + server's public JWKS + example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 + nullable: true + kty: + type: string + description: Cryptographic algorithm family for the certificate's key pair + example: RSA + nullable: false + 'n': + type: string + description: RSA key value (modulus) for key binding + example: >- + mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ + nullable: false + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the JSON Web Key + example: ACTIVE + use: + type: string + description: Acceptable use of the JSON Web Key + example: enc + nullable: false + OAuth2Scope: + type: object + properties: + consent: + $ref: '#/components/schemas/OAuth2ScopeConsentType' + default: + type: boolean + description: Indicates if this Scope is a default scope + default: false + description: + type: string + description: Description of the Scope + displayName: + type: string + description: Name of the end user 
displayed in a consent dialog + id: + type: string + description: Scope object ID + readOnly: true + metadataPublish: + $ref: '#/components/schemas/OAuth2ScopeMetadataPublish' + name: + type: string + description: Scope name + optional: + type: boolean + description: >- + Indicates whether the Scope is optional. When set to `true`, the + user can skip consent for the scope. + default: false + system: + type: boolean + description: Indicates if Okta created the Scope + default: false + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - name + KeyEncryptionAlgorithm: + description: >- + The algorithm for + encrypting access tokens issued by this authorization server. If this is + requested, the response is signed, and then encrypted. The result is a + nested JWT. The default, if omitted, is that no encryption is performed. + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + type: string + enum: + - RSA-OAEP-256 + - RSA-OAEP-384 + - RSA-OAEP-512 + AuthorizationServerCredentials: + type: object + properties: + signing: + $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig' + ResourceServerJsonWebKeys: + description: >- + A [JSON Web Key + Set](https://tools.ietf.org/html/rfc7517#section-5) for encrypting JWTs + minted by the custom authorization server + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: true + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/ResourceServerJsonWebKey' + LifecycleStatus: + type: string + enum: + - ACTIVE + - INACTIVE + AuthServerLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + claims: + allOf: + - description: Link to the authorization server claims + - $ref: '#/components/schemas/HrefObject' + deactivate: + allOf: + - $ref: '#/components/schemas/HrefObjectDeactivateLink' + metadata: + description: Link to the authorization server metadata + type: array + items: + $ref: 
'#/components/schemas/HrefObject' + policies: + allOf: + - description: Link to the authorization server policies + - $ref: '#/components/schemas/HrefObject' + rotateKey: + allOf: + - description: Link to the authorization server key rotation + - $ref: '#/components/schemas/HrefObject' + scopes: + allOf: + - description: Link to the authorization server scopes + - $ref: '#/components/schemas/HrefObject' + OAuth2ClaimType: + description: >- + Specifies whether the Claim is for an access token (`RESOURCE`) or an ID + token (`IDENTITY`) + type: string + enum: + - IDENTITY + - RESOURCE + OAuth2ClaimConditions: + description: Specifies the scopes for the Claim + type: object + properties: + scopes: + type: array + items: + type: string + OAuth2ClaimGroupFilterType: + description: >- + Specifies the type of group filter if `valueType` is `GROUPS` + + + If `valueType` is `GROUPS`, then the groups returned are filtered + according to the value of `group_filter_type`. + + + If you have complex filters for Groups, you can [create a Groups + allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) + to put them all in a Claim. + type: string + enum: + - CONTAINS + - EQUALS + - REGEX + - STARTS_WITH + x-enumDescriptions: + STARTS_WITH: >- + Group names start with `value` (not case-sensitive). For example, if + `value` is `group1`, then `group123` and `Group123` are included. + EQUALS: >- + Group name is the same as `value` (not case-sensitive). For example, + if `value` is `group1`, then `group1` and `Group1` are included, but + `group123` isn't. + CONTAINS: >- + Group names contain `value` (not case-sensitive). For example, if + `value` is `group1`, then `MyGroup123` and `group1` are included. + REGEX: >- + Group names match the regular expression in `value` (case-sensitive). 
+ For example if `value` is `/^[a-z0-9_-]{3,16}$/`, then any Group name + that has at least three letters, no more than 16, and contains + lowercase letters, a hyphen, or numbers is a match. + OAuth2ClaimValueType: + description: >- + Specifies whether the Claim is an Okta Expression Language (EL) + expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim + (`SYSTEM`) + type: string + enum: + - EXPRESSION + - GROUPS + - SYSTEM + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + GrantResourcesHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants + TokenResourcesHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens + createdProperty: + description: Timestamp when the object was created + format: date-time + example: '2017-03-28T01:11:10.000Z' + type: string + readOnly: true + lastUpdatedProperty: + format: date-time + description: Timestamp when the object was last updated + type: string + readOnly: true + GrantOrTokenStatus: + description: Status + example: ACTIVE + type: string + enum: + - ACTIVE + - REVOKED + readOnly: true + OAuth2RefreshTokenScope: + type: object + properties: + description: + type: string + description: Description of the Scope + example: >- + Requests a refresh token by default, used to obtain more access + tokens without re-prompting the user 
for authentication + displayName: + type: string + description: Name of the end user displayed in a consent dialog + id: + type: string + description: Scope object ID + readOnly: true + example: scppb56cIl4GvGxy70g3 + name: + type: string + description: Scope name + example: offline_access + _links: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + scope: + description: Link to Scope resource + allOf: + - $ref: '#/components/schemas/OfflineAccessScopeResourceHrefObject' + AppResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: + type: string + description: Link name + example: My App + RevokeRefreshTokenHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + UserResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + title: + type: string + description: Link name + example: SAML Jackson + AuthorizationServerResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: + type: string + description: Link name + example: Example Authorization Server + JwkUseType: + description: Purpose of the certificate. The only supported value is `sig`. 
+ type: string + enum: + - sig + ErrorCause: + type: object + properties: + errorSummary: + type: string + AuthorizationServerPolicyConditions: + type: object + properties: + clients: + $ref: '#/components/schemas/ClientPolicyCondition' + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + AuthorizationServerPolicyRuleActions: + allOf: + - $ref: '#/components/schemas/PolicyRuleActions' + - type: object + properties: + token: + $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction' + AuthorizationServerPolicyRuleConditions: + type: object + properties: + grantTypes: + $ref: '#/components/schemas/GrantTypePolicyRuleCondition' + people: + $ref: '#/components/schemas/AuthorizationServerPolicyPeopleCondition' + scopes: + $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' + OAuthResourceServerKeyLinks: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of a JSON Web Key using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + delete: + $ref: '#/components/schemas/HrefObjectDeleteLink' + readOnly: true + type: object + OAuth2ScopeConsentType: + description: Indicates whether a consent dialog is needed for the Scope + default: IMPLICIT + type: string + enum: + - FLEXIBLE + - IMPLICIT + - REQUIRED + OAuth2ScopeMetadataPublish: + description: Indicates whether the Scope is included in the metadata + default: NO_CLIENTS + type: string + enum: + - ALL_CLIENTS + - NO_CLIENTS + AuthorizationServerCredentialsSigningConfig: + type: object + properties: + kid: + type: string + description: >- + The ID of the JSON Web Key used for signing tokens issued by the + authorization server + readOnly: true + lastRotated: + type: string + description: >- + The timestamp when the authorization server started using the `kid` + for signing tokens + format: date-time + readOnly: true + nextRotation: + type: string + description: >- + The timestamp when the authorization server changes the Key for + signing tokens. This is only returned when `rotationMode` is set to + `AUTO`. + format: date-time + readOnly: true + rotationMode: + $ref: '#/components/schemas/AuthorizationServerCredentialsRotationMode' + use: + $ref: '#/components/schemas/AuthorizationServerCredentialsUse' + ResourceServerJsonWebKey: + description: >- + A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON + representation of a cryptographic key. Okta can use the active key to + encrypt the access token minted by the authorization server. Okta + supports only RSA keys with 'use: enc'. 
+ type: object + properties: + e: + type: string + description: The key exponent of a RSA key + kid: + type: string + description: The unique identifier of the key + kty: + $ref: '#/components/schemas/JsonWebKeyType' + 'n': + type: string + description: The modulus of the RSA key + status: + $ref: '#/components/schemas/JsonWebKeyStatus' + use: + $ref: '#/components/schemas/JsonWebKeyUse' + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + OfflineAccessScopeResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: + type: string + description: Link name + example: offline_access + ClientPolicyCondition: + description: Specifies which clients are included in the Policy + type: object + properties: + include: + type: array + description: Which clients are included in the Policy + items: + type: string + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + PolicyRuleActions: + type: object + TokenAuthorizationServerPolicyRuleAction: + type: object + properties: + accessTokenLifetimeMinutes: + type: integer + description: >- + Lifetime of the access token in minutes. The minimum is five + minutes. The maximum is one day. + inlineHook: + $ref: >- + #/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook + refreshTokenLifetimeMinutes: + type: integer + description: Lifetime of the refresh token is the minimum access token lifetime. 
+ refreshTokenWindowMinutes: + type: integer + description: >- + Timeframe when the refresh token is valid. The minimum is 10 + minutes. The maximum is five years (2,628,000 minutes). + GrantTypePolicyRuleCondition: + description: >- + Array of grant types that this condition includes. Determines the + mechanism that Okta uses to authorize the creation of the tokens. + type: object + properties: + include: + type: array + description: Array of grant types that this condition includes. + items: + type: string + AuthorizationServerPolicyPeopleCondition: + description: Identifies Users and Groups that are used together + type: object + properties: + groups: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleGroupCondition' + users: + $ref: '#/components/schemas/AuthorizationServerPolicyRuleUserCondition' + OAuth2ScopesMediationPolicyRuleCondition: + description: Array of scopes that the condition includes + type: object + properties: + include: + type: array + items: + type: string + HrefObjectDeleteLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to delete the resource + AuthorizationServerCredentialsRotationMode: + description: The Key rotation mode for the authorization server + type: string + enum: + - AUTO + - MANUAL + AuthorizationServerCredentialsUse: + description: How the key is used + type: string + enum: + - sig + JsonWebKeyType: + description: The type of public key + type: string + enum: + - RSA + JsonWebKeyStatus: + description: The status of the public key + type: string + enum: + - ACTIVE + - INACTIVE + JsonWebKeyUse: + description: The intended use of the public key + type: string + enum: + - enc + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + TokenAuthorizationServerPolicyRuleActionInlineHook: + type: object + properties: + id: + type: string + readOnly: false + AuthorizationServerPolicyRuleGroupCondition: + description: Specifies a set of Groups whose Users are to be included + type: 
object + properties: + include: + type: array + description: Groups to be included + items: + type: string + AuthorizationServerPolicyRuleUserCondition: + description: Specifies a set of Users to be included + type: object + properties: + include: + description: Users to be included + type: array + items: + type: string + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorInvalidToken401: + description: Unauthorized + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidTokenProvided: + $ref: '#/components/examples/ErrorInvalidTokenProvided' + parameters: + pathAuthServerId: + name: authServerId + description: '`id` of the Authorization Server' + in: path + required: true + schema: + type: string + example: GeGRTEr7f3yu2n7grw22 + pathAssociatedServerId: + name: associatedServerId + description: '`id` of the associated Authorization Server' + in: path + required: true + schema: + type: string + example: aus6xt9jKPmCyn6kg0g4 + pathClaimId: + name: claimId + description: '`id` of Claim' + in: path + required: true + schema: + type: string + example: hNJ3Uk76xLagWkGx5W3N + pathClientId: + name: clientId 
+ description: Client app ID + in: path + required: true + schema: + type: string + example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD + pathTokenId: + name: tokenId + description: '`id` of Token' + in: path + required: true + schema: + type: string + example: sHHSth53yJAyNSTQKDJZ + pathCredentialKeyId: + name: keyId + description: '`id` of the certificate key' + in: path + required: true + schema: + type: string + example: P7jXpG-LG2ObNgY9C0Mn2uf4InCQTmRZMDCZoVNxdrk + pathPolicyId: + name: policyId + description: '`id` of the Policy' + in: path + required: true + schema: + type: string + example: 00plrilJ7jZ66Gn0X0g3 + pathRuleId: + name: ruleId + description: '`id` of the policy rule' + in: path + required: true + schema: + type: string + example: ruld3hJ7jZh4fn0st0g3 + pathJsonWebKeyId: + name: keyId + in: path + schema: + type: string + required: true + description: Unique `id` of the Custom Authorization Server JSON Web Key + example: apk2f4zrZbs8nUa7p0g4 + pathScopeId: + name: scopeId + description: '`id` of Scope' + in: path + required: true + schema: + type: string + example: 0TMRpCWXRKFjP7HiPFNM + examples: + ListAuthServersResponse: + summary: List all custom authorization servers in your org + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: >- + 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: >- + https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: >- + https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + CreateAuthServerBody: + summary: Create a custom authorization server + value: + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - api://default + CreateAuthServerWithAccessTokenEncryptionBody: + summary: >- + Create a custom authorization server with access token encryption + enabled + value: + name: Sample Authorization Server + description: Sample authorization server description + audiences: + - api://default + accessTokenEncryptedResponseAlgorithm: RSA-OAEP-256 + jwks: + keys: + - kty: RSA + id: apk2g3sd6bqV5YZxu0h8 + status: ACTIVE + kid: encKey + use: enc + e: AQAB + 'n': >- + 
iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ + CreateAuthServerResponse: + summary: Create a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: >- + https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: >- + https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + 
hints: + allow: + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + CreateAuthServerWithAccessTokenEncryptionResponse: + summary: >- + Create a custom authorization server with access token encryption + enabled + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample authorization server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + accessTokenEncryptedResponseAlgorithm: RSA-OAEP-256 + jwks: + keys: + - kty: RSA + id: apk2g3sd6bqV5YZxu0h8 + status: ACTIVE + kid: encKey + use: enc + e: AQAB + 'n': >- + iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ + _links: + scopes: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: >- + 
https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: >- + https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAuthServerResponse: + summary: Retrieve a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: >- + https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: >- + 
https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + ReplaceAuthServerBody: + summary: Replace a custom authorization server + value: + name: New Authorization Server + description: Authorization Server description + audiences: + - api://default + credentials: + signing: + rotationMode: AUTO + use: sig + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + ReplaceAuthServerEnableTokenEncryptionBody: + summary: Rotate the active encryption key for access token encryption + value: + name: New Authorization Server + description: Authorization server description + audiences: + - api://default + credentials: + signing: + rotationMode: AUTO + use: sig + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + accessTokenEncryptedResponseAlgorithm: RSA-OAEP-256 + jwks: + keys: + - kty: RSA + id: apk2g3sd6bqV5YZxu0h8 + status: ACTIVE + kid: encKey1 + use: enc + e: AQAB + 'n': >- + iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ + - kty: RSA + id: apk5f3fg7kkG4TUzv0h8 + status: INACTIVE + kid: encKey2 + use: enc + e: AQAB + 'n': >- + 
iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ + ReplaceAuthServerResponse: + summary: Replace a custom authorization server + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + _links: + scopes: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: >- + https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: >- + https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + 
hints: + allow: + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + ReplaceAuthServerEnableTokenEncryptionResponse: + summary: Rotate the active encryption key for access token encryption + value: + id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample authorization server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: ORG_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + accessTokenEncryptedResponseAlgorithm: RSA-OAEP-256 + jwks: + keys: + - kty: RSA + id: apk2g3sd6bqV5YZxu0h8 + status: ACTIVE + kid: encKey1 + use: enc + e: AQAB + 'n': >- + iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ + - kty: RSA + id: apk5f3fg7kkG4TUzv0h8 + status: INACTIVE + kid: encKey2 + use: enc + e: AQAB + 'n': >- + iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ + _links: + scopes: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes + hints: + allow: + - GET + claims: + href: >- + 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims + hints: + allow: + - GET + policies: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies + hints: + allow: + - GET + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - GET + - DELETE + - PUT + metadata: + - name: oauth-authorization-server + href: >- + https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server + hints: + allow: + - GET + - name: openid-configuration + href: >- + https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration + hints: + allow: + - GET + rotateKey: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate + hints: + allow: + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate + hints: + allow: + - POST + ListAssocAuthServerResponse: + summary: List associated authorization servers + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: CUSTOM_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: DYNAMIC + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + use: sig + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - DELETE + CreateAssocAuthServerBody: + summary: Create a trusted relationship between authorization servers + value: + - trusted: '{authorizationServerId}' + 
CreateAssocAuthServerResponse: + summary: Create a trusted relationship between authorization servers + value: + - id: '{authorizationServerId}' + name: Sample Authorization Server + description: Sample Authorization Server description + audiences: + - https://api.resource.com + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + issuerMode: CUSTOM_URL + status: ACTIVE + created: '2023-05-17T22:25:57.000Z' + lastUpdated: '2023-05-17T22:25:57.000Z' + credentials: + signing: + rotationMode: AUTO + lastRotated: '2023-05-17T22:25:57.000Z' + nextRotation: '2023-08-15T22:25:57.000Z' + kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 + use: sig + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + hints: + allow: + - DELETE + ListCustomTokenClaimsResponse: + summary: List all custom token claims for an authorization server + value: + - id: '{claimId}' + name: sub + status: ACTIVE + claimType: RESOURCE + valueType: EXPRESSION + value: '(appuser != null) ? 
appuser.userName : app.clientId' + conditions: + scopes: + - profile + system: true + alwaysIncludeInToken: true + apiResourceId: null + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + CreateCustomTokenClaimBody: + summary: Create a custom token claim + value: + - alwaysIncludeInToken: true + claimType: IDENTITY + conditions: + scopes: + - profile + group_filter_type: CONTAINS + name: Support + status: ACTIVE + system: false + value: Support + valueType: GROUPS + CreateCustomTokenClaimResponse: + summary: Create a custom token claim response + value: + - id: '{claimId}' + name: Support + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Support + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + RetrieveCustomTokenClaimResponse: + summary: Retrieve a custom token claim response + value: + - id: '{claimId}' + name: Support + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Support + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + ReplaceCustomTokenClaimBody: + summary: Replace a custom token claim + value: + - alwaysIncludeInToken: true + claimType: IDENTITY + conditions: + scopes: + - profile + group_filter_type: CONTAINS + name: Knowledge_Base + status: ACTIVE + system: false + value: Knowledge Base + valueType: GROUPS + ReplaceCustomTokenClaimResponse: + summary: Replace a custom token claim response + value: + - 
id: '{claimId}' + name: Knowledge_Base + status: ACTIVE + claimType: IDENTITY + valueType: GROUPS + value: Knowledge Base + conditions: + scopes: + - profile + system: false + alwaysIncludeInToken: true + apiResourceId: null + group_filter_type: CONTAINS + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} + hints: + allow: + - GET + - PUT + - DELETE + ListClientsResponse: + summary: List all client resources for which an authorization server has tokens + value: + - client_id: '{clientId}' + client_name: My Web App + client_uri: null, + logo_uri: null, + _links: + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: My Web App + tokens: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens + hints: + allow: + - GET + - DELETE + ListRefreshTokensClientsResponse: + summary: List all refresh tokens for a client + value: + - id: '{refreshTokenId}' + status: ACTIVE + created: '2023-09-21T19:59:56.000Z' + lastUpdated: '2023-09-21T20:00:38.000Z' + expiresAt: '2023-09-28T20:00:38.000Z' + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + client_id: '{clientId}' + userId: '{userId}' + scopes: + - offline_access + - openid + _embedded: + scopes: + - id: '{scopeId}' + name: openid + displayName: openid + description: Signals that a request is an OpenID request + _links: + scope: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + title: openid + - id: '{scopeID}' + name: offline_access + displayName: Keep you signed in to the app + description: >- + This keeps you signed in to the app, even when you aren't + using it. 
+ _links: + scope: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + itle: Keep you signed in to the app + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: My Web App + authorizationServer: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + title: Authorization Server name + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + revoke: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: My Web App + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + title: Joe User + RetrieveRefreshTokenClientResponse: + summary: Retrieve a refresh token for a client + value: + - id: '{refreshTokenId}' + status: ACTIVE + created: '2023-09-21T19:59:56.000Z' + lastUpdated: '2023-09-21T20:00:38.000Z' + expiresAt: '2023-09-28T20:00:38.000Z' + issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} + client_id: '{clientId}' + userId: '{userId}' + scopes: + - offline_access + - openid + _embedded: + scopes: + - id: '{scopeID}' + name: offline_access + displayName: Keep you signed in to the app + description: >- + This keeps you signed in to the app, even when you aren't + using it. 
+ _links: + scope: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + title: Keep you signed in to the app + - id: '{scopeId}' + name: openid + displayName: openid + description: Signals that a request is an OpenID request + _links: + scope: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} + title: openid + _links: + app: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + title: My Web App + authorizationServer: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} + title: Authorization Server name + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + revoke: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} + hints: + allow: + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} + title: My Web App + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + title: Joe User + ListAuthorizationServerKeys: + summary: All credential keys + value: + - status: ACTIVE + alg: RS256 + e: AQAB + 'n': >- + g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n + LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI + JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, + WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ + kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + kty: RSA + use: sig + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + hints: + allow: + - GET + - status: NEXT + alg: RS256 + e: AQAB + 'n': >- + 
l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK + 3 + HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 + - XDIDb0XG - R8DOoOHLJPTpsgH - rJe + M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 + TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 + OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ + kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + kty: RSA + use: sig + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + hints: + allow: + - GET + - status: EXPIRED + alg: RS256 + e: AQAB + 'n': >- + lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U + GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - + CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp + dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu + - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ + kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + kty: RSA + use: sig + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + hints: + allow: + - GET + ActiveAuthorizationServerKey: + summary: Active authorization server key + value: + status: ACTIVE + alg: RS256 + e: AQAB + 'n': >- + g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n + LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI + JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, + WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ + kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + kty: RSA + use: sig + _links: + self: + href: >- + 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + hints: + allow: + - GET + NextAuthorizationServerKey: + summary: Next authorization server key + value: + status: NEXT + alg: RS256 + e: AQAB + 'n': >- + l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK + 3 + HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 + - XDIDb0XG - R8DOoOHLJPTpsgH - rJe + M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 + TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB + - GeDiUZiBYQdPR - myB4ZoQ + kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + kty: RSA + use: sig + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + hints: + allow: + - GET + ExpiredAuthorizationServerKey: + summary: Expired authorization server key + value: + status: EXPIRED + alg: RS256 + e: AQAB + 'n': >- + lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U + GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - + CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp + dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu + - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ + kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + kty: RSA + use: sig + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU + hints: + allow: + - GET + InvalidRotateUse: + summary: Invalid use + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: rotateKeys' + errorLink: E0000001 + errorId: oaeprak9qKHRlaWiclJ4oPJRQ + errorCauses: + - errorSummary: Invalid value specified for key 'use' parameter + 
ListAuthorizationServerPolicies: + summary: List authorization server policies + value: + - type: OAUTH_AUTHORIZATION_POLICY + id: 00palyaappA22DPkj0h7 + status: ACTIVE + name: Vendor2 Policy + description: Vendor2 policy description + priority: 1 + system: false + conditions: + clients: + include: + - ALL_CLIENTS + created: '2017-05-26T19:43:53.000Z' + lastUpdated: '2017-06-07T15:28:17.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate + hints: + allow: + - POST + rules: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules + hints: + allow: + - GET + CreateAuthorizationServerPolicyRequest: + summary: Create an authorization server policy + value: + type: OAUTH_AUTHORIZATION_POLICY + status: ACTIVE + name: Default Policy + description: Default policy description + priority: 1 + system: false + conditions: + clients": + include": + - ALL_CLIENTS + AuthorizationServerPolicy: + summary: Authorization server policy + value: + type: OAUTH_AUTHORIZATION_POLICY + id: 00palyaappA22DPkj0h7 + status: ACTIVE + name: Vendor2 Policy + description: Vendor2 policy description + priority: 1 + system: false + conditions: + clients: + include: + - ALL_CLIENTS + created: '2017-05-26T19:43:53.000Z' + lastUpdated: '2017-06-07T15:28:17.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate + hints: + allow: + - POST + rules: + href: >- + 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules + hints: + allow: + - GET + UpdateAuthorizationServerPolicyRequest: + summary: Update an authorization server policy + value: + id: 00p5m9xrrBffPd9ah0g4 + type: OAUTH_AUTHORIZATION_POLICY + status: ACTIVE + name: Default Policy + description: Default policy description + priority: 1 + system: false + conditions: + clients": + include": + - ALL_CLIENTS + ListAuthorizationServerPolicyRules: + summary: List authorization server policy rules + value: + - type: RESOURCE_ACCESS + id: 0prbsjfyl01zfSZ9K0h7 + status: ACTIVE + name: Default Policy Rule + priority: 1 + created: '2017-08-25T16:57:02.000Z' + lastUpdated: '2017-08-30T14:51:05.000Z' + system: false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: + - EVERYONE + exclude: [] + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate + hints: + allow: + - POST + CreateAuthorizationServerPolicyRuleRequest: + summary: Create authorization server policy rule + value: + type: RESOURCE_ACCESS + name: Default Policy Rule + priority: 1 + conditions: + people: + groups: + include: + - EVERYONE + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + 
refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + AuthorizationServerPolicyRule: + summary: Authorization server policy rule + value: + type: RESOURCE_ACCESS + id: 0prbsjfyl01zfSZ9K0h7 + status: ACTIVE + name: Default Policy Rule + priority: 1 + created: '2017-08-25T16:57:02.000Z' + lastUpdated: '2017-08-30T14:51:05.000Z' + system: false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: + - EVERYONE + exclude: [] + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate + hints: + allow: + - POST + UpdateAuthorizationServerPolicyRuleRequest: + summary: Update authorization server policy rule + value: + type: RESOURCE_ACCESS + name: Default Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + groups: + include: + - EVERYONE + grantTypes: + include: + - implicit + - client_credentials + - authorization_code + - password + scopes: + include: + - '*' + actions: + token: + accessTokenLifetimeMinutes: 60 + refreshTokenLifetimeMinutes: 0 + refreshTokenWindowMinutes: 10080 + inlineHook: + id: cal4egvp1mbMldrYN0g7 + ListOAuth2ResourceServerJsonWebKeys: + summary: All OAuth2 Resource Server JSON Web Keys + value: + - status: ACTIVE + id: apk40n33xfjbPaf6D0g5 + e: AQAB + 'n': >- + g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n + 
LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI + JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, + WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ + kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + kty: RSA + use: enc + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/resourceservercredentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc + hints: + allow: + - GET + - status: INACTIVE + id: apk33a45xfjbDfg6D0g5 + e: AQAB + 'n': >- + l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK + 3 + HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 + - XDIDb0XG - R8DOoOHLJPTpsgH - rJe + M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 + TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 + OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ + kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + kty: RSA + use: enc + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/resourceservercredentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo + hints: + allow: + - GET + AddOAuth2ResourceServerJsonWebKeyRequest: + summary: JSON Web Key request example + value: + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + use: enc + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: INACTIVE + OAuth2ResourceServerJsonWebKey: + summary: JSON Web Key example + value: + id: apk2f4zrZbs8nUa7p0g4 + kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B + kty: RSA + alg: RS256 + use: enc + e: AQAB + 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= + status: INACTIVE + created: '2023-04-06T21:32:33.000Z' + lastUpdated: 
'2023-04-06T21:32:33.000Z' + _links: + delete: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/resourceservercredentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc/lifecycle/delete + hints: + allow: + - DELETE + ErrorJsonWebKeyNonUniqueKid: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: Each key must have a unique ''kid''. + ErrorJsonWebKeyKidLengthTooShort: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + RSA key length in the 'jwks' is less than '2,048' bits for the + given key. + ErrorJsonWebKeyTooManyKids: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + You can't create a new key. You have reached the maximum number of + keys allowed (5). To add another key, you must first delete an + existing one. + ErrorJsonWebKeyCannotAddActiveKey: + value: + errorCode: E0000001, + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001, + errorId: sampleQPivGUj_ND5v78vbYWW, + errorCauses: + - errorSummary: >- + Keys cannot be created with an ''ACTIVE'' status. Create an + ''INACTIVE'' key and then activate it. + ErrorDeleteActiveJsonWebKey: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + ''ACTIVE'' keys cannot be deleted. Activate another key before + deleting this one. 
+ ErrorDeactivateActiveKey: + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: JsonWebKey' + errorLink: E0000001 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: + - errorSummary: >- + You cannot deactivate the active key when access token encryption + is enabled. + ExampleOAuth2Scopes: + summary: All scopes + value: + - id: scp5yu8kLOnDzo7lh0g4 + name: car:drive + description: Drive car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: NO_CLIENTS + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + CreateOAuth2ScopeRequest: + summary: Example scope + value: + name: car:drive + description: Drive car + consent: REQUIRED + displayName: Saml Jackson + ExampleOAuth2Scope: + summary: Example scope + value: + id: scp5yu8kLOnDzo7lh0g4 + name: car:drive + description: Drive car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: NO_CLIENTS + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + UpdateOAuth2ScopeRequest: + summary: Example scope + value: + description: Order car + name: car:order + metadataPublish: ALL_CLIENTS + UpdatedOAuth2ScopeResponse: + summary: Updated scope + value: + id: scp5yu8kLOnDzo7lh0g4 + name: car:order + description: Order car + system: false + default: false + displayName: Saml Jackson + consent: REQUIRED + optional: false + metadataPublish: ALL_CLIENTS + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 + hints: + allow: + - GET + - PUT + - DELETE + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not 
have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorInvalidTokenProvided: + summary: Invalid Token Provided + value: + errorCode: E0000011 + errorSummary: Invalid token provided + errorLink: E0000011 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + x-stackQL-resources: + authorization_servers: + id: okta.authorizationservers.authorization_servers + name: authorization_servers + title: Authorization Servers + methods: + list_authorization_servers: + operation: + $ref: '#/paths/~1api~1v1~1authorizationServers/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_authorization_server: + operation: + $ref: '#/paths/~1api~1v1~1authorizationServers/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_authorization_server: + operation: + $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_authorization_server: + operation: + $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_authorization_server: + operation: + $ref: '#/paths/~1api~1v1~1authorizationServers~1{authServerId}/delete' + response: + mediaType: '' + openAPIDocKey: 
'204' + activate_authorization_server: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1lifecycle~1activate/post + response: + mediaType: '' + openAPIDocKey: '204' + deactivate_authorization_server: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1lifecycle~1deactivate/post + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/authorization_servers/methods/list_authorization_servers + - $ref: >- + #/components/x-stackQL-resources/authorization_servers/methods/get_authorization_server + insert: + - $ref: >- + #/components/x-stackQL-resources/authorization_servers/methods/create_authorization_server + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/authorization_servers/methods/delete_authorization_server + replace: + - $ref: >- + #/components/x-stackQL-resources/authorization_servers/methods/replace_authorization_server + associated_servers: + id: okta.authorizationservers.associated_servers + name: associated_servers + title: Associated Servers + methods: + list_associated_servers_by_trusted_type: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1associatedServers/get + response: + mediaType: application/json + openAPIDocKey: '200' + create_associated_servers: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1associatedServers/post + response: + mediaType: application/json + openAPIDocKey: '200' + delete_associated_server: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1associatedServers~1{associatedServerId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/associated_servers/methods/list_associated_servers_by_trusted_type + insert: + - $ref: >- + #/components/x-stackQL-resources/associated_servers/methods/create_associated_servers + 
update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/associated_servers/methods/delete_associated_server + replace: [] + claims: + id: okta.authorizationservers.claims + name: claims + title: Claims + methods: + list_oauth2_claims: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1claims/get + response: + mediaType: application/json + openAPIDocKey: '200' + create_oauth2_claim: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1claims/post + response: + mediaType: application/json + openAPIDocKey: '201' + get_oauth2_claim: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1claims~1{claimId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_oauth2_claim: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1claims~1{claimId}/put + response: + mediaType: application/json + openAPIDocKey: '200' + delete_oauth2_claim: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1claims~1{claimId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/claims/methods/list_oauth2_claims' + - $ref: '#/components/x-stackQL-resources/claims/methods/get_oauth2_claim' + insert: + - $ref: >- + #/components/x-stackQL-resources/claims/methods/create_oauth2_claim + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/claims/methods/delete_oauth2_claim + replace: + - $ref: >- + #/components/x-stackQL-resources/claims/methods/replace_oauth2_claim + clients: + id: okta.authorizationservers.clients + name: clients + title: Clients + methods: + list_oauth2_clients_for_authorization_server: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1clients/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + 
#/components/x-stackQL-resources/clients/methods/list_oauth2_clients_for_authorization_server + insert: [] + update: [] + delete: [] + replace: [] + refresh_tokens: + id: okta.authorizationservers.refresh_tokens + name: refresh_tokens + title: Refresh Tokens + methods: + list_refresh_tokens_for_authorization_server_and_client: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1clients~1{clientId}~1tokens/get + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_refresh_tokens_for_authorization_server_and_client: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1clients~1{clientId}~1tokens/delete + response: + mediaType: '' + openAPIDocKey: '204' + get_refresh_token_for_authorization_server_and_client: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1clients~1{clientId}~1tokens~1{tokenId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_refresh_token_for_authorization_server_and_client: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1clients~1{clientId}~1tokens~1{tokenId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/refresh_tokens/methods/list_refresh_tokens_for_authorization_server_and_client + - $ref: >- + #/components/x-stackQL-resources/refresh_tokens/methods/get_refresh_token_for_authorization_server_and_client + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/refresh_tokens/methods/revoke_refresh_tokens_for_authorization_server_and_client + - $ref: >- + #/components/x-stackQL-resources/refresh_tokens/methods/revoke_refresh_token_for_authorization_server_and_client + replace: [] + keys: + id: okta.authorizationservers.keys + name: keys + title: Keys + methods: + list_authorization_server_keys: + operation: + $ref: >- + 
#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1credentials~1keys/get + response: + mediaType: application/json + openAPIDocKey: '200' + get_authorization_server_key: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1credentials~1keys~1{keyId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + rotate_authorization_server_keys: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1credentials~1lifecycle~1keyRotate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/keys/methods/list_authorization_server_keys + - $ref: >- + #/components/x-stackQL-resources/keys/methods/get_authorization_server_key + insert: [] + update: [] + delete: [] + replace: [] + policies: + id: okta.authorizationservers.policies + name: policies + title: Policies + methods: + list_authorization_server_policies: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies/get + response: + mediaType: application/json + openAPIDocKey: '200' + create_authorization_server_policy: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies/post + response: + mediaType: application/json + openAPIDocKey: '201' + get_authorization_server_policy: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_authorization_server_policy: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}/put + response: + mediaType: application/json + openAPIDocKey: '200' + delete_authorization_server_policy: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + activate_authorization_server_policy: + 
operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1lifecycle~1activate/post + response: + mediaType: '' + openAPIDocKey: '204' + deactivate_authorization_server_policy: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1lifecycle~1deactivate/post + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/policies/methods/list_authorization_server_policies + - $ref: >- + #/components/x-stackQL-resources/policies/methods/get_authorization_server_policy + insert: + - $ref: >- + #/components/x-stackQL-resources/policies/methods/create_authorization_server_policy + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/policies/methods/delete_authorization_server_policy + replace: + - $ref: >- + #/components/x-stackQL-resources/policies/methods/replace_authorization_server_policy + rules: + id: okta.authorizationservers.rules + name: rules + title: Rules + methods: + list_authorization_server_policy_rules: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules/get + response: + mediaType: application/json + openAPIDocKey: '200' + create_authorization_server_policy_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules/post + response: + mediaType: application/json + openAPIDocKey: '201' + get_authorization_server_policy_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules~1{ruleId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_authorization_server_policy_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules~1{ruleId}/put + response: + mediaType: application/json + openAPIDocKey: '200' + 
delete_authorization_server_policy_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules~1{ruleId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + activate_authorization_server_policy_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules~1{ruleId}~1lifecycle~1activate/post + response: + mediaType: '' + openAPIDocKey: '204' + deactivate_authorization_server_policy_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1policies~1{policyId}~1rules~1{ruleId}~1lifecycle~1deactivate/post + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/rules/methods/list_authorization_server_policy_rules + - $ref: >- + #/components/x-stackQL-resources/rules/methods/get_authorization_server_policy_rule + insert: + - $ref: >- + #/components/x-stackQL-resources/rules/methods/create_authorization_server_policy_rule + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/rules/methods/delete_authorization_server_policy_rule + replace: + - $ref: >- + #/components/x-stackQL-resources/rules/methods/replace_authorization_server_policy_rule + oauth2_resource_server_jwks: + id: okta.authorizationservers.oauth2_resource_server_jwks + name: oauth2_resource_server_jwks + title: Oauth2 Resource Server Jwks + methods: + list_oauth2_resource_server_json_web_keys: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1resourceservercredentials~1keys/get + response: + mediaType: application/json + openAPIDocKey: '200' + add_oauth2_resource_server_json_web_key: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1resourceservercredentials~1keys/post + response: + mediaType: application/json + openAPIDocKey: '201' + get_oauth2_resource_server_json_web_key: + operation: + $ref: >- + 
#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1resourceservercredentials~1keys~1{keyId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + delete_oauth2_resource_server_json_web_key: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1resourceservercredentials~1keys~1{keyId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + activate_oauth2_resource_server_json_web_key: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1resourceservercredentials~1keys~1{keyId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_oauth2_resource_server_json_web_key: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1resourceservercredentials~1keys~1{keyId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/oauth2_resource_server_jwks/methods/list_oauth2_resource_server_json_web_keys + - $ref: >- + #/components/x-stackQL-resources/oauth2_resource_server_jwks/methods/get_oauth2_resource_server_json_web_key + insert: + - $ref: >- + #/components/x-stackQL-resources/oauth2_resource_server_jwks/methods/add_oauth2_resource_server_json_web_key + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/oauth2_resource_server_jwks/methods/delete_oauth2_resource_server_json_web_key + replace: [] + scopes: + id: okta.authorizationservers.scopes + name: scopes + title: Scopes + methods: + list_oauth2_scopes: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1scopes/get + response: + mediaType: application/json + openAPIDocKey: '200' + create_oauth2_scope: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1scopes/post + response: + mediaType: application/json + openAPIDocKey: '201' + get_oauth2_scope: + operation: + $ref: >- + 
#/paths/~1api~1v1~1authorizationServers~1{authServerId}~1scopes~1{scopeId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_oauth2_scope: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1scopes~1{scopeId}/put + response: + mediaType: application/json + openAPIDocKey: '200' + delete_oauth2_scope: + operation: + $ref: >- + #/paths/~1api~1v1~1authorizationServers~1{authServerId}~1scopes~1{scopeId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/scopes/methods/list_oauth2_scopes' + - $ref: '#/components/x-stackQL-resources/scopes/methods/get_oauth2_scope' + insert: + - $ref: >- + #/components/x-stackQL-resources/scopes/methods/create_oauth2_scope + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/scopes/methods/delete_oauth2_scope + replace: + - $ref: >- + #/components/x-stackQL-resources/scopes/methods/replace_oauth2_scope +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/behaviors.yaml b/providers/src/okta/v00.00.00000/services/behaviors.yaml new file mode 100644 index 00000000..89c18096 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/behaviors.yaml 
@@ -0,0 +1,575 @@ +openapi: 3.0.3 +info: + title: behaviors API + description: okta behaviors API + version: 5.1.0 +paths: + /api/v1/behaviors: + get: + summary: List all behavior detection rules + description: Lists all behavior detection rules with pagination support + operationId: listBehaviorDetectionRules + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/BehaviorRule' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.behaviors.read + tags: + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a behavior detection rule + description: Creates a new behavior detection rule + operationId: createBehaviorDetectionRule + x-codegen-request-body-name: rule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BehaviorRule' + examples: + Behavior Rule Request: + $ref: '#/components/examples/BehaviorRuleRequest' + required: true + responses: + '200': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/BehaviorRule' + examples: + Behavior Rule Response: + $ref: '#/components/examples/BehaviorRuleResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + API Validation Failed: + $ref: '#/components/examples/ErrorApiValidationFailed' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.behaviors.manage + tags: + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/behaviors/{behaviorId}: + get: + summary: Retrieve a behavior detection rule + description: Retrieves a Behavior Detection Rule by `behaviorId` + 
operationId: getBehaviorDetectionRule + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/BehaviorRule' + examples: + Behavior Rule Response: + $ref: '#/components/examples/BehaviorRuleResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Resource Not Found: + $ref: '#/components/examples/ErrorResourceNotFound' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.behaviors.read + tags: + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a behavior detection rule + description: Replaces a Behavior Detection Rule by `behaviorId` + operationId: replaceBehaviorDetectionRule + x-codegen-request-body-name: rule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BehaviorRule' + examples: + Behavior Rule Request: + $ref: '#/components/examples/BehaviorRuleRequest' + required: true + responses: + '200': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/BehaviorRule' + examples: + Behavior Rule Response: + $ref: '#/components/examples/BehaviorRuleResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + API Validation Failed: + $ref: '#/components/examples/ErrorApiValidationFailed' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Resource Not Found: + $ref: '#/components/examples/ErrorResourceNotFound' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.behaviors.manage + tags: + - Behavior + 
x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a behavior detection rule + description: Deletes a Behavior Detection Rule by `behaviorId` + operationId: deleteBehaviorDetectionRule + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Resource Not Found: + $ref: '#/components/examples/ErrorResourceNotFound' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.behaviors.manage + tags: + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBehaviorId' + /api/v1/behaviors/{behaviorId}/lifecycle/activate: + post: + summary: Activate a behavior detection rule + description: Activates a behavior detection rule + operationId: activateBehaviorDetectionRule + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/BehaviorRule' + examples: + Behavior Rule Response: + $ref: '#/components/examples/BehaviorRuleResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.behaviors.manage + tags: + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBehaviorId' + /api/v1/behaviors/{behaviorId}/lifecycle/deactivate: + post: + summary: Deactivate a behavior detection rule + description: Deactivates a behavior detection rule + operationId: deactivateBehaviorDetectionRule + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/BehaviorRule' 
+ examples: + Behavior Rule Response: + $ref: '#/components/examples/BehaviorRuleResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.behaviors.manage + tags: + - Behavior + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBehaviorId' +components: + schemas: + BehaviorRule: + title: Behavior Detection Rule + type: object + properties: + created: + type: string + description: Timestamp when the Behavior Detection Rule was created + readOnly: true + id: + type: string + description: ID of the Behavior Detection Rule + readOnly: true + lastUpdated: + type: string + description: Timestamp when the Behavior Detection Rule was last modified + readOnly: true + name: + type: string + description: Name of the Behavior Detection Rule + maxLength: 128 + status: + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/BehaviorRuleType' + _link: + $ref: '#/components/schemas/LinksSelf' + required: + - name + - type + discriminator: + propertyName: type + mapping: + ANOMALOUS_LOCATION: '#/components/schemas/BehaviorRuleAnomalousLocation' + ANOMALOUS_IP: '#/components/schemas/BehaviorRuleAnomalousIP' + ANOMALOUS_DEVICE: '#/components/schemas/BehaviorRuleAnomalousDevice' + VELOCITY: '#/components/schemas/BehaviorRuleVelocity' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. 
+ errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + LifecycleStatus: + type: string + enum: + - ACTIVE + - INACTIVE + BehaviorRuleType: + type: string + enum: + - ANOMALOUS_DEVICE + - ANOMALOUS_IP + - ANOMALOUS_LOCATION + - VELOCITY + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathBehaviorId: + name: behaviorId + in: path + schema: + type: string + example: abcd1234 + required: true + description: ID of the Behavior Detection Rule + examples: + BehaviorRuleRequest: + value: + name: My Behavior Rule + type: VELOCITY + BehaviorRuleResponse: + value: + id: abcd1234 + name: My Behavior Rule + type: VELOCITY + settings: + velocityKph: 805 + status: ACTIVE + created: '2021-11-09 20:38:10.0' + lastUpdated: '2021-11-11 20:38:10.0' + _link: + self: + href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234 + hints: + allow: + - GET + - POST + - PUT + - DELETE + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorAccessDenied: + summary: Access 
Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + x-stackQL-resources: + behavior_detection_rules: + id: okta.behaviors.behavior_detection_rules + name: behavior_detection_rules + title: Behavior Detection Rules + methods: + list_behavior_detection_rules: + operation: + $ref: '#/paths/~1api~1v1~1behaviors/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_behavior_detection_rule: + operation: + $ref: '#/paths/~1api~1v1~1behaviors/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_behavior_detection_rule: + operation: + $ref: '#/paths/~1api~1v1~1behaviors~1{behaviorId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_behavior_detection_rule: + operation: + $ref: '#/paths/~1api~1v1~1behaviors~1{behaviorId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_behavior_detection_rule: + operation: + $ref: '#/paths/~1api~1v1~1behaviors~1{behaviorId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_behavior_detection_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1behaviors~1{behaviorId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_behavior_detection_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1behaviors~1{behaviorId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/behavior_detection_rules/methods/list_behavior_detection_rules + - $ref: >- + 
#/components/x-stackQL-resources/behavior_detection_rules/methods/get_behavior_detection_rule + insert: + - $ref: >- + #/components/x-stackQL-resources/behavior_detection_rules/methods/create_behavior_detection_rule + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/behavior_detection_rules/methods/delete_behavior_detection_rule + replace: + - $ref: >- + #/components/x-stackQL-resources/behavior_detection_rules/methods/replace_behavior_detection_rule +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/brands.yaml b/providers/src/okta/v00.00.00000/services/brands.yaml new file mode 100644 index 00000000..fa1dbda1 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/brands.yaml 
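Review bot: The `discriminator.mapping` under `components.schemas.BehaviorRule` points at `BehaviorRuleAnomalousLocation`, `BehaviorRuleAnomalousIP`, `BehaviorRuleAnomalousDevice` and `BehaviorRuleVelocity`, but none of those four schemas is defined anywhere in this new file, so the references dangle. The base schema also has no `settings` property, although the `BehaviorRuleResponse` example carries `settings.velocityKph`; the thresholds that make a detection rule worth auditing are therefore undescribed and may not surface as columns in a `select` on `behavior_detection_rules`. Either add the four subtype schemas, or drop the `discriminator` block and declare `settings: {type: object, additionalProperties: true}` on `BehaviorRule`. Separately, every operation lists `apiToken` and `oauth2` under `security`, yet `components` has no `securitySchemes`; if authentication is meant to come from the provider-level config (outside this hunk), a short comment above `paths:` saying so would help.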
@@ -0,0 +1,4743 @@ +openapi: 3.0.3 +info: + title: brands API + description: okta brands API + version: 5.1.0 +paths: + /api/v1/brands: + get: + summary: List all brands + description: Lists all the brands in your org + operationId: listBrands + parameters: + - $ref: '#/components/parameters/queryExpandBrand' + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + - $ref: '#/components/parameters/queryFilter' + responses: + '200': + description: Successfully returned the list of brands + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/BrandWithEmbedded' + examples: + Get brands response: + $ref: '#/components/examples/ListBrandsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.read + tags: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a brand + description: Creates a new brand in your org + operationId: createBrand + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateBrandRequest' + examples: + Create brand request: + $ref: '#/components/examples/CreateBrandRequest' + responses: + '201': + description: Successfully created the brand + content: + application/json: + schema: + $ref: '#/components/schemas/Brand' + examples: + Create brand response: + $ref: '#/components/examples/CreateBrandResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '409': + description: Could not create the new brand because same name already exist. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Cannot create brand with the same name: + $ref: '#/components/examples/ErrorCreateBrandExists' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/brands/{brandId}: + get: + summary: Retrieve a brand + description: Retrieves a brand by `brandId` + operationId: getBrand + parameters: + - $ref: '#/components/parameters/queryExpandBrand' + responses: + '200': + description: Successfully retrieved the brand + content: + application/json: + schema: + $ref: '#/components/schemas/BrandWithEmbedded' + examples: + Get brand response: + $ref: '#/components/examples/GetBrandResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.read + tags: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a brand + description: >+ + Replaces a brand by `brandId` + + + Passing an invalid `brandId` returns a `404 Not Found` status code with + the error code `E0000007`. + + + Not providing `agreeToCustomPrivacyPolicy` with `customPrivacyPolicyUrl` + returns a `400 Bad Request` status code with the error code `E0000001`. 
+ + operationId: replaceBrand + x-codegen-request-body-name: brand + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BrandRequest' + examples: + Update brand request: + $ref: '#/components/examples/UpdateBrandRequest' + required: true + responses: + '200': + description: Successfully replaced the brand + content: + application/json: + schema: + $ref: '#/components/schemas/Brand' + examples: + Update brand response: + $ref: '#/components/examples/UpdateBrandResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a brand + description: Deletes a brand by `brandId` + operationId: deleteBrand + responses: + '204': + description: Successfully deleted the brand. 
+ '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Conflict + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Cannot delete default brand: + $ref: '#/components/examples/ErrorDeleteDefaultBrand' + Cannot delete brand associated with a domain: + $ref: '#/components/examples/ErrorDeleteBrandAssociatedWithDomain' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBrandId' + /api/v1/brands/{brandId}/domains: + get: + summary: List all domains associated with a brand + description: Lists all domains associated with a brand by `brandId` + operationId: listBrandDomains + responses: + '200': + description: Successfully returned the list of domains for the brand + content: + application/json: + schema: + $ref: '#/components/schemas/BrandDomains' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.read + tags: + - Brands + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBrandId' + /api/v1/brands/{brandId}/pages/error: + get: + summary: Retrieve the error page sub-resources + description: >- + Retrieves the error page sub-resources. The `expand` query parameter + specifies which sub-resources to include in the response. + operationId: getErrorPage + responses: + '200': + description: Successfully retrieved the error page. 
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/PageRoot'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.read
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ - $ref: '#/components/parameters/queryExpandPageRoot'
+ /api/v1/brands/{brandId}/pages/error/customized:
+ get:
+ summary: Retrieve the customized error page
+ description: >-
+ Retrieves the customized error page. The customized error page appears
+ in your live environment.
+ operationId: getCustomizedErrorPage
+ responses:
+ '200':
+ description: Successfully retrieved the customized error page.
+ headers:
+ Location:
+ schema:
+ type: string
+ format: uri
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorPage'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.read
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace the customized error page
+ description: >-
+ Replaces the customized error page. The customized error page appears in
+ your live environment.
+ operationId: replaceCustomizedErrorPage
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorPage'
+ required: true
+ responses:
+ '200':
+ description: Successfully replaced the customized error page.
+ headers:
+ Location:
+ schema:
+ type: string
+ format: uri
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorPage'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.manage
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Delete the customized error page
+ description: >-
+ Deletes the customized error page. As a result, the default error page
+ appears in your live environment.
+ operationId: deleteCustomizedErrorPage
+ responses:
+ '204':
+ description: Successfully deleted the customized error page.
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.manage
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ /api/v1/brands/{brandId}/pages/error/default:
+ get:
+ summary: Retrieve the default error page
+ description: >-
+ Retrieves the default error page. The default error page appears when no
+ customized error page exists.
+ operationId: getDefaultErrorPage
+ responses:
+ '200':
+ description: Successfully retrieved the default error page.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorPage'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.read
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ /api/v1/brands/{brandId}/pages/error/preview:
+ get:
+ summary: Retrieve the preview error page preview
+ description: >-
+ Retrieves the preview error page. The preview error page contains
+ unpublished changes and isn't shown in your live environment. Preview it
+ at `${yourOktaDomain}/error/preview`.
+ operationId: getPreviewErrorPage
+ responses:
+ '200':
+ description: Successfully retrieved the preview error page.
+ headers:
+ Location:
+ schema:
+ type: string
+ format: uri
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorPage'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.read
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace the preview error page
+ description: >-
+ Replaces the preview error page. The preview error page contains
+ unpublished changes and isn't shown in your live environment. Preview it
+ at `${yourOktaDomain}/error/preview`.
+ operationId: replacePreviewErrorPage
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorPage'
+ required: true
+ responses:
+ '200':
+ description: Successfully replaced the preview error page.
+ headers:
+ Location:
+ schema:
+ type: string
+ format: uri
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorPage'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.manage
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Delete the preview error page
+ description: >-
+ Deletes the preview error page. The preview error page contains
+ unpublished changes and isn't shown in your live environment. Preview it
+ at `${yourOktaDomain}/error/preview`.
+ operationId: deletePreviewErrorPage
+ responses:
+ '204':
+ description: Successfully deleted the preview error page.
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.manage
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ /api/v1/brands/{brandId}/pages/sign-in:
+ get:
+ summary: Retrieve the sign-in page sub-resources
+ description: >-
+ Retrieves the sign-in page sub-resources. The `expand` query parameter
+ specifies which sub-resources to include in the response.
+ operationId: getSignInPage
+ responses:
+ '200':
+ description: Successfully retrieved the sign-in page.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/PageRoot'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.read
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ - $ref: '#/components/parameters/queryExpandPageRoot'
+ /api/v1/brands/{brandId}/pages/sign-in/customized:
+ get:
+ summary: Retrieve the customized sign-in page
+ description: >-
+ Retrieves the customized sign-in page. The customized sign-in page
+ appears in your live environment.
+ operationId: getCustomizedSignInPage
+ responses:
+ '200':
+ description: Successfully retrieved the customized sign-in page.
+ headers:
+ Location:
+ schema:
+ type: string
+ format: uri
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SignInPage'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.read
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace the customized sign-in page
+ description: >-
+ Replaces the customized sign-in page. The customized sign-in page
+ appears in your live environment.
+ operationId: replaceCustomizedSignInPage
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SignInPage'
+ required: true
+ responses:
+ '200':
+ description: Successfully replaced the customized sign-in page.
+ headers:
+ Location:
+ schema:
+ type: string
+ format: uri
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SignInPage'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.manage
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Delete the customized sign-in page
+ description: >-
+ Deletes the customized sign-in page. As a result, the default sign-in
+ page appears in your live environment.
+ operationId: deleteCustomizedSignInPage
+ responses:
+ '204':
+ description: Successfully deleted the sign-in page.
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.manage
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ /api/v1/brands/{brandId}/pages/sign-in/default:
+ get:
+ summary: Retrieve the default sign-in page
+ description: >-
+ Retrieves the default sign-in page. The default sign-in page appears
+ when no customized sign-in page exists.
+ operationId: getDefaultSignInPage
+ responses:
+ '200':
+ description: Successfully retrieved the default sign-in page.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SignInPage'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.read
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ /api/v1/brands/{brandId}/pages/sign-in/preview:
+ get:
+ summary: Retrieve the preview sign-in page preview
+ description: >-
+ Retrieves the preview sign-in page. The preview sign-in page contains
+ unpublished changes and isn't shown in your live environment. Preview it
+ at `${yourOktaDomain}/login/preview`.
+ operationId: getPreviewSignInPage
+ responses:
+ '200':
+ description: Successfully retrieved the preview sign-in page.
+ headers:
+ Location:
+ schema:
+ type: string
+ format: uri
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SignInPage'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.read
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace the preview sign-in page
+ description: >-
+ Replaces the preview sign-in page. The preview sign-in page contains
+ unpublished changes and isn't shown in your live environment. Preview it
+ at `${yourOktaDomain}/login/preview`.
+ operationId: replacePreviewSignInPage
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SignInPage'
+ required: true
+ responses:
+ '200':
+ description: Successfully replaced the preview sign-in page.
+ headers:
+ Location:
+ schema:
+ type: string
+ format: uri
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SignInPage'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.manage
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Delete the preview sign-in page
+ description: >-
+ Deletes the preview sign-in page. The preview sign-in page contains
+ unpublished changes and isn't shown in your live environment. Preview it
+ at `${yourOktaDomain}/login/preview`.
+ operationId: deletePreviewSignInPage
+ responses:
+ '204':
+ description: Successfully deleted the preview sign-in page.
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.manage
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ /api/v1/brands/{brandId}/pages/sign-in/widget-versions:
+ get:
+ summary: List all Sign-In Widget versions
+ description: Lists all sign-in widget versions supported by the current org
+ operationId: listAllSignInWidgetVersions
+ responses:
+ '200':
+ description: Successfully listed the sign-in widget versions.
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ type: string
+ pattern: ^\d+\.\d+$
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.read
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ /api/v1/brands/{brandId}/pages/sign-out/customized:
+ get:
+ summary: Retrieve the sign-out page settings
+ description: Retrieves the sign-out page settings
+ operationId: getSignOutPageSettings
+ responses:
+ '200':
+ description: Successfully retrieved the sign-out page settings.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/HostedPage'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.read
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace the sign-out page settings
+ description: Replaces the sign-out page settings
+ operationId: replaceSignOutPageSettings
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/HostedPage'
+ required: true
+ responses:
+ '200':
+ description: Successfully replaced the sign-out page settings.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/HostedPage'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.brands.manage
+ tags:
+ - CustomPages
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ /api/v1/brands/{brandId}/templates/email:
+ get:
+ summary: List all email templates
+ description: Lists all supported email templates
+ operationId: listEmailTemplates
+ parameters:
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
+ - $ref: '#/components/parameters/queryExpandEmailTemplate'
+ responses:
+ '200':
+ description: Successfully returned the list of email templates.
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/EmailTemplateResponse'
+ examples:
+ List email templates response:
+ $ref: '#/components/examples/ListEmailTemplateResponse'
+ headers:
+ Link:
+ schema:
+ type: string
+ description: >-
+ The pagination header containing links to the current and next
+ page of results. See [Pagination]https://developer.okta.com/docs/api#pagination for more
+ information.
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.read
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ /api/v1/brands/{brandId}/templates/email/{templateName}:
+ get:
+ summary: Retrieve an email template
+ description: Retrieves the details of an email template by name
+ operationId: getEmailTemplate
+ parameters:
+ - $ref: '#/components/parameters/queryExpandEmailTemplate'
+ responses:
+ '200':
+ description: Successfully retrieved the email template.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailTemplateResponse'
+ examples:
+ Get email template response:
+ $ref: '#/components/examples/GetEmailTemplateResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.read
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ - $ref: '#/components/parameters/pathTemplateName'
+ /api/v1/brands/{brandId}/templates/email/{templateName}/customizations:
+ get:
+ summary: List all email customizations
+ description: >
+ Lists all customizations of an email template
+
+
+ If Custom languages for Okta
+ Email Templates is enabled, all existing customizations are retrieved,
+ including customizations for additional languages. If disabled, only
+ customizations for Okta-supported languages are returned.
+ operationId: listEmailCustomizations
+ parameters:
+ - $ref: '#/components/parameters/queryAfter'
+ - $ref: '#/components/parameters/queryLimit'
+ responses:
+ '200':
+ description: >-
+ Successfully retrieved all email customizations for the specified
+ email template.
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/EmailCustomization'
+ examples:
+ List Email customizations response:
+ $ref: '#/components/examples/ListEmailCustomizationResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.read
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Create an email customization
+ description: >
+ Creates a new Email Customization
+
+
+ If Custom languages for Okta
+ Email Templates is enabled, you can create a customization for any BCP47
+ language in addition to the Okta-supported languages.
+ operationId: createEmailCustomization
+ x-codegen-request-body-name: instance
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailCustomization'
+ examples:
+ Create email customization request:
+ $ref: '#/components/examples/CreateUpdateEmailCustomizationRequest'
+ responses:
+ '201':
+ description: Successfully created the email customization.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailCustomization'
+ examples:
+ Create email customization response:
+ $ref: '#/components/examples/CreateUpdateEmailCustomizationResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '409':
+ description: >-
+ Could not create the email customization because it conflicts with
+ an existing email customization.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ Default email customization already exists:
+ $ref: >-
+ #/components/examples/ErrorEmailCustomizationDefaultAlreadyExists
+ Email customization already exists for the specified language:
+ $ref: >-
+ #/components/examples/ErrorEmailCustomizationLanguageAlreadyExists
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.manage
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Delete all email customizations
+ description: >
+ Deletes all customizations for an email template
+
+
+ If Custom languages for Okta
+ Email Templates is enabled, all customizations are deleted, including
+ customizations for additional languages. If disabled, only
+ customizations in Okta-supported languages are deleted.
+ operationId: deleteAllCustomizations
+ responses:
+ '204':
+ description: Successfully deleted all customizations for the email template.
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.manage
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ - $ref: '#/components/parameters/pathTemplateName'
+ /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}:
+ get:
+ summary: Retrieve an email customization
+ description: >
+ Retrieves an email customization by its unique identifier
+
+
+ If Custom languages for Okta
+ Email Templates is disabled, requests to retrieve an additional language
+ customization by ID result in a `404 Not Found` error response.
+ operationId: getEmailCustomization
+ responses:
+ '200':
+ description: Successfully retrieved the email customization.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailCustomization'
+ examples:
+ Get email customization response:
+ $ref: '#/components/examples/EmailCustomizationResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.read
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace an email customization
+ description: >
+ Replaces an email customization using property values
+
+
+ If Custom languages for Okta
+ Email Templates is disabled, requests to update a customization for an
+ additional language return a `404 Not Found` error response.
+ operationId: replaceEmailCustomization
+ x-codegen-request-body-name: instance
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailCustomization'
+ examples:
+ Update email customization request:
+ $ref: '#/components/examples/CreateUpdateEmailCustomizationRequest'
+ description: Request
+ responses:
+ '200':
+ description: Successfully updated the email customization.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailCustomization'
+ examples:
+ Update email customization response:
+ $ref: '#/components/examples/CreateUpdateEmailCustomizationResponse'
+ '400':
+ $ref: '#/components/responses/ErrorApiValidationFailed400'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '409':
+ description: >-
+ Could not update the email customization because the update would
+ cause a conflict with an existing email customization.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ Default email customization already exists:
+ $ref: >-
+ #/components/examples/ErrorEmailCustomizationDefaultAlreadyExists
+ Email customization already exists for the specified language:
+ $ref: >-
+ #/components/examples/ErrorEmailCustomizationLanguageAlreadyExists
+ Cannot set the default email customization's isDefault to false:
+ $ref: >-
+ #/components/examples/ErrorEmailCustomizationCannotClearDefault
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.manage
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ delete:
+ summary: Delete an email customization
+ description: >
+ Deletes an Email Customization by its unique identifier
+
+
+ If Custom languages for Okta
+ Email Templates is disabled, deletion of an existing additional language
+ customization by ID doesn't register.
+ operationId: deleteEmailCustomization
+ responses:
+ '204':
+ description: Successfully deleted the email customization.
+ content: {}
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '409':
+ description: >-
+ Could not delete the email customization deleted because it is the
+ default email customization.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Error'
+ examples:
+ Cannot delete default email customization:
+ $ref: >-
+ #/components/examples/ErrorEmailCustomizationCannotDeleteDefault
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.manage
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ - $ref: '#/components/parameters/pathTemplateName'
+ - $ref: '#/components/parameters/pathCustomizationId'
+ /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}/preview:
+ get:
+ summary: Retrieve a preview of an email customization
+ description: >
+ Retrieves a Preview of an Email Customization. All variable references
+ are populated from the current user's context. For example,
+ `${user.profile.firstName}`.
+
+
+ If Custom languages for Okta
+ Email Templates is disabled, requests for the preview of an additional
+ language customization by ID return a `404 Not Found` error response.
+ operationId: getCustomizationPreview
+ responses:
+ '200':
+ description: Successfully generated a preview of the email customization.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailPreview'
+ examples:
+ Preview email customization response:
+ $ref: '#/components/examples/PreviewEmailCustomizationResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.read
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ - $ref: '#/components/parameters/pathTemplateName'
+ - $ref: '#/components/parameters/pathCustomizationId'
+ /api/v1/brands/{brandId}/templates/email/{templateName}/default-content:
+ get:
+ summary: Retrieve an email template default content
+ description: >
+ Retrieves an email template's default content
+
+
+ Defaults to the current user's
+ language given the following:
+
+ - Custom languages for Okta Email Templates is enabled
+
+ - An additional language is specified for the `language` parameter
+ operationId: getEmailDefaultContent
+ parameters:
+ - $ref: '#/components/parameters/queryLanguage'
+ responses:
+ '200':
+ description: Successfully retrieved the email template's default content.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailDefaultContent'
+ examples:
+ Get email template default content response:
+ $ref: '#/components/examples/EmailTemplateDefaultContentResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.read
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ - $ref: '#/components/parameters/pathTemplateName'
+ /api/v1/brands/{brandId}/templates/email/{templateName}/default-content/preview:
+ get:
+ summary: Retrieve a preview of the email template default content
+ description: >
+ Retrieves a preview of an Email Template's default content. All variable
+ references are populated using the current user's context. For example,
+ `${user.profile.firstName}`.
+
+
+ Defaults to the current user's
+ language given the following:
+
+ - Custom languages for Okta Email Templates is enabled
+
+ - An additional language is specified for the `language` parameter
+ operationId: getEmailDefaultPreview
+ parameters:
+ - $ref: '#/components/parameters/queryLanguage'
+ responses:
+ '200':
+ description: >-
+ Successfully generated a preview of the email template's default
+ content.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailPreview'
+ examples:
+ Preview email template default content response:
+ $ref: >-
+ #/components/examples/PreviewEmailTemplateDefaultContentResponse
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.read
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ parameters:
+ - $ref: '#/components/parameters/pathBrandId'
+ - $ref: '#/components/parameters/pathTemplateName'
+ /api/v1/brands/{brandId}/templates/email/{templateName}/settings:
+ get:
+ summary: Retrieve the email template settings
+ description: Retrieves an email template's settings
+ operationId: getEmailSettings
+ responses:
+ '200':
+ description: Successfully retrieved the email template's settings.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailSettingsResponse'
+ examples:
+ Get email template settings response:
+ $ref: '#/components/examples/EmailSettingsResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '404':
+ $ref: '#/components/responses/ErrorResourceNotFound404'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.templates.read
+ tags:
+ - CustomTemplates
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ put:
+ summary: Replace the email template settings
+ description: Replaces an email template's settings
+ operationId: replaceEmailSettings
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/EmailSettings'
+ responses:
+ '200':
+ description: Successfully updated the email template's settings.
+ content: + application/json: + schema: + $ref: '#/components/schemas/EmailSettings' + examples: + Update email template settings: + $ref: '#/components/examples/EmailSettingsResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Conflict + content: + application/json: + schema: + $ref: '#/components/schemas/Error409' + examples: + Conflict: + $ref: '#/components/examples/ErrorEmailSettingsRaceCondition' + '422': + description: >- + Could not update the email template's settings due to an invalid + setting value. + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Invalid email template recipients: + $ref: '#/components/examples/ErrorInvalidEmailTemplateRecipients' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathTemplateName' + /api/v1/brands/{brandId}/templates/email/{templateName}/test: + post: + summary: Send a test email + description: >- + Sends a test email to the current user's primary and secondary email + addresses. The email content is selected based on the following + priority: + + 1. The email customization for the language specified in the `language` + query parameter + + If Custom languages for Okta + Email Templates is enabled and the `language` parameter is an additional + language, the test email uses the customization corresponding to the + language. + + 2. The email template's default customization + + 3. 
The email template's default content, translated to the current + user's language + + + > **Note:** Super admins can view customized email templates with the + **Send a test email** request. However, when custom email templates are + sent to super admins as part of actual email notification flows, the + customizations aren't applied. Instead, the default email template is + used. This only applies to super admins. + operationId: sendTestEmail + parameters: + - $ref: '#/components/parameters/queryLanguage' + responses: + '204': + description: Successfully sent a test email. + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.read + tags: + - CustomTemplates + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathTemplateName' + /api/v1/brands/{brandId}/themes: + get: + summary: List all themes + description: >- + Lists all the themes in your brand. + + + > **Important:** Currently each org supports only one theme, therefore + this contains a single object only. 
+ operationId: listBrandThemes + responses: + '200': + description: Successfully returned the list of themes + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/ThemeResponse' + examples: + Get themes response: + $ref: '#/components/examples/ListThemesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.read + tags: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBrandId' + /api/v1/brands/{brandId}/themes/{themeId}: + get: + summary: Retrieve a theme + description: Retrieves a theme for a brand + operationId: getBrandTheme + responses: + '200': + description: Successfully retrieved the theme + content: + application/json: + schema: + $ref: '#/components/schemas/ThemeResponse' + examples: + Get theme response: + $ref: '#/components/examples/GetThemeResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.read + tags: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a theme + description: Replaces a theme for a brand + operationId: replaceBrandTheme + x-codegen-request-body-name: theme + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateThemeRequest' + examples: + Update theme request: + $ref: '#/components/examples/UpdateThemeRequest' + required: true + responses: + '200': + description: Successfully replaced the theme + content: + application/json: + schema: + $ref: '#/components/schemas/ThemeResponse' + examples: + Update theme response: + 
$ref: '#/components/examples/UpdateThemeResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathThemeId' + /api/v1/brands/{brandId}/themes/{themeId}/background-image: + post: + summary: Upload the background image + description: >- + Uploads and replaces the background image for the theme. The file must + be in PNG, JPG, or GIF format and less than 2 MB in size. + operationId: uploadBrandThemeBackgroundImage + requestBody: + content: + multipart/form-data: + schema: + type: object + description: >- + The file must be in PNG, JPG, or GIF format and less than 2 MB + in size. 
+ properties: + file: + type: string + format: binary + required: + - file + description: background image file + responses: + '201': + description: Content Created + content: + application/json: + schema: + $ref: '#/components/schemas/ImageUploadResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete the background image + description: Deletes a theme background image + operationId: deleteBrandThemeBackgroundImage + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathThemeId' + /api/v1/brands/{brandId}/themes/{themeId}/favicon: + post: + summary: Upload the favicon + description: Uploads and replaces the favicon for the theme + operationId: uploadBrandThemeFavicon + requestBody: + content: + multipart/form-data: + schema: + type: object + description: >- + The file must be in PNG or ICO format and have a 1:1 ratio with + a maximum dimension of 512 x 512 + properties: + file: + type: string + format: binary + required: + - file + description: favicon file + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/ImageUploadResponse' + '400': + $ref: 
'#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete the favicon + description: Deletes a theme favicon. The theme will use the default Okta favicon. + operationId: deleteBrandThemeFavicon + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathThemeId' + /api/v1/brands/{brandId}/themes/{themeId}/logo: + post: + summary: Upload the logo + description: >- + Uploads and replaces the logo for the theme. The file must be in PNG, + JPG, or GIF format and less than 100kB in size. For best results use + landscape orientation, a transparent background, and a minimum size of + 300px by 50px to prevent upscaling. + operationId: uploadBrandThemeLogo + requestBody: + content: + multipart/form-data: + schema: + description: >- + The file must be in PNG, JPG, or GIF format and less than 100kB + in size. For best results use landscape orientation, a + transparent background, and a minimum size of 300px by 50px to + prevent upscaling. 
+ type: object + properties: + file: + type: string + format: binary + required: + - file + description: logo file + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ImageUploadResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete the logo + description: Deletes a Theme logo. The theme will use the default Okta logo. + operationId: deleteBrandThemeLogo + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - Themes + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathThemeId' + /api/v1/brands/{brandId}/well-known-uris: + get: + summary: Retrieve all the well-known URIs + description: >- + Retrieves the content from each of the well-known URIs for a specified + brand + operationId: getAllWellKnownURIs + responses: + '200': + description: Successfully retrieved all the well-known URIs + content: + application/json: + schema: + $ref: '#/components/schemas/WellKnownURIsRoot' + examples: + Retrieve all URIs response: + $ref: '#/components/examples/WellKnownURIsRootResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.read + tags: + - AssociatedDomainCustomizations + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/queryExpandWellKnownUris' + /api/v1/brands/{brandId}/well-known-uris/{path}: + get: + summary: Retrieve the well-known URI of a specific brand + description: Retrieves the well-known URI of a specific brand and well-known URI path + operationId: getRootBrandWellKnownURI + responses: + '200': + description: Successfully retrieved the well-known URI + content: + application/json: + schema: + $ref: '#/components/schemas/WellKnownURIObjectResponse' + examples: + Retrieve well-known URI of a specific brand: + $ref: '#/components/examples/WellKnownURIRootResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Invalid path: + $ref: '#/components/examples/ErrorInvalidWellKnownPath' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.read + tags: + - AssociatedDomainCustomizations + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathWellKnownUriPath' + - $ref: '#/components/parameters/queryExpandWellKnownUri' + /api/v1/brands/{brandId}/well-known-uris/{path}/customized: + get: + summary: Retrieve the customized content of the specified well-known URI + description: >- + Retrieves the customized content of a well-known URI for a specific + brand and well-known URI path + operationId: getBrandWellKnownURI + 
responses: + '200': + description: Successfully retrieved the customized well-known URI content + content: + application/json: + schema: + $ref: '#/components/schemas/WellKnownURIObjectResponse' + examples: + Retrieve the customized well-known URI: + $ref: '#/components/examples/WellKnownURIResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Invalid path: + $ref: '#/components/examples/ErrorInvalidWellKnownPath' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.read + tags: + - AssociatedDomainCustomizations + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the customized well-known URI of the specific path + description: >- + Replaces the content of a customized well-known URI that you specify. + + + There are endpoint-specific format requirements when you update the + content of a customized well-known URI. See [Customize associated + domains](https://developer.okta.com/docs/guides/custom-well-known-uri/main/). 
+ operationId: replaceBrandWellKnownURI + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/WellKnownURIRequest' + examples: + Update well-known URI request: + $ref: '#/components/examples/UpdateWellKnownURIRequest' + responses: + '200': + description: Successfully updated the well-known URI of the specified path + content: + application/json: + schema: + $ref: '#/components/schemas/WellKnownURIObjectResponse' + examples: + Update well-known URI response: + $ref: '#/components/examples/WellKnownURIResponse' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Invalid path: + $ref: '#/components/examples/ErrorInvalidWellKnownPath' + apple-app-site-association representation contains authsrv: + $ref: >- + #/components/examples/InvalidWellKnownAppleAppSiteRepresentationError + webauthn representation doesn't contain origins: + $ref: >- + #/components/examples/InvalidWellKnownWebauthnRepresentationError + webauthn representation origins is not string array: + $ref: >- + #/components/examples/InvalidWellKnownWebauthnRepresentationOriginStringError + Invalid content type for apple-app-site-association and webauthn: + $ref: '#/components/examples/InvalidWellKnownJsonTypeError' + Invalid content type for assetlinks.json: + $ref: '#/components/examples/InvalidWellKnownArrayTypeError' + Cannot update well-known URI for default brand: + $ref: >- + #/components/examples/CannotUpdateWellKnownUriForDefaultBrandError + size limit exceeded: + $ref: >- + #/components/examples/WellKnownRepresentationSizeLimitExceededError + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.brands.manage + tags: + - AssociatedDomainCustomizations + x-okta-lifecycle: + lifecycle: EA + 
isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathBrandId' + - $ref: '#/components/parameters/pathWellKnownUriPath' +components: + schemas: + BrandWithEmbedded: + allOf: + - $ref: '#/components/schemas/Brand' + type: object + properties: + _embedded: + type: object + properties: + themes: + type: array + items: + $ref: '#/components/schemas/ThemeResponse' + domains: + items: + $ref: '#/components/schemas/DomainResponse' + type: array + emailDomain: + $ref: '#/components/schemas/EmailDomainResponse' + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + themes: + $ref: '#/components/schemas/HrefObject' + type: object + CreateBrandRequest: + title: CreateBrandRequest + type: object + properties: + name: + type: string + description: The name of the Brand + required: + - name + Brand: + type: object + properties: + agreeToCustomPrivacyPolicy: + type: boolean + description: >- + Consent for updating the custom privacy URL. Not required when + resetting the URL. + customPrivacyPolicyUrl: + type: string + description: Custom privacy policy URL + default: null + defaultApp: + $ref: '#/components/schemas/DefaultApp' + emailDomainId: + type: string + description: The ID of the email domain + id: + readOnly: true + type: string + description: The Brand ID + isDefault: + readOnly: true + type: boolean + description: If `true`, the Brand is used for the Okta subdomain + locale: + $ref: '#/components/schemas/Language' + name: + type: string + description: The name of the Brand + removePoweredByOkta: + type: boolean + default: false + description: >- + Removes "Powered by Okta" from the sign-in page in redirect + authentication deployments, and "© [current year] Okta, Inc." 
from + the Okta End-User Dashboard + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + BrandRequest: + type: object + properties: + agreeToCustomPrivacyPolicy: + type: boolean + description: >- + Consent for updating the custom privacy URL. Not required when + resetting the URL. + customPrivacyPolicyUrl: + type: string + description: Custom privacy policy URL + defaultApp: + $ref: '#/components/schemas/DefaultApp' + emailDomainId: + type: string + description: The ID of the email domain + locale: + $ref: '#/components/schemas/Language' + name: + type: string + description: The name of the Brand + removePoweredByOkta: + type: boolean + default: false + description: >- + Removes "Powered by Okta" from the sign-in page in redirect + authentication deployments, and "© [current year] Okta, Inc." 
from + the Okta End-User Dashboard + required: + - name + BrandDomains: + title: BrandDomains + items: + $ref: '#/components/schemas/DomainResponse' + type: array + PageRoot: + type: object + properties: + _embedded: + type: object + properties: + default: + $ref: '#/components/schemas/CustomizablePage' + customized: + $ref: '#/components/schemas/CustomizablePage' + customizedUrl: + type: string + format: uri + preview: + $ref: '#/components/schemas/CustomizablePage' + previewUrl: + type: string + format: uri + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + default: + $ref: '#/components/schemas/HrefObject' + customized: + $ref: '#/components/schemas/HrefObject' + preview: + $ref: '#/components/schemas/HrefObject' + type: object + ErrorPage: + allOf: + - $ref: '#/components/schemas/CustomizablePage' + - type: object + properties: + contentSecurityPolicySetting: + $ref: '#/components/schemas/ContentSecurityPolicySetting' + SignInPage: + allOf: + - $ref: '#/components/schemas/CustomizablePage' + - type: object + properties: + contentSecurityPolicySetting: + $ref: '#/components/schemas/ContentSecurityPolicySetting' + widgetCustomizations: + type: object + properties: + signInLabel: + type: string + description: The label for the sign in widget + usernameLabel: + type: string + description: The label for the username field + usernameInfoTip: + type: string + description: The label for the username information tip + passwordLabel: + type: string + description: The label for the password field + passwordInfoTip: + type: string + description: The label for the password information tip + showPasswordVisibilityToggle: + type: boolean + description: Allows users to see their passwords as they type + showUserIdentifier: + type: boolean + description: >- + Allows the user's identifier to appear on authentication and + enrollment pages + forgotPasswordLabel: + type: string + description: The label for the forgot password page + 
forgotPasswordUrl: + type: string + description: The forgot password URL + unlockAccountLabel: + type: string + description: The label for the unlock account link + unlockAccountUrl: + type: string + description: The unlock account URL + helpLabel: + type: string + description: The label for the help link + helpUrl: + type: string + description: The help link URL + customLink1Label: + type: string + description: The label for the first custom link + customLink1Url: + type: string + description: The URL for the first custom link + customLink2Label: + type: string + description: The label for the second custom link + customLink2Url: + type: string + description: The URL for the second custom link + authenticatorPageCustomLinkLabel: + type: string + description: The label for the authenticator page custom link + authenticatorPageCustomLinkUrl: + type: string + description: The URL for the authenticator page custom link + classicRecoveryFlowEmailOrUsernameLabel: + type: string + description: >- + The label for the username field in the classic recovery + flow + widgetGeneration: + $ref: '#/components/schemas/WidgetGeneration' + postAuthKeepMeSignedInPrompt: + $ref: '#/components/schemas/PostAuthKeepMeSignedInPrompt' + classicFooterHelpTitle: + type: string + description: >- + The title of the footer link on the sign-in page. Only + applicable for Classic Engine orgs. 
+ widgetVersion: + $ref: '#/components/schemas/Version' + HostedPage: + type: object + properties: + type: + $ref: '#/components/schemas/HostedPageType' + url: + type: string + required: + - type + EmailTemplateResponse: + type: object + properties: + name: + type: string + readOnly: true + description: The name of this email template + _embedded: + type: object + properties: + settings: + $ref: '#/components/schemas/EmailSettingsResponse' + customizationCount: + type: integer + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + settings: + $ref: '#/components/schemas/HrefObject' + defaultContent: + $ref: '#/components/schemas/HrefObject' + customizations: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' + type: object + EmailCustomization: + allOf: + - $ref: '#/components/schemas/EmailContent' + - type: object + properties: + created: + type: string + format: date-time + readOnly: true + description: The UTC time at which this email customization was created. + id: + type: string + readOnly: true + description: A unique identifier for this email customization + isDefault: + type: boolean + description: >- + Whether this is the default customization for the email + template. Each customized email template must have exactly one + default customization. Defaults to `true` for the first + customization and `false` thereafter. + language: + $ref: '#/components/schemas/Language' + lastUpdated: + type: string + format: date-time + readOnly: true + description: The UTC time at which this email customization was last updated. 
+ _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + self: + $ref: '#/components/schemas/HrefObject' + template: + $ref: '#/components/schemas/HrefObject' + preview: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' + type: object + required: + - language + EmailPreview: + type: object + properties: + body: + type: string + readOnly: true + description: The email's HTML body + subject: + type: string + readOnly: true + description: The email's subject + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + contentSource: + $ref: '#/components/schemas/HrefObject' + template: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' + defaultContent: + $ref: '#/components/schemas/HrefObject' + type: object + EmailDefaultContent: + allOf: + - $ref: '#/components/schemas/EmailContent' + - type: object + properties: + _links: + type: object + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + template: + $ref: '#/components/schemas/HrefObject' + preview: + $ref: '#/components/schemas/HrefObject' + test: + $ref: '#/components/schemas/HrefObject' + type: object + EmailSettingsResponse: + type: object + properties: + recipients: + type: string + enum: + - ALL_USERS + - ADMINS_ONLY + - NO_USERS + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + self: + $ref: '#/components/schemas/HrefObject' + template: + $ref: '#/components/schemas/HrefObject' + type: object + EmailSettings: + type: object + properties: + recipients: + type: string + enum: + - ALL_USERS + - ADMINS_ONLY + - NO_USERS + required: + - recipients + Error409: + description: Conflict error object + type: object + properties: + errorCauses: + type: array + description: >- + Another request has already been received for the settings for this + email template + readOnly: true + errorCode: + type: string + description: E0000254 + readOnly: true + 
errorId: + type: string + description: sampleH3iLB6bpBcbnV9E09Fy + readOnly: true + errorLink: + type: string + description: E0000254 + readOnly: true + errorSummary: + type: string + description: >- + Another request has already been received for the settings for this + email template + readOnly: true + ThemeResponse: + type: object + properties: + backgroundImage: + readOnly: true + type: string + emailTemplateTouchPointVariant: + $ref: '#/components/schemas/EmailTemplateTouchPointVariant' + endUserDashboardTouchPointVariant: + $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' + errorPageTouchPointVariant: + $ref: '#/components/schemas/ErrorPageTouchPointVariant' + favicon: + readOnly: true + type: string + id: + readOnly: true + type: string + loadingPageTouchPointVariant: + $ref: '#/components/schemas/LoadingPageTouchPointVariant' + logo: + readOnly: true + type: string + primaryColorContrastHex: + type: string + description: Primary color contrast hex code + primaryColorHex: + type: string + description: Primary color hex code + secondaryColorContrastHex: + type: string + description: Secondary color contrast hex code + secondaryColorHex: + type: string + description: Secondary color hex code + signInPageTouchPointVariant: + $ref: '#/components/schemas/SignInPageTouchPointVariant' + _links: + $ref: '#/components/schemas/LinksSelf' + UpdateThemeRequest: + type: object + properties: + emailTemplateTouchPointVariant: + $ref: '#/components/schemas/EmailTemplateTouchPointVariant' + endUserDashboardTouchPointVariant: + $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' + errorPageTouchPointVariant: + $ref: '#/components/schemas/ErrorPageTouchPointVariant' + loadingPageTouchPointVariant: + $ref: '#/components/schemas/LoadingPageTouchPointVariant' + primaryColorContrastHex: + type: string + description: Primary color contrast hex code + default: null + primaryColorHex: + type: string + description: Primary color hex code + default: null + 
secondaryColorContrastHex: + type: string + description: Secondary color contrast hex code + default: null + secondaryColorHex: + type: string + description: Secondary color hex code + default: null + signInPageTouchPointVariant: + $ref: '#/components/schemas/SignInPageTouchPointVariant' + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - primaryColorHex + - secondaryColorHex + - signInPageTouchPointVariant + - endUserDashboardTouchPointVariant + - errorPageTouchPointVariant + - emailTemplateTouchPointVariant + ImageUploadResponse: + type: object + properties: + url: + readOnly: true + type: string + WellKnownURIsRoot: + type: object + properties: + _embedded: + type: object + properties: + apple-app-site-association: + type: object + description: Contains the customized well-known URI content and links + properties: + customized: + $ref: '#/components/schemas/WellKnownURIObjectResponse' + assetlinks.json: + type: object + description: Contains the customized well-known URI content and links + properties: + customized: + $ref: '#/components/schemas/WellKnownURIArrayResponse' + webauthn: + type: object + description: Contains the customized well-known URI content and links + properties: + customized: + $ref: '#/components/schemas/WellKnownURIObjectResponse' + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + apple-app-site-association: + $ref: '#/components/schemas/HrefObject' + assetlinks.json: + $ref: '#/components/schemas/HrefObject' + webauthn: + $ref: '#/components/schemas/HrefObject' + type: object + WellKnownURIObjectResponse: + type: object + properties: + representation: + type: object + description: The well-known URI content in JSON format + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + self: + $ref: '#/components/schemas/HrefObject' + type: object + WellKnownURIRequest: + type: object + properties: + representation: + type: object + description: The well-known URI 
content in JSON object format + required: + - representation + DomainResponse: + description: The properties that define an individual domain. + type: object + properties: + brandId: + description: The ID number of the brand + type: string + example: bndul904tTZ6kWVhP0g3 + certificateSourceType: + $ref: '#/components/schemas/DomainCertificateSourceType' + dnsRecords: + type: array + items: + $ref: '#/components/schemas/DNSRecord' + domain: + description: Custom domain name + type: string + example: login.example.com + id: + description: Unique ID of the domain + type: string + example: OcDz6iRyjkaCTXkdo0g3 + publicCertificate: + $ref: '#/components/schemas/DomainCertificateMetadata' + validationStatus: + $ref: '#/components/schemas/DomainValidationStatus' + _links: + $ref: '#/components/schemas/DomainLinks' + EmailDomainResponse: + allOf: + - $ref: '#/components/schemas/BaseEmailDomain' + type: object + properties: + dnsValidationRecords: + type: array + items: + $ref: '#/components/schemas/EmailDomainDNSRecord' + domain: + type: string + id: + type: string + validationStatus: + $ref: '#/components/schemas/EmailDomainStatus' + validationSubdomain: + type: string + description: The subdomain for the email sender's custom mail domain + default: mail + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + DefaultApp: + type: object + properties: + appInstanceId: + type: string + description: ID for the App instance + appLinkName: + type: string + description: Name for the app instance + classicApplicationUri: + type: string + description: Application URI for classic Orgs + Language: + description: >- + The language specified as an [IETF BCP 47 language + tag](https://datatracker.ietf.org/doc/html/rfc5646) + type: string + ErrorCause: + type: object + properties: + errorSummary: + type: string + CustomizablePage: + type: object + properties: + pageContent: + type: string + description: The HTML for the page + ContentSecurityPolicySetting: + type: object + properties: + mode: + type: string + enum: + - enforced + - report_only + reportUri: + type: string + srcList: + type: array + items: + type: string + WidgetGeneration: + description: The generation of the Sign-in Widget + type: string + enum: + - G2 + - G3 + PostAuthKeepMeSignedInPrompt: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + type: object + properties: + acceptButtonText: + type: string + description: The label on the accept button when prompting for Stay signed in + rejectButtonText: + type: string + description: The label on the reject button when prompting for Stay signed in + 
subtitle: + type: string + description: The subtitle on the Sign-In Widget when prompting for Stay signed in + title: + type: string + description: The title on the Sign-In Widget when prompting for Stay signed in + Version: + description: The version specified as a [Semantic Version](https://semver.org/). + type: string + pattern: >- + ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ + HostedPageType: + type: string + enum: + - EXTERNALLY_HOSTED + - OKTA_DEFAULT + EmailContent: + type: object + properties: + body: + type: string + description: > + The HTML body of the email. May contain [variable + references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + + + Not required if Custom + languages for Okta Email Templates is enabled. A `null` body is + replaced with a default value from one of the following in priority + order: + + + 1. An existing default email customization, if one exists + + 2. Okta-provided translated content for the specified language, if + one exists + + 3. Okta-provided translated content for the brand locale, if it's + set + + 4. Okta-provided content in English + subject: + type: string + description: > + The email subject. May contain [variable + references](https://velocity.apache.org/engine/1.7/user-guide.html#references). + + + Not required if Custom + languages for Okta Email Templates is enabled. A `null` subject is + replaced with a default value from one of the following in priority + order: + + + 1. An existing default email customization, if one exists + + 2. Okta-provided translated content for the specified language, if + one exists + + 3. Okta-provided translated content for the brand locale, if it's + set + + 4. Okta-provided content in English + required: + - subject + - body + EmailTemplateTouchPointVariant: + description: > + Variant for email templates. 
You can publish a theme for email templates + with different combinations of assets. Variants are preset combinations + of those assets. + default: OKTA_DEFAULT + type: string + enum: + - FULL_THEME + - OKTA_DEFAULT + x-enumDescriptions: + FULL_THEME: Uses the Okta logo and Okta colors in email templates + OKTA_DEFAULT: >- + Uses the logo from the theme. Uses `primaryColorHex` as the background + color for buttons. + EndUserDashboardTouchPointVariant: + description: > + Variant for the Okta End-User Dashboard. You can publish a theme for + end-user dashboard with different combinations of assets. Variants are + preset combinations of those assets. + default: OKTA_DEFAULT + type: string + enum: + - FULL_THEME + - LOGO_ON_FULL_WHITE_BACKGROUND + - OKTA_DEFAULT + - WHITE_LOGO_BACKGROUND + x-enumDescriptions: + FULL_THEME: >- + Uses the logo and favicon from the theme. Uses `primaryColorHex` for + the logo and the side navigation bar background color. + LOGO_ON_FULL_WHITE_BACKGROUND: >- + Uses the logo and favicon from the theme. Uses white background color + for the logo and the side navigation bar background color. + OKTA_DEFAULT: >- + Uses the Okta logo and favicon. Uses a white background color for the + logo and the side navigation bar background color. + WHITE_LOGO_BACKGROUND: >- + Uses the logo and favicon from the theme, with a white background + color for the logo. Uses `primaryColorHex` for the side navigation bar + background color. + ErrorPageTouchPointVariant: + description: > + Variant for the error page. You can publish a theme for error page with + different combinations of assets. Variants are preset combinations of + those assets. + default: OKTA_DEFAULT + type: string + enum: + - BACKGROUND_IMAGE + - BACKGROUND_SECONDARY_COLOR + - OKTA_DEFAULT + x-enumDescriptions: + BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the theme + BACKGROUND_SECONDARY_COLOR: >- + Uses the logo and favicon from the theme. 
Uses `secondaryColorHex` as + the background color for the error page. + OKTA_DEFAULT: Uses the Okta logo, favicon, and background color + LoadingPageTouchPointVariant: + description: > + Variant for the Okta loading page. You can publish a theme for Okta + loading page with different combinations of assets. Variants are preset + combinations of those assets. + default: OKTA_DEFAULT + type: string + enum: + - NONE + - OKTA_DEFAULT + x-enumDescriptions: + NONE: Uses no loading page animation during the redirect + OKTA_DEFAULT: Uses the default Okta loading page animation during the redirect + SignInPageTouchPointVariant: + description: > + Variant for the Okta sign-in page. You can publish a theme for sign-in + page with different combinations of assets. Variants are preset + combinations of those assets. + + > **Note:** For a non-`OKTA_DEFAULT` variant, `primaryColorHex` is used + for button background color and `primaryColorContrastHex` is used to + optimize the opacity for button text. + type: string + enum: + - BACKGROUND_IMAGE + - BACKGROUND_SECONDARY_COLOR + - OKTA_DEFAULT + x-enumDescriptions: + BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the theme + BACKGROUND_SECONDARY_COLOR: >- + Uses the logo and favicon from the theme. Uses `secondaryColorHex` as + the background color for the Okta sign-in page. + OKTA_DEFAULT: >- + Uses the Okta logo and favicon with no background image. Uses the Okta + colors on the Okta sign-in page. + WellKnownURIArrayResponse: + type: object + properties: + representation: + type: array + description: The well-known URI content in a JSON array of objects format + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + self: + $ref: '#/components/schemas/HrefObject' + type: object + DomainCertificateSourceType: + description: >- + Certificate source type that indicates whether the certificate is + provided by the user or Okta. 
+ type: string + enum: + - MANUAL + - OKTA_MANAGED + DNSRecord: + description: DNS TXT and CNAME records to be registered for the Domain + type: object + properties: + expiration: + description: DNS TXT record expiration + type: string + fqdn: + description: DNS record name + type: string + example: _oktaverification.login.example.com + recordType: + $ref: '#/components/schemas/DNSRecordType' + values: + description: DNS record value + type: array + items: + type: string + example: + - 79496f234c814638b1cc44f51a782781 + DomainCertificateMetadata: + description: Certificate metadata for the domain + type: object + properties: + expiration: + description: Certificate expiration + type: string + example: '2021-05-11T05:13:05.000Z' + fingerprint: + description: Certificate fingerprint + type: string + example: >- + 73:68:82:7B:83:2E:48:29:A5:5E:E8:40:41:80:B3:AA:03:C4:42:43:05:73:45:BC:AA:47:00:23:A3:70:E5:C4 + subject: + description: Certificate subject + type: string + example: CN=login.example.com + DomainValidationStatus: + description: Status of the domain + example: VERIFIED + type: string + enum: + - COMPLETED + - IN_PROGRESS + - NOT_STARTED + - VERIFIED + DomainLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + brand: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The associated brand + certificate: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The certificate link references the domain certificate + verify: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + The verify link verifies the domain and transitions the + domain status to `VERIFIED` + BaseEmailDomain: + type: object + properties: + displayName: + type: string + userName: + type: string + required: + - displayName + - userName + EmailDomainDNSRecord: + type: object + properties: + fqdn: + type: string + recordType: + $ref: '#/components/schemas/EmailDomainDNSRecordType' + verificationValue: + 
type: string + EmailDomainStatus: + type: string + enum: + - DELETED + - ERROR + - NOT_STARTED + - POLLING + - VERIFIED + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + DNSRecordType: + example: TXT + type: string + enum: + - CNAME + - TXT + EmailDomainDNSRecordType: + type: string + enum: + - CNAME + - TXT + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + queryExpandBrand: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - themes + - domains + - emailDomain + description: Specifies additional metadata to be included in the response + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. 
It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + queryFilter: + name: q + in: query + description: Searches the records for matching value + schema: + type: string + pathBrandId: + name: brandId + in: path + required: true + schema: + type: string + description: The ID of the brand + queryExpandPageRoot: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - default + - customized + - customizedUrl + - preview + - previewUrl + description: Specifies additional metadata to be included in the response + queryExpandEmailTemplate: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - settings + - customizationCount + description: Specifies additional metadata to be included in the response + pathTemplateName: + name: templateName + in: path + required: true + schema: + type: string + description: The name of the email template + pathCustomizationId: + name: customizationId + in: path + required: true + schema: + type: string + description: The ID of the email customization + queryLanguage: + name: language + schema: + $ref: '#/components/schemas/Language' + in: query + description: >- + The language to use for the email. Defaults to the current user's + language if unspecified. 
+ pathThemeId: + name: themeId + in: path + required: true + schema: + type: string + description: The ID of the theme + queryExpandWellKnownUris: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - all + - apple-app-site-association + - assetlinks.json + - webauthn + description: Specifies additional metadata to include in the response + pathWellKnownUriPath: + name: path + in: path + required: true + schema: + type: string + enum: + - apple-app-site-association + - assetlinks.json + - webauthn + description: The path of the well-known URI + queryExpandWellKnownUri: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - customized + description: Specifies additional metadata to include in the response + examples: + ListBrandsResponse: + value: + - id: bnd114iNkrcN6aR680g4 + name: Okta Default + isDefault: true + agreeToCustomPrivacyPolicy: false + removePoweredByOkta: false + customPrivacyPolicyUrl: null + locale: en + emailDomainId: OeD114iNkrcN6aR680g4 + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: >- + https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + emailDomain: + href: >- + https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + CreateBrandRequest: + value: + name: My Awesome Brand + CreateBrandResponse: + value: + id: bnd114iNkrcN6aR680g5 + removePoweredByOkta: false + customPrivacyPolicyUrl: null, + agreeToCustomPrivacyPolicy: false, + name: My Awesome Brand + locale: en + defaultApp: + appInstanceId: null + appLinkName: null + classicApplicationUri: null + isDefault: false + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5/themes + hints: + allow: + - GET + ErrorCreateBrandExists: + value: + errorCode: E0000202 + errorSummary: Brand name already exists. + errorLink: E0000202 + errorId: oaeKABuesTdRvCXeCTpSpXAcQ + errorCauses: [] + GetBrandResponse: + value: + id: bnd114iNkrcN6aR680g4 + agreeToCustomPrivacyPolicy: false + removePoweredByOkta: false + customPrivacyPolicyUrl: null + name: Okta Default + isDefault: true + locale: en + emailDomainId: OeD114iNkrcN6aR680g4 + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + emailDomain: + href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + UpdateBrandRequest: + value: + customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy + agreeToCustomPrivacyPolicy: true + removePoweredByOkta: true + name: New Name For Brand + emailDomainId: OeD114iNkrcN6aR680g4 + locale: en + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + UpdateBrandResponse: + value: + id: bnd114iNkrcN6aR680g4 + removePoweredByOkta: true + agreeToCustomPrivacyPolicy: true + name: New Name For Brand + isDefault: true + customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy + emailDomainId: OeD114iNkrcN6aR680g4 + defaultApp: + appInstanceId: 0oa114iNkrcN6aR680g4 + appLinkName: null + classicApplicationUri: null + locale: en + _links: + self: + href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + - DELETE + themes: + href: 
https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes + hints: + allow: + - GET + emailDomain: + href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 + hints: + allow: + - GET + - PUT + ErrorDeleteDefaultBrand: + value: + errorCode: E0000200 + errorSummary: A default brand cannot be deleted + errorLink: E0000200 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ErrorDeleteBrandAssociatedWithDomain: + value: + errorCode: E0000201 + errorSummary: A brand associated with a domain cannot be deleted + errorLink: E0000201 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + ListEmailTemplateResponse: + value: + - name: UserActivation + _embedded: + customizationCount: 0 + settings: + recipients: ALL_USERS + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + template: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + settings: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + defaultContent: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + customizations: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + hints: + allow: + - GET + - POST + - DELETE + test: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + GetEmailTemplateResponse: + value: + name: UserActivation + _embedded: + customizationCount: 0 + settings: + recipients: ALL_USERS + _links: + self: + href: >- + 
https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + template: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + settings: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + defaultContent: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + customizations: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations + hints: + allow: + - GET + - POST + - DELETE + test: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + ListEmailCustomizationResponse: + value: + - language: en + isDefault: true + subject: Welcome to ${org.name}! + body: >- +

Hello, ${user.profile.firstName}. + Click here to activate your + account. + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + CreateUpdateEmailCustomizationRequest: + value: + language: fr + subject: Bienvenue dans ${org.name}! + body: >- +

Bonjour ${user.profile.firstName}. Activer le compte

+ isDefault: false + CreateUpdateEmailCustomizationResponse: + value: + language: fr + subject: Bienvenue dans ${org.name}! + body: >- +

Bonjour ${user.profile.firstName}. Activer le compte

+ isDefault: false + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + ErrorEmailCustomizationDefaultAlreadyExists: + value: + errorCode: E0000182 + errorSummary: A default email template customization already exists. + errorLink: E0000182 + errorId: oaeXYwTiMvASsC3O4HCzjFaCA + errorCauses: [] + ErrorEmailCustomizationLanguageAlreadyExists: + value: + errorCode: E0000183 + errorSummary: An email template customization for that language already exists. + errorLink: E0000183 + errorId: oaeUcGELffqRay0u1OPdnPypw + errorCauses: [] + EmailCustomizationResponse: + value: + language: en + isDefault: true + subject: Welcome to ${org.name}! + body: >- +

Hello, ${user.profile.firstName}. Click + here to activate your + account. + id: oel11u6DqUiMbQkpl0g4 + created: '2021-11-09T20:38:10.000Z' + lastUpdated: '2021-11-11T20:38:10.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 + hints: + allow: + - GET + - PUT + - DELETE + template: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview + hints: + allow: + - GET + test: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + ErrorEmailCustomizationCannotClearDefault: + value: + errorCode: E0000185 + errorSummary: >- + The isDefault parameter of the default email template customization + can't be set to false. + errorLink: E0000185 + errorId: oaejrB1fWL1S7mc-2KcG-SOtw + errorCauses: [] + ErrorEmailCustomizationCannotDeleteDefault: + value: + errorCode: E0000184 + errorSummary: A default email template customization can't be deleted. + errorLink: E0000184 + errorId: oaeAdRqprFuTyKokyYPbURJkA + errorCauses: [] + PreviewEmailCustomizationResponse: + value: + subject: Welcome to Okta! + body: >- +

Hello, John. Click here to activate your + account. + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview + hints: + allow: + - GET + template: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + test: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test + hints: + allow: + - POST + EmailTemplateDefaultContentResponse: + value: + subject: Welcome to ${org.name}! + body: >- +

Hello, ${user.profile.firstName}. Click + here to activate your + account. + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content + hints: + allow: + - GET + template: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + preview: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + hints: + allow: + - GET + PreviewEmailTemplateDefaultContentResponse: + value: + subject: Welcome to Okta! + body: >- +

Hello, John. Click here to activate your + account. + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview + hints: + allow: + - GET + template: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + defaultContent: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test/default-content + hints: + allow: + - POST + EmailSettingsResponse: + value: + recipients: ALL_USERS + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings + hints: + allow: + - GET + - PUT + template: + href: >- + https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation + hints: + allow: + - GET + ErrorEmailSettingsRaceCondition: + value: + errorCode: E0000254 + errorSummary: >- + Another request has already been received for the settings for this + email template. Please try again later. + errorLink: E0000254 + errorId: oaeUcGELffqRay0u1OPdnPypw + errorCauses: [] + ErrorInvalidEmailTemplateRecipients: + value: + errorCode: E0000189 + errorSummary: This template does not support the recipients value. 
+ errorLink: E0000189 + errorId: oae8L1-UkcNTeGi5xVQ28_lww + errorCauses: [] + ListThemesResponse: + value: + - id: thdul904tTZ6kWVhP0g3 + logo: >- + https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png + favicon: https://{yourOktaDomain}/favicon.ico + backgroundImage: null + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + GetThemeResponse: + value: + id: thdul904tTZ6kWVhP0g3 + logo: >- + https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png + favicon: https://{yourOktaDomain}/favicon.ico + backgroundImage: null + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + UpdateThemeRequest: + value: + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + UpdateThemeResponse: + value: + id: thdul904tTZ6kWVhP0g3 + logo: >- + https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png + favicon: https://{yourOktaDomain}/favicon.ico + backgroundImage: null + primaryColorHex: '#1662dd' + primaryColorContrastHex: '#000000' + secondaryColorHex: '#ebebed' + 
secondaryColorContrastHex: '#000000' + signInPageTouchPointVariant: OKTA_DEFAULT + endUserDashboardTouchPointVariant: OKTA_DEFAULT + errorPageTouchPointVariant: OKTA_DEFAULT + emailTemplateTouchPointVariant: OKTA_DEFAULT + loadingPageTouchPointVariant: OKTA_DEFAULT + WellKnownURIsRootResponse: + value: + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris + hints: + allow: + - GET + apple-app-site-association: + href: >- + https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/apple-app-site-association + hints: + allow: + - GET + - PUT + assetlinks.json: + href: >- + https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/assetlinks.json + hints: + allow: + - GET + - PUT + webauthn: + href: >- + https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/webauthn + hints: + allow: + - GET + - PUT + _embedded: + apple-app-site-association: + customized: + representation: + authsrv: + apps: + - B7F62B65BN.com.okta.mobile + - B7F62B65BN.com.okta.mobile.auth-service-extension + - B7F62B65BN.com.okta.authenticator.beta + - >- + B7F62B65BN.com.okta.authenticator.beta.auth-service-extension + - 7WXXBW6Z2Y.com.okta.mobile.internalrelease + - >- + 7WXXBW6Z2Y.com.okta.mobile.internalrelease.auth-service-extension + key1: value1 + key2: value2 + key3: + key3.1: value3.1 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/apple-app-site-association/customized + hints: + allow: + - GET + - PUT + assetlinks.json: + customized: + representation: + - key1: value1 + key2: value2 + key3: + key3.1: value3.1 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/assetlinks.json/customized + hints: + allow: + - GET + - PUT + webauthn: + customized: + representation: + origins: + - https://example1.com + _links: + self: + href: >- + 
https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/webauthn/customized + hints: + allow: + - GET + - PUT + WellKnownURIRootResponse: + value: + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/apple-app-site-association + hints: + allow: + - GET + customized: + href: >- + https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/apple-app-site-association/customized + hints: + allow: + - GET + - PUT + ErrorInvalidWellKnownPath: + summary: Invalid path + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: request' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: + - errorSummary: >- + The specified path is not supported. Valid values: + [apple-app-site-association, assetlinks.json, webauthn]. + WellKnownURIResponse: + value: + representation: + key1: value1 + key2: value2 + key3: + key3.1: value3.1 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/apple-app-site-association/customized + hints: + allow: + - GET + - PUT + UpdateWellKnownURIRequest: + value: + representation: + key1: value1 + key2: value2 + key3: + key3.1: value3.1 + InvalidWellKnownAppleAppSiteRepresentationError: + summary: apple-app-site-association representation contains authsrv + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: representation' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: + - errorSummary: Content must not include any `authsrv` customization. + InvalidWellKnownWebauthnRepresentationError: + summary: webauthn representation doesn't contain origins + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: representation' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: + - errorSummary: Content must only contain `origins`. 
+ InvalidWellKnownWebauthnRepresentationOriginStringError: + summary: webauthn representation - `origins` must be array of strings + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: representation' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: + - errorSummary: The `origins` must be an array of strings. + InvalidWellKnownJsonTypeError: + summary: Invalid content type for apple-app-site-association and webauthn + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: representation' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: + - errorSummary: Content must be a JSON object. + InvalidWellKnownArrayTypeError: + summary: Invalid content type for assetlinks.json + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: representation' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: + - errorSummary: Content must be a JSON array of objects. + CannotUpdateWellKnownUriForDefaultBrandError: + summary: Cannot update well-known URI for default brand + value: + errorCode: E0000257 + errorSummary: 'Api validation failed: request' + errorLink: E0000257 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: + - errorSummary: Cannot update the content for the default brand. + WellKnownRepresentationSizeLimitExceededError: + summary: Size limit exceeded + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: request' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: + - errorSummary: Content must be less than 100KB. + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + brands: + id: okta.brands.brands + name: brands + title: Brands + methods: + list_brands: + operation: + $ref: '#/paths/~1api~1v1~1brands/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_brand: + operation: + $ref: '#/paths/~1api~1v1~1brands/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_brand: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_brand: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_brand: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/brands/methods/list_brands' + - $ref: '#/components/x-stackQL-resources/brands/methods/get_brand' + insert: + - $ref: '#/components/x-stackQL-resources/brands/methods/create_brand' + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/brands/methods/delete_brand' + replace: + - $ref: '#/components/x-stackQL-resources/brands/methods/replace_brand' + domains: + id: okta.brands.domains + name: domains + title: Domains + methods: + list_brand_domains: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1domains/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + 
#/components/x-stackQL-resources/domains/methods/list_brand_domains + insert: [] + update: [] + delete: [] + replace: [] + error_page: + id: okta.brands.error_page + name: error_page + title: Error Page + methods: + get_error_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1error/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/error_page/methods/get_error_page' + insert: [] + update: [] + delete: [] + replace: [] + customized_error_page: + id: okta.brands.customized_error_page + name: customized_error_page + title: Customized Error Page + methods: + get_customized_error_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1error~1customized/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_customized_error_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1error~1customized/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_customized_error_page: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1pages~1error~1customized/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/customized_error_page/methods/get_customized_error_page + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/customized_error_page/methods/delete_customized_error_page + replace: + - $ref: >- + #/components/x-stackQL-resources/customized_error_page/methods/replace_customized_error_page + default_error_page: + id: okta.brands.default_error_page + name: default_error_page + title: Default Error Page + methods: + get_default_error_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1error~1default/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + 
#/components/x-stackQL-resources/default_error_page/methods/get_default_error_page + insert: [] + update: [] + delete: [] + replace: [] + preview_error_page: + id: okta.brands.preview_error_page + name: preview_error_page + title: Preview Error Page + methods: + get_preview_error_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1error~1preview/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_preview_error_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1error~1preview/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_preview_error_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1error~1preview/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/preview_error_page/methods/get_preview_error_page + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/preview_error_page/methods/delete_preview_error_page + replace: + - $ref: >- + #/components/x-stackQL-resources/preview_error_page/methods/replace_preview_error_page + sign_in_page: + id: okta.brands.sign_in_page + name: sign_in_page + title: Sign In Page + methods: + get_sign_in_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-in/get' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_customized_sign_in_page: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-in~1customized/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/sign_in_page/methods/get_sign_in_page + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/sign_in_page/methods/delete_customized_sign_in_page + replace: [] + customized_sign_in_page: + id: okta.brands.customized_sign_in_page + name: customized_sign_in_page + title: Customized Sign In 
Page + methods: + get_customized_sign_in_page: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-in~1customized/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_customized_sign_in_page: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-in~1customized/put + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/customized_sign_in_page/methods/get_customized_sign_in_page + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/customized_sign_in_page/methods/replace_customized_sign_in_page + default_sign_in_page: + id: okta.brands.default_sign_in_page + name: default_sign_in_page + title: Default Sign In Page + methods: + get_default_sign_in_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-in~1default/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/default_sign_in_page/methods/get_default_sign_in_page + insert: [] + update: [] + delete: [] + replace: [] + preview_sign_in_page: + id: okta.brands.preview_sign_in_page + name: preview_sign_in_page + title: Preview Sign In Page + methods: + get_preview_sign_in_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-in~1preview/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_preview_sign_in_page: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-in~1preview/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_preview_sign_in_page: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-in~1preview/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/preview_sign_in_page/methods/get_preview_sign_in_page + insert: 
[] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/preview_sign_in_page/methods/delete_preview_sign_in_page + replace: + - $ref: >- + #/components/x-stackQL-resources/preview_sign_in_page/methods/replace_preview_sign_in_page + sign_in_widget_versions: + id: okta.brands.sign_in_widget_versions + name: sign_in_widget_versions + title: Sign In Widget Versions + methods: + list_all_sign_in_widget_versions: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-in~1widget-versions/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/sign_in_widget_versions/methods/list_all_sign_in_widget_versions + insert: [] + update: [] + delete: [] + replace: [] + sign_out_page_settings: + id: okta.brands.sign_out_page_settings + name: sign_out_page_settings + title: Sign Out Page Settings + methods: + get_sign_out_page_settings: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-out~1customized/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_sign_out_page_settings: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1pages~1sign-out~1customized/put + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/sign_out_page_settings/methods/get_sign_out_page_settings + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/sign_out_page_settings/methods/replace_sign_out_page_settings + email_templates: + id: okta.brands.email_templates + name: email_templates + title: Email Templates + methods: + list_email_templates: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1templates~1email/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_email_template: + operation: + $ref: >- + 
#/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}/get + response: + mediaType: application/json + openAPIDocKey: '200' + send_test_email: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1test/post + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/email_templates/methods/list_email_templates + - $ref: >- + #/components/x-stackQL-resources/email_templates/methods/get_email_template + insert: [] + update: [] + delete: [] + replace: [] + email_template_customizations: + id: okta.brands.email_template_customizations + name: email_template_customizations + title: Email Template Customizations + methods: + list_email_customizations: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1customizations/get + response: + mediaType: application/json + openAPIDocKey: '200' + create_email_customization: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1customizations/post + response: + mediaType: application/json + openAPIDocKey: '201' + delete_all_customizations: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1customizations/delete + response: + mediaType: '' + openAPIDocKey: '204' + get_email_customization: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1customizations~1{customizationId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_email_customization: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1customizations~1{customizationId}/put + response: + mediaType: application/json + openAPIDocKey: '200' + delete_email_customization: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1customizations~1{customizationId}/delete 
+ response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/email_template_customizations/methods/list_email_customizations + - $ref: >- + #/components/x-stackQL-resources/email_template_customizations/methods/get_email_customization + insert: + - $ref: >- + #/components/x-stackQL-resources/email_template_customizations/methods/create_email_customization + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/email_template_customizations/methods/delete_all_customizations + - $ref: >- + #/components/x-stackQL-resources/email_template_customizations/methods/delete_email_customization + replace: + - $ref: >- + #/components/x-stackQL-resources/email_template_customizations/methods/replace_email_customization + customization_preview: + id: okta.brands.customization_preview + name: customization_preview + title: Customization Preview + methods: + get_customization_preview: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1customizations~1{customizationId}~1preview/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/customization_preview/methods/get_customization_preview + insert: [] + update: [] + delete: [] + replace: [] + email_default_content: + id: okta.brands.email_default_content + name: email_default_content + title: Email Default Content + methods: + get_email_default_content: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1default-content/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/email_default_content/methods/get_email_default_content + insert: [] + update: [] + delete: [] + replace: [] + email_default_preview: + id: okta.brands.email_default_preview + name: email_default_preview + title: Email Default Preview 
+ methods: + get_email_default_preview: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1default-content~1preview/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/email_default_preview/methods/get_email_default_preview + insert: [] + update: [] + delete: [] + replace: [] + email_settings: + id: okta.brands.email_settings + name: email_settings + title: Email Settings + methods: + get_email_settings: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1settings/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_email_settings: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1templates~1email~1{templateName}~1settings/put + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/email_settings/methods/get_email_settings + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/email_settings/methods/replace_email_settings + themes: + id: okta.brands.themes + name: themes + title: Themes + methods: + list_brand_themes: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1themes/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_brand_theme: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1themes~1{themeId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_brand_theme: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1themes~1{themeId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + upload_brand_theme_background_image: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1themes~1{themeId}~1background-image/post + response: + mediaType: application/json + openAPIDocKey: '201' + delete_brand_theme_background_image: + 
operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1themes~1{themeId}~1background-image/delete + response: + mediaType: '' + openAPIDocKey: '204' + upload_brand_theme_favicon: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1themes~1{themeId}~1favicon/post + response: + mediaType: application/json + openAPIDocKey: '201' + delete_brand_theme_favicon: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1themes~1{themeId}~1favicon/delete + response: + mediaType: '' + openAPIDocKey: '204' + upload_brand_theme_logo: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1themes~1{themeId}~1logo/post' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_brand_theme_logo: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1themes~1{themeId}~1logo/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/themes/methods/list_brand_themes' + - $ref: '#/components/x-stackQL-resources/themes/methods/get_brand_theme' + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/themes/methods/replace_brand_theme + well_known_uris: + id: okta.brands.well_known_uris + name: well_known_uris + title: Well Known Uris + methods: + get_all_well_known_uris: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1well-known-uris/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_root_brand_well_known_uri: + operation: + $ref: '#/paths/~1api~1v1~1brands~1{brandId}~1well-known-uris~1{path}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/well_known_uris/methods/get_all_well_known_uris + - $ref: >- + #/components/x-stackQL-resources/well_known_uris/methods/get_root_brand_well_known_uri + insert: [] + update: [] + delete: [] + replace: [] + brand_well_known_uris: + id: 
okta.brands.brand_well_known_uris + name: brand_well_known_uris + title: Brand Well Known Uris + methods: + get_brand_well_known_uri: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1well-known-uris~1{path}~1customized/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_brand_well_known_uri: + operation: + $ref: >- + #/paths/~1api~1v1~1brands~1{brandId}~1well-known-uris~1{path}~1customized/put + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/brand_well_known_uris/methods/get_brand_well_known_uri + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/brand_well_known_uris/methods/replace_brand_well_known_uri +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains.
diff --git a/providers/src/okta/v00.00.00000/services/captchas.yaml b/providers/src/okta/v00.00.00000/services/captchas.yaml
new file mode 100644
index 00000000..d796893a
--- /dev/null
+++ b/providers/src/okta/v00.00.00000/services/captchas.yaml
@@ -0,0 +1,596 @@
+openapi: 3.0.3 +info: + title: captchas API + description: okta captchas API + version: 5.1.0 +paths: + /api/v1/captchas: + get: + summary: List all CAPTCHA instances + description: >- + Lists all CAPTCHA instances with pagination support. A subset of CAPTCHA + instances can be returned that match a supported filter expression or + query. + operationId: listCaptchaInstances + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/CAPTCHAInstance' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.read + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a CAPTCHA instance + description: >- + Creates a new CAPTCHA instance. Currently, an org can only configure a + single CAPTCHA instance.
+ operationId: createCaptchaInstance + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + Error Limit of One CAPTCHA instance per org: + $ref: '#/components/examples/ErrorCAPTCHALimitOfOne' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.manage + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/captchas/{captchaId}: + get: + summary: Retrieve a CAPTCHA instance + description: Retrieves the properties of a specified CAPTCHA instance + operationId: getCaptchaInstance + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + 
- okta.captchas.read + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Update a CAPTCHA instance + description: Partially updates the properties of a specified CAPTCHA instance + operationId: updateCaptchaInstance + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.manage + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a CAPTCHA instance + description: Replaces the properties for a specified CAPTCHA instance + operationId: replaceCaptchaInstance + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CAPTCHAInstance' + examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/CAPTCHAInstance' + 
examples: + HCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' + ReCaptcha: + $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.manage + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a CAPTCHA instance + description: >- + Deletes a specified CAPTCHA instance + + > **Note:** If your CAPTCHA instance is still associated with your org, + the request fails. You must first update your Org-wide CAPTCHA settings + to remove the CAPTCHA instance. + operationId: deleteCaptchaInstance + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + Cannot remove CAPTCHA in use: + $ref: '#/components/examples/ErrorCAPTCHAOrgWideSetting' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.captchas.manage + tags: + - CAPTCHA + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathCaptchaId' +components: + schemas: + CAPTCHAInstance: + title: CAPTCHAInstance + description: '' + type: object + properties: + id: + description: The unique key for the CAPTCHA instance + type: string + readOnly: true + name: + description: The name of the CAPTCHA instance + type: string + secretKey: + description: >- + The 
secret key issued from the CAPTCHA provider to perform + server-side validation for a CAPTCHA token + type: string + writeOnly: true + siteKey: + description: >- + The site key issued from the CAPTCHA provider to render a CAPTCHA on + a page + type: string + type: + $ref: '#/components/schemas/CAPTCHAType' + _links: + $ref: '#/components/schemas/LinksSelf' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + CAPTCHAType: + description: The type of CAPTCHA provider + type: string + enum: + - HCAPTCHA + - RECAPTCHA_V2 + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: 
'#/components/examples/ErrorResourceNotFound' + parameters: + pathCaptchaId: + name: captchaId + in: path + schema: + type: string + required: true + description: The unique key used to identify your CAPTCHA instance + examples: + CAPTCHAInstanceRequestHCaptcha: + value: + name: myHCaptcha + secretKey: xxxxxxxxxxx + siteKey: xxxxxxxxxxx + type: HCAPTCHA + CAPTCHAInstanceRequestReCaptcha: + value: + name: myReCaptcha + secretKey: xxxxxxxxxxx + siteKey: yyyyyyyyyyyyyyy + type: RECAPTCHA_V2 + CAPTCHAInstanceResponseHCaptcha: + value: + id: abcd1234 + name: myHCaptcha + siteKey: xxxxxxxxxxx + type: HCAPTCHA + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234 + hints: + allow: + - GET + - POST + - PUT + - DELETE + CAPTCHAInstanceResponseReCaptcha: + value: + id: abcd4567 + name: myReCaptcha + siteKey: yyyyyyyyyyyyyyy + type: RECAPTCHA_V2 + _links: + self: + href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 + hints: + allow: + - GET + - POST + - PUT + - DELETE + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorCAPTCHALimitOfOne: + value: + errorCode: E0000165 + errorSummary: >- + CAPTCHA count limit reached. At most one CAPTCHA instance is allowed + per Org. + errorLink: E0000165 + errorId: oaejrB1fWL1S7mc-2KcG-SOtw + errorCauses: [] + ErrorCAPTCHAOrgWideSetting: + value: + errorCode: E0000149 + errorSummary: >- + Current CAPTCHA is associated with org-wide settings, cannot be + removed. + errorLink: E0000149 + errorId: samplezsusshPdiTWiITwqBt8 + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + captcha_instances: + id: okta.captchas.captcha_instances + name: captcha_instances + title: Captcha Instances + methods: + list_captcha_instances: + operation: + $ref: '#/paths/~1api~1v1~1captchas/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_captcha_instance: + operation: + $ref: '#/paths/~1api~1v1~1captchas/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_captcha_instance: + operation: + $ref: '#/paths/~1api~1v1~1captchas~1{captchaId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_captcha_instance: + operation: + $ref: '#/paths/~1api~1v1~1captchas~1{captchaId}/post' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_captcha_instance: + operation: + $ref: '#/paths/~1api~1v1~1captchas~1{captchaId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_captcha_instance: + operation: + $ref: '#/paths/~1api~1v1~1captchas~1{captchaId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/captcha_instances/methods/list_captcha_instances + - $ref: >- + #/components/x-stackQL-resources/captcha_instances/methods/get_captcha_instance + insert: + - $ref: >- + #/components/x-stackQL-resources/captcha_instances/methods/create_captcha_instance + update: + - $ref: >- + #/components/x-stackQL-resources/captcha_instances/methods/update_captcha_instance + delete: + - 
$ref: >- + #/components/x-stackQL-resources/captcha_instances/methods/delete_captcha_instance + replace: + - $ref: >- + #/components/x-stackQL-resources/captcha_instances/methods/replace_captcha_instance +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/device_access.yaml b/providers/src/okta/v00.00.00000/services/device_access.yaml new file mode 100644 index 00000000..c041ca9c --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/device_access.yaml 
@@ -0,0 +1,326 @@ +openapi: 3.0.3 +info: + title: device_access API + description: okta device_access API + version: 5.1.0 +paths: + /device-access/api/v1/desktop-mfa/enforce-number-matching-challenge-settings: + get: + summary: Retrieve the Desktop MFA Enforce Number Matching Challenge org setting + description: >- + Retrieves the status of the Desktop MFA Enforce Number Matching + Challenge push notifications feature. That is, whether or not the + feature is enabled for your org. + operationId: getDesktopMFAEnforceNumberMatchingChallengeOrgSetting + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: >- + #/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Desktop MFA Enforce Number Matching Challenge org setting + description: >- + Replaces the status of the Desktop MFA Enforce Number Matching Challenge + push notifications feature. That is, whether or not the feature is + enabled for your org. 
+ operationId: replaceDesktopMFAEnforceNumberMatchingChallengeOrgSetting + x-codegen-request-body-name: DesktopMFAEnforceNumberMatchingChallengeOrgSetting + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: >- + #/components/schemas/DesktopMFAEnforceNumberMatchingChallengeOrgSetting + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /device-access/api/v1/desktop-mfa/recovery-pin-settings: + get: + summary: Retrieve the Desktop MFA Recovery PIN org setting + description: >- + Retrieves the status of the Desktop MFA Recovery PIN feature. That is, + whether or not the feature is enabled for your org. 
+ operationId: getDesktopMFARecoveryPinOrgSetting + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.read + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace the Desktop MFA Recovery PIN org setting + description: Replaces the Desktop MFA Recovery PIN feature for your org + operationId: replaceDesktopMFARecoveryPinOrgSetting + x-codegen-request-body-name: DesktopMFARecoveryPinOrgSetting + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DesktopMFARecoveryPinOrgSetting' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - DeviceAccess + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine +components: + schemas: + DesktopMFAEnforceNumberMatchingChallengeOrgSetting: + type: object + properties: + desktopMFAEnforceNumberMatchingChallengeEnabled: + type: boolean + description: >- + Indicates whether or not the Desktop MFA Enforce Number Matching + Challenge push notifications feature is enabled + default: false + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: 
'#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + DesktopMFARecoveryPinOrgSetting: + type: object + properties: + desktopMFARecoveryPinEnabled: + type: boolean + description: >- + Indicates whether or not the Desktop MFA Recovery PIN feature is + enabled + default: false + ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + examples: + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + x-stackQL-resources: + mfa_challenge_org_setting: + id: okta.device_access.mfa_challenge_org_setting + name: mfa_challenge_org_setting + title: Mfa Challenge Org Setting + methods: + get_desktop_mfaenforce_number_matching_challenge_org_setting: + operation: + $ref: >- + #/paths/~1device-access~1api~1v1~1desktop-mfa~1enforce-number-matching-challenge-settings/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_desktop_mfaenforce_number_matching_challenge_org_setting: + operation: + $ref: >- + #/paths/~1device-access~1api~1v1~1desktop-mfa~1enforce-number-matching-challenge-settings/put + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/mfa_challenge_org_setting/methods/get_desktop_mfaenforce_number_matching_challenge_org_setting + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/mfa_challenge_org_setting/methods/replace_desktop_mfaenforce_number_matching_challenge_org_setting + mfa_recovery_pin_setting: + id: okta.device_access.mfa_recovery_pin_setting + name: mfa_recovery_pin_setting + title: Mfa Recovery Pin Setting + methods: + get_desktop_mfarecovery_pin_org_setting: + operation: + $ref: >- + #/paths/~1device-access~1api~1v1~1desktop-mfa~1recovery-pin-settings/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_desktop_mfarecovery_pin_org_setting: + operation: + $ref: >- + #/paths/~1device-access~1api~1v1~1desktop-mfa~1recovery-pin-settings/put + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + 
#/components/x-stackQL-resources/mfa_recovery_pin_setting/methods/get_desktop_mfarecovery_pin_org_setting + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/mfa_recovery_pin_setting/methods/replace_desktop_mfarecovery_pin_org_setting +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/device_assurances.yaml b/providers/src/okta/v00.00.00000/services/device_assurances.yaml new file mode 100644 index 00000000..aced4ba1 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/device_assurances.yaml 
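Review bot: Every operation in the new `device_access.yaml` lists `apiToken` and `oauth2` under `security`, but the file's `components` block declares only `schemas`, `responses`, `examples` and `x-stackQL-resources`, with no `securitySchemes`. The two requirement names therefore resolve to nothing, and a strict OpenAPI 3.0 validator will flag them. This matters most for the two `put` operations, which require `okta.orgs.manage` and change the Desktop MFA number-matching challenge and recovery PIN settings for the whole org, because a reader or generated client cannot tell from this file which credential type or scopes are expected. If stackql takes authentication only from provider.yaml (outside this hunk), a comment saying so would be enough; otherwise declare both schemes as sketched below, after checking the flow URLs and scope descriptions against the upstream Okta spec. The captchas and device_assurances sections are only partly visible here and may need the same addition.

```yaml
components:
  # … unchanged: schemas, responses, examples, x-stackQL-resources …
  securitySchemes:
    apiToken:
      type: apiKey
      in: header
      name: Authorization
      description: Okta API token sent in the Authorization header
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          # reviewer sketch: confirm both URLs against the upstream spec
          authorizationUrl: /oauth2/v1/authorize
          tokenUrl: /oauth2/v1/token
          scopes:
            # descriptions are reviewer wording, not taken from the page
            okta.orgs.read: Read org-level settings
            okta.orgs.manage: Change org-level settings
```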
@@ -0,0 +1,2503 @@ +openapi: 3.0.3 +info: + title: device_assurances API + description: okta device_assurances API + version: 5.1.0 +paths: + /api/v1/device-assurances: + get: + summary: List all device assurance policies + description: Lists all device assurance policies + operationId: listDeviceAssurancePolicies + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/DeviceAssurance' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.deviceAssurance.read + tags: + - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a device assurance policy + description: Creates a new device assurance policy + operationId: createDeviceAssurancePolicy + x-codegen-request-body-name: deviceAssurance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DeviceAssurance' + examples: + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidRequest' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosRequest' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSRequest' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsRequest' + ChromeOSWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest + ChromeOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersRequest + MacOSWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest + MacOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + 
#/components/examples/DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersRequest + WindowsWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersRequest + WindowsWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersRequest + AndroidWithAndroidDeviceTrustThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersRequest + AndroidWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersRequest + iOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceIosWithDevicePostureIdPSignalProvidersRequest + AndroidWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest + iOSWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest + MacOSWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest + WindowsWithDynamicVersionRequirements: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest + AndroidWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithGracePeriodRequest + iOSWithGracePeriod: + $ref: 
'#/components/examples/DeviceAssuranceIosWithGracePeriodRequest' + MacOSWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithGracePeriodRequest + WindowsWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithGracePeriodRequest + ChromeOSWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithGracePeriodRequest + MacOSWithDevicePostureChecks: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDevicePostureChecksRequest + WindowsWithDevicePostureChecks: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDevicePostureChecksRequest + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DeviceAssurance' + examples: + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidResponse' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosResponse' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSResponse' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsResponse' + ChromeOSWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse + ChromeOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersResponse + MacOSWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse + MacOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersResponse + WindowsWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersResponse + WindowsWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + 
#/components/examples/DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersResponse + AndroidWithAndroidDeviceTrustThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersResponse + AndroidWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersResponse + iOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceIosWithDevicePostureIdPSignalProvidersResponse + AndroidWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse + iOSWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse + MacOSWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse + WindowsWithDynamicVersionRequirements: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse + AndroidWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithGracePeriodResponse + iOSWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceIosWithGracePeriodResponse + MacOSWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithGracePeriodResponse + WindowsWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithGracePeriodResponse + ChromeOSWithGracePeriod: + $ref: >- + 
#/components/examples/DeviceAssuranceChromeOSWithGracePeriodResponse + MacOSWithDevicePostureChecks: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDevicePostureChecksResponse + WindowsWithDevicePostureChecks: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDevicePostureChecksResponse + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.deviceAssurance.manage + tags: + - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/device-assurances/{deviceAssuranceId}: + get: + summary: Retrieve a device assurance policy + description: Retrieves a device assurance policy by `deviceAssuranceId` + operationId: getDeviceAssurancePolicy + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DeviceAssurance' + examples: + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidResponse' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosResponse' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSResponse' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsResponse' + ChromeOSWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse + ChromeOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersResponse + MacOSWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse + MacOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + 
#/components/examples/DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersResponse + WindowsWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersResponse + WindowsWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersResponse + AndroidWithAndroidDeviceTrustThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersResponse + AndroidWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersResponse + iOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceIosWithDevicePostureIdPSignalProvidersResponse + AndroidWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse + iOSWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse + MacOSWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse + WindowsWithDynamicVersionRequirements: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse + AndroidWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithGracePeriodResponse + iOSWithGracePeriod: + $ref: >- + 
#/components/examples/DeviceAssuranceIosWithGracePeriodResponse + MacOSWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithGracePeriodResponse + WindowsWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithGracePeriodResponse + ChromeOSWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithGracePeriodResponse + MacOSWithDevicePostureChecks: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDevicePostureChecksResponse + WindowsWithDevicePostureChecks: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDevicePostureChecksResponse + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.deviceAssurance.read + tags: + - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a device assurance policy + description: Replaces a device assurance policy by `deviceAssuranceId` + operationId: replaceDeviceAssurancePolicy + x-codegen-request-body-name: deviceAssurance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DeviceAssurance' + examples: + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidRequest' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosRequest' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSRequest' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsRequest' + ChromeOSWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest + ChromeOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersRequest + 
MacOSWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest + MacOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersRequest + WindowsWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersRequest + WindowsWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersRequest + AndroidWithAndroidDeviceTrustThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersRequest + AndroidWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersRequest + iOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceIosWithDevicePostureIdPSignalProvidersRequest + AndroidWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest + iOSWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest + MacOSWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest + WindowsWithDynamicVersionRequirements: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: >- + 
#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest + AndroidWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithGracePeriodRequest + iOSWithGracePeriod: + $ref: '#/components/examples/DeviceAssuranceIosWithGracePeriodRequest' + MacOSWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithGracePeriodRequest + WindowsWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithGracePeriodRequest + ChromeOSWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithGracePeriodRequest + MacOSWithDevicePostureChecks: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDevicePostureChecksRequest + WindowsWithDevicePostureChecks: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDevicePostureChecksRequest + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DeviceAssurance' + examples: + Android: + $ref: '#/components/examples/DeviceAssuranceAndroidResponse' + iOS: + $ref: '#/components/examples/DeviceAssuranceIosResponse' + MacOS: + $ref: '#/components/examples/DeviceAssuranceMacOSResponse' + Windows: + $ref: '#/components/examples/DeviceAssuranceWindowsResponse' + ChromeOSWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse + ChromeOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersResponse + MacOSWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse + MacOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersResponse + 
WindowsWithDeviceTrustConnectorThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersResponse + WindowsWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersResponse + AndroidWithAndroidDeviceTrustThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersResponse + AndroidWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersResponse + iOSWithDevicePostureIdPThirdPartySignalProviders: + $ref: >- + #/components/examples/DeviceAssuranceIosWithDevicePostureIdPSignalProvidersResponse + AndroidWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse + iOSWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse + MacOSWithDynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse + WindowsWithDynamicVersionRequirements: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse + WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse + WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse + AndroidWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceAndroidWithGracePeriodResponse + iOSWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceIosWithGracePeriodResponse + MacOSWithGracePeriod: + $ref: >- 
+ #/components/examples/DeviceAssuranceMacOSWithGracePeriodResponse + WindowsWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithGracePeriodResponse + ChromeOSWithGracePeriod: + $ref: >- + #/components/examples/DeviceAssuranceChromeOSWithGracePeriodResponse + MacOSWithDevicePostureChecks: + $ref: >- + #/components/examples/DeviceAssuranceMacOSWithDevicePostureChecksResponse + WindowsWithDevicePostureChecks: + $ref: >- + #/components/examples/DeviceAssuranceWindowsWithDevicePostureChecksResponse + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.deviceAssurance.manage + tags: + - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a device assurance policy + description: >- + Deletes a device assurance policy by `deviceAssuranceId`. If the device + assurance policy is currently being used in the org Authentication + Policies, the delete will not be allowed. 
+ operationId: deleteDeviceAssurancePolicy + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Conflict + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeviceAssuranceInUse: + $ref: '#/components/examples/ErrorDeviceAssuranceInUse' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.deviceAssurance.manage + tags: + - DeviceAssurance + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathDeviceAssuranceId' +components: + schemas: + DeviceAssurance: + title: DeviceAssurance + type: object + properties: + createdBy: + type: string + readOnly: true + createdDate: + type: string + readOnly: true + devicePostureChecks: + $ref: '#/components/schemas/DevicePostureChecks' + displayRemediationMode: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + description: >- + Represents the + remediation mode of this device assurance policy when users are + denied access due to device noncompliance + type: string + enum: + - HIDE + - SHOW + example: SHOW + x-enumDescriptions: + HIDE: Hide remediation instructions in the Sign-In Widget + SHOW: Display remediation instructions in the Sign-In Widget + gracePeriod: + $ref: '#/components/schemas/GracePeriod' + id: + type: string + readOnly: true + lastUpdate: + type: string + readOnly: true + lastUpdatedBy: + type: string + readOnly: true + name: + type: string + description: Display name of the device assurance policy + platform: + $ref: '#/components/schemas/Platform' + _links: + $ref: '#/components/schemas/LinksSelf' + discriminator: + propertyName: platform + mapping: + WINDOWS: '#/components/schemas/DeviceAssuranceWindowsPlatform' + 
MACOS: '#/components/schemas/DeviceAssuranceMacOSPlatform' + CHROMEOS: '#/components/schemas/DeviceAssuranceChromeOSPlatform' + IOS: '#/components/schemas/DeviceAssuranceIOSPlatform' + ANDROID: '#/components/schemas/DeviceAssuranceAndroidPlatform' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + DevicePostureChecks: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + description: >- + Represents the Device + Posture Checks configuration for the device assurance policy + type: object + properties: + include: + type: array + description: >- + An array of key value pairs including Device Posture Check + `variableNames` + example: + - variableName: macOSFirewall + value: '1' + - variableName: windowsFirewall + value: '1' + GracePeriod: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + description: >- + Represents the Grace + Period configuration for the device assurance policy + type: object + properties: + expiry: + oneOf: + - $ref: '#/components/schemas/ByDateTimeExpiry' + - $ref: '#/components/schemas/ByDurationExpiry' + type: + description: >- + Represents the type of Grace Period configured for the device + assurance policy + type: string + enum: + - BY_DATE_TIME + - BY_DURATION + example: BY_DATE_TIME + x-enumDescriptions: + BY_DATE_TIME: >- + The Grace Period configured for this device assurance policy + expires at a specified date and time 
+ BY_DURATION: >- + The Grace Period configured for this device assurance policy + expires after a specified duration + Platform: + type: string + enum: + - ANDROID + - CHROMEOS + - IOS + - MACOS + - WINDOWS + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + ByDateTimeExpiry: + allOf: + - $ref: '#/components/schemas/DateTime' + ByDurationExpiry: + allOf: + - $ref: '#/components/schemas/TimeDuration' + description: >- + A time duration specified as an [ISO 8601 + duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). + + Must be between 1 and 180 days inclusive. + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + DateTime: + description: >- + An [ISO + 8601](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations) + formatted date and time. + format: date-time + example: '2024-12-01T00:00:00Z' + type: string + TimeDuration: + description: >- + A time duration specified as an [ISO 8601 + duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). 
+ type: string + pattern: ^P(?:$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?:\d)(\d+H)?(\d+M)?(\d+S)?)?$ + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathDeviceAssuranceId: + in: path + name: deviceAssuranceId + required: true + description: Id of the device assurance policy + schema: + type: string + examples: + 
DeviceAssuranceAndroidRequest: + summary: Android request + value: + name: Device assurance Android + osVersion: + minimum: 12 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceIosRequest: + summary: iOS request + value: + name: Device assurance iOS + osVersion: + minimum: 12.4.5 + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + DeviceAssuranceMacOSRequest: + summary: macOS request + value: + name: Device assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsRequest: + summary: Windows request + value: + name: Device assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: >- + ChromeOS with Device Trust Connector as third-party signal provider + request + value: + name: Device assurance ChromeOS + platform: CHROMEOS + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + allowScreenLock: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_OS_VERIFIED_MODE + DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersRequest: + 
x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: ChromeOS with Device Posture IdP as third-party signal provider request + value: + name: Device assurance ChromeOS + platform: CHROMEOS + thirdPartySignalProviders: + devicePostureIdP: + managed: true + compliant: true + DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with Device Trust Connector as third-party signal provider request + value: + name: Device assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain": testDomain + builtInDnsClientEnabled": true + chromeRemoteDesktopAppBlocked": true + safeBrowsingProtectionLevel": true + siteIsolationEnabled": true + passwordProtectionWarningTrigger": PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode": true + DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with Device Posture IdP as third-party signal provider request + value: + name: Device assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + devicePostureIdP: + managed: true + compliant: true + DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Windows with Device Trust Connector as 
third-party signal provider + request + value: + name: Device assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + secureBootEnabled: true + windowsMachineDomain: testMachineDomain + windowsUserDomain: testUserDomain + crowdStrikeCustomerId: testCustomerId + crowdStrikeAgentId": testAgentId + keyTrustLevel: CHROME_BROWSER_HW_KEY + DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Device Posture IdP as third-party signal provider request + value: + name: Device assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + devicePostureIdP: + managed: true + compliant: true + DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with Android Device Trust as third-party signal provider request + value: + name: Device assurance Android with Android Device Trust third-party signals + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - USER + 
- FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + androidDeviceTrust: + playProtectVerdict: LOW + deviceIntegrityLevel: MEETS_STRONG_INTEGRITY + screenLockComplexity: HIGH + usbDebuggingDisabled: true + networkProxyDisabled: true + wifiSecured: true + requireMajorVersionUpdate: true + DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with Device Posture IdP as third-party signal provider request + value: + name: Device assurance Android + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + devicePostureIdP: + managed: true + compliant: true + DeviceAssuranceIosWithDevicePostureIdPSignalProvidersRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with Device Posture IdP as third-party signal provider request + value: + name: Device assurance iOS + osVersion: + minimum: 12.4.5 + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + thirdPartySignalProviders: + devicePostureIdP: + managed: true + compliant: true + DeviceAssuranceAndroidWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with dynamic version requirement request + value: + name: Device assurance Android + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + 
DeviceAssuranceIosWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with dynamic version requirement request + value: + name: Device assurance iOS + osVersion: + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + latestSecurityPatch: true + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + DeviceAssuranceMacOSWithDynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with dynamic version requirement request + value: + name: Device assurance macOS + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Windows with Windows 11 and Windows 10 dynamic version requirements + request + value: + name: Device assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 1 + latestSecurityPatch: true + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Windows with Windows 11 dynamic version requirement and Windows 10 + minimum version request + value: + name: Device assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 
+ dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 1 + - majorVersionConstraint: WINDOWS_10 + minimum: 10.0.19045.0 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Windows with Windows 11 minimum version and a Windows 10 dynamic version + requirement request + value: + name: Device assurance Windows + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + minimum: 10.0.22000.0 + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: NOT_ALLOWED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + DeviceAssuranceAndroidWithGracePeriodRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with due by date grace period request + value: + name: Device assurance Android Grace Period + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + gracePeriod: + type: BY_DATE_TIME + expiry: '2024-12-01T00:00:00.00Z' + displayRemediationMode: SHOW + DeviceAssuranceIosWithGracePeriodRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with 30 day grace period request + value: + name: Device assurance iOS Grace Period + osVersion: + minimum: 12.4.5 + jailbreak: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + gracePeriod: + type: BY_DURATION + expiry: P30D + displayRemediationMode: SHOW + 
DeviceAssuranceMacOSWithGracePeriodRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS request with due by date grace period request + value: + name: Device assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + gracePeriod: + type: BY_DATE_TIME + expiry: '2024-12-01T00:00:00.00Z' + displayRemediationMode: SHOW + DeviceAssuranceWindowsWithGracePeriodRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with 7 day grace period request + value: + name: Device assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + gracePeriod: + type: BY_DURATION + expiry: P7D + displayRemediationMode: SHOW + DeviceAssuranceChromeOSWithGracePeriodRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: ChromeOS with 7 day grace period request + value: + name: Device assurance ChromeOS + platform: CHROMEOS + gracePeriod: + type: BY_DURATION + expiry: P7D + displayRemediationMode: SHOW + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + allowScreenLock: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_OS_VERIFIED_MODE + DeviceAssuranceMacOSWithDevicePostureChecksRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + 
summary: macOS request with OSQuery device posture check + value: + name: Device assurance macOS + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + devicePostureChecks: + include: + - variableName: macOSFirewall + value: '1' + DeviceAssuranceWindowsWithDevicePostureChecksRequest: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows request with OSQuery device posture check + value: + name: Device assurance Windows + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + devicePostureChecks: + include: + - variableName: windowsFirewall + value: '1' + DeviceAssuranceAndroidResponse: + summary: Android response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceIosResponse: + summary: iOS response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + _links: + self: + href: >- + 
https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSResponse: + summary: macOS response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsResponse: + summary: Windows response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: >- + ChromeOS with Device Trust Connector as third-party signal provider + response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance ChromeOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + platform: CHROMEOS + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + 
osFirewall: true + screenLockSecured: true + allowScreenLock: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_OS_VERIFIED_MODE + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: ChromeOS with Device Posture IdP as third-party signal provider response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance ChromeOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + platform: CHROMEOS + thirdPartySignalProviders: + devicePostureIdP: + managed: true + compliant: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: >- + macOS with Device Trust Connector as third-party signal provider + response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + 
thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_BROWSER_HW_KEY + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with Device Posture IdP as third-party signal provider response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + devicePostureIdP: + managed: true + compliant: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Windows with Device Trust Connector as third-party signal provider + response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 
00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + secureBootEnabled: true + windowsMachineDomain: testMachineDomain + windowsUserDomain: testUserDomain + crowdStrikeCustomerId: testCustomerId + crowdStrikeAgentId": testAgentId + keyTrustLevel: CHROME_BROWSER_HW_KEY + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with Device Posture IdP as third-party signal provider response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + devicePostureIdP: + managed: true + compliant: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + 
DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Android with Android Device Trust as third-party signal provider + response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Android with Android Device Trust third-party signals + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + androidDeviceTrust: + playProtectVerdict: LOW + deviceIntegrityLevel: MEETS_STRONG_INTEGRITY + screenLockComplexity: HIGH + usbDebuggingDisabled: true + networkProxyDisabled: true + wifiSecured: true + requireMajorVersionUpdate: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with Device Posture IdP as third-party signal provider response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + thirdPartySignalProviders: + 
devicePostureIdP: + managed: true + compliant: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceIosWithDevicePostureIdPSignalProvidersResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with Device Posture IdP as third-party signal provider response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + thirdPartySignalProviders: + devicePostureIdP: + managed: true + compliant: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceAndroidWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: MINIMUM + distanceFromLatestMajor: 0 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceIosWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with dynamic version 
requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + latestSecurityPatch: true + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSWithDynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with dynamic version requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 0 + latestSecurityPatch: true + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Windows with Windows 11 and Windows 10 dynamic version requirements + response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: MINIMUM + 
distanceFromLatestMajor: 1 + latestSecurityPatch: true + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: EXACT_ANY_SUPPORTED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Windows with Windows 11 dynamic version requirement and Windows 10 + minimum version response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + dynamicVersionRequirement: + type: EXACT + distanceFromLatestMajor: 1 + - majorVersionConstraint: WINDOWS_10 + minimum: 10.0.19045.0 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Windows with Windows 11 minimum version and Windows 10 dynamic version + requirement response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 
00u217pyf72CdUrBt1c5 + osVersionConstraints: + - majorVersionConstraint: WINDOWS_11 + minimum: 10.0.22000.0 + - majorVersionConstraint: WINDOWS_10 + dynamicVersionRequirement: + type: NOT_ALLOWED + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceAndroidWithGracePeriodResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Android with due by date grace period response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Android + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - USER + - FULL + jailbreak: false + platform: ANDROID + screenLockType: + include: + - BIOMETRIC + secureHardwarePresent: true + gracePeriod: + type: BY_DATE_TIME + expiry: '2024-12-01T00:00:00.00Z' + displayRemediationMode: SHOW + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceIosWithGracePeriodResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: iOS with due by days grace period response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance iOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + jailbroken: false + platform: IOS + screenLockType: + include: + - BIOMETRIC + gracePeriod: + type: BY_DURATION + expiry: P30D + displayRemediationMode: SHOW + _links: + self: + href: >- + 
https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceMacOSWithGracePeriodResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS with due by date grace period response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + gracePeriod: + type: BY_DATE_TIME + expiry: '2024-12-01T00:00:00.00Z' + displayRemediationMode: SHOW + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithGracePeriodResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows with due by days grace period response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + gracePeriod: + type: BY_DURATION + expiry: P7D + displayRemediationMode: SHOW + secureHardwarePresent: true + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceChromeOSWithGracePeriodResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: ChromeOS with due by days grace period 
response + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance ChromeOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + platform: CHROMEOS + gracePeriod: + type: BY_DURATION + expiry: P7D + displayRemediationMode: SHOW + thirdPartySignalProviders: + dtc: + osVersion: + minimum: 10.0.19041.1110 + diskEncrypted: true + osFirewall: true + screenLockSecured: true + allowScreenLock: true + browserVersion: + minimum: 15393.27.0 + deviceEnrollmentDomain: testDomain + builtInDnsClientEnabled: true + chromeRemoteDesktopAppBlocked: true + safeBrowsingProtectionLevel: ENHANCED_PROTECTION + siteIsolationEnabled: true + passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF + realtimeUrlCheckMode: true + keyTrustLevel: CHROME_OS_VERIFIED_MODE + DeviceAssuranceMacOSWithDevicePostureChecksResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: macOS request with OSQuery device posture check + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: MACOS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + devicePostureChecks: + include: + - variableName: macOSFirewall + value: '1' + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DeviceAssuranceWindowsWithDevicePostureChecksResponse: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Windows request with OSQuery device posture check + value: + id: dae3m8o4rWhwReDeM1c5 + name: Device assurance Windows + lastUpdate: 
'2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + osVersion: + minimum: 12.4.5.9 + diskEncryptionType: + include: + - ALL_INTERNAL_VOLUMES + platform: WINDOWS + screenLockType: + include: + - PASSCODE + - BIOMETRIC + secureHardwarePresent: true + devicePostureChecks: + include: + - variableName: windowsFirewall + value: '1' + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + ErrorDeviceAssuranceInUse: + summary: Can't delete device assurance policy in use by authentication policies + value: + errorSummary: Device assurance is in use and cannot be deleted. + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + device_assurance_policies: + id: okta.device_assurances.device_assurance_policies + name: device_assurance_policies + title: Device Assurance Policies + methods: + list_device_assurance_policies: + operation: + $ref: '#/paths/~1api~1v1~1device-assurances/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_device_assurance_policy: + operation: + $ref: '#/paths/~1api~1v1~1device-assurances/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_device_assurance_policy: + operation: + $ref: '#/paths/~1api~1v1~1device-assurances~1{deviceAssuranceId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_device_assurance_policy: + operation: + $ref: '#/paths/~1api~1v1~1device-assurances~1{deviceAssuranceId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_device_assurance_policy: + operation: + $ref: '#/paths/~1api~1v1~1device-assurances~1{deviceAssuranceId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/device_assurance_policies/methods/list_device_assurance_policies + - $ref: >- + #/components/x-stackQL-resources/device_assurance_policies/methods/get_device_assurance_policy + insert: + - $ref: >- + #/components/x-stackQL-resources/device_assurance_policies/methods/create_device_assurance_policy + update: [] + delete: + - $ref: >- + 
#/components/x-stackQL-resources/device_assurance_policies/methods/delete_device_assurance_policy + replace: + - $ref: >- + #/components/x-stackQL-resources/device_assurance_policies/methods/replace_device_assurance_policy +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/device_integrations.yaml b/providers/src/okta/v00.00.00000/services/device_integrations.yaml new file mode 100644 index 00000000..e401402d --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/device_integrations.yaml 
@@ -0,0 +1,640 @@ +openapi: 3.0.3 +info: + title: device_integrations API + description: okta device_integrations API + version: 5.1.0 +paths: + /api/v1/device-integrations: + get: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: List all device integrations + description: >- + Lists all device integrations for your org. Examples include Device + Posture Provider, Windows Security Center, Chrome Device Trust, OSQuery, + and Android Device Trust. + operationId: listDeviceIntegrations + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/DeviceIntegrations' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.deviceIntegrations.read + tags: + - DeviceIntegrations + /api/v1/device-integrations/{deviceIntegrationId}: + get: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Retrieve a device integration + description: Retrieves a device integration by `deviceIntegrationId` + operationId: getDeviceIntegration + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DeviceIntegrations' + examples: + CrowdStrike: + $ref: '#/components/examples/DeviceIntegrationCrowdStrikeResponse' + WindowsSecurityCenter: + $ref: >- + #/components/examples/DeviceIntegrationWindowsSecurityCenterResponse + ChromeDeviceTrustConnector: + $ref: >- + #/components/examples/DeviceIntegrationChromeDeviceTrustConnectorResponse + DevicePostureIdP: + $ref: >- + #/components/examples/DeviceIntegrationDevicePostureIdPResponse + DevicePostureCheck: + $ref: >- + #/components/examples/DeviceIntegrationDevicePostureCheckResponse + AndroidZeroTrust: + $ref: >- + 
#/components/examples/DeviceIntegrationAndroidZeroTrustResponse + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.deviceIntegrations.read + tags: + - DeviceIntegrations + parameters: + - $ref: '#/components/parameters/pathDeviceIntegrationId' + /api/v1/device-integrations/{deviceIntegrationId}/lifecycle/activate: + post: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Activate a device integration + description: >- + Activates a device integration and populates the related configurations + by `deviceIntegrationId` + operationId: activateDeviceIntegration + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DeviceIntegrations' + examples: + ChromeDeviceTrustConnector: + $ref: >- + #/components/examples/DeviceIntegrationChromeDeviceTrustConnectorResponse + DevicePostureIdP: + $ref: >- + #/components/examples/DeviceIntegrationDevicePostureIdPResponse + DevicePostureCheck: + $ref: >- + #/components/examples/DeviceIntegrationDevicePostureCheckResponse + AndroidZeroTrust: + $ref: >- + #/components/examples/DeviceIntegrationAndroidZeroTrustResponse + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.deviceIntegrations.manage + tags: + - DeviceIntegrations + parameters: + - $ref: '#/components/parameters/pathDeviceIntegrationId' + /api/v1/device-integrations/{deviceIntegrationId}/lifecycle/deactivate: + post: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: Deactivate a device integration + 
description: Deactivates a device integration by `deviceIntegrationId` + operationId: deactivateDeviceIntegration + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DeviceIntegrations' + examples: + CrowdStrike: + $ref: '#/components/examples/DeviceIntegrationCrowdStrikeResponse' + WindowsSecurityCenter: + $ref: >- + #/components/examples/DeviceIntegrationWindowsSecurityCenterResponse + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.deviceIntegrations.manage + tags: + - DeviceIntegrations + parameters: + - $ref: '#/components/parameters/pathDeviceIntegrationId' +components: + schemas: + DeviceIntegrations: + title: DeviceIntegrations + type: object + properties: + displayName: + type: string + description: The display name of the device integration + id: + type: string + readOnly: true + description: The ID of the device integration + metadata: + $ref: '#/components/schemas/DeviceIntegrationsMetadata' + name: + $ref: '#/components/schemas/DeviceIntegrationsName' + platform: + $ref: '#/components/schemas/DeviceIntegrationsPlatform' + status: + $ref: '#/components/schemas/DeviceIntegrationsStatus' + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + DeviceIntegrationsMetadata: + description: The metadata of the device integration + oneOf: + - type: object + properties: + type: + type: string + enum: + - CHROME + serviceAccountName: + type: string + serviceAccountEmail: + type: string + required: + - type + - serviceAccountName + - serviceAccountEmail + - type: object + properties: + type: + type: string + enum: + - WORKSPACE_ONE + provider: + type: string + enrollmentUrl: + type: string + idpId: + type: string + required: + - type + - 
provider + - enrollmentUrl + - idpId + - type: object + properties: + type: + type: string + enum: + - DEVICE_IDP + idpId: + type: string + required: + - type + - idpId + type: object + DeviceIntegrationsName: + description: The namespace of the device integration + type: string + enum: + - com.android.zero.trust + - com.crowdstrike.zta + - com.google.dtc + - com.okta.device.osquery + - com.okta.deviceidp + - com.okta.windowssecuritycenter + - com.okta.workspaceone + DeviceIntegrationsPlatform: + type: string + enum: + - ANDROID + - CHROMEOS + - IOS + - MACOS + - WINDOWS + DeviceIntegrationsStatus: + description: The status of the device integration + type: string + enum: + - ACTIVE + - DEACTIVATED + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorInvalidToken401: + description: Unauthorized + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidTokenProvided: + $ref: '#/components/examples/ErrorInvalidTokenProvided' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathDeviceIntegrationId: + in: path + name: deviceIntegrationId + required: true + description: The ID of the device integration + schema: + type: string + examples: + DeviceIntegrationCrowdStrikeResponse: + summary: Response of a device integration for CrowdStrike + value: + id: dindyfy1f7Pv1eoVF0g4 + name: com.okta.deviceidp + displayName: Device Posture Provider + status: DEACTIVATED + platform: IOS + metadata: + type: DEVICE_IDP + idpId: 0oa2owlGX5l74kjr60g4 + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/dindyfy1f7Pv1eoVF0g4 + hints: + allow: + - GET + activate: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/dindyfy1f7Pv1eoVF0g4/lifecycle/activate + hints: + allow: + - POST + DeviceIntegrationWindowsSecurityCenterResponse: + summary: 
Response of a device integration for Windows Security Center + value: + id: dinjihtR8qWZZF6qe0g4 + name: com.okta.windowssecuritycenter + displayName: Windows Security Center + status: DEACTIVATED + platform: WINDOWS + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/dinjihtR8qWZZF6qe0g4 + hints: + allow: + - GET + activate: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/dinjihtR8qWZZF6qe0g4/lifecycle/activate + hints: + allow: + - POST + DeviceIntegrationChromeDeviceTrustConnectorResponse: + summary: Response of a device integration for Chrome Device Trust + value: + id: din15gaNrC7BvlBgx0g4 + name: com.google.dtc + displayName: Chrome Device Trust + status: ACTIVE + platform: CHROMEOS + metadata: + type: CHROME + serviceAccountName: okta-gci-00o158oxTmBNgrgyM0g4 + serviceAccountEmail: >- + okta-gci-00o158oxTmBNgrgyM0g4@vocal-invention-346218.iam.gserviceaccount.com + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/din15gaNrC7BvlBgx0g4 + hints: + allow: + - GET + deactivate: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/din15gaNrC7BvlBgx0g4/lifecycle/deactivate + hints: + allow: + - POST + DeviceIntegrationDevicePostureIdPResponse: + summary: Response of a device integration for Device Posture Provider + value: + id: dindyfzlaerjWVdqt0g4 + name: com.okta.deviceidp + displayName: Device Posture Provider + status: ACTIVE + platform: WINDOWS + metadata: + type: DEVICE_IDP + idpId: 0oa2owlGX5l74kjr60g4 + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/dindyfzlaerjWVdqt0g4 + hints: + allow: + - GET + deactivate: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/dindyfzlaerjWVdqt0g4/lifecycle/deactivate + hints: + allow: + - POST + DeviceIntegrationDevicePostureCheckResponse: + summary: Response of device integration for Device Posture Check + value: + id: din9lzd33mvS9vBwN1c5 + 
name: com.okta.device.osquery + displayName: OSQuery + status: ACTIVE + platform: MACOS + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/din9lzd33mvS9vBwN1c5 + hints: + allow: + - GET + deactivate: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/din9lzd33mvS9vBwN1c5/lifecycle/deactivate + hints: + allow: + - POST + DeviceIntegrationAndroidZeroTrustResponse: + summary: Response of device integration for Android Device Trust + value: + id: din9lzd33mvS9kjr60g4 + name: com.android.zero.trust + displayName: Android Device Trust + status: ACTIVE + platform: ANDROID + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/din9lzd33mvS9kjr60g4 + hints: + allow: + - GET + deactivate: + href: >- + https://your-subdomain.okta.com/api/v1/device-integrations/din9lzd33mvS9kjr60g4/lifecycle/deactivate + hints: + allow: + - POST + ErrorInvalidTokenProvided: + summary: Invalid Token Provided + value: + errorCode: E0000011 + errorSummary: Invalid token provided + errorLink: E0000011 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + device_integrations: + id: okta.device_integrations.device_integrations + name: device_integrations + title: Device Integrations + methods: + list_device_integrations: + operation: + $ref: '#/paths/~1api~1v1~1device-integrations/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_device_integration: + operation: + $ref: '#/paths/~1api~1v1~1device-integrations~1{deviceIntegrationId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + activate_device_integration: + operation: + $ref: >- + #/paths/~1api~1v1~1device-integrations~1{deviceIntegrationId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_device_integration: + operation: + $ref: >- + #/paths/~1api~1v1~1device-integrations~1{deviceIntegrationId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/device_integrations/methods/list_device_integrations + - $ref: >- + #/components/x-stackQL-resources/device_integrations/methods/get_device_integration + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/device_posture_checks.yaml b/providers/src/okta/v00.00.00000/services/device_posture_checks.yaml new file mode 100644 index 00000000..0ca1cb86 --- /dev/null 
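Review bot: The `servers` entry that closes device_integrations.yaml fixes the host to `https://{subdomain}.okta.com/` with `default: my-org`, so a caller who does not set `subdomain` would presumably have the request, including the `apiToken` or OAuth credential declared under `security`, addressed to `my-org.okta.com`, an org it does not control. The description also promises oktapreview.com and custom domains, which this template cannot reach by changing `subdomain` alone. OpenAPI requires a default for a server variable, so I would keep one but add a comment above it, `# placeholder only: set subdomain explicitly; requests must never be sent with this default`, and narrow the description to `The subdomain of your organization under okta.com.` unless the whole host becomes a variable. The identical block also ends the preceding file's hunk, which starts outside this view.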
+++ b/providers/src/okta/v00.00.00000/services/device_posture_checks.yaml 
@@ -0,0 +1,708 @@ +openapi: 3.0.3 +info: + title: device_posture_checks API + description: okta device_posture_checks API + version: 5.1.0 +paths: + /api/v1/device-posture-checks: + get: + summary: List all device posture checks + description: Lists all device posture checks + operationId: listDevicePostureChecks + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/DevicePostureCheck' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devicePostureChecks.read + tags: + - DevicePostureCheck + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Create a device posture check + description: Creates a device posture check + operationId: createDevicePostureCheck + x-codegen-request-body-name: devicePostureCheck + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DevicePostureCheck' + examples: + MacOS: + $ref: '#/components/examples/DevicePostureChecksMacOSRequest' + Windows: + $ref: '#/components/examples/DevicePostureChecksWindowsRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DevicePostureCheck' + examples: + MacOS: + $ref: '#/components/examples/DevicePostureChecksMacOSResponse' + Windows: + $ref: '#/components/examples/DevicePostureChecksWindowsResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devicePostureChecks.manage + tags: + - DevicePostureCheck + /api/v1/device-posture-checks/default: + get: 
+ x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: List all default device posture checks + description: >- + Lists all default device posture checks. Default device posture checks + are defined by Okta. Their type will always be `BUILTIN`. + operationId: listDefaultDevicePostureChecks + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/DevicePostureCheck' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devicePostureChecks.read + tags: + - DevicePostureCheck + /api/v1/device-posture-checks/{postureCheckId}: + get: + summary: Retrieve a device posture check + description: Retrieves a device posture check by `postureCheckId` + operationId: getDevicePostureCheck + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DevicePostureCheck' + examples: + MacOS: + $ref: '#/components/examples/DevicePostureChecksMacOSResponse' + Windows: + $ref: '#/components/examples/DevicePostureChecksWindowsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devicePostureChecks.read + tags: + - DevicePostureCheck + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Replace a device posture check + description: Replaces a device posture check by `postureCheckId` + operationId: replaceDevicePostureCheck + x-codegen-request-body-name: devicePostureCheck + requestBody: + content: + application/json: + schema: + $ref: 
'#/components/schemas/DevicePostureCheck' + examples: + MacOS: + $ref: '#/components/examples/DevicePostureChecksMacOSRequest' + Windows: + $ref: '#/components/examples/DevicePostureChecksWindowsRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/DevicePostureCheck' + examples: + MacOS: + $ref: '#/components/examples/DevicePostureChecksMacOSResponse' + Windows: + $ref: '#/components/examples/DevicePostureChecksWindowsResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devicePostureChecks.manage + tags: + - DevicePostureCheck + delete: + summary: Delete a device posture check + description: >- + Deletes a device posture check by `postureCheckId`. You can't delete the + device posture check if it's used in a device assurance policy. 
+ operationId: deleteDevicePostureCheck + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Conflict + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorDeviceCheckInUse: + $ref: '#/components/examples/ErrorDevicePostureCheckInUse' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devicePostureChecks.manage + tags: + - DevicePostureCheck + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathPostureCheckId' +components: + schemas: + DevicePostureCheck: + title: DevicePostureCheck + type: object + properties: + createdBy: + type: string + readOnly: true + description: User who created the device posture check + example: 00u217pyf72CdUrBt1c5 + createdDate: + type: string + readOnly: true + description: Time the device posture check was created + example: '2019-10-02T18:03:07.000Z' + description: + type: string + description: Description of the device posture check + example: Query macOS devices to check if firewall is enabled + id: + type: string + readOnly: true + description: The ID of the device posture check + example: dch3m8o4rWhwReDeM1c5 + lastUpdate: + type: string + readOnly: true + description: Time the device posture check was updated + example: '2019-10-02T18:03:07.000Z' + lastUpdatedBy: + type: string + readOnly: true + description: User who updated the device posture check + example: 00u217pyf72CdUrBt1c5 + mappingType: + $ref: '#/components/schemas/DevicePostureChecksMappingType' + name: + type: string + description: Display name of the device posture check + example: Device posture check macOS + platform: + $ref: '#/components/schemas/DevicePostureChecksPlatform' + query: + type: string + 
description: OSQuery for the device posture check + example: >- + SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS + firewall_enabled FROM alf; + remediationSettings: + $ref: '#/components/schemas/DevicePostureChecksRemediationSettings' + type: + $ref: '#/components/schemas/DevicePostureChecksType' + variableName: + type: string + description: Unique name of the device posture check + example: macOSFirewall + _links: + $ref: '#/components/schemas/LinksSelf' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + DevicePostureChecksMappingType: + description: >- + Represents how the device posture check is rendered in device assurance + policies + type: string + enum: + - CHECKBOX + - TEXTBOX + DevicePostureChecksPlatform: + type: string + enum: + - MACOS + - WINDOWS + DevicePostureChecksRemediationSettings: + description: >- + Represents the remediation instructions shown to the end user when the + device posture check fails + type: object + properties: + link: + type: object + properties: + defaultUrl: + type: string + description: >- + Default URL for the link. This property is only relevant if type + is set to `BUILTIN`. If type is set to `CUSTOM`, this field is + ignored. 
+ example: >- + https://help.okta.com/eu/en-us/content/topics/end-user/ov-device-health-macos.htm + customUrl: + type: string + description: Custom URL for the link + example: example.myremediationurl.com/docs + message: + type: object + properties: + defaultI18nKey: + type: string + description: >- + Default i18n key for the message. This property is only relevant + if type is set to `BUILTIN`. If type is set to `CUSTOM`, this + field is ignored. + example: macos.firewall.enabled.remediation.message + customText: + type: string + description: Custom text for the message + example: >- + It is our company policy that all devices must have a firewall + enabled. + DevicePostureChecksType: + type: string + enum: + - BUILTIN + - CUSTOM + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathPostureCheckId: + in: path + name: postureCheckId + required: true + description: ID of the device posture check + schema: + type: string + examples: + DevicePostureChecksMacOSRequest: + summary: macOS request + value: + name: Device posture check macOS + description: Query macOS devices to check if firewall is enabled + variableName: macOSFirewall + platform: MACOS + type: CUSTOM + mappingType: CHECKBOX + query: >- + SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS + firewall_enabled FROM alf; + remediationSettings: + message: + defaultI18nKey: null + customText: >- + It is our company policy that all devices must have a firewall + enabled. 
+ link: + defaultUrl: null + customUrl: example.myremediationurl.com/docs + DevicePostureChecksWindowsRequest: + summary: Windows request + value: + name: Device posture check Windows + description: Query Windows devices to check if firewall is enabled + variableName: windowsFirewall + platform: WINDOWS + type: CUSTOM + mappingType: CHECKBOX + query: >- + SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled + FROM windows_firewall_profiles; + remediationSettings: + message: + defaultI18nKey: null + customText: >- + It is our company policy that all devices must have a firewall + enabled. + link: + defaultUrl: null + customUrl: example.myremediationurl.com/docs + DevicePostureChecksMacOSResponse: + summary: macOS response + value: + id: dch3m8o4rWhwReDeM1c5 + name: Device posture check macOS + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + description: Query macOS devices to check if firewall is enabled + variableName: macOSFirewall + query: >- + SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS + firewall_enabled FROM alf; + platform: MACOS + type: CUSTOM + mappingType: CHECKBOX + remediationSettings: + message: + defaultI18nKey: null + customText: >- + It is our company policy that all devices must have a firewall + enabled. 
+ link: + defaultUrl: null + customUrl: example.myremediationurl.com/docs + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-posture-checks/dch3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + DevicePostureChecksWindowsResponse: + summary: Windows response + value: + id: dch3m8o4rWhwReDeM1c5 + name: Device posture check Windows + lastUpdate: '2022-01-01T00:00:00.000Z' + createdUpdate: '2022-01-01T00:00:00.000Z' + lastUpdatedBy: 00u217pyf72CdUrBt1c5 + createdBy: 00u217pyf72CdUrBt1c5 + description: Query Windows devices to check if firewall is enabled + variableName: windowsFirewall + query: >- + SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled + FROM windows_firewall_profiles; + platform: WINDOWS + type: CUSTOM + mappingType: CHECKBOX + remediationSettings: + message: + defaultI18nKey: null + customText: >- + It is our company policy that all devices must have a firewall + enabled. + link: + defaultUrl: null + customUrl: example.myremediationurl.com/docs + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/device-posture-checks/dch3m8o4rWhwReDeM1c5 + hints: + allow: + - DELETE + - GET + - PUT + ErrorDevicePostureCheckInUse: + summary: Can't delete device posture check in use by device assurance policies + value: + errorSummary: Device posture check is in use and can't be deleted. + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + device_posture_checks: + id: okta.device_posture_checks.device_posture_checks + name: device_posture_checks + title: Device Posture Checks + methods: + list_device_posture_checks: + operation: + $ref: '#/paths/~1api~1v1~1device-posture-checks/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_device_posture_check: + operation: + $ref: '#/paths/~1api~1v1~1device-posture-checks/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_device_posture_check: + operation: + $ref: '#/paths/~1api~1v1~1device-posture-checks~1{postureCheckId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_device_posture_check: + operation: + $ref: '#/paths/~1api~1v1~1device-posture-checks~1{postureCheckId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_device_posture_check: + operation: + $ref: '#/paths/~1api~1v1~1device-posture-checks~1{postureCheckId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/device_posture_checks/methods/list_device_posture_checks + - $ref: >- + #/components/x-stackQL-resources/device_posture_checks/methods/get_device_posture_check + insert: + - $ref: >- + #/components/x-stackQL-resources/device_posture_checks/methods/create_device_posture_check + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/device_posture_checks/methods/delete_device_posture_check + 
replace: + - $ref: >- + #/components/x-stackQL-resources/device_posture_checks/methods/replace_device_posture_check + default_device_posture_checks: + id: okta.device_posture_checks.default_device_posture_checks + name: default_device_posture_checks + title: Default Device Posture Checks + methods: + list_default_device_posture_checks: + operation: + $ref: '#/paths/~1api~1v1~1device-posture-checks~1default/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/default_device_posture_checks/methods/list_default_device_posture_checks + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/devices.yaml b/providers/src/okta/v00.00.00000/services/devices.yaml new file mode 100644 index 00000000..d1f45a65 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/devices.yaml 
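Review bot: Every operation in device_posture_checks.yaml carries a `security` block naming `apiToken` and `oauth2`, but the file's `components` (schemas, responses, parameters, examples, x-stackQL-resources) declares no `securitySchemes`, so those names resolve to nothing. OpenAPI 3.0 requires each security requirement name to match a declared scheme, and a reader of this document alone cannot tell how the token is presented or which OAuth flow issues `okta.devicePostureChecks.read` and `okta.devicePostureChecks.manage`. If StackQL takes authentication from provider.yaml rather than from the service document (not visible in this hunk), either drop the per-operation `security` blocks or add a `components.securitySchemes` section defining both names, for example `apiToken: {type: apiKey, in: header, name: Authorization}` plus an `oauth2` entry whose flow lists the two scopes. The devices.yaml hunk that follows uses the same two scheme names and should be checked for the same gap; its end lies outside this view.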
@@ -0,0 +1,1893 @@ +openapi: 3.0.3 +info: + title: devices API + description: okta devices API + version: 5.1.0 +paths: + /api/v1/devices: + get: + summary: List all devices + description: >- + Lists all devices with pagination support. + + + >**Note:** To list all devices enrolled by a user, use the [List all + devices endpoint in the User Resources + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserResources/#tag/UserResources/operation/listUserDevices). + + + You can return a subset of devices that match a supported search + criteria using the `search` query parameter. + + Searches for devices based on the properties specified in the `search` + parameter conforming SCIM filter specifications (case-insensitive). This + data is eventually consistent. The API returns different results + depending on specified queries in the request. Empty list is returned if + no objects match `search` request. + + > **Note:** Listing devices with `search` should not be used as a part + of any critical flow, such as authentication or updates, to prevent + potential data loss. `search` results may not reflect the latest + information, as this endpoint uses a search index which may not be + up-to-date with recent updates to the object. + + + Don't use search results directly for record updates, as the data might + be stale and therefore overwrite newer data, resulting in data loss. + + + Use an `id` lookup for records that you update to ensure your results + contain the latest data. + + + This operation requires [URL + encoding](https://www.w3.org/TR/html4/interact/forms.html#h-17.13.4.1). + For example, `search=profile.displayName eq "Bob"` is encoded as + `search=profile.displayName%20eq%20%22Bob%22`. + operationId: listDevices + parameters: + - name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. 
It is an opaque string that + specifies your current location in the list and is obtained from + the `Link` response header. See [Pagination]https://developer.okta.com/docs/api#pagination for + more information. + example: 200u3des4afA47rYJu1d7 + - name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 200 + example: 20 + description: A limit on the number of objects to return (recommend `20`) + - name: search + in: query + description: >- + A SCIM filter expression that filters the results. Searches include + all device `profile` properties and the device `id`, `status`, and + `lastUpdated` properties. + + + Searches for devices can be filtered by the contains (`co`) + operator. You can only use `co` with these select device profile + attributes: `profile.displayName`, `profile.serialNumber`, + `profile.imei`, `profile.meid`, `profile.udid`, and `profile.sid`. + See [Operators](https://developer.okta.com/docs/api/#operators). + schema: + type: string + example: lastUpdated gt "2019-06-01T09:00:00.000Z" + examples: + FilterByDeviceStatus: + summary: Filter by device status + value: status%20eq%20%22ACTIVE%22 + FilterByLastUpdatedTime: + summary: Filter by last updated time + value: lastUpdated%20gt%20%222024-12-23'T'00%3A00%3A00.000Z%22 + FilterByDeviceId: + summary: Filter by device ID + value: id%20eq%20%22guo4a5u7JHHhjXrMK0g4%22 + FilterByDeviceDisplayName: + summary: Filter by device display name + value: profile.displayName%20eq%20%22Bob%22 + FilterByDevicePlatform: + summary: Filter by device platform + value: profile.platform%20eq%20%22WINDOWS%22 + FilterBySID: + summary: Filter by device security identifier (SID) + value: profile.sid%20sw%20%22S-1%22 + - name: expand + in: query + description: >- + Includes associated user details and management status for the + device in the `_embedded` attribute + schema: + type: string + example: userSummary + enum: + - user + - userSummary + x-enumDescriptions: + user: Lists full 
details for associated users + userSummary: Lists summaries for associated users + examples: + UserFullDetails: + summary: Get a detailed list of associated users + value: user + UserSummaries: + summary: Get the list of associated user summaries + value: userSummary + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/DeviceList' + examples: + APIDevicesResponseUserSummaryExample: + type: array + $ref: '#/components/examples/APIDevicesListAllUserSummaryResponse' + APIDevicesResponseExample: + type: array + $ref: '#/components/examples/APIDevicesListAllResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devices.read + tags: + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/devices/{deviceId}: + get: + summary: Retrieve a device + description: Retrieves a device by `deviceId` + operationId: getDevice + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/Device' + examples: + APIDevicesResponseExample: + $ref: '#/components/examples/DeviceResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devices.read + tags: + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a device + description: >- + Deletes (permanently) a device by `deviceId` if it has a status of + `DEACTIVATED`. 
You can transition the device to `DEACTIVATED` status + using the [Deactivate a + Device](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Device/#tag/Device/operation/deactivateDevice) + endpoint. + + This request is destructive and deletes all of the profile data related + to the device. Once deleted, device data can't be recovered. However, + reenrollment creates a new device record. + + > **Note:** Attempts to delete a device that isn't in a `DEACTIVATED` + state raise an error. + operationId: deleteDevice + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devices.manage + tags: + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathDeviceId' + /api/v1/devices/{deviceId}/lifecycle/activate: + post: + summary: Activate a device + description: |- + Activates a device by setting its status to `ACTIVE` by `deviceId`. + Activated devices are used to create and delete device user links. 
+ operationId: activateDevice + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devices.manage + tags: + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathDeviceId' + /api/v1/devices/{deviceId}/lifecycle/deactivate: + post: + summary: Deactivate a device + description: >- + Deactivates a device by setting its status to `DEACTIVATED` by + `deviceId`. + + Deactivation causes a device to lose all device user links. Set the + device status to `DEACTIVATED` before deleting it. + + > **Note:** When deactivating a Device, keep in mind the following: + - Device deactivation is a destructive operation for device factors and client certificates. Device reenrollment using Okta Verify allows end users to set up new factors on the device. + - Device deletion removes the device record from Okta. Reenrollment creates a new device record. + operationId: deactivateDevice + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devices.manage + tags: + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathDeviceId' + /api/v1/devices/{deviceId}/lifecycle/suspend: + post: + summary: Suspend a Device + description: >- + Suspends a device by setting its status to `SUSPENDED`. + + Use suspended devices to create and delete device user links. 
You can + only unsuspend or deactivate suspended devices. + + > **Note:** `SUSPENDED` status is meant to be temporary, so it isn't + destructive. + operationId: suspendDevice + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devices.manage + tags: + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathDeviceId' + /api/v1/devices/{deviceId}/lifecycle/unsuspend: + post: + summary: Unsuspend a Device + description: |- + Unsuspends a device by returning its `status` to `ACTIVE`. + >**Note:** Only devices with a `SUSPENDED` status can be unsuspended. + operationId: unsuspendDevice + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devices.manage + tags: + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathDeviceId' + /api/v1/devices/{deviceId}/users: + get: + summary: List all users for a device + description: Lists all Users for a device by `deviceId` + operationId: listDeviceUsers + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/DeviceUser' + examples: + APIDevicesListAllUsersResponseExample: + summary: List all users for a specific device + $ref: '#/components/examples/APIDevicesListAllUsersResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': 
+ $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.devices.read + tags: + - Device + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathDeviceId' +components: + schemas: + DeviceList: + allOf: + - $ref: '#/components/schemas/Device' + - properties: + _embedded: + type: object + description: >- + List of associated users for the device if the `expand=user` + query parameter is specified in the request. Use + `expand=userSummary` to get only a summary of each associated + user for the device. + properties: + users: + description: Users for the device + type: array + items: + $ref: '#/components/schemas/DeviceUser' + readOnly: true + type: object + Device: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the device was created + readOnly: true + id: + type: string + description: Unique key for the device + readOnly: true + lastUpdated: + type: string + format: date-time + description: >- + Timestamp when the device record was last updated. Updates occur + when Okta collects and saves device signals during authentication, + and when the lifecycle state of the device changes. 
+ readOnly: true + profile: + $ref: '#/components/schemas/DeviceProfile' + resourceAlternateId: + type: string + readOnly: true + resourceDisplayName: + $ref: '#/components/schemas/DeviceDisplayName' + resourceId: + type: string + description: Alternate key for the `id` + readOnly: true + resourceType: + type: string + default: UDDevice + readOnly: true + status: + $ref: '#/components/schemas/DeviceStatus' + _links: + $ref: '#/components/schemas/LinksSelfAndFullUsersLifecycle' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ DeviceUser: + type: object + properties: + created: + type: string + description: Timestamp when device was created + managementStatus: + type: string + description: The management status of the device + enum: + - MANAGED + - NOT_MANAGED + x-enumDescriptions: + MANAGED: The device has management software installed + NOT_MANAGED: The device doesn't have management software installed + screenLockType: + type: string + description: Screen lock type of the device + enum: + - NONE + - PASSCODE + - BIOMETRIC + user: + $ref: '#/components/schemas/User' + DeviceProfile: + type: object + properties: + diskEncryptionType: + $ref: '#/components/schemas/DiskEncryptionTypeDef' + displayName: + type: string + description: Display name of the device + minLength: 1 + maxLength: 255 + imei: + type: string + description: International Mobile Equipment Identity (IMEI) of the device + minLength: 14 + maxLength: 17 + integrityJailbreak: + type: boolean + description: >- + Indicates if the device is jailbroken or rooted. 
Only applicable to + `IOS` and `ANDROID` platforms + managed: + type: boolean + description: >- + Indicates if the device is managed by mobile device management (MDM) + software + manufacturer: + type: string + description: Name of the manufacturer of the device + maxLength: 127 + meid: + type: string + description: Mobile equipment identifier of the device + maxLength: 14 + model: + type: string + description: Model of the device + maxLength: 127 + osVersion: + type: string + description: Version of the device OS + maxLength: 127 + platform: + $ref: '#/components/schemas/DevicePlatform' + registered: + type: boolean + description: Indicates if the device is registered at Okta + secureHardwarePresent: + type: boolean + description: Indicates if the device contains a secure hardware functionality + serialNumber: + type: string + description: Serial number of the device + maxLength: 127 + sid: + type: string + description: Windows Security identifier of the device + maxLength: 256 + tpmPublicKeyHash: + type: string + description: Windows Trusted Platform Module hash value + udid: + type: string + description: macOS Unique device identifier of the device + maxLength: 47 + required: + - displayName + - platform + - registered + DeviceDisplayName: + description: Display name of the device + type: object + properties: + sensitive: + type: boolean + description: >- + Indicates whether the associated value is Personal Identifiable + Information (PII) and requires masking + default: false + value: + type: string + description: Display name of the device + DeviceStatus: + description: The state object of the device + type: string + enum: + - ACTIVE + - DEACTIVATED + - SUSPENDED + - UNSUSPENDED + x-enumDescriptions: + ACTIVE: Use activated devices to create and delete device user links + DEACTIVATED: >- + Deactivation causes a device to lose all device user links. Set the + device status to `DEACTIVATED` before deleting it. 
+ SUSPENDED: >- + Use suspended devices to create and delete device user links. You can + only unsuspend or deactivate suspended devices. + UNSUSPENDED: Returns a suspended device to `ACTIVE`. + LinksSelfAndFullUsersLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + suspend: + $ref: '#/components/schemas/HrefObjectSuspendLink' + unsuspend: + $ref: '#/components/schemas/HrefObjectUnsuspendLink' + users: + description: Link to device users + allOf: + - $ref: '#/components/schemas/HrefObject' + ErrorCause: + type: object + properties: + errorSummary: + type: string + User: + type: object + properties: + activated: + type: string + description: The timestamp when the user status transitioned to `ACTIVE` + format: date-time + readOnly: true + nullable: true + created: + type: string + description: The timestamp when the user was created + format: date-time + readOnly: true + credentials: + $ref: '#/components/schemas/UserCredentials' + id: + type: string + description: The unique key for the user + readOnly: true + lastLogin: + type: string + description: The timestamp of the last login + format: date-time + readOnly: true + nullable: true + lastUpdated: + type: string + description: The timestamp when the user was last updated + format: date-time + readOnly: true + passwordChanged: + type: string + description: The timestamp when the user's password was last updated + format: date-time + readOnly: true + nullable: true + profile: + $ref: '#/components/schemas/UserProfile' + realmId: + type: string + description: >- + The ID of the realm in which the user is residing. See + [Realms](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/). 
+ example: guo1bfiNtSnZYILxO0g4 + readOnly: true + status: + $ref: '#/components/schemas/UserStatus' + statusChanged: + type: string + description: The timestamp when the status of the user last changed + format: date-time + readOnly: true + nullable: true + transitioningToStatus: + type: string + description: >- + The target status of an in-progress asynchronous status transition. + This property is only returned if the user's state is transitioning. + readOnly: true + nullable: true + enum: + - ACTIVE + - DEPROVISIONED + - PROVISIONED + type: + type: object + description: >- + The user type that determines the schema for the user's profile. The + `type` property is a map that identifies the [User + Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType). + + + Currently it contains a single element, `id`. It can be specified + when creating a new user, and ca be updated by an admin on a full + replace of an existing user (but not a partial update). + properties: + id: + type: string + description: The ID of the user type + _embedded: + type: object + description: >- + Embedded resources related to the user using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + description: >- + Specifies link relations (see [Web + Linking](https://datatracker.ietf.org/doc/html/rfc8288) available + for the current status of a user. + + The links object is used for dynamic discovery of related resources, + lifecycle operations, and credential operations. The links object is + read-only. + + + For an individual user result, the links object contains a full set + of link relations available for that user as determined by your + policies. + + For a collection of users, the links object contains only the `self` + link. 
Operations that return a collection of users include [List all + users](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) + and [List all group member + users](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroupUsers). + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + self: + description: URL to the individual user + allOf: + - $ref: '#/components/schemas/HrefObject' + activate: + description: URL to activate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + resetPassword: + description: URL to reset the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + resetFactors: + description: URL to reset the user's factors + allOf: + - $ref: '#/components/schemas/HrefObject' + expirePassword: + description: URL to expire the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + forgotPassword: + description: URL to initiate a forgot password operation + allOf: + - $ref: '#/components/schemas/HrefObject' + changeRecoveryQuestion: + description: URL to change the user's recovery question + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: URL to deactivate a user + allOf: + - $ref: '#/components/schemas/HrefObject' + reactivate: + description: URL to reactivate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + changePassword: + description: URL to change the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + schema: + description: URL to the user's profile schema + allOf: + - $ref: '#/components/schemas/HrefObject' + suspend: + description: URL to suspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unsuspend: + description: URL to unsuspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unlock: + 
description: URL to unlock the locked-out user + allOf: + - $ref: '#/components/schemas/HrefObject' + type: + description: URL to the user type + allOf: + - $ref: '#/components/schemas/HrefObject' + - readOnly: true + DiskEncryptionTypeDef: + description: >- + Type of encryption used on the device + + > **Note:** The following values map to Disk Encryption ON: `FULL`, + `USER`, `ALL_INTERNAL_VOLUMES`. All other values map to Disk Encryption + OFF. + type: string + enum: + - ALL_INTERNAL_VOLUMES + - FULL + - NONE + - SYSTEM_VOLUME + - USER + x-enumDescriptions: + NONE: No encryption has been set. + FULL: >- + Disk is fully encrypted. Only applicable to `IOS` and `ANDROID` + platforms. + USER: >- + Encryption key is tied to the user or profile. Only applicable to + `ANDROID` platform. + ALL_INTERNAL_VOLUMES: >- + All internal disks are encrypted. Only applicable to `WINDOWS` and + `MACOS` platforms. + SYSTEM_VOLUME: >- + Only the system volume is encrypted. Only applicable to `WINDOWS` and + `MACOS` platforms. 
+ DevicePlatform: + description: OS platform of the device + type: string + enum: + - ANDROID + - IOS + - MACOS + - WINDOWS + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + HrefObjectSuspendLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to suspend the resource + HrefObjectUnsuspendLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to unsuspend the resource + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + UserCredentials: + description: >- + Specifies primary authentication and recovery credentials for a user. + Credential types and requirements vary depending on the provider and + security policy of the org. + type: object + properties: + password: + $ref: '#/components/schemas/PasswordCredential' + provider: + $ref: '#/components/schemas/AuthenticationProvider' + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' + UserProfile: + additionalProperties: true + description: >- + Specifies the default and custom profile properties for a user. + + + The default user profile is based on the [System for Cross-domain + Identity Management: Core + Schema](https://datatracker.ietf.org/doc/html/rfc7643). 
+ + + The only permitted customizations of the default profile are to update + permissions, change whether the `firstName` and `lastName` properties + are nullable, and specify a + [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) + for `login`. You can use the Profile Editor in the Admin Console or the + [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) + to make schema modifications. + + + You can extend user profiles with custom properties. You must first add + the custom property to the user profile schema before you reference it. + + You can use the Profile Editor in the Admin Console or the [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) + to manage schema extensions. + + + Custom attributes can contain HTML tags. It's the client's + responsibility to escape or encode this data before displaying it. Use + [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) + to prevent cross-site scripting. + type: object + properties: + city: + type: string + description: The city or locality of the user's address (`locality`) + maxLength: 128 + nullable: true + costCenter: + type: string + description: Name of the cost center assigned to a user + nullable: true + countryCode: + description: >- + The country name component of the user's address (`country`). For + validation, see [ISO 3166-1 alpha 2 "short" code + format](https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-22#ref-ISO3166). 
+ type: string + maxLength: 2 + nullable: true + department: + type: string + description: Name of the user's department + displayName: + type: string + description: Name of the user suitable for display to end users + nullable: true + division: + type: string + description: Name of the user's division + nullable: true + email: + type: string + description: >- + The primary email address of the user. For validation, see [RFC 5322 + Section + 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). + format: email + minLength: 5 + maxLength: 100 + employeeNumber: + description: The organization or company assigned unique identifier for the user + type: string + firstName: + type: string + description: Given name of the user (`givenName`) + minLength: 1 + maxLength: 50 + nullable: true + honorificPrefix: + type: string + description: Honorific prefix(es) of the user, or title in most Western languages + nullable: true + honorificSuffix: + type: string + description: Honorific suffix(es) of the user + nullable: true + lastName: + type: string + description: The family name of the user (`familyName`) + minLength: 1 + maxLength: 50 + nullable: true + locale: + type: string + description: >- + The user's default location for purposes of localizing items such as + currency, date time format, numerical representations, and so on. + + A locale value is a concatenation of the ISO 639-1 two-letter + language code, an underscore, and the ISO 3166-1 two-letter country + code. For example, en_US specifies the language English and country + US. This value is `en_US` by default. + login: + type: string + description: >- + The unique identifier for the user (`username`). For validation, see + [Login pattern + validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation). + + + Every user within your Okta org must have a unique identifier for a + login. 
This constraint applies to all users you import from other + systems or applications such as Active Directory. Your organization + is the top-level namespace to mix and match logins from all your + connected applications or directories. Careful consideration of + naming conventions for your login identifier will make it easier to + onboard new applications in the future. + + + Logins are not considered unique if they differ only in case and/or + diacritical marks. If one of your users has a login of + Isaac.Brock@example.com, there cannot be another user whose login is + isaac.brock@example.com, nor isáàc.bröck@example.com. + + + Okta has a default ambiguous name resolution policy for usernames + that include @-signs. (By default, usernames must be formatted as + email addresses and thus always include @-signs. You can remove that + restriction using either the Admin Console or the [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/). + Users can sign in with their non-qualified short name (for example: + isaac.brock with username isaac.brock@example.com) as long as the + short name is still unique within the organization. 
+ + maxLength: 100 + minLength: 5 + manager: + type: string + description: The `displayName` of the user's manager + nullable: true + managerId: + type: string + description: The `id` of the user's manager + nullable: true + middleName: + type: string + description: The middle name of the user + nullable: true + mobilePhone: + type: string + description: The mobile phone number of the user + maxLength: 100 + minLength: 0 + nullable: true + nickName: + type: string + description: The casual way to address the user in real life + nullable: true + organization: + type: string + description: Name of the the user's organization + nullable: true + postalAddress: + type: string + description: Mailing address component of the user's address + maxLength: 4096 + nullable: true + preferredLanguage: + type: string + description: >- + The user's preferred written or spoken language. For validation, see + [RFC 7231 Section + 5.3.5](https://datatracker.ietf.org/doc/html/rfc7231#section-5.3.5). + nullable: true + primaryPhone: + type: string + description: The primary phone number of the user such as a home number + maxLength: 100 + minLength: 0 + nullable: true + profileUrl: + type: string + description: >- + The URL of the user's online profile. For example, a web page. See + [URL](https://datatracker.ietf.org/doc/html/rfc1808). + nullable: true + secondEmail: + type: string + format: email + description: >- + The secondary email address of the user typically used for account + recovery. For validation, see [RFC 5322 Section + 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
+ minLength: 5 + maxLength: 100 + nullable: true + state: + type: string + description: The state or region component of the user's address (`region`) + maxLength: 128 + nullable: true + streetAddress: + type: string + description: The full street address component of the user's address + maxLength: 1024 + nullable: true + timezone: + type: string + description: The user's time zone + nullable: true + title: + type: string + description: The user's title, such as Vice President + nullable: true + userType: + type: string + description: >- + The property used to describe the organization-to-user relationship, + such as employee or contractor + nullable: true + zipCode: + type: string + description: >- + The ZIP code or postal code component of the user's address + (`postalCode`) + maxLength: 50 + nullable: true + UserStatus: + description: >- + The current status of the user. + + + The status of a user changes in response to explicit events, such as + admin-driven lifecycle changes, user login, or self-service password + recovery. Okta doesn't asynchronously sweep through users and update + their password expiry state, for example. Instead, Okta evaluates + password policy at login time, notices the password has expired, and + moves the user to the expired state. When running reports, remember that + the data is valid as of the last login or lifecycle event for that user. + type: string + enum: + - ACTIVE + - DEPROVISIONED + - LOCKED_OUT + - PASSWORD_EXPIRED + - PROVISIONED + - RECOVERY + - STAGED + - SUSPENDED + readOnly: true + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + PasswordCredential: + description: >- + Specifies a password for a user. + + + When a user has a valid password, imported hashed password, or password + hook, and a response object contains + + a password credential, then the password object is a bare object without + the value property defined (for example, `password: {}`). This indicates + that a password value exists. You can modify password policy + requirements in the Admin Console by editing the Password + authenticator: **Security** > **Authenticators** > **Password** (or for + Okta Classic orgs, use **Security** > **Authentication** > + **Password**). + + + For information on defaults and configuring your password policies, see + [Configure the password + authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) + in the help documentation. + type: object + properties: + hash: + $ref: '#/components/schemas/PasswordCredentialHash' + hook: + $ref: '#/components/schemas/PasswordCredentialHook' + value: + type: string + writeOnly: true + description: >- + Specifies the password for a user. The password policy validates + this password. + format: password + example: pa$$word + AuthenticationProvider: + description: >- + Specifies the authentication provider that validates the user's password + credential. The user's current provider is managed by the **Delegated + Authentication** settings for your org. The provider object is + **read-only**. 
+ type: object + properties: + name: + type: string + description: The name of the authentication provider + readOnly: true + example: OKTA + type: + $ref: '#/components/schemas/AuthenticationProviderType' + readOnly: true + RecoveryQuestionCredential: + description: >- + Specifies a secret question and answer that's validated (case + insensitive) when a user forgets their + + password or unlocks their account. The answer property is write-only. + type: object + properties: + answer: + type: string + description: The answer to the recovery question + minimum: 1 + maximum: 100 + writeOnly: true + example: se7en + question: + type: string + description: The recovery question + minimum: 1 + maximum: 100 + example: what is your favourite movie? + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + PasswordCredentialHash: + description: >- + Specifies a hashed password to import into Okta. This allows an existing + password to be imported into Okta directly + + from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, + SHA-1, MD5, and PBKDF2 hash functions for password import. + A hashed password may be specified in a password object when creating or updating a user, but not for other operations. + See the [Create user with imported hashed password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-imported-hashed-password) description. When you update a user with a hashed password, the user must be in the `STAGED` status. + type: object + properties: + algorithm: + $ref: '#/components/schemas/PasswordCredentialHashAlgorithm' + digestAlgorithm: + $ref: '#/components/schemas/DigestAlgorithm' + iterationCount: + type: integer + description: >- + The number of iterations used when hashing passwords using PBKDF2. + Must be >= 4096. 
Only required for PBKDF2 algorithm. + keySize: + type: integer + description: >- + Size of the derived key in bytes. Only required for PBKDF2 + algorithm. + salt: + description: >- + Only required for salted hashes. For BCRYPT, this specifies Radix-64 + as the encoded salt used to generate the hash, + + which must be 22 characters long. For other salted hashes, this + specifies the Base64-encoded salt used to + + generate the hash. + type: string + saltOrder: + type: string + description: >- + Specifies whether salt was pre- or postfixed to the password before + hashing. Only required for salted algorithms. + value: + description: >- + For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual + base64-encoded hash of the password (and salt, if used). + + This is the Base64-encoded `value` of the + SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either + pre-fixing or post-fixing + + the `salt` to the `password`, depending on the `saltOrder`. If a + `salt` was not used in the `source` system, then this should just be + + the Base64-encoded `value` of the password's + SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the + actual Radix-64 encoded hashed password. + type: string + workFactor: + type: integer + description: >- + Governs the strength of the hash and the time required to compute + it. Only required for BCRYPT algorithm. + minimum: 1 + maximum: 20 + PasswordCredentialHook: + description: >- + Specify a [password import inline + hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) + to trigger verification of the user's password the first time the user + signs in. This allows an existing password to be imported into Okta + directly from some other store. + type: object + properties: + type: + type: string + description: The type of password inline hook. Currently, must be set to default. 
+ AuthenticationProviderType: + description: The type of authentication provider + type: string + enum: + - ACTIVE_DIRECTORY + - FEDERATION + - IMPORT + - LDAP + - OKTA + - SOCIAL + x-enumDescriptions: + ACTIVE_DIRECTORY: >- + Specifies the Microsoft Active Directory instance name as the `name` + property + FEDERATION: >- + Specifies a federated identity provider (such as an SAML IdP) that + validates the user's password credentials. Doesn't support a + `password` or `recovery question` credential. The user must + authenticate through a trusted identity provider. + IMPORT: Specifies a hashed password that was imported from an external source + LDAP: Specifies the LDAP directory instance name as the `name` property + OKTA: Specifies the Okta identity provider + SOCIAL: >- + Specifies an OIDC or third-party social identity provider. Doesn't + support a `password` or `recovery question` credential. The user must + authenticate through a trusted identity provider. + readOnly: true + PasswordCredentialHashAlgorithm: + description: >- + The algorithm used to generate the hash using the password (and salt, + when applicable). + type: string + enum: + - BCRYPT + - MD5 + - PBKDF2 + - SHA-1 + - SHA-256 + - SHA-512 + DigestAlgorithm: + description: >- + Algorithm used to generate the key. Only required for the PBKDF2 + algorithm. 
+ type: string + enum: + - SHA256_HMAC + - SHA512_HMAC + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathDeviceId: + name: deviceId + in: path + schema: + type: string + example: guo4a5u7JHHhjXrMK0g4 + required: true + description: '`id` of the device' + examples: + APIDevicesListAllUserSummaryResponse: + summary: List all devices with embedded user summaries + value: + - id: guo4a5u7YAHhjXrMK0g4 + status: CREATED + created: '2019-10-02T18:03:07.000Z' + lastUpdated: '2019-10-02T18:03:07.000Z' + profile: + displayName: Example device name 1 + platform: WINDOWS + serialNumber: XXDDRFCFRGF3M8MD6D + sid: S-1-11-111 + registered: true + secureHardwarePresent: false + diskEncryptionType: ALL_INTERNAL_VOLUMES + resourceType: UDDevice + resourceDisplayName: + value: Example device name 1 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g4 + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users + hints: + allow: + - GET + _embedded: + users: [] + - id: guo4a5u7YAHhjXrMK0g5 + status: ACTIVE + created: '2023-06-21T23:24:02.000Z' + 
lastUpdated: '2023-06-21T23:24:02.000Z' + profile: + displayName: Example device name 2 + platform: ANDROID + manufacturer: Google + model: Pixel 6 + osVersion: 13:2023-05-05 + registered: true + secureHardwarePresent: true + diskEncryptionType: USER + resourceType: UDDevice + resourceDisplayName: + value: Example device name 2 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g5 + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users + hints: + allow: + - GET + _embedded: + users: + - managementStatus: MANAGED + created: '2021-10-01T16:52:41.000Z' + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + realmId: 00u17vh0q8ov8IU8T0g5 + profile: + firstName: fname + lastName: lname + login: email@email.com + email: email@email.com + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + APIDevicesListAllResponse: + summary: List all devices with embedded users + value: + - id: guo4a5u7YAHhjXrMK0g4 + status: CREATED + created: '2019-10-02T18:03:07.000Z' + lastUpdated: '2019-10-02T18:03:07.000Z' + profile: + displayName: Example device name 1 + platform: WINDOWS + serialNumber: XXDDRFCFRGF3M8MD6D + sid: S-1-11-111 + registered: true + secureHardwarePresent: false + diskEncryptionType: ALL_INTERNAL_VOLUMES + resourceType: UDDevice + resourceDisplayName: + value: Example device name 1 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g4 + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 + hints: + allow: + - GET + - 
PATCH + - PUT + users: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users + hints: + allow: + - GET + _embedded: + users: [] + - id: guo4a5u7YAHhjXrMK0g5 + status: ACTIVE + created: '2023-06-21T23:24:02.000Z' + lastUpdated: '2023-06-21T23:24:02.000Z' + profile: + displayName: Example device name 2 + platform: ANDROID + manufacturer: Google + model: Pixel 6 + osVersion: 13:2023-05-05 + registered: true + secureHardwarePresent: true + diskEncryptionType: USER + resourceType: UDDevice + resourceDisplayName: + value: Example device name 2 + sensitive: false + resourceAlternateId: null + resourceId: guo4a5u7YAHhjXrMK0g5 + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users + hints: + allow: + - GET + _embedded: + users: + - managementStatus: MANAGED + created: '2021-10-01T16:52:41.000Z' + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + status: ACTIVE + created: '2020-08-12T06:46:50.000Z' + activated: '2020-08-12T06:46:50.000Z' + statusChanged: '2021-01-27T21:05:32.000Z' + lastLogin: '2021-10-14T09:04:48.000Z' + lastUpdated: '2021-01-27T21:05:32.000Z' + passwordChanged: '2020-08-12T06:46:50.000Z' + type: + id: oty7ut9Uu76oHVUZc0w4 + profile: + firstName: fname + lastName: lname + mobilePhone: null + secondEmail: null + login: email@email.com + email: email@email.com + credentials: + password: {} + recovery_question: + question: What is the food you least liked as a child? 
+ provider: + type: OKTA + name: OKTA + _links: + suspend: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend + method: POST + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/osc7ut9Uu76oHVUZc0w4 + resetPassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password + method: POST + forgotPassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password + method: POST + expirePassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question + method: POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + type: + href: >- + https://{yourOktaDomain}/api/v1/meta/types/user/oty7ut9Uu76oHVUZc0w4 + changePassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate + DeviceResponse: + value: + id: guo8jx5vVoxfvJeLb0w4 + status: ACTIVE + created: '2020-11-03T21:47:01.000Z' + lastUpdated: '2020-11-03T23:46:27.000Z' + profile: + displayName: DESKTOP-EHAD3IE + platform: WINDOWS + manufacturer: International Corp + model: VMware7,1 + osVersion: 10.0.18362 + serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce + udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE + sid: S-1-5-21-3992267483-1860856704-2413701314-500 + registered: true + secureHardwarePresent: false + diskEncryptionType: NONE + resourceId: guo8jx5vVoxfvJeLb0w4 + resourceDisplayName: + value: DESKTOP-EHAD3IE + sensitive: false + resourceType: UDDevice + resourceAlternateId: null + _links: + suspend: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend + 
hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate + hints: + allow: + - POST + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + APIDevicesListAllUsersResponse: + summary: Response example + value: + - created: '2021-08-20T17:13:35.000Z' + managementStatus: NOT_MANAGED + screenLockType: BIOMETRIC + user: + id: 00u17vh0q8ov8IU881d7 + status: ACTIVE + created: '2021-08-20T16:08:25.000Z' + activated: null + statusChanged: '2021-08-20T16:39:41.000Z' + lastLogin: '2023-04-18T17:54:12.000Z' + lastUpdated: '2021-12-20T18:27:30.000Z' + passwordChanged: '2021-12-20T18:27:30.000Z' + type: + id: oty17vh0n2EHVnbYF1d7 + profile: + firstName: Bunk + lastName: Moreland + mobilePhone: null + secondEmail: null + login: bunk.moreland@example.com + email: bunk.moreland@example.com + credentials: + password: null + provider: + type: OKTA + name: OKTA + _links: + suspend: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend + method: POST + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/osc17vh0n2EHVnbYF1d7 + resetPassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password + method: POST + forgotPassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password + method: POST + expirePassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password + method: POST + changeRecoveryQuestion: + href: >- + 
https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 + resetFactors: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_factors + method: POST + type: + href: >- + https://{yourOktaDomain}/api/v1/meta/types/user/oty17vh0n2EHVnbYF1d7 + changePassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password + method: POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate + method: POST + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + devices: + id: okta.devices.devices + name: devices + title: Devices + methods: + list_devices: + operation: + $ref: '#/paths/~1api~1v1~1devices/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_device: + operation: + $ref: '#/paths/~1api~1v1~1devices~1{deviceId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_device: + operation: + $ref: '#/paths/~1api~1v1~1devices~1{deviceId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_device: + operation: + $ref: '#/paths/~1api~1v1~1devices~1{deviceId}~1lifecycle~1activate/post' + response: + mediaType: '' + openAPIDocKey: '204' + deactivate_device: + operation: + $ref: '#/paths/~1api~1v1~1devices~1{deviceId}~1lifecycle~1deactivate/post' + response: + mediaType: '' + openAPIDocKey: '204' + suspend_device: + operation: + $ref: 
'#/paths/~1api~1v1~1devices~1{deviceId}~1lifecycle~1suspend/post' + response: + mediaType: '' + openAPIDocKey: '204' + unsuspend_device: + operation: + $ref: '#/paths/~1api~1v1~1devices~1{deviceId}~1lifecycle~1unsuspend/post' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/devices/methods/list_devices' + - $ref: '#/components/x-stackQL-resources/devices/methods/get_device' + insert: [] + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/devices/methods/delete_device' + replace: [] + device_users: + id: okta.devices.device_users + name: device_users + title: Device Users + methods: + list_device_users: + operation: + $ref: '#/paths/~1api~1v1~1devices~1{deviceId}~1users/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/device_users/methods/list_device_users + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/directories.yaml b/providers/src/okta/v00.00.00000/services/directories.yaml new file mode 100644 index 00000000..8f9828b1 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/directories.yaml 
@@ -0,0 +1,248 @@ +openapi: 3.0.3 +info: + title: directories API + description: okta directories API + version: 5.1.0 +paths: + /api/v1/directories/{appInstanceId}/groups/modify: + post: + summary: Update an Active Directory group membership + description: >- + Updates an Active Directory group membership directly in Active + Directory + + + > **Note:** See **Before you begin: Active Directory integration with + the following setup** in the [Use Okta Access Certifications to manage + AD group + membership](https://help.okta.com/okta_help.htm?type=oie&id=ad-bidirectional-group-mgt-configure) + product documentation. + operationId: updateADGroupMembership + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AgentAction' + examples: + addUserToGroup: + $ref: '#/components/examples/add-user-request' + required: true + responses: + '200': + description: OK + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '502': + $ref: '#/components/responses/Error502NoConnectedAgents' + '504': + $ref: '#/components/responses/Error504AgentTimeOut' + security: + - oauth2: + - okta.directories.groups.manage + tags: + - DirectoriesIntegration + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/appInstanceId' +components: + schemas: + AgentAction: + description: Details about the Active Directory group membership update + type: object + properties: + id: + type: string + description: ID of the Active Directory group to update + parameters: + $ref: '#/components/schemas/Parameters' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + 
errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + Parameters: + description: Attributes used for processing Active Directory group membership update + type: object + properties: + action: + type: string + description: The update action to take + enum: + - ADD + - REMOVE + x-enumDescriptions: + ADD: Add to the membership of the group + REMOVE: Remove from the membership of the group + attribute: + type: string + description: >- + The attribute that tracks group memberships in Active Directory. For + Active Directory, use `member`. + example: member + values: + type: array + description: List of user IDs whose group memberships to update + items: + type: string + description: ID of an existing user + ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + Error502NoConnectedAgents: + description: There are no connected agents. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AgentTimeOut: + $ref: '#/components/examples/ErrorNoConnectedAgents' + Error504AgentTimeOut: + description: Timed out waiting for agent + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AgentTimeOut: + $ref: '#/components/examples/ErrorAgentTimeOut' + parameters: + appInstanceId: + name: appInstanceId + in: path + description: ID of the Active Directory app instance in Okta + schema: + type: string + required: true + examples: + add-user-request: + summary: Add user to group + value: + id: 00g1xucgTZFrziXg10g4 + parameters: + action: ADD + attribute: member + values: + - 00u1bh5efGKMsSiLv0g4 + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorNoConnectedAgents: + value: + errorCode: E0000236 + errorSummary: There are no connected agents + errorLink: E0000236 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorAgentTimeOut: + value: + errorCode: E0000237 + errorSummary: Timed out waiting for agent + errorLink: E0000237 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + directories_integration: + id: okta.directories.directories_integration + name: directories_integration + title: Directories Integration + methods: + update_adgroup_membership: + operation: + $ref: >- + 
#/paths/~1api~1v1~1directories~1{appInstanceId}~1groups~1modify/post + response: + mediaType: '' + openAPIDocKey: '200' + sqlVerbs: + select: [] + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/directories_integration/methods/update_adgroup_membership + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/domains.yaml b/providers/src/okta/v00.00.00000/services/domains.yaml new file mode 100644 index 00000000..0842e93f --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/domains.yaml 
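Review bot: The `security` requirement on `updateADGroupMembership` names an `oauth2` scheme with scope `okta.directories.groups.manage`, but the `components` section of this new directories.yaml declares only `schemas`, `responses`, `parameters`, `examples` and `x-stackQL-resources`, so the requirement points at a scheme the document never defines. If authentication is supplied outside this document, say so in a comment such as `# oauth2 scheme is resolved by the provider-level auth config, not declared here`; otherwise add an `oauth2` entry under `components.securitySchemes`, because this operation writes group membership directly into Active Directory and the required scope should be checkable from the spec. In `Error502NoConnectedAgents` the example key is `AgentTimeOut` although it references `ErrorNoConnectedAgents`, which looks like a copy-paste slip; `NoConnectedAgents:` would match. The `servers` block here (and the identical one that closes the devices.yaml hunk above) defaults `subdomain` to `my-org` under a template fixed to `.okta.com`, so a client that never overrides the variable would presumably send its credentials to whichever org holds that name, and the `oktapreview.com` and custom domains the description mentions cannot be expressed. A default that cannot resolve, or requiring the variable to be set, would fail closed.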
@@ -0,0 +1,659 @@ +openapi: 3.0.3 +info: + title: domains API + description: okta domains API + version: 5.1.0 +paths: + /api/v1/domains: + get: + summary: List all Custom Domains + description: Lists all verified custom domains for the org + operationId: listCustomDomains + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/DomainListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.domains.read + tags: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a Custom Domain + description: Creates your custom domain + operationId: createCustomDomain + x-codegen-request-body-name: domain + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DomainRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/DomainResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.domains.manage + tags: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/domains/{domainId}: + get: + summary: Retrieve a custom domain + description: Retrieves a custom domain by `domainId` + operationId: getCustomDomain + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/DomainResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - 
okta.domains.read + tags: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a custom domain's brand + description: Replaces a custom domain's brand + operationId: replaceCustomDomain + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateDomain' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/DomainResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.domains.manage + tags: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a custom domain + description: Deletes a custom domain by `domainId` + operationId: deleteCustomDomain + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.domains.manage + tags: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathDomainId' + /api/v1/domains/{domainId}/certificate: + put: + summary: Upsert the custom domain's certificate + description: >- + Upserts (creates or renews) the `MANUAL` certificate for the custom + domain + + + > **Notes:** + + > * If the existing `certificateSourceType` is `OKTA_MANAGED`, this + operation changes the source type to `MANUAL`. Okta no longer manages + and renews certificates for this domain after you provide a user-managed + certificate. 
+ + > * Okta supports TLS certificates and private keys that are PEM-encoded + and 2048, 3072, or 4096 bits. See the [Custom domain + guide](https://developer.okta.com/docs/guides/custom-url-domain/main/) + for more details. + operationId: upsertCertificate + x-codegen-request-body-name: certificate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/DomainCertificate' + required: true + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.domains.manage + tags: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathDomainId' + /api/v1/domains/{domainId}/verify: + post: + summary: Verify a custom domain + description: >- + Verifies the custom domain and validity of DNS records by `domainId`. + Furthermore, if the `certificateSourceType` in the domain is + `OKTA_MANAGED`, then an attempt is made to obtain and install a + certificate. After a certificate is obtained and installed by Okta, Okta + manages the certificate including certificate renewal. 
+ operationId: verifyDomain + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/DomainResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.domains.manage + tags: + - CustomDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathDomainId' +components: + schemas: + DomainListResponse: + description: >- + Defines a list of domains with a subset of the properties for each + domain. + type: object + properties: + domains: + description: Each element of the array defines an individual domain. + type: array + items: + $ref: '#/components/schemas/DomainResponse' + DomainRequest: + type: object + properties: + certificateSourceType: + $ref: '#/components/schemas/DomainCertificateSourceType' + domain: + description: Custom domain name + type: string + example: login.example.com + required: + - certificateSourceType + - domain + DomainResponse: + description: The properties that define an individual domain. 
+ type: object + properties: + brandId: + description: The ID number of the brand + type: string + example: bndul904tTZ6kWVhP0g3 + certificateSourceType: + $ref: '#/components/schemas/DomainCertificateSourceType' + dnsRecords: + type: array + items: + $ref: '#/components/schemas/DNSRecord' + domain: + description: Custom domain name + type: string + example: login.example.com + id: + description: Unique ID of the domain + type: string + example: OcDz6iRyjkaCTXkdo0g3 + publicCertificate: + $ref: '#/components/schemas/DomainCertificateMetadata' + validationStatus: + $ref: '#/components/schemas/DomainValidationStatus' + _links: + $ref: '#/components/schemas/DomainLinks' + UpdateDomain: + type: object + properties: + brandId: + description: The `id` of the brand used to replace the existing brand. + type: string + example: bndul904tTZ6kWVhP0g3 + required: + - brandId + DomainCertificate: + description: Defines the properties of the certificate + type: object + properties: + certificate: + description: Certificate content + type: string + example: >- + "-----BEGIN + 
CERTIFICATE-----\nMIIFNzCCBB+gAwIBAgHTAAXomJWRama3ypu8TIxdA9wzMA0GCSqGSIb3DQEBCwUA\nMDIzCzAJCgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTAyMTAwNTEzMDVaFw0yMTA1MTEwNTEzMDVaMCQxIjAgBgNVBAMT\nGWFuaXRhdGVzdC5zaWdtYW5ldGNvcnAudXMwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQC5cyk6x63iBJSWvtgsOBqIxfO8euPHcRnyWsL9dsvnbNyOnyvc\nqFWxdiW3sh2cItzYtoN1Zfgj5lWGOVXbHxP0VaNG9fHVX3+NHP6LFHQz92BzAYQm\npqi9zaP/aKJklk6LdPFbVLGhuZfm34+ijW9YsgLTKR2WTaZJK5QtamVVmP+VsSCl\na2ifFzjz2FCkMMEc/Y0zUyP+en/mbL71K+VnpZdlEC1s38EvjRTFKFZTKVw5wpWg\nCZQq/AZYj9RxR23IIuRcUJ8TQ2pyoc3kIXPWjiIarSgBlA8G9kCsxgzXP2RyLwKr\nIBIo+qyHweifpPYW28ipdSbPjiypAMdpbGLDAgMBAAGjggJTMIICTzAOBgNVHQ8B\nAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB\n/wQCMAAwHQYDVR0OBBYEFPVZKiovtIK4Av/IBUQeLUs29pT6MB8GA1UdIwQYMBaA\nFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcw\nAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMu\naS5sZW5jci5vcmcvMCQGA1UdEQQdMBuCGWFuaXRhdGVzdC5zaWdtYW5ldGNvcnAu\ndXMwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF\nBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEDBgorBgEEAdZ5AgQC\nBIH0BIHxAO8AdgBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXeK\nkmOsAAAEAwBHMEUCIQDSudPEWXk969BT8yz3ag6BJWCMRU5tefEw9nXEQMsh5gIg\nUmfGIuUlcNNI5PydVIHj+zns+SR8P7zfd3FIxW4gK0QAdQD2XJQv0XcwIhRUGAgw\nlFaO400TGTO/3wwvIAvMTvFk4wAAAXeKkmOlAAAEAwBGMEQCIHQkr2qOGuInvonv\nW4vvdI61nraax5V6SC3E0D2JSO91AiBVhpX4BBafRAh36r7l8LrxAfxBM3CjBmAC\nq8fUrWfIWDANBgkqhkiG9w0BAQsFAAOCAQEAgGDMKXofKpDdv5kkID3s5GrKdzaj\njFmb/6kyqd1E6eGXZAewCP1EF5BVvR6lBP2aRXiZ6sJVZktoIfztZnbxBGgbPHfv\nR3iXIG6fxkklzR9Y8puPMBFadANE/QV78tIRAlyaqeSNsoxHi7ssQjHTP111B2lf\n3KmuTpsruut1UesEJcPReLk/1xTkRx262wAncach5Wp+6GWWduTZYJbsNFyrK1RP\nYQ0qYpP9wt2qR+DGaRUBG8i1XLnZS8pkyxtKhVw/a5Fowt+NqCpEBjjJiWJRSGnG\nNSgRtSXq11j8O4JONi8EXe7cEtvzUiLR5PL3itsK2svtrZ9jIwQ95wOPaA==\n-----END + CERTIFICATE-----", + certificateChain: + description: Certificate chain + type: string + example: >- + "-----BEGIN + 
CERTIFICATE-----\nMIIFPjCCBCbjAwIBAgISA7RikMltj36DkLk1DUzjwfYBMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTEwMTExOTQ3MjRaFw0yMjAxMDkxOTQ3MjNaMCgxJjAkBgNVBAMT\nHWFuaXRhdGVzdHJhaW4uc2lnbWFuZXRjb3JwLnVzMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEA40EsG7YrFlsH3XdZKirdKKOC7/cca5g9L4rwyA/PlfeU\nB7mJhbQI/a3yZbtY+GjHmedBx15aPtyq+NFZLOkiRCXx0k2zNIJB4yC6Jr/Yp8C2\nrXO6mrCcuqpX7SuDPBtrfdYcIg8G6m0wjj1V1p2/XR8G//CBe8I2XTaTpHsx/VC8\nMNOAA27aSbeX4Nz6TQ69rFuxRG+neUbcz2hQKwroCsCHi6iBmqRkg19Uh8315Cx2\nBUqY0JecpP42KMiktzIoSlqS9yZSuNQh1kP1tPwkEzbs/t3FrfCnnRx5RDr2pJpV\nnonL3sB3TVotS3nFgPNHCfp65O0Bg/3ZpU9IvUpcdQIDAQABo4ICVjCCAlIwDgYD\nVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV\nHRMBAf8EAjAAMB0GA1UdDgQWBBSzWt3Dvp71cKA2Z54ESjjyM4dp+jAfBgNVHSME\nGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYB\nBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDov\nL3IzLmkubGVuY3Iub3JnLzAoBgNVHREEITAfgh1hbml0YXRlc3RyYWluLnNpZ21h\nbmV0Y29ycC51czBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAo\nMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQIGCisG\nAQQB1nkCBAIEgfMEgfAA7gB1AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgia\nN9kTAAABfHEcLqAAAAQDAEYwRAIgMlyQ61FjuIKDfATjz0wfkskChD0csVe0TStq\nmC7NbLACICp3CYMvvDiWt1pr5pzCwTQO8F6v0/qNjmH4mjCutAgyAHUARqVV63X6\nkSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAF8cRwvRAAABAMARjBEAiAZd6Vn\n7MLXT7JeIxZrfbNARrf5oCM4UAVjjJeaUhB1MwIgSLW5cVAZvkiwbQW+vIutFjBz\na8cNb/i+nM7RxFW+JPgwDQYJKoZIhvcNAQELBQADggEBAIlHZiHIuOvYFteqpwvR\n0ElqinIpkYsfI+0O5FwHBXz7vMCPGtfdlcX5M10eW3aEBo9lR59mjDMsMufbTb60\nJuSnguelkUoq4WzqjZI+2uy/FTztI5GPpXmXW3IyzbqmCWQt7u8N607g1TYLBaLL\nrbFIhl+LbTJAa//mxI6bb4l/86j/kSjht6U0OIde7ylscb+3MHobbpIWJYp8Jr1D\nubm/0glL46ExnuLbIKojLhDBnG/wHVunB0rJxGh1vPvwD75O1nSIdxuNlVcGwws+\n7wsOyPA1s0VWzrMN1olLMyIPFCwPvfCm1E8Dje1AXMpmyDlqjEoQsoMUH//GKF0S\nTgM=\n-----END + CERTIFICATE-----\n-----BEGIN + 
CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\nWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\nR5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\nsxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\nNHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\nZ3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\nAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\nAf8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\nFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\nAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\nOi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\ngt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\nPTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\nikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\nCkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\nlJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\navAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\nyJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\nyK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\nhCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\nHlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END + CERTIFICATE-----\n-----BEGIN + 
CERTIFICATE-----\nMIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\nov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\nwYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\nLtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\nbHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\nsR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\nXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\nFQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\nSLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\nPRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\nTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\nSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\nc3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\nATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\nb3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\nU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\nMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\nWCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\nhe8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\nDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n-----END + CERTIFICATE-----" + privateKey: + description: Certificate private key + 
type: string + example: >- + "-----BEGIN PRIVATE + KEY-----\nMIIEvgIBADANBgkqhkiG9w0AAQEFAASCBKgwghSkAgEAAoIBAQC5cyk6y63iBJSW\nstgsOBqIxfO8euPHcRnyWsL9dsvnbNyOnyvcqFWxdiW3sh2cItzYtoN1Zfgj5lWG\nOVXbHxP0VaNG9fHVX3+NHP6LFHQz92BzAYQmpqi9zaP/aKJklk6LdPFbVLGhuZfm\n34+ijW9YsgLTKR2WTaZJK5QtamVVmP+VsSCla2ifFzjz2FCkMMEc/Y0zUyP+en/m\nbL71K+VnpZdlEC1s38EvjRTFKFZTKVw5wpWgCZQq/AZYj9RxR23IIuRcUJ8TQ2py\noc3kIXPWjiIarSgBlA8G9kCsxgzXP2RyLwKrIBIo+qyHweifpPYW28ipdSbPjiyp\nAMdpbGLDAgMBAAECggEAUXVfT91z6IqghhKwO8QtC5T/+fN06B8rCYSKj/FFoZL0\n0oTiLFuYwImoCadoUDQUE/Efj0rKE2LSgFHg/44IItQXE01m+5WmHmL1ADxsyoLH\nz9yDosKj7jNM7RyV8F8Bg0pL1hU+rU4rhhL/MaS0mx4eFYjC4UmcWBmXTdelSVJa\nkvXvQLT5y86bqh7tqMjM/kALTWRz5CgNJFk/ONA1yo5RTX9S7SIXimBgAvuGqP8i\nMPEhJou7U3DfzXVfvP8byqNdsZs6ZNhG3wXspl61mRyrY+51SOaNLA7Bkji7x4bH\nNw6mJI0IJTAP9oc1Z8fYeMuxT1bfuD7VOupSP0mAMQKBgQDk+KuyQkmPymeP/Wwu\nII4DUpleVzxTK9obMQQoCEEElbQ6+jTb+8ixP0bWLvBXg/rX734j7OWfn/bljWLH\nXLrSoqQZF1+XMVeY4g4wx9UuTK/D2n791zdOgQivxbIPdWL3a4ap86ar8uyMgJu8\nBLXfFBAOc+9myqUkbeO7wt0e6QKBgQDPV04jPtIJoMrggpQDNreGrANKOmsXWxj4\nOHW13QNdJ2KGQpoTdoqQ8ZmlxuA8Bf2RjHsnB2kgGVTVQR74zRib4MByhvsdhvVm\nF2LNsJoIDfqtv3c+oj13VonRUGuzUeJpwT/snyaL+jQ/ZZcYz0jDgDhIODTcFYj8\nDMSD5SHgywKBgHH6MwWuJ44TNBAiF2qyu959jGjAxf+k0ZI9iRMgYLUWjDvbdtqW\ncCWDGRDfFraJtSEuTz003GzkJPPJuIUC7OCTI1p2HxhU8ITi6itwHfdJJyk4J4TW\nT+qdIqTUpTk6tsPw23zYE3x+lS+viVZDhgEArKl1HpOthh0nMnixnH6ZAoGBAKGn\nV+xy1h9bldFk/TFkP8Jn6ki9MzGKfPVKT7vzDORcCJzU4Hu8OFy5gSmW3Mzvfrsz\n4/CR/oxgM5vwoc0pWr5thJ3GT5K93iYypX3o6q7M91zvonDa3UFl3x2qrc2pUfVS\nDhzWGJ+Z+5JSCnP1aK3EEh18dPoCcELTUYPj6X3xAoGBALAllTb3RCIaqIqk+s3Y\n6KDzikgwGM6j9lmOI2MH4XmCVym4Z40YGK5nxulDh2Ihn/n9zm13Z7ul2DJwgQSO\n0zBc7/CMOsMEBaNXuKL8Qj4enJXMtub4waQ/ywqHIdc50YaPI5Ax8dD/10h9M6Qc\nnUFLNE8pXSnsqb0eOL74f3uQ\n-----END + PRIVATE KEY-----" + type: + $ref: '#/components/schemas/DomainCertificateType' + required: + - certificate + - certificateChain + - privateKey + - type + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: 
'#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + DomainCertificateSourceType: + description: >- + Certificate source type that indicates whether the certificate is + provided by the user or Okta. + type: string + enum: + - MANUAL + - OKTA_MANAGED + DNSRecord: + description: DNS TXT and CNAME records to be registered for the Domain + type: object + properties: + expiration: + description: DNS TXT record expiration + type: string + fqdn: + description: DNS record name + type: string + example: _oktaverification.login.example.com + recordType: + $ref: '#/components/schemas/DNSRecordType' + values: + description: DNS record value + type: array + items: + type: string + example: + - 79496f234c814638b1cc44f51a782781 + DomainCertificateMetadata: + description: Certificate metadata for the domain + type: object + properties: + expiration: + description: Certificate expiration + type: string + example: '2021-05-11T05:13:05.000Z' + fingerprint: + description: Certificate fingerprint + type: string + example: >- + 73:68:82:7B:83:2E:48:29:A5:5E:E8:40:41:80:B3:AA:03:C4:42:43:05:73:45:BC:AA:47:00:23:A3:70:E5:C4 + subject: + description: Certificate subject + type: string + example: CN=login.example.com + DomainValidationStatus: + description: Status of the domain + example: VERIFIED + type: string + enum: + - COMPLETED + - IN_PROGRESS + - NOT_STARTED + - VERIFIED + DomainLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + brand: + allOf: + - $ref: 
'#/components/schemas/HrefObject' + - description: The associated brand + certificate: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The certificate link references the domain certificate + verify: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + The verify link verifies the domain and transitions the + domain status to `VERIFIED` + DomainCertificateType: + description: Certificate type + type: string + enum: + - PEM + ErrorCause: + type: object + properties: + errorSummary: + type: string + DNSRecordType: + example: TXT + type: string + enum: + - CNAME + - TXT + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathDomainId: + name: domainId + description: '`id` of the Domain' + in: path + required: true + schema: + type: string + example: OmWNeywfTzElSLOBMZsL + examples: + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + custom_domains: + id: okta.domains.custom_domains + name: custom_domains + title: Custom Domains + methods: + list_custom_domains: + operation: + $ref: '#/paths/~1api~1v1~1domains/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_custom_domain: + operation: + $ref: '#/paths/~1api~1v1~1domains/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_custom_domain: + operation: + $ref: '#/paths/~1api~1v1~1domains~1{domainId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_custom_domain: + operation: + $ref: '#/paths/~1api~1v1~1domains~1{domainId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_custom_domain: + operation: + $ref: '#/paths/~1api~1v1~1domains~1{domainId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + upsert_certificate: + operation: + $ref: '#/paths/~1api~1v1~1domains~1{domainId}~1certificate/put' + response: + mediaType: '' + openAPIDocKey: '204' + verify_domain: + operation: + $ref: '#/paths/~1api~1v1~1domains~1{domainId}~1verify/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/custom_domains/methods/list_custom_domains + - $ref: >- + #/components/x-stackQL-resources/custom_domains/methods/get_custom_domain + insert: + - $ref: >- + #/components/x-stackQL-resources/custom_domains/methods/create_custom_domain + update: [] + delete: + - 
$ref: >- + #/components/x-stackQL-resources/custom_domains/methods/delete_custom_domain + replace: + - $ref: >- + #/components/x-stackQL-resources/custom_domains/methods/replace_custom_domain +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/email_domains.yaml b/providers/src/okta/v00.00.00000/services/email_domains.yaml new file mode 100644 index 00000000..e07034d7 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/email_domains.yaml 
@@ -0,0 +1,670 @@ +openapi: 3.0.3 +info: + title: email_domains API + description: okta email_domains API + version: 5.1.0 +paths: + /api/v1/email-domains: + get: + summary: List all email domains + description: Lists all the Email Domains in your org + operationId: listEmailDomains + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/EmailDomainResponseWithEmbedded' + examples: + List email domain response: + $ref: '#/components/examples/EmailDomainResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailDomains.read + tags: + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an email domain + description: Creates an Email Domain in your org + operationId: createEmailDomain + x-codegen-request-body-name: emailDomain + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EmailDomain' + examples: + Create email domain request: + $ref: '#/components/examples/CreateEmailDomainRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EmailDomainResponse' + examples: + Create email domain response: + $ref: '#/components/examples/EmailDomainResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Conflict + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Email domain already exists: + $ref: '#/components/examples/ErrorEmailDomainAlreadyExists' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - 
okta.emailDomains.manage + tags: + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/queryExpandEmailDomain' + /api/v1/email-domains/{emailDomainId}: + get: + summary: Retrieve an email domain + description: Retrieves an Email Domain by `emailDomainId` + operationId: getEmailDomain + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EmailDomainResponseWithEmbedded' + examples: + Retrieve email domain response: + $ref: '#/components/examples/EmailDomainResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailDomains.read + tags: + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an email domain + description: Replaces associated username and sender display name by `emailDomainId` + operationId: replaceEmailDomain + x-codegen-request-body-name: updateEmailDomain + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateEmailDomain' + examples: + Update email domain request: + $ref: '#/components/examples/UpdateEmailDomainRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EmailDomainResponse' + examples: + Update email domain response: + $ref: '#/components/examples/UpdatedEmailDomainResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailDomains.manage + tags: + - EmailDomain + 
x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an email domain + description: Deletes an Email Domain by `emailDomainId` + operationId: deleteEmailDomain + responses: + '204': + description: No Content + content: {} + '400': + description: >- + Unable to delete custom email domain due to mail provider specific + restrictions + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Email domain in use: + $ref: '#/components/examples/ErrorEmailDomainInUse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailDomains.manage + tags: + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathEmailDomainId' + - $ref: '#/components/parameters/queryExpandEmailDomain' + /api/v1/email-domains/{emailDomainId}/verify: + post: + summary: Verify an email domain + description: Verifies an Email Domain by `emailDomainId` + operationId: verifyEmailDomain + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EmailDomainResponse' + examples: + Verified email domain response: + $ref: '#/components/examples/VerifiedEmailDomainResponse' + '400': + description: Email domain could not be verified by mail provider + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Email domain could not be verified: + $ref: '#/components/examples/ErrorEmailDomainNotVerified' + Email domain invalid status: + $ref: '#/components/examples/ErrorEmailDomainInvalidStatus' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + 
security: + - apiToken: [] + - oauth2: + - okta.emailDomains.manage + tags: + - EmailDomain + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathEmailDomainId' +components: + schemas: + EmailDomainResponseWithEmbedded: + allOf: + - $ref: '#/components/schemas/EmailDomainResponse' + type: object + properties: + _embedded: + type: object + properties: + brands: + type: array + items: + $ref: '#/components/schemas/Brand' + readOnly: true + EmailDomain: + allOf: + - $ref: '#/components/schemas/BaseEmailDomain' + type: object + properties: + brandId: + type: string + domain: + type: string + validationSubdomain: + type: string + description: >- + Subdomain for the email sender's custom mail domain. Specify your + subdomain when you configure a custom mail domain. + default: mail + required: + - domain + - brandId + EmailDomainResponse: + allOf: + - $ref: '#/components/schemas/BaseEmailDomain' + type: object + properties: + dnsValidationRecords: + type: array + items: + $ref: '#/components/schemas/EmailDomainDNSRecord' + domain: + type: string + id: + type: string + validationStatus: + $ref: '#/components/schemas/EmailDomainStatus' + validationSubdomain: + type: string + description: The subdomain for the email sender's custom mail domain + default: mail + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ UpdateEmailDomain: + allOf: + - $ref: '#/components/schemas/BaseEmailDomain' + Brand: + type: object + properties: + agreeToCustomPrivacyPolicy: + type: boolean + description: >- + Consent for updating the custom privacy URL. Not required when + resetting the URL. + customPrivacyPolicyUrl: + type: string + description: Custom privacy policy URL + default: null + defaultApp: + $ref: '#/components/schemas/DefaultApp' + emailDomainId: + type: string + description: The ID of the email domain + id: + readOnly: true + type: string + description: The Brand ID + isDefault: + readOnly: true + type: boolean + description: If `true`, the Brand is used for the Okta subdomain + locale: + $ref: '#/components/schemas/Language' + name: + type: string + description: The name of the Brand + removePoweredByOkta: + type: boolean + default: false + description: >- + Removes "Powered by Okta" from the sign-in page in redirect + authentication deployments, and "© [current year] Okta, Inc." from + the Okta End-User Dashboard + BaseEmailDomain: + type: object + properties: + displayName: + type: string + userName: + type: string + required: + - displayName + - userName + EmailDomainDNSRecord: + type: object + properties: + fqdn: + type: string + recordType: + $ref: '#/components/schemas/EmailDomainDNSRecordType' + verificationValue: + type: string + EmailDomainStatus: + type: string + enum: + - DELETED + - ERROR + - NOT_STARTED + - POLLING + - VERIFIED + ErrorCause: + type: object + properties: + errorSummary: + type: string + DefaultApp: + type: object + properties: + appInstanceId: + type: string + description: ID for the App instance + appLinkName: + type: string + description: Name for the app instance + classicApplicationUri: + type: string + description: Application URI for classic Orgs + Language: + description: >- + The language specified as an [IETF BCP 47 language + tag](https://datatracker.ietf.org/doc/html/rfc5646) + type: string + EmailDomainDNSRecordType: + type: string + 
enum: + - CNAME + - TXT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + queryExpandEmailDomain: + name: expand + in: query + style: form + explode: false + required: false + schema: + type: array + items: + type: string + enum: + - brands + description: Specifies additional metadata to be included in the response + pathEmailDomainId: + name: emailDomainId + in: path + required: true + schema: + type: string + description: The ID of the email domain. 
+ examples: + EmailDomainResponse: + value: + id: OeD114iNkrcN6aR680g4 + validationStatus: NOT_STARTED + displayName: Admin + userName: admin + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + CreateEmailDomainRequest: + value: + displayName: Admin + userName: admin + domain: example.com + brandId: bnd100iSrkcN6aR680g1 + validationSubdomain: mail + ErrorEmailDomainAlreadyExists: + value: + errorCode: E0000197 + errorSummary: Email domain already exists. + errorLink: E0000197 + errorId: oaeEdRqprFuTyKokyYPbURJkA + errorCauses: [] + UpdateEmailDomainRequest: + value: + displayName: IT Admin + userName: noreply + UpdatedEmailDomainResponse: + value: + id: OeD114iNkrcN6aR680g4 + validationStatus: NOT_STARTED + displayName: IT Admin + userName: noreply + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + ErrorEmailDomainInUse: + value: + errorCode: E0000216 + errorSummary: Email domain can't be deleted due to mail provider restrictions. 
+ errorLink: E0000216 + errorId: oaeEdRqprFuTyKokyYPbURJkB + errorCauses: [] + VerifiedEmailDomainResponse: + value: + id: OeD114iNkrcN6aR680g4 + validationStatus: VERIFIED + displayName: IT Admin + userName: noreply + domain: example.com + validationSubdomain: mail + dnsValidationRecords: + - recordType: TXT + fqdn: _oktaverification.example.com + verificationValue: 759080212bda43e3bc825a7d73b4bb64 + - recordType: CNAME + fqdn: mail.example.com + verificationValue: u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t02._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + - recordType: CNAME + fqdn: t022._domainkey.example.com + verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net + ErrorEmailDomainNotVerified: + value: + errorCode: E0000218 + errorSummary: Email domain couldn't be verified by mail provider. + errorLink: E0000218 + errorId: oaeEdRqprFuTyKokyYPbURJkC + errorCauses: [] + ErrorEmailDomainInvalidStatus: + value: + errorCode: E0000217 + errorSummary: Invalid status. Can't validate email domain with current status. + errorLink: E0000217 + errorId: oaeEdRqprFuTyKokyYPbURJkD + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + email_domains: + id: okta.email_domains.email_domains + name: email_domains + title: Email Domains + methods: + list_email_domains: + operation: + $ref: '#/paths/~1api~1v1~1email-domains/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_email_domain: + operation: + $ref: '#/paths/~1api~1v1~1email-domains/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_email_domain: + operation: + $ref: '#/paths/~1api~1v1~1email-domains~1{emailDomainId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_email_domain: + operation: + $ref: '#/paths/~1api~1v1~1email-domains~1{emailDomainId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_email_domain: + operation: + $ref: '#/paths/~1api~1v1~1email-domains~1{emailDomainId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + verify_email_domain: + operation: + $ref: '#/paths/~1api~1v1~1email-domains~1{emailDomainId}~1verify/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/email_domains/methods/list_email_domains + - $ref: >- + #/components/x-stackQL-resources/email_domains/methods/get_email_domain + insert: + - $ref: >- + #/components/x-stackQL-resources/email_domains/methods/create_email_domain + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/email_domains/methods/delete_email_domain + replace: + - 
$ref: >- + #/components/x-stackQL-resources/email_domains/methods/replace_email_domain +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/email_servers.yaml b/providers/src/okta/v00.00.00000/services/email_servers.yaml new file mode 100644 index 00000000..9a8402ce --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/email_servers.yaml 
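Review bot: Every operation in this new file lists `apiToken` and `oauth2` under `security`, but `components` declares only `schemas`, `responses`, `parameters`, `examples` and `x-stackQL-resources`, so neither name resolves to a `securitySchemes` entry. OpenAPI 3.0 requires each security requirement name to match a declared scheme, so validators will flag the document. A reader also cannot tell from the file how the token is sent or where the `okta.emailDomains.read` and `okta.emailDomains.manage` scopes are defined. Either declare both schemes under `components` as sketched below, or drop the per-operation `security` lists if authentication is configured only at the provider level, which this hunk does not show. The same gap appears in the `email_servers.yaml` hunk that follows.

```yaml
components:
  # … unchanged: schemas, responses, parameters, examples, x-stackQL-resources …
  securitySchemes:
    apiToken:
      type: apiKey
      in: header
      name: Authorization
      description: 'Okta API token, sent as "Authorization: SSWS <token>"'
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          # endpoint paths to be confirmed against the upstream Okta spec
          authorizationUrl: /oauth2/v1/authorize
          tokenUrl: /oauth2/v1/token
          scopes:
            okta.emailDomains.read: Read email domains
            okta.emailDomains.manage: Manage email domains
```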
@@ -0,0 +1,435 @@ +openapi: 3.0.3 +info: + title: email_servers API + description: okta email_servers API + version: 5.1.0 +paths: + /api/v1/email-servers: + get: + summary: List all enrolled SMTP servers + description: Lists all the enrolled custom SMTP server configurations + operationId: listEmailServers + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.read + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a custom SMTP server + description: Creates a custom email SMTP server configuration for your org + operationId: createEmailServer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerPost' + responses: + '201': + description: Successfully enrolled server credentials + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.manage + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/email-servers/{emailServerId}: + get: + summary: Retrieve an SMTP server configuration + description: Retrieves the specified custom SMTP server configuration + operationId: getEmailServer + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + 
$ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.read + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + patch: + summary: Update an SMTP server configuration + description: Updates the specified custom SMTP server configuration + operationId: updateEmailServer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerRequest' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EmailServerResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.manage + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete an SMTP server configuration + description: Deletes the specified custom SMTP server configuration + operationId: deleteEmailServer + responses: + '204': + description: No content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.manage + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathEmailServerId' + /api/v1/email-servers/{emailServerId}/test: + post: + summary: Test an SMTP server configuration + description: Tests the specified custom SMTP Server 
configuration + operationId: testEmailServer + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EmailTestAddresses' + responses: + '204': + description: No content + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.emailServers.manage + tags: + - EmailServer + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathEmailServerId' +components: + schemas: + EmailServerListResponse: + type: object + properties: + email-servers: + type: array + items: + $ref: '#/components/schemas/EmailServerResponse' + EmailServerPost: + allOf: + - $ref: '#/components/schemas/EmailServerRequest' + - required: + - host + - port + - username + - password + - alias + EmailServerResponse: + allOf: + - $ref: '#/components/schemas/BaseEmailServer' + - properties: + id: + type: string + description: ID of your SMTP server + type: object + EmailServerRequest: + allOf: + - $ref: '#/components/schemas/BaseEmailServer' + - properties: + password: + type: string + description: Password used to access your SMTP server + type: object + EmailTestAddresses: + type: object + properties: + from: + type: string + description: Email address that sends test emails + example: sender@host.com + to: + type: string + description: Email address that receives test emails + example: receiver@host.com + required: + - from + - to + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. 
This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + BaseEmailServer: + type: object + properties: + alias: + type: string + description: Human-readable name for your SMTP server + example: CustomServer1 + enabled: + type: boolean + description: If `true`, routes all email traffic through your SMTP server + host: + type: string + description: Hostname or IP address of your SMTP server + example: 192.168.160.1 + port: + type: integer + description: Port number of your SMTP server + example: 587 + username: + type: string + description: Username used to access your SMTP server + example: aUser + ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathEmailServerId: + name: emailServerId + in: path + required: true + schema: + type: string + description: ID of your SMTP Server configuration 
+ examples: + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + email_servers: + id: okta.email_servers.email_servers + name: email_servers + title: Email Servers + methods: + list_email_servers: + operation: + $ref: '#/paths/~1api~1v1~1email-servers/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_email_server: + operation: + $ref: '#/paths/~1api~1v1~1email-servers/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_email_server: + operation: + $ref: '#/paths/~1api~1v1~1email-servers~1{emailServerId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_email_server: + operation: + $ref: '#/paths/~1api~1v1~1email-servers~1{emailServerId}/patch' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_email_server: + operation: + $ref: '#/paths/~1api~1v1~1email-servers~1{emailServerId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + test_email_server: + operation: + $ref: '#/paths/~1api~1v1~1email-servers~1{emailServerId}~1test/post' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + 
#/components/x-stackQL-resources/email_servers/methods/list_email_servers + - $ref: >- + #/components/x-stackQL-resources/email_servers/methods/get_email_server + insert: + - $ref: >- + #/components/x-stackQL-resources/email_servers/methods/create_email_server + update: + - $ref: >- + #/components/x-stackQL-resources/email_servers/methods/update_email_server + delete: + - $ref: >- + #/components/x-stackQL-resources/email_servers/methods/delete_email_server + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/eventhooks.yaml b/providers/src/okta/v00.00.00000/services/eventhooks.yaml new file mode 100644 index 00000000..f459fdd5 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/eventhooks.yaml 
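Review bot: `EmailServerRequest.password` is declared as a plain `type: string`, so nothing marks the SMTP credential as sensitive or request-only. Add `format: password` and `writeOnly: true` under it so that generated clients, documentation renderers and logging layers mask the value and never expect it in a response. `EmailServerResponse` is built from `BaseEmailServer` and already omits the field; `writeOnly` would make that intent explicit. Separately, `getEmailServer` returns `EmailServerListResponse` for a single-server lookup, which looks like it should be `EmailServerResponse`. Confirm that against the upstream spec, since `get_email_server` is exposed under `select`.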
@@ -0,0 +1,1096 @@ +openapi: 3.0.3 +info: + title: eventhooks API + description: okta eventhooks API + version: 5.1.0 +paths: + /api/v1/eventHooks: + get: + summary: List all event hooks + description: Lists all event hooks + operationId: listEventHooks + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/EventHook' + examples: + RetrieveAllEventHooks: + $ref: '#/components/examples/RetrieveAllEventHooks' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.eventHooks.read + tags: + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an event hook + description: >- + Creates a new event hook for your organization in `ACTIVE` status. You + pass an event hook object in the JSON payload + + of your request. That object represents the set of required information + about the event hook you're registering, including: + * The URI of your external service + * The [events](https://developer.okta.com/docs/reference/api/event-types/) in Okta you want to subscribe to + * An optional event hook filter that can reduce the number of event hook calls. This is a self-service Early Access (EA) feature. + See [Create an event hook filter](https://developer.okta.com/docs/concepts/event-hooks/#create-an-event-hook-filter). + + Additionally, you can specify a secret API key for Okta to pass to your external service endpoint for security verification. Note that the API key you set here is unrelated to the Okta API token + you must supply when making calls to Okta APIs. Optionally, you can + specify extra headers that Okta passes to your external + + service with each call. + + Your external service must use a valid HTTPS endpoint. 
+ operationId: createEventHook + x-codegen-request-body-name: eventHook + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + CreateAnEventHook: + $ref: '#/components/examples/CreateAnEventHook' + CreateAnEventHookWithFilter: + $ref: '#/components/examples/CreateAnEventHookWithFilter' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + CreateAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' + CreateAnEventHookWithFilter: + $ref: '#/components/examples/RetrieveAnEventHookWithFilter' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.eventHooks.manage + tags: + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/eventHooks/{eventHookId}: + get: + summary: Retrieve an event hook + description: Retrieves an event hook + operationId: getEventHook + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + RetrieveAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.eventHooks.read + tags: + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an event hook + description: >- + Replaces an event hook. Okta validates the new properties before + replacing the existing values. + + Some event hook properties are immutable and can't be updated. 
Refer to + the parameter description in the request body schema. + + + >**Note:** Updating the `channel` property requires you to verify the + hook again. + operationId: replaceEventHook + x-codegen-request-body-name: eventHook + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + ReplaceAnEventHook: + $ref: '#/components/examples/ReplaceAnEventHookWithFilter' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + ReplaceAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHookWithFilter' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.eventHooks.manage + tags: + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an event hook + description: >- + Deletes the event hook that matches the provided `id`. After deletion, + the event hook is unrecoverable. + + As a safety precaution, you can only delete event hooks with a status of + `INACTIVE`. 
+ operationId: deleteEventHook + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.eventHooks.manage + tags: + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathEventHookId' + /api/v1/eventHooks/{eventHookId}/lifecycle/activate: + post: + summary: Activate an event hook + description: Activates the event hook that matches the provided `id` + operationId: activateEventHook + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + ActivateAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.eventHooks.manage + tags: + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathEventHookId' + /api/v1/eventHooks/{eventHookId}/lifecycle/deactivate: + post: + summary: Deactivate an event hook + description: Deactivates the event hook that matches the provided `id` + operationId: deactivateEventHook + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + DeactivateAnEventHook: + $ref: '#/components/examples/RetrieveADeactivatedEventHook' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: 
[] + - oauth2: + - okta.eventHooks.manage + tags: + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathEventHookId' + /api/v1/eventHooks/{eventHookId}/lifecycle/verify: + post: + summary: Verify an event hook + description: >- + Verifies that the event hook matches the provided `eventHookId`. To + verify ownership, your endpoint must send information back to Okta in + JSON format. See [Event + hooks](https://developer.okta.com/docs/concepts/event-hooks/#one-time-verification-request). + + + Only `ACTIVE` and `VERIFIED` event hooks can receive events from Okta. + + + If a response is not received within 3 seconds, the outbound request + times out. One retry is attempted after a timeout or error response. + + If a successful response still isn't received, this operation returns a + 400 error with more information about the failure. + operationId: verifyEventHook + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EventHook' + examples: + VerifyAnEventHook: + $ref: '#/components/examples/RetrieveAnEventHook' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.eventHooks.manage + tags: + - EventHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathEventHookId' +components: + schemas: + EventHook: + type: object + properties: + channel: + $ref: '#/components/schemas/EventHookChannel' + created: + description: Timestamp of the event hook creation + type: string + format: date-time + readOnly: true + createdBy: + description: The ID of the user who created the event hook + type: string + readOnly: true + 
description: + description: Description of the event hook + type: string + nullable: true + events: + $ref: '#/components/schemas/EventSubscriptions' + id: + type: string + description: Unique key for the event hook + readOnly: true + lastUpdated: + description: Date of the last event hook update + type: string + format: date-time + readOnly: true + name: + description: Display name for the event hook + type: string + status: + description: Status of the event hook + type: string + enum: + - ACTIVE + - INACTIVE + readOnly: true + verificationStatus: + $ref: '#/components/schemas/EventHookVerificationStatus' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + deactivate: + $ref: '#/components/schemas/HrefObject' + verify: + $ref: '#/components/schemas/HrefObject' + type: object + required: + - name + - events + - channel + EventHookChannel: + type: object + properties: + config: + $ref: '#/components/schemas/EventHookChannelConfig' + type: + $ref: '#/components/schemas/EventHookChannelType' + version: + description: >- + Version of the channel. Currently the only supported version is + `1.0.0``. + type: string + required: + - type + - config + - version + EventSubscriptions: + type: object + properties: + filter: + $ref: '#/components/schemas/EventHookFilters' + items: + $ref: '#/components/schemas/EventHookSubscribedEventTypes' + type: + $ref: '#/components/schemas/EventSubscriptionType' + required: + - type + - items + EventHookVerificationStatus: + description: >- + Verification status of the event hook. `UNVERIFIED` event hooks won't + receive any events. + type: string + enum: + - UNVERIFIED + - VERIFIED + readOnly: true + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. 
This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + EventHookChannelConfig: + type: object + properties: + authScheme: + $ref: '#/components/schemas/EventHookChannelConfigAuthScheme' + headers: + description: >- + Optional list of key/value pairs for headers that can be sent with + the request to the external service. For example, + + `X-Other-Header` is an example of an optional header, with a value + of `my-header-value`, that you want Okta to pass to your + + external service. 
+ type: array + items: + $ref: '#/components/schemas/EventHookChannelConfigHeader' + method: + description: The method of the Okta event hook request + type: string + readOnly: true + uri: + description: >- + The external service endpoint called to execute the event hook + handler + type: string + required: + - uri + EventHookChannelType: + description: The channel type. Currently supports `HTTP`. + type: string + enum: + - HTTP + EventHookFilters: + nullable: true + description: >- + The optional filter defined on a specific event type + + + > **Note:** Event hook filters is a [self-service Early Access + (EA)](https://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) + to enable. + + If you want to disable this feature, it's recommended to first remove + all event filters. + type: object + properties: + eventFilterMap: + $ref: '#/components/schemas/EventHookFilterMap' + type: + type: string + description: The type of filter. Currently only supports `EXPRESSION_LANGUAGE` + readOnly: true + EventHookSubscribedEventTypes: + description: >- + The subscribed event types that trigger the event hook. When you + register an event hook + + you need to specify which events you want to subscribe to. To see the + list of event types + + currently eligible for use in event hooks, use the [Event Types + catalog](https://developer.okta.com/docs/reference/api/event-types/#catalog) + + and search with the parameter `event-hook-eligible`. + items: + type: string + type: array + EventSubscriptionType: + description: The events object type. Currently supports `EVENT_TYPE`. 
+ type: string + enum: + - EVENT_TYPE + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + ErrorCause: + type: object + properties: + errorSummary: + type: string + EventHookChannelConfigAuthScheme: + description: >- + The authentication scheme used for this request. + + + To use Basic Auth for authentication, set `type` to `HEADER`, + + `key` to `Authorization`, and `value` to the Base64-encoded string of + "username:password". Ensure that you include + + the scheme (including space) as part of the `value` parameter. For + example, `Basic YWRtaW46c3VwZXJzZWNyZXQ=`. + type: object + properties: + key: + description: The name for the authorization header + type: string + type: + $ref: '#/components/schemas/EventHookChannelConfigAuthSchemeType' + value: + description: >- + The header value. This secret key is passed to your external service + endpoint for security verification. + + This property is not returned in the response. + type: string + writeOnly: true + EventHookChannelConfigHeader: + nullable: true + type: object + properties: + key: + description: The optional field or header name + type: string + value: + description: The value for the key + type: string + EventHookFilterMap: + description: The object that maps the filter to the event type + items: + $ref: '#/components/schemas/EventHookFilterMapObject' + type: array + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + EventHookChannelConfigAuthSchemeType: + description: The authentication scheme type. Currently only supports `HEADER`. 
+ type: string + enum: + - HEADER + EventHookFilterMapObject: + type: object + properties: + condition: + $ref: '#/components/schemas/EventHookFilterMapObjectCondition' + event: + type: string + description: The filtered event type + EventHookFilterMapObjectCondition: + type: object + properties: + expression: + type: string + description: The Okta Expression language statement that filters the event type + version: + type: string + nullable: true + description: Internal field + readOnly: true + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathEventHookId: + name: eventHookId + description: '`id` of the Event Hook' + in: path + required: true + schema: + type: string + example: who8vt36qfNpCGz9H1e6 + examples: + RetrieveAllEventHooks: + summary: Retrieves all event hooks + value: + - id: who8tsqyrhCdmetzx135 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook Test + description: null + created: '2023-07-07T17:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T17:43:03.000Z' + events: + type: EVENT_TYPE + items: + - user.lifecycle.deactivate + - user.lifecycle.activate + filter: null + 
channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userDeactivate + headers: [] + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135 + verify: + href: >- + https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: >- + https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/deactivate + hints: + allow: + - POST + - id: who8vt36qfNpCGz9H1e6 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + version: null + expression: >- + event.target.?[type eq 'UserGroup'].size()>0 && + event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: [] + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: >- + https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: >- + https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + CreateAnEventHook: + summary: Create an event hook + value: + name: Event Hook Test + events: + type: EVENT_TYPE + items: + - group.user_membership.add + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + authScheme: + type: HEADER + 
key: Authorization + value: my-shared-secret + CreateAnEventHookWithFilter: + summary: Create an event hook with a filter + value: + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + expression: >- + event.target.?[type eq 'UserGroup'].size()>0 && + event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + RetrieveAnEventHook: + summary: Retrieve an event hook + value: + id: who8vt36qfNpCGz9H1e6 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook Test + description: null + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - key: X-Other-Header + value: my-header-value + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: >- + https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: >- + https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + RetrieveAnEventHookWithFilter: + summary: Retrieve an event hook + value: + id: who8vt36qfNpCGz9H1e6 + status: ACTIVE + verificationStatus: VERIFIED + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: 
'2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + version: null + expression: >- + event.target.?[type eq 'UserGroup'].size()>0 && + event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: >- + https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: >- + https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + ReplaceAnEventHookWithFilter: + summary: Replace an event hook + value: + name: Event Hook with Filter + description: An event hook using an Okta Expression Language filter + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: + type: EXPRESSION_LANGUAGE + eventFilterMap: + - event: group.user_membership.add + condition: + expression: >- + event.target.?[type eq 'UserGroup'].size()>0 && + event.target.?[displayName eq 'Sales'].size()>0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + RetrieveADeactivatedEventHook: + summary: Deactivated event hook + value: + id: who8vt36qfNpCGz9H1e6 + status: INACTIVE + verificationStatus: VERIFIED + name: Event Hook Test + description: null + created: '2023-07-07T13:41:56.000Z' + createdBy: 00u7xut94qEWYx5ss1e5 + lastUpdated: '2023-07-07T13:43:03.000Z' + events: + type: EVENT_TYPE + items: + - group.user_membership.add + filter: null + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example_external_service/userAdded + headers: + - 
key: X-Other-Header + value: my-header-value + method: POST + authScheme: + type: HEADER + key: authorization + _links: + self: + href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 + verify: + href: >- + https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify + hints: + allow: + - POST + deactivate: + href: >- + https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate + hints: + allow: + - POST + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + event_hooks: + id: okta.eventhooks.event_hooks + name: event_hooks + title: Event Hooks + methods: + list_event_hooks: + operation: + $ref: '#/paths/~1api~1v1~1eventHooks/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_event_hook: + operation: + $ref: '#/paths/~1api~1v1~1eventHooks/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_event_hook: + operation: + $ref: '#/paths/~1api~1v1~1eventHooks~1{eventHookId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_event_hook: + operation: + $ref: '#/paths/~1api~1v1~1eventHooks~1{eventHookId}/put' + response: + 
mediaType: application/json + openAPIDocKey: '200' + delete_event_hook: + operation: + $ref: '#/paths/~1api~1v1~1eventHooks~1{eventHookId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_event_hook: + operation: + $ref: >- + #/paths/~1api~1v1~1eventHooks~1{eventHookId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_event_hook: + operation: + $ref: >- + #/paths/~1api~1v1~1eventHooks~1{eventHookId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + verify_event_hook: + operation: + $ref: >- + #/paths/~1api~1v1~1eventHooks~1{eventHookId}~1lifecycle~1verify/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/event_hooks/methods/list_event_hooks + - $ref: >- + #/components/x-stackQL-resources/event_hooks/methods/get_event_hook + insert: + - $ref: >- + #/components/x-stackQL-resources/event_hooks/methods/create_event_hook + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/event_hooks/methods/delete_event_hook + replace: + - $ref: >- + #/components/x-stackQL-resources/event_hooks/methods/replace_event_hook +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/features.yaml b/providers/src/okta/v00.00.00000/services/features.yaml new file mode 100644 index 00000000..bbc810f2 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/features.yaml 
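Review bot: Every operation in eventhooks.yaml declares `security:` with `apiToken: []` and `oauth2` (scopes `okta.eventHooks.read` / `okta.eventHooks.manage`), but the file's `components` block defines only schemas, responses, parameters, examples and x-stackQL-resources, so both scheme names are dangling. OpenAPI 3.0 expects each security requirement name to match an entry under `components.securitySchemes`; without it, strict validators flag the document and a reader cannot tell from the spec how the credential is presented or which scopes separate read from manage access. I would declare the two schemes as sketched below, or, if the generator drops them on purpose because authentication is configured at provider level (not visible in this hunk), add a comment saying so. The email-servers and features hunks are only partly visible here but appear to follow the same pattern and are worth the same check. Separately, the `EventHookChannel.version` description has a stray second backtick after `1.0.0`.

```yaml
components:
  # … unchanged: schemas, responses, parameters, examples, x-stackQL-resources …
  securitySchemes:
    apiToken:
      type: apiKey
      in: header
      name: Authorization
      description: 'Okta API token, sent as `Authorization: SSWS {API Token}`'
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          # relative to the org URL given under `servers`
          authorizationUrl: /oauth2/v1/authorize
          tokenUrl: /oauth2/v1/token
          scopes:
            okta.eventHooks.read: Read event hooks
            okta.eventHooks.manage: Create, replace, delete and change the lifecycle of event hooks
```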
@@ -0,0 +1,668 @@ +openapi: 3.0.3 +info: + title: features API + description: okta features API + version: 5.1.0 +paths: + /api/v1/features: + get: + summary: List all features + description: Lists all self-service features for your org + operationId: listFeatures + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Feature' + examples: + FeaturesList: + summary: List all self-service features for your org + $ref: '#/components/examples/ListFeaturesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.features.read + tags: + - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/features/{featureId}: + get: + summary: Retrieve a feature + description: Retrieves a feature by ID + operationId: getFeature + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Feature' + examples: + FeaturesRetrieve: + summary: Retrieve a feature by ID + $ref: '#/components/examples/RetrieveFeaturesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.features.read + tags: + - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathFeatureId' + /api/v1/features/{featureId}/dependencies: + get: + summary: List all dependencies + description: >- + Lists all feature dependencies for a specified feature. + + + A feature's dependencies are the features that it requires to be enabled + in order for itself to be enabled. 
+ operationId: listFeatureDependencies + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Feature' + examples: + FeaturesDependenciesList: + summary: List all dependencies + $ref: '#/components/examples/ListFeatureDependenciesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.features.read + tags: + - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathFeatureId' + /api/v1/features/{featureId}/dependents: + get: + summary: List all dependents + description: >- + Lists all feature dependents for the specified feature. + + + A feature's dependents are the features that need to be disabled in + order for the feature itself to be disabled. + operationId: listFeatureDependents + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Feature' + examples: + FeaturesDependentsList: + summary: List all feature dependents for the specified feature + $ref: '#/components/examples/ListFeatureDependentsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.features.read + tags: + - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathFeatureId' + /api/v1/features/{featureId}/{lifecycle}: + post: + summary: Update a feature lifecycle + description: >- + Updates a feature's lifecycle status. Use this endpoint to enable or + disable a feature for your org. 
+ + + Use the `mode=force` parameter to override dependency restrictions for a + particular feature. Normally, you can't enable a feature if it has one + or more dependencies that aren't enabled. + + + When you use the `mode=force` parameter while enabling a feature, Okta + first tries to enable any disabled features that this feature may have + as dependencies. If you don't pass the `mode=force` parameter and the + feature has dependencies that need to be enabled before the feature is + enabled, a 400 error is returned. + + + When you use the `mode=force` parameter while disabling a feature, Okta + first tries to disable any enabled features that this feature may have + as dependents. If you don't pass the `mode=force` parameter and the + feature has dependents that need to be disabled before the feature is + disabled, a 400 error is returned. + + + The following chart shows the different state transitions for a feature. + + + ![State transitions of a + feature](/img/update-ssfeat-flowchart.png + '#width=500px;') + operationId: updateFeatureLifecycle + parameters: + - name: mode + in: query + description: >- + Indicates if you want to force enable or disable a feature. + Supported value is `force`. 
+ schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Feature' + examples: + FeaturesUpdate: + summary: Update the feature lifecycle status + $ref: '#/components/examples/UpdateFeatureLifecycleResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.features.manage + tags: + - Feature + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathFeatureId' + - $ref: '#/components/parameters/pathLifecycle' +components: + schemas: + Feature: + description: Specifies feature release cycle information + type: object + properties: + description: + type: string + description: Brief description of the feature and what it provides + id: + type: string + description: Unique identifier for this feature + readOnly: true + name: + type: string + description: Name of the feature + stage: + $ref: '#/components/schemas/FeatureStage' + status: + $ref: '#/components/schemas/EnabledStatus' + type: + $ref: '#/components/schemas/FeatureType' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + dependents: + description: Link to feature dependents + type: object + readOnly: true + properties: + href: + description: Link URI + type: string + readOnly: true + dependencies: + description: Link to feature dependencies + type: object + readOnly: true + properties: + href: + description: Link URI + type: string + readOnly: true + type: object + FeatureStage: + description: >- + Current release cycle stage of a feature + + + If a feature's stage value is `EA`, the state is `null` and not + returned. If the value is `BETA`, the state is `OPEN` or `CLOSED` + depending on whether the `BETA` feature is manageable. 
+ + + > **Note:** If a feature's stage is `OPEN BETA`, you can update it only + in Preview cells. If a feature's stage is `CLOSED BETA`, you can disable + it only in Preview cells. + type: object + properties: + state: + $ref: '#/components/schemas/FeatureStageState' + value: + $ref: '#/components/schemas/FeatureStageValue' + EnabledStatus: + description: Setting status + type: string + enum: + - DISABLED + - ENABLED + FeatureType: + description: Type of feature + type: string + enum: + - self-service + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ FeatureLifecycle: + example: ENABLE + type: string + enum: + - DISABLE + - ENABLE + FeatureStageState: + description: Indicates the release state of the feature + type: string + enum: + - CLOSED + - OPEN + FeatureStageValue: + description: Current release stage of the feature + type: string + enum: + - BETA + - EA + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathFeatureId: + name: featureId + description: '`id` of the feature' + in: path + required: true + schema: + type: string + example: R5HjqNn1pEqWGy48E9jg + pathLifecycle: + name: lifecycle + description: Whether to `ENABLE` or `DISABLE` the feature + in: path + required: true + schema: + $ref: '#/components/schemas/FeatureLifecycle' + examples: + ListFeaturesResponse: + summary: List all self-service features for your org + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: CLOSED + value: BETA + status: DISABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: >- + https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: >- + https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + RetrieveFeaturesResponse: + summary: Retrieve a feature by ID + value: + id: ftrZooGoT8b41iWRiQs7 + 
description: Example feature description + name: Example feature name + stage: + state: CLOSED + value: BETA + status: DISABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: >- + https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: >- + https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListFeatureDependenciesResponse: + summary: List all dependencies for a feature + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: OPEN + value: EA + status: ENABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: >- + https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: >- + https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ListFeatureDependentsResponse: + summary: List all feature dependents for the specified feature + value: + - id: ftrZooGoT8b41iWRiQs7 + description: Example feature description + name: Example feature name + stage: + state: OPEN + value: EA + status: ENABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: >- + https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: >- + https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + UpdateFeatureLifecycleResponse: + summary: Update the feature lifecycle status + value: + description: Example feature description + id: ftrZooGoT8b41iWRiQs7 + name: Example feature name + stage: + state: OPEN + value: BETA + status: DISABLED + type: self-service + _links: + self: + hints: + allow: + - POST + href: 
https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 + dependents: + href: >- + https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents + dependencies: + href: >- + https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + features: + id: okta.features.features + name: features + title: Features + methods: + list_features: + operation: + $ref: '#/paths/~1api~1v1~1features/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_feature: + operation: + $ref: '#/paths/~1api~1v1~1features~1{featureId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_feature_lifecycle: + operation: + $ref: '#/paths/~1api~1v1~1features~1{featureId}~1{lifecycle}/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/features/methods/list_features' + - $ref: '#/components/x-stackQL-resources/features/methods/get_feature' + insert: [] + update: [] + delete: [] + replace: [] + feature_dependencies: + id: okta.features.feature_dependencies + name: feature_dependencies + title: Feature Dependencies + methods: + list_feature_dependencies: + operation: + $ref: '#/paths/~1api~1v1~1features~1{featureId}~1dependencies/get' + response: + mediaType: 
application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/feature_dependencies/methods/list_feature_dependencies + insert: [] + update: [] + delete: [] + replace: [] + feature_dependents: + id: okta.features.feature_dependents + name: feature_dependents + title: Feature Dependents + methods: + list_feature_dependents: + operation: + $ref: '#/paths/~1api~1v1~1features~1{featureId}~1dependents/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/feature_dependents/methods/list_feature_dependents + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/first_party_app_settings.yaml b/providers/src/okta/v00.00.00000/services/first_party_app_settings.yaml new file mode 100644 index 00000000..fdd530e9 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/first_party_app_settings.yaml 
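Review bot: The `updateFeatureLifecycle` operation (`POST /api/v1/features/{featureId}/{lifecycle}`) documents a 400 error when `mode=force` is omitted and dependencies or dependents block the change, but its `responses` map declares only 200, 403, 404 and 429, and features.yaml has no 400 response component. The `mode` query parameter is also a free `type: string` although the description says the only supported value is `force`. Since `mode=force` cascades enable/disable to other features under the `okta.features.manage` scope, constraining it with an enum makes the override explicit to clients and validators. The sketch below adds both, reusing the response shape that first_party_app_settings.yaml in this same diff defines. The error code Okta returns for this case is not visible here, so the sketch attaches no example; if these files are generated from an upstream spec, the fix probably belongs in the generator input rather than here.

```yaml
# … unchanged: updateFeatureLifecycle summary and description …
      parameters:
        - name: mode
          in: query
          schema:
            type: string
            enum:
              - force
      responses:
        # … unchanged: '200' …
        '400':
          $ref: '#/components/responses/ErrorApiValidationFailed400'
        # … unchanged: '403', '404', '429' …
# … under components.responses, next to ErrorAccessDenied403 …
    ErrorApiValidationFailed400:
      description: Bad Request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
```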
@@ -0,0 +1,245 @@ +openapi: 3.0.3 +info: + title: first_party_app_settings API + description: okta first_party_app_settings API + version: 5.1.0 +paths: + /api/v1/first-party-app-settings/{appName}: + get: + summary: Retrieve the Okta application settings + description: >- + Retrieves the settings for an Okta app (also known as an Okta + first-party app) + operationId: getFirstPartyAppSettings + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + tags: + - OktaApplicationSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the Okta application settings + description: >- + Replaces the settings for an Okta app (also known as an Okta first-party + app) + operationId: replaceFirstPartyAppSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AdminConsoleSettings' + examples: + exampleSettings: + $ref: '#/components/examples/AdminConsoleSettingsExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + tags: + - OktaApplicationSettings + 
x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathFirstPartyAppName' +components: + schemas: + AdminConsoleSettings: + title: Okta Admin Console Settings + description: Settings specific to the Okta Admin Console + type: object + properties: + sessionIdleTimeoutMinutes: + description: >- + The maximum idle time before the Okta Admin Console session expires. + Must be no more than 12 hours. + type: integer + minimum: 5 + maximum: 720 + default: 15 + sessionMaxLifetimeMinutes: + description: >- + The absolute maximum session lifetime of the Okta Admin Console. + Must be no more than 7 days. + type: integer + minimum: 5 + maximum: 10080 + default: 720 + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + parameters: + pathFirstPartyAppName: + name: appName + description: | + The key name for the Okta app.
+ Supported apps: + * Okta Admin Console (`admin-console`) + in: path + required: true + schema: + type: string + example: admin-console + examples: + AdminConsoleSettingsExample: + summary: Default Okta Admin Console settings + value: + sessionMaxLifetimeMinutes: 720 + sessionIdleTimeoutMinutes: 15 + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + x-stackQL-resources: + first_party_app_settings: + id: okta.first_party_app_settings.first_party_app_settings + name: first_party_app_settings + title: First Party App Settings + methods: + get_first_party_app_settings: + operation: + $ref: '#/paths/~1api~1v1~1first-party-app-settings~1{appName}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_first_party_app_settings: + operation: + $ref: '#/paths/~1api~1v1~1first-party-app-settings~1{appName}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/first_party_app_settings/methods/get_first_party_app_settings + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/first_party_app_settings/methods/replace_first_party_app_settings +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. 
This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/groups.yaml b/providers/src/okta/v00.00.00000/services/groups.yaml new file mode 100644 index 00000000..a66eb4c3 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/groups.yaml 
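Review bot: The `put` operation on `/api/v1/first-party-app-settings/{appName}` inlines its `'403'` response with an example keyed `Access Denied`, while the `get` on the same path references the shared component, whose example key is `AccessDenied`. Using `$ref: '#/components/responses/ErrorAccessDenied403'` under `'403':` keeps the two operations consistent and avoids an example key containing a space. Separately, `pathFirstPartyAppName` is a free `type: string` although its description lists `admin-console` as the only supported app. Because this `put` is mapped to the `replace` SQL verb and can raise `sessionMaxLifetimeMinutes` to 10080, adding `enum: [admin-console]` to that schema would narrow what a client can address. This assumes the file is not meant to mirror an upstream spec byte for byte.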
@@ -0,0 +1,4196 @@ +openapi: 3.0.3 +info: + title: groups API + description: okta groups API + version: 5.1.0 +paths: + /api/v1/groups: + get: + summary: List all groups + description: >- + Lists all groups with pagination support. + + + > **Note:** To list all groups belonging to a member, use the [List all + groups endpoint in the User Resources + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserResources/#tag/UserResources/operation/listUserGroups). + + + The number of groups returned depends on the specified + [`limit`](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!in=query&path=limit&t=request), + if you have a search, filter, and/or query parameter set, and if that + parameter is not null. We recommend using a limit less than or equal to + 200. + + + A subset of groups can be returned that match a supported filter + expression, query, or search criteria. + + + > **Note:** Results from the filter or query parameter are driven from + an eventually consistent datasource. The synchronization lag is + typically less than one second. + operationId: listGroups + parameters: + - name: search + in: query + description: >- + Searches for groups with a supported + [filtering](https://developer.okta.com/docs/api/#filter) expression + for all properties except for `_embedded`, `_links`, and + `objectClass`. This operation supports + [pagination](https://developer.okta.com/docs/api/#pagination). + + + Using search requires [URL + encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding), + for example, `search=type eq "OKTA_GROUP"` is encoded as + `search=type+eq+%22OKTA_GROUP%22`. + + + This operation searches many properties: + + + * Any group profile attribute, including imported app group profile + attributes. + + * The top-level properties: `id`, `created`, + `lastMembershipUpdated`, `lastUpdated`, and `type`. 
+ + * The + [source](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links/source&t=response) + of groups with type of `APP_GROUP`, accessed as `source.id`. + + + You can also use the `sortBy` and `sortOrder` parameters. + + + Searches for groups can be filtered by the following operators: + `sw`, `eq`, and `co`. You can only use `co` with these select + profile attributes: `profile.name` and `profile.description`. See + [Operators](https://developer.okta.com/docs/api/#operators). + schema: + type: string + examples: + searchByType: + value: type%20eq%20%22APP_GROUP%22 + summary: Search by type + description: Search for groups that have a type of APP_GROUP + searchByLastMembershipUpdatedAfterDate: + value: lastMembershipUpdated%20gt%20%222014-01-01T00%3A00%3A00.000Z%22 + summary: Search by last updated membership timestamp + description: >- + Search for groups whose memberships were last updated after + 01/01/2024 + searchById: + value: id%20eq%20%2200gak46y5hydV6NdM0g4%22 + summary: Search by ID + description: Search for groups with the specified ID (00gak46y5hydV6NdM0g4) + searchByProfileName: + value: profile.name%20eq%20%22West%20Coast%20users%22 + summary: Search by name + description: >- + Search for groups that have a group profile name of West Coast + users + searchBySamAccountName: + value: profile.samAccountName%20sw%20%22West%20Coast%22 + summary: Search using an operator + description: >- + Search for groups whose samAccountName profile attribute starts + with "West Coast" + searchBySourceId: + value: source.id%20eq%20%220oa2v0el0gP90aqjJ0g7%22 + summary: Search by source ID + description: >- + Search for groups that have the source app with the specified + source ID (0oa2v0el0gP90aqjJ0g7) + searchByIdTypeAndCreationDate: + value: >- + type%20eq%20%22APP_GROUP%22%20and%20%28created%20lt%20%222014-01-01T00%3A00%3A00.000Z%22%20and%20source.id%20eq%20%220oa2v0el0gP90aqjJ0g7%22%29 
+ summary: Search with multiple criteria + description: >- + List groups of type APP_GROUP that were created before + 01/01/2014 and whose source app has the ID 0oa2v0el0gP90aqjJ0g7 + - name: filter + in: query + description: >- + Filter expression for groups. See + [Filter](https://developer.okta.com/docs/api/#filter). + + + > **Note:** All filters must be [URL + encoded](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). + For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is + encoded as + `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. + schema: + type: string + examples: + filterById: + value: id%20eq%20%2200g1emaKYZTWRYYRRTSK%22 + summary: Filter by ID + description: Filter group with a specific ID (00g1emaKYZTWRYYRRTSK) + filterByType: + value: type%20eq%20%22OKTA_GROUP%22 + summary: Filter by type + description: Filter groups that are of the type OKTA_GROUP + filterByTypeAndProfileLastUpdatedAfterDate: + value: >- + type%20eq%20%22OKTA_GROUP%22%20and%20lastUpdated%20gt%20%222016-11-11T00%3A00%3A00.000Z%22 + summary: Filter by type and last updated date + description: >- + Filter groups that are OKTA_GROUP type with profile updated + after 11/11/2016 + filterByTypeAndProfileOrMembershipUpdatedBeforeDate: + value: >- + type%20eq%20%22OKTA_GROUP%22%20and%20%28lastUpdated%20lt%20%222015-11-11T00%3A00%3A00.000Z%22%20or%20lastMembershipUpdated%20lt%20%222015-11-11T00%3A00%3A00.000Z%22%29 + summary: Filter by multiple criteria + description: >- + Filter groups that are OKTA_GROUP type, with profiles or + memberships updated before 11/11/2015 + - name: q + in: query + description: >- + Finds a group that matches the `name` property. + + > **Note:** Paging and searching are currently mutually exclusive. + You can't page a query. The default limit for a query is 300 + results. Query is intended for an auto-complete picker use case + where users refine their search string to constrain the results. 
+ schema: + type: string + example: West&limit=10 + - name: after + in: query + description: >- + Specifies the pagination cursor for the next page of groups. The + `after` cursor should be treated as an opaque value and obtained + through the next link relation. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: string + - name: limit + in: query + description: >- + Specifies the number of group results in a page. + + + Okta recommends using a specific value other than the default or + maximum. If your request times out, retry your request with a + smaller `limit` and [page the + results](https://developer.okta.com/docs/api/#pagination). + + + The Okta default `Everyone` group isn't returned for users with a + group admin role. + schema: + type: integer + format: int32 + maximum: 10000 + - name: expand + in: query + description: >- + If specified, additional metadata is included in the response. + Possible values are `stats` and `app`. This additional metadata is + listed in the + [`_embedded`](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/addGroup!c=200&path=_embedded&t=response) + property of the response. + + + > **Note:** You can use the `stats` value to return the number of + users within a group. This is listed as the + `_embedded.stats.usersCount` value in the response. See this + [Knowledge Base + article](https://support.okta.com/help/s/article/Is-there-an-API-that-returns-the-number-of-users-in-a-group?language=en_US) + for more information and an example. + schema: + type: string + - name: sortBy + in: query + description: >- + Specifies field to sort by **(for search queries only)**. `sortBy` + can be any single property, for example `sortBy=profile.name`. + schema: + type: string + example: lastUpdated + - name: sortOrder + in: query + description: >- + Specifies sort order: `asc` or `desc` (for search queries only). 
+ This parameter is ignored if `sortBy` isn't present. Groups with the + same value for the `sortBy` property are ordered by `id`'. + schema: + type: string + default: asc + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Group' + examples: + ListGroupExample: + $ref: '#/components/examples/list-groups-examples' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.read + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Add a group + description: >- + Adds a new group with the `OKTA_GROUP` type to your org. + + > **Note:** App import operations are responsible for syncing groups + with `APP_GROUP` type such as Active Directory groups. See + + [About groups](https://help.okta.com/okta_help.htm?id=Directory_Groups) + in the help documentation. 
+ operationId: addGroup + x-codegen-request-body-name: group + requestBody: + content: + application/json: + schema: + properties: + profile: + $ref: '#/components/schemas/OktaUserGroupProfile' + type: object + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/rules: + get: + summary: List all group rules + description: Lists all group rules for your org + operationId: listGroupRules + parameters: + - name: limit + in: query + description: Specifies the number of rule results in a page + schema: + type: integer + format: int32 + default: 50 + minimum: 1 + maximum: 200 + - name: after + in: query + description: Specifies the pagination cursor for the next page of rules + schema: + type: string + - name: search + in: query + description: Specifies the keyword to search rules for + schema: + type: string + - name: expand + in: query + description: If specified as `groupIdToGroupNameMap`, then displays group names + schema: + type: string + x-okta-added-version: 1.3.0 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/GroupRule' + examples: + ListGroupRulesExample: + $ref: '#/components/examples/list-group-rules-example' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.read + tags: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + 
isGenerallyAvailable: true + post: + summary: Create a group rule + description: >- + Creates a group rule to dynamically add users to the specified group if + they match the condition + + > **Note:** Group rules are created with the status set to `'INACTIVE'`. + operationId: createGroupRule + x-codegen-request-body-name: groupRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateGroupRuleRequest' + examples: + GroupRuleExample: + $ref: '#/components/examples/create-group-rule-request-example' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/groups/rules/{groupRuleId}: + get: + summary: Retrieve a group rule + description: Retrieves a specific group rule by ID from your org + operationId: getGroupRule + parameters: + - name: expand + in: query + description: If specified as `groupIdToGroupNameMap`, then show group names + schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.read + tags: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: 
+ summary: Replace a group rule + description: >- + Replaces a group rule + + > **Notes:** You can only update rules with a group whose status is set + to `'INACTIVE'`. + + > + + > You currently can't update the `action` section. + operationId: replaceGroupRule + x-codegen-request-body-name: groupRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GroupRule' + examples: + GroupRuleExample: + $ref: '#/components/examples/group-rule-example' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GroupRule' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a group rule + description: Deletes a specific group rule by `groupRuleId` + operationId: deleteGroupRule + parameters: + - name: removeUsers + in: query + description: If set to `true`, removes users from groups assigned by this rule + schema: + type: boolean + default: false + responses: + '202': + description: Accepted + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupRuleId' + /api/v1/groups/rules/{groupRuleId}/lifecycle/activate: + post: + summary: Activate a group rule + description: Activates a specific group rule by ID from your org + 
operationId: activateGroupRule + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupRuleId' + /api/v1/groups/rules/{groupRuleId}/lifecycle/deactivate: + post: + summary: Deactivate a group rule + description: Deactivates a specific group rule by ID from your org + operationId: deactivateGroupRule + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - GroupRule + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupRuleId' + /api/v1/groups/{groupId}: + get: + summary: Retrieve a group + description: Retrieves a specific group by `id` from your org + operationId: getGroup + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.read + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a group + description: >- + Replaces the profile for a group of `OKTA_GROUP` type from your org. 
+ + > **Note :** You only can modify profiles for groups of the `OKTA_GROUP` + type. + + > + + > App imports are responsible for updating profiles for groups of the + `APP_GROUP` type, such as Active Directory groups. + operationId: replaceGroup + x-codegen-request-body-name: group + requestBody: + content: + application/json: + schema: + properties: + profile: + $ref: '#/components/schemas/OktaUserGroupProfile' + type: object + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Group' + examples: + GroupExample: + $ref: '#/components/examples/group-example' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a group + description: >- + Deletes a group of the `OKTA_GROUP` or `APP_GROUP` type from your org. + + > **Note:** You can't remove groups of type `APP_GROUP` if they are used + in a group push mapping. + operationId: deleteGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + /api/v1/groups/{groupId}/apps: + get: + summary: List all assigned apps + description: >- + Lists all apps that are assigned to a group. 
See [Application Groups + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationGroups/). + operationId: listAssignedApplicationsForGroup + parameters: + - name: after + in: query + description: Specifies the pagination cursor for the next page of apps + schema: + type: string + - name: limit + in: query + description: Specifies the number of app results for a page + schema: + type: integer + format: int32 + default: 20 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Application' + examples: + ListAppsExample: + $ref: '#/components/examples/list-apps-example' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.read + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + /api/v1/groups/{groupId}/owners: + get: + summary: List all group owners + description: Lists all owners for a specific group + operationId: listGroupOwners + parameters: + - name: search + in: query + description: >- + SCIM filter expression for group owners. Allows you to filter owners + by type. 
+ schema: + type: string + - name: after + in: query + description: Specifies the pagination cursor for the next page of owners + schema: + type: string + - name: limit + in: query + description: Specifies the number of owner results in a page + schema: + type: integer + format: int32 + default: 1000 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/GroupOwner' + examples: + ListsOneOwnerOfaGroup: + $ref: '#/components/examples/ListsOwnerOneResponse' + ListsMultipleOwnersOfaGroup: + $ref: '#/components/examples/ListsOwnersMultipleResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.read + tags: + - GroupOwner + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Assign a group owner + description: Assigns a group owner + operationId: assignGroupOwner + parameters: + - $ref: '#/components/parameters/pathGroupId' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AssignGroupOwnerRequestBody' + examples: + AssignAGroupOwner: + $ref: '#/components/examples/AssignGroupOwnerRequest' + required: true + responses: + '201': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GroupOwner' + examples: + AssignAGroupOwner: + $ref: '#/components/examples/AssignGroupOwnerResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - GroupOwner + x-okta-lifecycle: + lifecycle: GA + 
isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + /api/v1/groups/{groupId}/owners/{ownerId}: + delete: + summary: Delete a group owner + description: Deletes a group owner from a specific group + operationId: deleteGroupOwner + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - GroupOwner + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathOwnerId' + /api/v1/groups/{groupId}/roles: + get: + summary: List all group role assignments + description: Lists all assigned roles of a group by `groupId` + operationId: listGroupAssignedRoles + parameters: + - $ref: '#/components/parameters/pathQueryRoleExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponseGroup' + Custom Roles: + $ref: '#/components/examples/CustomRolesListResponseGroup' + IAM-Based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponseGroup' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Assign a role to a group + description: >- + Assigns a [standard + 
role](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles) to a group. + + + You can also assign a custom role to a group, but the preferred method + to assign a custom role to a group is to create a binding between the + custom role, the resource set, and the group. See [Create a role + resource set + binding](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + + > **Notes:** + + > * The request payload is different for standard and custom role + assignments. + + > * For IAM-based standard role assignments, use the request payload for + standard roles. However, the response payload for IAM-based role + assignments is similar to the custom role's assignment response. + operationId: assignRoleToGroup + parameters: + - name: disableNotifications + in: query + description: Grants the group third-party admin status when set to `true` + schema: + type: boolean + default: false + x-codegen-request-body-name: assignRoleRequest + requestBody: + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: >- + #/components/examples/CreateStandardRoleAssignmentResponseGroup + Custom Roles: + $ref: '#/components/examples/CreateCustomRoleResponseGroup' + IAM-based Standard Roles: + $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup' + '201': + description: Success + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + /api/v1/groups/{groupId}/roles/{roleAssignmentId}: + get: + summary: Retrieve a group role assignment + description: >- + Retrieves a role assigned to a group (identified by the `groupId`). The + `roleAssignmentId` is the unique identifier for either a standard role + group assignment object or a custom role resource set binding object. + operationId: getGroupAssignedRole + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: >- + #/components/examples/CreateStandardRoleAssignmentResponseGroup + Custom Roles: + $ref: '#/components/examples/CreateCustomRoleResponseGroup' + IAM-based Standard Roles: + $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a group role + description: >- + Unassigns a role assignment (identified by `roleAssignmentId`) from a + group (identified by the `groupId`) + operationId: unassignRoleFromGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleAssignmentBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps: + get: + summary: List all group role app targets + description: >- + Lists all app targets for an `APP_ADMIN` role assignment to a group. The + response includes a list of OIN-cataloged apps or app instances. The + response payload for an app instance contains the `id` property, but an + OIN-cataloged app doesn't. + operationId: listApplicationTargetsForApplicationAdministratorRoleForGroup + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: + put: + summary: Assign a group role app target + description: >- + Assigns an OIN app target to an `APP_ADMIN` role assignment to a group. + When you assign the first OIN app target, you reduce the scope of the + role assignment. The role no longer applies to all app targets, but + applies only to the specified target. 
An OIN app target that's assigned + to the role overrides any existing instance targets of the OIN app. For + example, if a user is assigned to administer a specific Facebook + instance, a successful request to add an OIN app with `facebook` for + `appName` makes that user the administrator for all Facebook instances. + operationId: assignAppTargetToAdminRoleForGroup + responses: + '200': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a group role app target + description: > + Unassigns an OIN app target from an `APP_ADMIN` role assignment to a + group + + + > **Note:** You can't remove the last app target from a role assignment. + + > If you need a role assignment that applies to all apps, delete the + `APP_ADMIN` role assignment with the target and create another one. See + [Unassign a group + role](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup). 
+ operationId: unassignAppTargetToAdminRoleForGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: + put: + summary: Assign a group role app instance target + description: >- + Assigns an app instance target to an `APP_ADMIN` role assignment to a + group. When you assign the first OIN app or app instance target, you + reduce the scope of the role assignment. + + The role no longer applies to all app targets, but applies only to the + specified target. + + + > **Note:** You can target a mixture of both OIN app and app instance + targets, but you can't assign permissions to manage all instances of an + OIN app and then assign a subset of permissions to the same app. + + > For example, you can't specify that an admin has access to manage all + instances of the Salesforce app and then also manage specific + configurations of the Salesforce app. 
+ operationId: assignAppInstanceTargetToAppAdminRoleForGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a group role app instance target + description: >- + Unassigns an app instance target from an `APP_ADMIN` role assignment to + a group + + + > **Note:** You can't remove the last app instance target from a role + assignment. + + > If you need a role assignment that applies to all apps, delete the + `APP_ADMIN` role assignment with the target and create another one. See + [Unassign a group + role](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup). 
+ operationId: unassignAppInstanceTargetToAppAdminRoleForGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathAppId' + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups: + get: + summary: List all group role group targets + description: >- + Lists all group targets for a + [`USER_ADMIN`](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles), + `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to a + group. + + If the role isn't scoped to specific group targets, Okta returns an + empty array `[]`. 
+ operationId: listGroupTargetsForGroupRole + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Group' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups/{targetGroupId}: + put: + summary: Assign a group role group target + description: >- + Assigns a group target to a + [`USER_ADMIN`](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles), + `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to a + group. + + When you assign the first group target, you reduce the scope of the role + assignment. The role no longer applies to all targets but applies only + to the specified target. 
+ operationId: assignGroupTargetToGroupAdminRole + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a group role group target + description: >- + Unassigns a group target from a + [`USER_ADMIN`](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles), + `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to a + group. + operationId: unassignGroupTargetFromGroupAdminRole + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetBGroup + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathTargetGroupId' + /api/v1/groups/{groupId}/users: + get: + summary: List all member users + description: >- + Lists all users that are a member of a group. + + The default user limit is set to a very high number due to historical + reasons that are no longer valid for most orgs. This will change in a + future version of this API. The recommended page limit is now + `limit=200`. 
+ operationId: listGroupUsers + parameters: + - $ref: '#/components/parameters/queryAfter' + - name: limit + in: query + description: Specifies the number of user results in a page + schema: + type: integer + format: int32 + default: 1000 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/User' + examples: + ListMemberUserResponse: + $ref: '#/components/examples/ListUsersResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.read + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + /api/v1/groups/{groupId}/users/{userId}: + put: + summary: Assign a user to a group + description: >- + Assigns a user to a group with the `OKTA_GROUP` type. + + > **Note:** You only can modify memberships for groups of the + `OKTA_GROUP` type. App imports are responsible for managing group + memberships for groups of the `APP_GROUP` type, such as Active Directory + groups. + operationId: assignUserToGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a user from a group + description: >- + Unassigns a user from a group with the `OKTA_GROUP` type. + + > **Note:** You only can modify memberships for groups of the + `OKTA_GROUP` type. 
+ + > + + > App imports are responsible for managing group memberships for groups + of the `APP_GROUP` type, such as Active Directory groups. + operationId: unassignUserFromGroup + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.groups.manage + tags: + - Group + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathGroupId' + - $ref: '#/components/parameters/pathUserId' +components: + schemas: + Group: + type: object + properties: + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the group was created + id: + type: string + readOnly: true + example: 0gabcd1234 + description: Unique ID for the group + lastMembershipUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the groups memberships were last updated + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the group's profile was last updated + objectClass: + type: array + readOnly: true + description: Determines the group's `profile` + items: + type: string + profile: + $ref: '#/components/schemas/GroupProfile' + type: + $ref: '#/components/schemas/GroupType' + _embedded: + type: object + description: Embedded resources related to the group + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + description: >- + [Discoverable + resources](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links&t=response) + related to the group + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + apps: + $ref: '#/components/schemas/HrefObject' + logo: + type: array + 
items: + $ref: '#/components/schemas/HrefObject' + source: + $ref: '#/components/schemas/HrefObject' + users: + $ref: '#/components/schemas/HrefObject' + type: object + OktaUserGroupProfile: + description: >- + Profile for any group that is not imported from Active Directory. + Specifies the standard + + and custom profile properties for a group. + + + The `objectClass` for these groups is `okta:user_group`. + type: object + properties: + description: + type: string + example: All users West of The Rockies + description: Description of the group + name: + type: string + example: West Coast users + description: Name of the group + x-okta-extensible: true + GroupRule: + type: object + properties: + actions: + $ref: '#/components/schemas/GroupRuleAction' + conditions: + $ref: '#/components/schemas/GroupRuleConditions' + created: + type: string + format: date-time + readOnly: true + description: Creation date for group rule + id: + type: string + readOnly: true + description: ID of the group rule + lastUpdated: + type: string + format: date-time + readOnly: true + description: Date group rule was last updated + name: + type: string + description: Name of the group rule + minLength: 1 + maxLength: 50 + status: + $ref: '#/components/schemas/GroupRuleStatus' + type: + type: string + description: >- + Type to indicate a group rule operation. Only `group_rule` is + allowed. 
+ CreateGroupRuleRequest: + type: object + properties: + actions: + $ref: '#/components/schemas/GroupRuleAction' + conditions: + $ref: '#/components/schemas/GroupRuleConditions' + name: + type: string + description: Name of the group rule + minLength: 1 + maxLength: 50 + type: + type: string + enum: + - group_rule + Application: + type: object + properties: + accessibility: + $ref: '#/components/schemas/ApplicationAccessibility' + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the application object was created + features: + type: array + description: > + Enabled app features + + > **Note:** See [Application + Features](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationFeatures/) + for app provisioning features. + readOnly: true + items: + type: string + enum: + - GROUP_PUSH + - IMPORT_NEW_USERS + - IMPORT_PROFILE_UPDATES + - IMPORT_USER_SCHEMA + - PROFILE_MASTERING + - PUSH_NEW_USERS + - PUSH_PASSWORD_UPDATES + - PUSH_PROFILE_UPDATES + - PUSH_USER_DEACTIVATION + - REACTIVATE_USERS + - OUTBOUND_DEL_AUTH + - DESKTOP_SSO + - FEDERATED_PROFILE + - SUPPRESS_ACTIVATION_EMAIL + - PUSH_PENDING_USERS + - MFA + - UPDATE_EXISTING_USERNAME + - EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH + - EXCHANGE_ACTIVE_SYNC + - IMPORT_SYNC + - IMPORT_SYNC_CONTACTS + - DEVICE_COMPLIANCE + - VPN_CONFIG + - IMPORT_SCHEMA_ENUM_VALUES + - SCIM_PROVISIONING + - DEVICE_FILTER_IN_SIGN_ON_RULES + - PROFILE_TEMPLATE_UPGRADE + - DEFAULT_PUSH_STATUS_TO_PUSH + - REAL_TIME_SYNC + - SSO + - AUTHN_CONTEXT + - JIT_PROVISIONING + - GROUP_SYNC + - OPP_SCIM_INCREMENTAL_IMPORTS + - IN_MEMORY_APP_USER + - LOG_STREAMING + - OAUTH_INTEGRATION + - IDP + - PUSH_NEW_USERS_WITHOUT_PASSWORD + - SKYHOOK_SERVICE + - ENTITLEMENT_MANAGEMENT + - PUSH_NEW_USERS_WITH_HASHED_PASSWORD + x-enumDescriptions: + GROUP_PUSH: >- + Creates or links a group in the app when a mapping is defined + for a group in Okta. 
Okta is the source for group memberships + and all group members in Okta who are also assigned to the app + are synced as group members to the app. + IMPORT_NEW_USERS: Creates or links a user in Okta to a user from the app + IMPORT_PROFILE_UPDATES: >- + Updates a linked user's app profile during manual or scheduled + imports + IMPORT_USER_SCHEMA: >- + Discovers the profile schema for a user from the app + automatically + PROFILE_MASTERING: >- + Designates the app as the identity lifecycle and profile + attribute authority for linked users. The user's profile in Okta + is read-only. + PUSH_NEW_USERS: >- + Creates or links a user account in the app when assigning the + app to a user in Okta + PUSH_PASSWORD_UPDATES: >- + Updates the user's app password when their password changes in + Okta + PUSH_PROFILE_UPDATES: >- + Updates a user's profile in the app when the user's profile + changes in Okta (the profile source) + PUSH_USER_DEACTIVATION: >- + Deactivates a user's account in the app when unassigned from the + app in Okta or deactivated + REACTIVATE_USERS: >- + Reactivates an existing inactive user when provisioning a user + to the app + OUTBOUND_DEL_AUTH: >- + Okta user authentication requests are delegated to a third-party + app + DESKTOP_SSO: >- + Okta user authentication requests are handled by desktop SSO + negotiation (if possible) + FEDERATED_PROFILE: >- + App user profiles are synchronized at sign-in and profile-view + instances instead of during bulk imports + SUPPRESS_ACTIVATION_EMAIL: >- + Activation emails aren't sent to users sourced by AD and orgs + with DelAuth enabled + PUSH_PENDING_USERS: >- + Users are in PENDING state in Okta and are created but not + active in the sourced app user + MFA: App can verify credentials as a second factor + UPDATE_EXISTING_USERNAME: App can update the user name for existing users + EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH: Exclude username update during profile push + EXCHANGE_ACTIVE_SYNC: App supports synchronizing 
credentials with OMM enrolled devices + IMPORT_SYNC: Synchronize import events + IMPORT_SYNC_CONTACTS: Synchronize contacts + DEVICE_COMPLIANCE: Apps support device compliance rules + VPN_CONFIG: App supports pushing VPN configuration to OMM enrolled devices + IMPORT_SCHEMA_ENUM_VALUES: >- + App supports downloading schema enum values. You can download + custom objects and integrating them with UD without being tied + to the type metadata system. + SCIM_PROVISIONING: >- + App supports generic SCIM client provisioning and can leverage + SCIM standard for provisioning and push custom attributes to a + third-party app + DEVICE_FILTER_IN_SIGN_ON_RULES: App supports filtering by client type in app sign-on rules + PROFILE_TEMPLATE_UPGRADE: >- + App supports profile template upgrades. This is primarily to + help roll out the profile template upgrade feature for + individual apps + DEFAULT_PUSH_STATUS_TO_PUSH: >- + App defaults Push status to `PUSH`. This feature is for apps, + such as SharePoint, that want to receive App User profile + updates even though they didn't implement traditional + PUSH_PROFILE_UPDATES in the client API. + REAL_TIME_SYNC: Apps support real-time synchronization + SSO: Apps support establishing a subject based on claims from an IdP + AUTHN_CONTEXT: >- + Apps support establishing an authentication context based on + claims from an IdP + JIT_PROVISIONING: Apps support provisioning a user based on claims from an IdP + GROUP_SYNC: >- + Apps support syncing group information based on claims from an + IdP + OPP_SCIM_INCREMENTAL_IMPORTS: Apps support incremental imports. Used for SCIM app instances + IN_MEMORY_APP_USER: >- + Apps support in-memory app users. This feature is used as an + alternative to Implicit App Assignment for a non-persisted app + user. 
+ LOG_STREAMING: Apps support log streaming + OAUTH_INTEGRATION: App is an OAuth 2.0 integration + IDP: Apps support IdP functionalities + PUSH_NEW_USERS_WITHOUT_PASSWORD: Don't send generated password for new users + SKYHOOK_SERVICE: Use the Skyhook microservice for LCM operations + ENTITLEMENT_MANAGEMENT: Marker to showcase which OIN apps are entitlement enabled + PUSH_NEW_USERS_WITH_HASHED_PASSWORD: >- + Send hashed password for new users. This feature is only used + for CIS to CIC migration. + id: + type: string + readOnly: true + description: Unique ID for the app instance + label: + $ref: '#/components/schemas/ApplicationLabel' + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the application object was last updated + licensing: + $ref: '#/components/schemas/ApplicationLicensing' + orn: + type: string + readOnly: true + description: The Okta resource name (ORN) for the current app instance + profile: + type: object + description: >- + Contains any valid JSON schema for specifying properties that can be + referenced from a request (only available to OAuth 2.0 client apps). + + For example, add an app manager contact email address or define an + allowlist of groups that you can then reference using the Okta + Expression Language `getFilteredGroups` function. + + + > **Notes:** + + > * `profile` isn't encrypted, so don't store sensitive data in it. + + > * `profile` doesn't limit the level of nesting in the JSON schema + you created, but there is a practical size limit. Okta recommends a + JSON schema size of 1 MB or less for best performance. 
+ additionalProperties: true + signOnMode: + $ref: '#/components/schemas/ApplicationSignOnMode' + status: + $ref: '#/components/schemas/ApplicationLifecycleStatus' + universalLogout: + $ref: '#/components/schemas/ApplicationUniversalLogout' + visibility: + $ref: '#/components/schemas/ApplicationVisibility' + _embedded: + type: object + description: >- + Embedded resources related to the app using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. If the `expand=user/{userId}` query parameter is + specified, then the assigned [Application + User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) is + embedded. + properties: + user: + type: object + description: >- + The specified [Application + User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) + assigned to the app + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/ApplicationLinks' + required: + - signOnMode + - label + discriminator: + propertyName: signOnMode + mapping: + AUTO_LOGIN: '#/components/schemas/AutoLoginApplication' + BASIC_AUTH: '#/components/schemas/BasicAuthApplication' + BOOKMARK: '#/components/schemas/BookmarkApplication' + BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication' + OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication' + SAML_1_1: '#/components/schemas/Saml11Application' + SAML_2_0: '#/components/schemas/SamlApplication' + SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication' + WS_FEDERATION: '#/components/schemas/WsFederationApplication' + GroupOwner: + type: object + properties: + displayName: + description: The display name of the group owner + type: string + readOnly: true + id: + description: The `id` of the group owner + type: string + lastUpdated: + description: Timestamp when the group owner was last updated 
+ type: string + format: date-time + readOnly: true + originId: + description: >- + The ID of the app instance if the `originType` is `APPLICATION`. + This value is `NULL` if `originType` is `OKTA_DIRECTORY`. + type: string + originType: + $ref: '#/components/schemas/GroupOwnerOriginType' + resolved: + description: >- + If `originType`is APPLICATION, this parameter is set to `FALSE` + until the owner's `originId` is reconciled with an associated Okta + ID. + type: boolean + type: + $ref: '#/components/schemas/GroupOwnerType' + AssignGroupOwnerRequestBody: + type: object + properties: + id: + description: The `id` of the group owner + type: string + type: + $ref: '#/components/schemas/GroupOwnerType' + StandardRole: + title: Standard Role Assignment + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Role assignment ID + readOnly: true + label: + type: string + description: Label for the role assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the role assignment + type: + $ref: '#/components/schemas/RoleType' + _embedded: + type: object + description: Optional embedded resources for the role assignment + properties: + targets: + type: object + description: Targets configured for the role assignment + properties: + groups: + type: array + description: Group targets + items: + $ref: '#/components/schemas/Group' + catalog: + description: App targets + properties: + apps: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + type: object + _links: + $ref: '#/components/schemas/LinksAssignee' + CustomRole: + title: Custom role assignment + type: object + 
properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Binding object ID + readOnly: true + label: + type: string + description: Label for the custom role assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + resource-set: + type: string + description: Resource set ID + readOnly: true + role: + type: string + description: Custom role ID + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the custom role assignment + type: + type: string + description: CUSTOM for a custom role + enum: + - CUSTOM + _links: + $ref: '#/components/schemas/LinksCustomRoleResponse' + StandardRoleAssignmentSchema: + title: Standard Role + type: object + properties: + type: + type: string + description: >- + Specify the standard or IAM-based role type. See [standard + roles](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles). + CustomRoleAssignmentSchema: + title: Custom Role + type: object + properties: + resource-set: + type: string + description: Resource set ID + role: + type: string + description: Custom role ID + type: + type: string + description: The type of role. Specify `CUSTOM` for a custom role. + enum: + - CUSTOM + CatalogApplication: + description: An app in the OIN catalog + type: object + properties: + category: + type: string + description: Category for the app in the OIN catalog + example: SOCIAL + readOnly: true + description: + type: string + description: Description of the app in the OIN catalog + readOnly: true + displayName: + type: string + description: OIN catalog app display name + readOnly: true + features: + type: array + readOnly: true + description: >- + Features supported by the app. 
See app + [features](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications!c=200&path=0/features&t=response). + items: + type: string + id: + type: string + readOnly: true + description: >- + ID of the app instance. Okta returns this property only for apps not + in the OIN catalog. + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + example: '2024-09-19T23:37:37.000Z' + name: + type: string + description: >- + App key name. For OIN catalog apps, this is a unique key for the app + definition. + signOnModes: + type: array + description: >- + Authentication mode for the app. See app + [signOnMode](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications!c=200&path=0/signOnMode&t=response). + items: + type: string + status: + $ref: '#/components/schemas/CatalogApplicationStatus' + verificationStatus: + type: string + description: OIN verification status of the catalog app + example: OKTA_VERIFIED + website: + type: string + description: Website of the OIN catalog app + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using + the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + logo: + type: array + description: List of app logo resources + items: + $ref: '#/components/schemas/HrefObjectLogoLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + User: + type: object + properties: + activated: + type: string + description: The timestamp when the user status transitioned to `ACTIVE` + format: date-time + readOnly: true + nullable: true + created: + type: string + description: The timestamp when the user was created + format: date-time + readOnly: 
true + credentials: + $ref: '#/components/schemas/UserCredentials' + id: + type: string + description: The unique key for the user + readOnly: true + lastLogin: + type: string + description: The timestamp of the last login + format: date-time + readOnly: true + nullable: true + lastUpdated: + type: string + description: The timestamp when the user was last updated + format: date-time + readOnly: true + passwordChanged: + type: string + description: The timestamp when the user's password was last updated + format: date-time + readOnly: true + nullable: true + profile: + $ref: '#/components/schemas/UserProfile' + realmId: + type: string + description: >- + The ID of the realm in which the user is residing. See + [Realms](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/). + example: guo1bfiNtSnZYILxO0g4 + readOnly: true + status: + $ref: '#/components/schemas/UserStatus' + statusChanged: + type: string + description: The timestamp when the status of the user last changed + format: date-time + readOnly: true + nullable: true + transitioningToStatus: + type: string + description: >- + The target status of an in-progress asynchronous status transition. + This property is only returned if the user's state is transitioning. + readOnly: true + nullable: true + enum: + - ACTIVE + - DEPROVISIONED + - PROVISIONED + type: + type: object + description: >- + The user type that determines the schema for the user's profile. The + `type` property is a map that identifies the [User + Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType). + + + Currently it contains a single element, `id`. It can be specified + when creating a new user, and ca be updated by an admin on a full + replace of an existing user (but not a partial update). 
+ properties: + id: + type: string + description: The ID of the user type + _embedded: + type: object + description: >- + Embedded resources related to the user using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + description: >- + Specifies link relations (see [Web + Linking](https://datatracker.ietf.org/doc/html/rfc8288) available + for the current status of a user. + + The links object is used for dynamic discovery of related resources, + lifecycle operations, and credential operations. The links object is + read-only. + + + For an individual user result, the links object contains a full set + of link relations available for that user as determined by your + policies. + + For a collection of users, the links object contains only the `self` + link. Operations that return a collection of users include [List all + users](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) + and [List all group member + users](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroupUsers). 
+ allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + self: + description: URL to the individual user + allOf: + - $ref: '#/components/schemas/HrefObject' + activate: + description: URL to activate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + resetPassword: + description: URL to reset the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + resetFactors: + description: URL to reset the user's factors + allOf: + - $ref: '#/components/schemas/HrefObject' + expirePassword: + description: URL to expire the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + forgotPassword: + description: URL to initiate a forgot password operation + allOf: + - $ref: '#/components/schemas/HrefObject' + changeRecoveryQuestion: + description: URL to change the user's recovery question + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: URL to deactivate a user + allOf: + - $ref: '#/components/schemas/HrefObject' + reactivate: + description: URL to reactivate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + changePassword: + description: URL to change the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + schema: + description: URL to the user's profile schema + allOf: + - $ref: '#/components/schemas/HrefObject' + suspend: + description: URL to suspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unsuspend: + description: URL to unsuspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unlock: + description: URL to unlock the locked-out user + allOf: + - $ref: '#/components/schemas/HrefObject' + type: + description: URL to the user type + allOf: + - $ref: '#/components/schemas/HrefObject' + - readOnly: true + GroupProfile: + description: >- + Specifies required and optional properties for a group. The + `objectClass` of a group determines which additional properties are + available. 
+ + + You can extend group profiles with custom properties, but you must first + add the properties to the group profile schema before you can reference + them. Use the Profile Editor in the Admin Console or the [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/)to + manage schema extensions. + + + Custom properties can contain HTML tags. It is the client's + responsibility to escape or encode this data before displaying it. Use + [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) + to prevent cross-site scripting. + anyOf: + - $ref: '#/components/schemas/OktaUserGroupProfile' + - $ref: '#/components/schemas/OktaActiveDirectoryGroupProfile' + GroupType: + description: Determines how a group's profile and memberships are managed + type: string + enum: + - APP_GROUP + - BUILT_IN + - OKTA_GROUP + x-enumDescriptions: + APP_GROUP: >- + Group profile and memberships are imported and must be managed within + the app (such as Active Directory or LDAP) that imported the group + BUILT_IN: >- + Group profile and memberships are managed by Okta and can't be + modified + OKTA_GROUP: >- + Group profile and memberships are directly managed in Okta via static + assignments or indirectly through group rules + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ GroupRuleAction: + description: Defines which users and groups to assign + type: object + properties: + assignUserToGroups: + $ref: '#/components/schemas/GroupRuleGroupAssignment' + GroupRuleConditions: + description: Defines group rule conditions + type: object + properties: + expression: + $ref: '#/components/schemas/GroupRuleExpression' + people: + $ref: '#/components/schemas/GroupRulePeopleCondition' + GroupRuleStatus: + description: Status of group rule + type: string + enum: + - ACTIVE + - INACTIVE + - INVALID + ApplicationAccessibility: + description: Specifies access settings for the app + type: object + properties: + errorRedirectUrl: + type: string + description: Custom error page URL for the app + loginRedirectUrl: + type: string + description: >- + Custom login page URL for the app + + > **Note:** The `loginRedirectUrl` property is deprecated in + Identity Engine. This property is used with the custom app login + feature. Orgs that actively use this feature can continue to do so. + See [Okta-hosted sign-in (redirect + authentication)](https://developer.okta.com/docs/guides/redirect-authentication/) + or [configure IdP routing + rules](https://help.okta.com/okta_help.htm?type=oie&id=ext-cfg-routing-rules) + to redirect users to the appropriate sign-in app for orgs that don't + use the custom app login feature. 
+ selfService: + type: boolean + description: Represents whether the app can be self-assignable by users + ApplicationLabel: + description: User-defined display name for app + type: string + ApplicationLicensing: + description: Licenses for the app + type: object + properties: + seatCount: + type: integer + description: Number of licenses purchased for the app + ApplicationSignOnMode: + description: > + Authentication mode for the app + + + | signOnMode | Description | + + | ---------- | ----------- | + + | AUTO_LOGIN | Secure Web Authentication (SWA) | + + | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin | + + | BOOKMARK | Just a bookmark (no-authentication) | + + | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser + Plugin | + + | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) | + + | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not + supported for custom apps) | + + | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO | + + | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST + (plugin not required) | + + | WS_FEDERATION | Federated Authentication with WS-Federation Passive + Requestor Profile | + + + Select the `signOnMode` for your custom app: + type: string + enum: + - AUTO_LOGIN + - BASIC_AUTH + - BOOKMARK + - BROWSER_PLUGIN + - OPENID_CONNECT + - SAML_1_1 + - SAML_2_0 + - SECURE_PASSWORD_STORE + - WS_FEDERATION + ApplicationLifecycleStatus: + description: App instance status + type: string + enum: + - ACTIVE + - DELETED + - INACTIVE + readOnly: true + ApplicationUniversalLogout: + description: >- +

+ + Universal Logout properties for the app. These properties are only + returned and can't be updated. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + example: ACTIVE + type: object + properties: + identityStack: + type: string + description: >- + Indicates whether the app uses a shared identity stack that may + cause the user to sign out of other apps by the same company + enum: + - SHARED + - NOT_SHARED + example: SHARED + protocol: + type: string + description: The protocol used for Universal Logout + enum: + - PROPRIETARY + - GLOBAL_TOKEN_REVOCATION + x-enumDescriptions: + PROPRIETARY: Universal Logout is implemented with a proprietary method. + GLOBAL_TOKEN_REVOCATION: >- + Universal Logout is implemented with the [Global Token + Revocation](https://datatracker.ietf.org/doc/draft-parecki-oauth-global-token-revocation/) + protocol. See the [Global Token Revocation + API](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/GlobalTokenRevocation/). + example: PROPRIETARY + status: + type: string + description: Universal Logout status for the app instance + enum: + - ENABLED + - DISABLED + - UNSUPPORTED + example: ENABLED + x-enumDescriptions: + ENABLED: >- + Universal Logout is enabled. Users are signed out of the app + instance when the Okta system or an admin initiates logout. + DISABLED: Universal Logout is disabled + UNSUPPORTED: The app doesn't support Universal Logout + supportType: + type: string + description: >- + Indicates whether the app supports full or partial Universal Logout + (UL). + enum: + - FULL + - PARTIAL + x-enumDescriptions: + FULL: >- + Full UL support (users are signed out of an app when the Okta + system or an admin initiates logout) + PARTIAL: >- + This app's sign-out behavior can be different from other supported + UL apps. 
+ example: FULL + readOnly: true + ApplicationVisibility: + description: Specifies visibility settings for the app + type: object + properties: + appLinks: + type: object + description: >- + Links or icons that appear on the End-User Dashboard if they're set + to `true`. + additionalProperties: + type: boolean + autoLaunch: + type: boolean + description: Automatically signs in to the app when user signs into Okta + autoSubmitToolbar: + type: boolean + description: Automatically sign in when user lands on the sign-in page + hide: + $ref: '#/components/schemas/ApplicationVisibilityHide' + ApplicationLinks: + description: Discoverable resources related to the app + properties: + accessPolicy: + $ref: '#/components/schemas/AccessPolicyLink' + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + appLinks: + type: array + description: List of app link resources + items: + $ref: '#/components/schemas/HrefObject' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + groups: + $ref: '#/components/schemas/GroupsLink' + help: + $ref: '#/components/schemas/HelpLink' + logo: + type: array + description: List of app logo resources + items: + $ref: '#/components/schemas/HrefObject' + metadata: + $ref: '#/components/schemas/MetadataLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + users: + $ref: '#/components/schemas/UsersLink' + readOnly: true + type: object + GroupOwnerOriginType: + description: The source where group ownership is managed + type: string + enum: + - APPLICATION + - OKTA_DIRECTORY + GroupOwnerType: + description: The entity type of the owner + type: string + enum: + - GROUP + - USER + RoleAssignmentType: + description: Role assignment type + type: string + enum: + - CLIENT + - GROUP + - USER + x-enumDescriptions: + USER: The role is assigned to a user + GROUP: The role is assigned to a group + CLIENT: The role is assigned to a client app + LifecycleStatus: + type: string + enum: + - ACTIVE + - INACTIVE + RoleType: + 
description: Standard role type + type: string + enum: + - ACCESS_CERTIFICATIONS_ADMIN + - ACCESS_REQUESTS_ADMIN + - API_ACCESS_MANAGEMENT_ADMIN + - API_ADMIN + - APP_ADMIN + - CUSTOM + - GROUP_MEMBERSHIP_ADMIN + - HELP_DESK_ADMIN + - MOBILE_ADMIN + - ORG_ADMIN + - READ_ONLY_ADMIN + - REPORT_ADMIN + - SUPER_ADMIN + - USER_ADMIN + - WORKFLOWS_ADMIN + x-enumDescriptions: + API_ACCESS_MANAGEMENT_ADMIN: Access Management Administrator + API_ADMIN: Access Management Administrator + APP_ADMIN: Application Administrator + CUSTOM: Custom label specified by the client + GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator + HELP_DESK_ADMIN: Help Desk Administrator + MOBILE_ADMIN: Mobile Administrator + ORG_ADMIN: Organizational Administrator + READ_ONLY_ADMIN: Read-Only Administrator + REPORT_ADMIN: Report Administrator + SUPER_ADMIN: Super Administrator + USER_ADMIN: Group Administrator + WORKFLOWS_ADMIN: Workflows Administrator + ACCESS_CERTIFICATIONS_ADMIN: Access Certifications Administrator (predefined resource sets) + ACCESS_REQUESTS_ADMIN: Access Requests Administrator (predefined resource sets) + LinksAssignee: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. + type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + LinksCustomRoleResponse: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources. 
+ type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + member: + $ref: '#/components/schemas/HrefObjectMemberLink' + permissions: + $ref: '#/components/schemas/HrefObjectPermissionsLink' + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + role: + $ref: '#/components/schemas/HrefObjectRoleLink' + CatalogApplicationStatus: + description: App status + type: string + enum: + - ACTIVE + - INACTIVE + HrefObjectLogoLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the logo resource + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + UserCredentials: + description: >- + Specifies primary authentication and recovery credentials for a user. + Credential types and requirements vary depending on the provider and + security policy of the org. + type: object + properties: + password: + $ref: '#/components/schemas/PasswordCredential' + provider: + $ref: '#/components/schemas/AuthenticationProvider' + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' + UserProfile: + additionalProperties: true + description: >- + Specifies the default and custom profile properties for a user. + + + The default user profile is based on the [System for Cross-domain + Identity Management: Core + Schema](https://datatracker.ietf.org/doc/html/rfc7643). + + + The only permitted customizations of the default profile are to update + permissions, change whether the `firstName` and `lastName` properties + are nullable, and specify a + [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) + for `login`. You can use the Profile Editor in the Admin Console or the + [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) + to make schema modifications. 
+ + + You can extend user profiles with custom properties. You must first add + the custom property to the user profile schema before you reference it. + + You can use the Profile Editor in the Admin Console or the [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) + to manage schema extensions. + + + Custom attributes can contain HTML tags. It's the client's + responsibility to escape or encode this data before displaying it. Use + [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) + to prevent cross-site scripting. + type: object + properties: + city: + type: string + description: The city or locality of the user's address (`locality`) + maxLength: 128 + nullable: true + costCenter: + type: string + description: Name of the cost center assigned to a user + nullable: true + countryCode: + description: >- + The country name component of the user's address (`country`). For + validation, see [ISO 3166-1 alpha 2 "short" code + format](https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-22#ref-ISO3166). + type: string + maxLength: 2 + nullable: true + department: + type: string + description: Name of the user's department + displayName: + type: string + description: Name of the user suitable for display to end users + nullable: true + division: + type: string + description: Name of the user's division + nullable: true + email: + type: string + description: >- + The primary email address of the user. For validation, see [RFC 5322 + Section + 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
+ format: email + minLength: 5 + maxLength: 100 + employeeNumber: + description: The organization or company assigned unique identifier for the user + type: string + firstName: + type: string + description: Given name of the user (`givenName`) + minLength: 1 + maxLength: 50 + nullable: true + honorificPrefix: + type: string + description: Honorific prefix(es) of the user, or title in most Western languages + nullable: true + honorificSuffix: + type: string + description: Honorific suffix(es) of the user + nullable: true + lastName: + type: string + description: The family name of the user (`familyName`) + minLength: 1 + maxLength: 50 + nullable: true + locale: + type: string + description: >- + The user's default location for purposes of localizing items such as + currency, date time format, numerical representations, and so on. + + A locale value is a concatenation of the ISO 639-1 two-letter + language code, an underscore, and the ISO 3166-1 two-letter country + code. For example, en_US specifies the language English and country + US. This value is `en_US` by default. + login: + type: string + description: >- + The unique identifier for the user (`username`). For validation, see + [Login pattern + validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation). + + + Every user within your Okta org must have a unique identifier for a + login. This constraint applies to all users you import from other + systems or applications such as Active Directory. Your organization + is the top-level namespace to mix and match logins from all your + connected applications or directories. Careful consideration of + naming conventions for your login identifier will make it easier to + onboard new applications in the future. + + + Logins are not considered unique if they differ only in case and/or + diacritical marks. 
If one of your users has a login of + Isaac.Brock@example.com, there cannot be another user whose login is + isaac.brock@example.com, nor isáàc.bröck@example.com. + + + Okta has a default ambiguous name resolution policy for usernames + that include @-signs. (By default, usernames must be formatted as + email addresses and thus always include @-signs. You can remove that + restriction using either the Admin Console or the [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/). + Users can sign in with their non-qualified short name (for example: + isaac.brock with username isaac.brock@example.com) as long as the + short name is still unique within the organization. + + maxLength: 100 + minLength: 5 + manager: + type: string + description: The `displayName` of the user's manager + nullable: true + managerId: + type: string + description: The `id` of the user's manager + nullable: true + middleName: + type: string + description: The middle name of the user + nullable: true + mobilePhone: + type: string + description: The mobile phone number of the user + maxLength: 100 + minLength: 0 + nullable: true + nickName: + type: string + description: The casual way to address the user in real life + nullable: true + organization: + type: string + description: Name of the the user's organization + nullable: true + postalAddress: + type: string + description: Mailing address component of the user's address + maxLength: 4096 + nullable: true + preferredLanguage: + type: string + description: >- + The user's preferred written or spoken language. For validation, see + [RFC 7231 Section + 5.3.5](https://datatracker.ietf.org/doc/html/rfc7231#section-5.3.5). 
+ nullable: true + primaryPhone: + type: string + description: The primary phone number of the user such as a home number + maxLength: 100 + minLength: 0 + nullable: true + profileUrl: + type: string + description: >- + The URL of the user's online profile. For example, a web page. See + [URL](https://datatracker.ietf.org/doc/html/rfc1808). + nullable: true + secondEmail: + type: string + format: email + description: >- + The secondary email address of the user typically used for account + recovery. For validation, see [RFC 5322 Section + 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). + minLength: 5 + maxLength: 100 + nullable: true + state: + type: string + description: The state or region component of the user's address (`region`) + maxLength: 128 + nullable: true + streetAddress: + type: string + description: The full street address component of the user's address + maxLength: 1024 + nullable: true + timezone: + type: string + description: The user's time zone + nullable: true + title: + type: string + description: The user's title, such as Vice President + nullable: true + userType: + type: string + description: >- + The property used to describe the organization-to-user relationship, + such as employee or contractor + nullable: true + zipCode: + type: string + description: >- + The ZIP code or postal code component of the user's address + (`postalCode`) + maxLength: 50 + nullable: true + UserStatus: + description: >- + The current status of the user. + + + The status of a user changes in response to explicit events, such as + admin-driven lifecycle changes, user login, or self-service password + recovery. Okta doesn't asynchronously sweep through users and update + their password expiry state, for example. Instead, Okta evaluates + password policy at login time, notices the password has expired, and + moves the user to the expired state. 
When running reports, remember that + the data is valid as of the last login or lifecycle event for that user. + type: string + enum: + - ACTIVE + - DEPROVISIONED + - LOCKED_OUT + - PASSWORD_EXPIRED + - PROVISIONED + - RECOVERY + - STAGED + - SUSPENDED + readOnly: true + OktaActiveDirectoryGroupProfile: + description: |- + Profile for a group that is imported from Active Directory. + + The `objectClass` for such groups is `okta:windows_security_principal`. + type: object + properties: + description: + type: string + example: All users in the engineering department + description: Description of the Windows group + dn: + type: string + example: CN=West Coast users,OU=West Coast,DC=example,DC=com + description: The distinguished name of the Windows group + externalId: + type: string + example: VKzYZ1C+IkSZxIWlrW5ITg== + description: Base-64 encoded GUID (`objectGUID`) of the Windows group + name: + type: string + example: West Coast users + description: Name of the Windows group + samAccountName: + type: string + example: West Coast users + description: Pre-Windows 2000 name of the Windows group + windowsDomainQualifiedName: + type: string + example: EXAMPLE\\West Coast users + description: Fully qualified name of the Windows group + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + ErrorCause: + type: object + properties: + errorSummary: + type: string + GroupRuleGroupAssignment: + description: Contains the `groupIds` array + type: object + properties: + groupIds: + description: Array of `groupIds` to which users are added + type: array + items: + type: string + GroupRuleExpression: + description: >- + Defines Okta specific [group-rules + expression](https://developer.okta.com/docs/reference/okta-expression-language/#expressions-in-group-rules) + type: object + properties: + type: + type: string + description: Expression type. 
Only valid value is '`urn:okta:expression:1.0`'. + value: + type: string + description: Okta expression that would result in a Boolean value + example: user.role==\"Engineer\" + GroupRulePeopleCondition: + description: Defines conditions for `people` in a group rule + type: object + properties: + groups: + $ref: '#/components/schemas/GroupRuleGroupCondition' + users: + $ref: '#/components/schemas/GroupRuleUserCondition' + ApplicationVisibilityHide: + description: Hides the app for specific end-user apps + type: object + properties: + iOS: + type: boolean + description: Okta Mobile for iOS or Android (pre-dates Android) + default: false + example: false + web: + type: boolean + description: Okta End-User Dashboard on a web browser + default: false + example: true + AccessPolicyLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app access policy resource + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + GroupsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [Application + Groups](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationGroups/#tag/ApplicationGroups/operation/listApplicationGroupAssignments) + resource + HelpLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app help resource + MetadataLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [SAML + metadata](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationSSO/#tag/ApplicationSSO/operation/previewSAMLmetadataForApplication) + for SSO + UsersLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [Application + 
Users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers) + resource + HrefObjectAssigneeLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the assignee resource + HrefObjectMemberLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the member resource + HrefObjectPermissionsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the permissions resource + HrefObjectResourceSetLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource set resource + HrefObjectRoleLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the role resource + PasswordCredential: + description: >- + Specifies a password for a user. + + + When a user has a valid password, imported hashed password, or password + hook, and a response object contains + + a password credential, then the password object is a bare object without + the value property defined (for example, `password: {}`). This indicates + that a password value exists. You can modify password policy + requirements in the Admin Console by editing the Password + authenticator: **Security** > **Authenticators** > **Password** (or for + Okta Classic orgs, use **Security** > **Authentication** > + **Password**). + + + For information on defaults and configuring your password policies, see + [Configure the password + authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) + in the help documentation. + type: object + properties: + hash: + $ref: '#/components/schemas/PasswordCredentialHash' + hook: + $ref: '#/components/schemas/PasswordCredentialHook' + value: + type: string + writeOnly: true + description: >- + Specifies the password for a user. The password policy validates + this password. 
+ format: password + example: pa$$word + AuthenticationProvider: + description: >- + Specifies the authentication provider that validates the user's password + credential. The user's current provider is managed by the **Delegated + Authentication** settings for your org. The provider object is + **read-only**. + type: object + properties: + name: + type: string + description: The name of the authentication provider + readOnly: true + example: OKTA + type: + $ref: '#/components/schemas/AuthenticationProviderType' + readOnly: true + RecoveryQuestionCredential: + description: >- + Specifies a secret question and answer that's validated (case + insensitive) when a user forgets their + + password or unlocks their account. The answer property is write-only. + type: object + properties: + answer: + type: string + description: The answer to the recovery question + minimum: 1 + maximum: 100 + writeOnly: true + example: se7en + question: + type: string + description: The recovery question + minimum: 1 + maximum: 100 + example: what is your favourite movie? + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + GroupRuleGroupCondition: + description: Currently not supported + type: object + properties: + exclude: + type: array + description: Currently not supported + items: + type: string + GroupRuleUserCondition: + description: Defines conditions specific to user exclusion + type: object + properties: + exclude: + type: array + description: Excluded `userIds` when processing rules + items: + type: string + PasswordCredentialHash: + description: >- + Specifies a hashed password to import into Okta. This allows an existing + password to be imported into Okta directly + + from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, + SHA-1, MD5, and PBKDF2 hash functions for password import. + A hashed password may be specified in a password object when creating or updating a user, but not for other operations. 
+ See the [Create user with imported hashed password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-imported-hashed-password) description. When you update a user with a hashed password, the user must be in the `STAGED` status. + type: object + properties: + algorithm: + $ref: '#/components/schemas/PasswordCredentialHashAlgorithm' + digestAlgorithm: + $ref: '#/components/schemas/DigestAlgorithm' + iterationCount: + type: integer + description: >- + The number of iterations used when hashing passwords using PBKDF2. + Must be >= 4096. Only required for PBKDF2 algorithm. + keySize: + type: integer + description: >- + Size of the derived key in bytes. Only required for PBKDF2 + algorithm. + salt: + description: >- + Only required for salted hashes. For BCRYPT, this specifies Radix-64 + as the encoded salt used to generate the hash, + + which must be 22 characters long. For other salted hashes, this + specifies the Base64-encoded salt used to + + generate the hash. + type: string + saltOrder: + type: string + description: >- + Specifies whether salt was pre- or postfixed to the password before + hashing. Only required for salted algorithms. + value: + description: >- + For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual + base64-encoded hash of the password (and salt, if used). + + This is the Base64-encoded `value` of the + SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either + pre-fixing or post-fixing + + the `salt` to the `password`, depending on the `saltOrder`. If a + `salt` was not used in the `source` system, then this should just be + + the Base64-encoded `value` of the password's + SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the + actual Radix-64 encoded hashed password. + type: string + workFactor: + type: integer + description: >- + Governs the strength of the hash and the time required to compute + it. 
Only required for BCRYPT algorithm. + minimum: 1 + maximum: 20 + PasswordCredentialHook: + description: >- + Specify a [password import inline + hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) + to trigger verification of the user's password the first time the user + signs in. This allows an existing password to be imported into Okta + directly from some other store. + type: object + properties: + type: + type: string + description: The type of password inline hook. Currently, must be set to default. + AuthenticationProviderType: + description: The type of authentication provider + type: string + enum: + - ACTIVE_DIRECTORY + - FEDERATION + - IMPORT + - LDAP + - OKTA + - SOCIAL + x-enumDescriptions: + ACTIVE_DIRECTORY: >- + Specifies the Microsoft Active Directory instance name as the `name` + property + FEDERATION: >- + Specifies a federated identity provider (such as an SAML IdP) that + validates the user's password credentials. Doesn't support a + `password` or `recovery question` credential. The user must + authenticate through a trusted identity provider. + IMPORT: Specifies a hashed password that was imported from an external source + LDAP: Specifies the LDAP directory instance name as the `name` property + OKTA: Specifies the Okta identity provider + SOCIAL: >- + Specifies an OIDC or third-party social identity provider. Doesn't + support a `password` or `recovery question` credential. The user must + authenticate through a trusted identity provider. + readOnly: true + PasswordCredentialHashAlgorithm: + description: >- + The algorithm used to generate the hash using the password (and salt, + when applicable). + type: string + enum: + - BCRYPT + - MD5 + - PBKDF2 + - SHA-1 + - SHA-256 + - SHA-512 + DigestAlgorithm: + description: >- + Algorithm used to generate the key. Only required for the PBKDF2 + algorithm. 
+ type: string + enum: + - SHA256_HMAC + - SHA512_HMAC + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathGroupRuleId: + name: groupRuleId + description: The `id` of the group rule + in: path + required: true + schema: + type: string + example: 0pr3f7zMZZHPgUoWO0g4 + pathGroupId: + name: groupId + description: The `id` of the group + in: path + required: true + schema: + type: string + example: 00g1emaKYZTWRYYRRTSK + pathOwnerId: + description: The `id` of the group owner + name: ownerId + in: path + required: true + schema: + type: string + example: 00u1emaK22TWRYd3TtG + pathQueryRoleExpand: + name: expand + description: >- + An optional parameter used to return targets configured for the standard + role assignment in the `embedded` property. 
Supported values: + `targets/groups` or `targets/catalog/apps` + in: query + required: false + schema: + type: string + examples: + groupTarget: + value: targets/groups + summary: Return group targets + appTarget: + value: targets/catalog/apps + summary: Return app targets + pathRoleAssignmentId: + name: roleAssignmentId + description: The `id` of the role assignment + in: path + required: true + schema: + type: string + example: JBCUYUC7IRCVGS27IFCE2SKO + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + pathAppName: + name: appName + description: Name of the app definition (the OIN catalog app key name) + in: path + required: true + schema: + type: string + example: google + pathAppId: + name: appId + description: Application ID + in: path + required: true + schema: + type: string + example: 0oafxqCAJWWGELFTYASJ + pathTargetGroupId: + name: targetGroupId + in: path + required: true + schema: + type: string + example: 00g1e9dfjHeLAsdX983d + pathUserId: + name: userId + description: ID of an existing Okta user + in: path + required: true + schema: + type: string + example: 00ub0oNGTSWTBKOLGLNR + examples: + list-groups-examples: + summary: List all groups example + description: Lists an example of an OKTA_GROUP and an APP_GROUP + value: + - id: 00g1emaKYZTWRYYRRTSK + created: '2015-02-06T10:11:28.000Z' + lastUpdated: '2015-10-05T19:16:43.000Z' + lastMembershipUpdated: '2015-11-28T19:15:32.000Z' + objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: West Coast users + description: All users West of The Rockies + _links: + logo: 
+ - name: medium + href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png + type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/okta-large.png + type: image/png + users: + href: >- + https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps + - id: 00garwpuyxHaWOkdV0g4 + created: '2015-08-15T19:15:17.000Z' + lastUpdated: '2015-11-18T04:02:19.000Z' + lastMembershipUpdated: '2015-08-15T19:15:17.000Z' + objectClass: + - okta:windows_security_principal + type: APP_GROUP + profile: + name: Engineering users + description: All users in the engineering department + groupType: Security + samAccountName: Engineering users + objectSid: S-1-5-21-717838489-685202119-709183397-1177 + groupScope: Global + dn: CN=Engineering users,OU=Engineering,DC=corp,DC=example,DC=com + windowsDomainQualifiedName: CORP\Engineering users + externalId: OZJdWdONCU6h7WjQKp+LPA== + source: + id: 0oa2v0el0gP90aqjJ0g7 + _links: + logo: + - name: medium + href: >- + https://{yourOktaDomain}/img/logos/groups/active_directory-medium.png + type: image/png + - name: large + href: >- + https://{yourOktaDomain}/img/logos/groups/active_directory-large.png + type: image/png + source: + href: https://{yourOktaDomain}/api/v1/apps/0oa2v0el0gP90aqjJ0g7 + users: + href: >- + https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/apps + group-example: + summary: Group example + description: Example of a group + value: + id: 00g1emaKYZTWRYYRRTSK + created: '2015-02-06T10:11:28.000Z' + lastUpdated: '2015-10-05T19:16:43.000Z' + lastMembershipUpdated: '2015-11-28T19:15:32.000Z' + objectClass: + - okta:user_group + type: OKTA_GROUP + profile: + name: West Coast users + description: All users West of The Rockies + _links: + logo: + - name: medium + href: 
https://{yourOktaDomain}/img/logos/groups/okta-medium.png + type: image/png + - name: large + href: https://{yourOktaDomain}/img/logos/groups/okta-large.png + type: image/png + users: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users + apps: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps + list-group-rules-example: + summary: List group rules example + description: List all group rules example + value: + - type: group_rule + id: 0pr3f7zMZZHPgUoWO0g4 + status: INACTIVE + name: Engineering group rule + created: '2016-12-01T14:40:04.000Z' + lastUpdated: '2016-12-01T14:40:04.000Z' + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + create-group-rule-request-example: + summary: Create group rule request example + value: + type: group_rule + name: Engineering group rule + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + group-rule-example: + summary: Group rule example + description: Example of a group rule + value: + type: group_rule + id: 0pr3f7zMZZHPgUoWO0g4 + status: INACTIVE + name: Engineering group rule + created: '2016-12-01T14:40:04.000Z' + lastUpdated: '2016-12-01T14:40:04.000Z' + conditions: + people: + users: + exclude: + - 00u22w79JPMEeeuLr0g4 + groups: + exclude: [] + expression: + value: user.role=="Engineer" + type: urn:okta:expression:1.0 + actions: + assignUserToGroups: + groupIds: + - 00gjitX9HqABSoqTB0g3 + list-apps-example: + summary: List apps example + description: List all apps example + value: + - id: 0oafwvZDWJKVLDCUWUAC + name: template_basic_auth + label: Sample Basic Auth App + status: ACTIVE + lastUpdated: 
'2013-09-30T00:56:52.000Z' + created: '2013-09-30T00:56:52.000Z' + accessibility: + selfService: false + errorRedirectUrl: null + visibility: + autoSubmitToolbar: false + hide: + iOS: false + web: false + appLinks: + login: true + features: [] + signOnMode: BASIC_AUTH + credentials: + scheme: EDIT_USERNAME_AND_PASSWORD + userNameTemplate: + template: ${source.login} + type: BUILT_IN + settings: + app: + url: https://example.com/login.html + authURL: https://example.com/auth.html + _links: + appLinks: + - href: >- + https://{yourOktaDomain}/home/template_basic_auth/0oafwvZDWJKVLDCUWUAC/1438 + name: login + type: text/html + users: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/users + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/lifecycle/deactivate + groups: + href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/groups + ListsOwnerOneResponse: + summary: Lists a response with one owner + value: + - id: 00g1gae1k0znUcLuU0h8 + type: GROUP + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Product & Engineering + lastUpdated: '2023-03-29 18:18:37.0' + ListsOwnersMultipleResponse: + summary: Lists a response with multiple owners + value: + - id: 00u1cmbqjkkmFXeqb0h8 + type: USER + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Mabel Mora + lastUpdated: '2023-03-29T18:30:58.000Z' + - id: 00u1cmc52x5B86cnZ0h8 + type: USER + resolved: true + originId: 'null' + originType: OKTA_DIRECTORY + displayName: Cinda Canning + lastUpdated: '2023-03-29T18:30:55.000Z' + AssignGroupOwnerRequest: + summary: Assign a group owner request example + value: + id: 00u1cmc03xjzePoWD0h8 + type: USER + AssignGroupOwnerResponse: + summary: Assign a group owner response example + value: + id: 00u1cmc03xjzePoWD0h8 + type: USER + resolved: true + originId: null + originType: OKTA_DIRECTORY + displayName: Oliver Putnam + lastUpdated: Wed Mar 29 18:34:31 UTC 2023 + 
StandardRolesListResponseGroup: + value: + - id: IFIFAX2BIRGUSTQ + label: Application Administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + CustomRolesListResponseGroup: + value: + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + IAMStandardRolesListResponseGroup: + value: + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications Administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: Group + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + 
permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions + CreateStandardRoleAssignmentResponseGroup: + value: + id: grasraHPx7i79ajaJ0g3 + label: Organization Administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-27T14:56:55.000Z' + lastUpdated: '2019-02-27T14:56:55.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + CreateCustomRoleResponseGroup: + value: + id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + CreateIAMStandardRoleResponseGroup: + value: + id: irb1q92TFAHzySt3x0g4 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests Administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: >- + 
https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7 + ListUsersResponse: + summary: List all users + value: + - id: 00u118oQYT4TBTemp0g4 + status: ACTIVE + created: '2022-04-04T15:56:05.000Z' + activated: null + statusChanged: null + lastLogin: '2022-05-04T19:50:52.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + passwordChanged: '2022-04-04T16:00:22.000Z' + type: + id: oty1162QAr8hJjTaq0g4 + profile: + firstName: Alice + lastName: Smith + mobilePhone: null + secondEmail: null + login: alice.smith@example.com + email: alice.smith@example.com + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + groups: + id: okta.groups.groups + name: groups + title: Groups + methods: + list_groups: + operation: + $ref: '#/paths/~1api~1v1~1groups/get' + response: + mediaType: application/json + openAPIDocKey: '200' + add_group: + operation: + $ref: '#/paths/~1api~1v1~1groups/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_group: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_group: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_group: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/groups/methods/list_groups' + - $ref: '#/components/x-stackQL-resources/groups/methods/get_group' + insert: + - $ref: '#/components/x-stackQL-resources/groups/methods/add_group' + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/groups/methods/delete_group' + replace: + - $ref: '#/components/x-stackQL-resources/groups/methods/replace_group' + rules: + id: okta.groups.rules + name: rules + title: Rules + methods: + list_group_rules: + operation: + $ref: '#/paths/~1api~1v1~1groups~1rules/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_group_rule: + operation: + $ref: '#/paths/~1api~1v1~1groups~1rules/post' 
+ response: + mediaType: application/json + openAPIDocKey: '200' + get_group_rule: + operation: + $ref: '#/paths/~1api~1v1~1groups~1rules~1{groupRuleId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_group_rule: + operation: + $ref: '#/paths/~1api~1v1~1groups~1rules~1{groupRuleId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_group_rule: + operation: + $ref: '#/paths/~1api~1v1~1groups~1rules~1{groupRuleId}/delete' + response: + mediaType: '' + openAPIDocKey: '202' + activate_group_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1rules~1{groupRuleId}~1lifecycle~1activate/post + response: + mediaType: '' + openAPIDocKey: '204' + deactivate_group_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1rules~1{groupRuleId}~1lifecycle~1deactivate/post + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/rules/methods/list_group_rules' + - $ref: '#/components/x-stackQL-resources/rules/methods/get_group_rule' + insert: + - $ref: '#/components/x-stackQL-resources/rules/methods/create_group_rule' + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/rules/methods/delete_group_rule' + replace: + - $ref: '#/components/x-stackQL-resources/rules/methods/replace_group_rule' + assigned_apps: + id: okta.groups.assigned_apps + name: assigned_apps + title: Assigned Apps + methods: + list_assigned_applications_for_group: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1apps/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/assigned_apps/methods/list_assigned_applications_for_group + insert: [] + update: [] + delete: [] + replace: [] + owners: + id: okta.groups.owners + name: owners + title: Owners + methods: + list_group_owners: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1owners/get' + response: + mediaType: 
application/json + openAPIDocKey: '200' + assign_group_owner: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1owners/post' + response: + mediaType: application/json + openAPIDocKey: '201' + delete_group_owner: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1owners~1{ownerId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/owners/methods/list_group_owners' + insert: + - $ref: '#/components/x-stackQL-resources/owners/methods/assign_group_owner' + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/owners/methods/delete_group_owner' + replace: [] + assigned_roles: + id: okta.groups.assigned_roles + name: assigned_roles + title: Assigned Roles + methods: + list_group_assigned_roles: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles/get' + response: + mediaType: application/json + openAPIDocKey: '200' + assign_role_to_group: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1roles/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_group_assigned_role: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleAssignmentId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + unassign_role_from_group: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleAssignmentId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/assigned_roles/methods/list_group_assigned_roles + - $ref: >- + #/components/x-stackQL-resources/assigned_roles/methods/get_group_assigned_role + insert: + - $ref: >- + #/components/x-stackQL-resources/assigned_roles/methods/assign_role_to_group + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/assigned_roles/methods/unassign_role_from_group + replace: [] + app_targets: + id: okta.groups.app_targets + name: app_targets + title: App Targets + 
methods: + list_application_targets_for_application_administrator_role_for_group: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps/get + response: + mediaType: application/json + openAPIDocKey: '200' + assign_app_target_to_admin_role_for_group: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}/put + response: + mediaType: '' + openAPIDocKey: '200' + unassign_app_target_to_admin_role_for_group: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/app_targets/methods/list_application_targets_for_application_administrator_role_for_group + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/app_targets/methods/unassign_app_target_to_admin_role_for_group + replace: + - $ref: >- + #/components/x-stackQL-resources/app_targets/methods/assign_app_target_to_admin_role_for_group + app_instance_targets: + id: okta.groups.app_instance_targets + name: app_instance_targets + title: App Instance Targets + methods: + assign_app_instance_target_to_app_admin_role_for_group: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}~1{appId}/put + response: + mediaType: '' + openAPIDocKey: '204' + unassign_app_instance_target_to_app_admin_role_for_group: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}~1{appId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: [] + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/app_instance_targets/methods/unassign_app_instance_target_to_app_admin_role_for_group + replace: + - $ref: >- 
+ #/components/x-stackQL-resources/app_instance_targets/methods/assign_app_instance_target_to_app_admin_role_for_group + group_targets: + id: okta.groups.group_targets + name: group_targets + title: Group Targets + methods: + list_group_targets_for_group_role: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleAssignmentId}~1targets~1groups/get + response: + mediaType: application/json + openAPIDocKey: '200' + assign_group_target_to_group_admin_role: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleAssignmentId}~1targets~1groups~1{targetGroupId}/put + response: + mediaType: '' + openAPIDocKey: '204' + unassign_group_target_from_group_admin_role: + operation: + $ref: >- + #/paths/~1api~1v1~1groups~1{groupId}~1roles~1{roleAssignmentId}~1targets~1groups~1{targetGroupId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/group_targets/methods/list_group_targets_for_group_role + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/group_targets/methods/unassign_group_target_from_group_admin_role + replace: + - $ref: >- + #/components/x-stackQL-resources/group_targets/methods/assign_group_target_to_group_admin_role + users: + id: okta.groups.users + name: users + title: Users + methods: + list_group_users: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1users/get' + response: + mediaType: application/json + openAPIDocKey: '200' + assign_user_to_group: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1users~1{userId}/put' + response: + mediaType: '' + openAPIDocKey: '204' + unassign_user_from_group: + operation: + $ref: '#/paths/~1api~1v1~1groups~1{groupId}~1users~1{userId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/users/methods/list_group_users' + insert: [] + update: [] + delete: + - $ref: >- + 
#/components/x-stackQL-resources/users/methods/unassign_user_from_group
+ replace:
+ - $ref: >-
+ #/components/x-stackQL-resources/users/methods/assign_user_to_group
+servers:
+ - url: https://{subdomain}.okta.com/
+ variables:
+ subdomain:
+ default: my-org
+ description: >-
+ The domain of your organization. This can be a provided subdomain of
+ an official okta domain (okta.com, oktapreview.com, etc) or one of
+ your configured custom domains.
diff --git a/providers/src/okta/v00.00.00000/services/hook_keys.yaml b/providers/src/okta/v00.00.00000/services/hook_keys.yaml
new file mode 100644
index 00000000..bc3d3860
--- /dev/null
+++ b/providers/src/okta/v00.00.00000/services/hook_keys.yaml
@@ -0,0 +1,635 @@
+openapi: 3.0.3
+info:
+ title: hook_keys API
+ description: okta hook_keys API
+ version: 5.1.0
+paths:
+ /api/v1/hook-keys:
+ get:
+ summary: List all keys
+ description: Lists all keys
+ operationId: listHookKeys
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/HookKey'
+ examples:
+ ResponseExample:
+ $ref: '#/components/examples/ListAllKeysResponse'
+ '403':
+ $ref: '#/components/responses/ErrorAccessDenied403'
+ '429':
+ $ref: '#/components/responses/ErrorTooManyRequests429'
+ security:
+ - apiToken: []
+ - oauth2:
+ - okta.inlineHooks.read
+ tags:
+ - HookKey
+ x-okta-lifecycle:
+ lifecycle: GA
+ isGenerallyAvailable: true
+ post:
+ summary: Create a key
+ description: >-
+ Creates a key for use with other parts of the application, such as
+ inline hooks
+
+
+ > **Note:** Use the key name to access this key for inline hook
+ operations.
+
+
+ The total number of keys that you can create in an Okta org is limited
+ to 50.
+
+ The response is a [Key object](https://developer.okta.com/docs/reference/api/hook-keys/#key-object) that represents the
+ key that you create. The `id` property in the response serves as the unique ID for the key, which you can specify when
+ invoking other CRUD operations. The `keyId` provided in the response is the alias of the public key that you can use to get
+ details of the public key data in a separate call.
+
+ > **Note:** The keyId is the alias of the public key that you can use to
+ retrieve the public key.
+ operationId: createHookKey + x-codegen-request-body-name: keyRequest + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/DetailedHookKeyInstance' + examples: + ResponseExample: + $ref: '#/components/examples/CreateHookKeyResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/hook-keys/public/{keyId}: + get: + summary: Retrieve a public key + description: |- + Retrieves a public key by `keyId` + + >**Note:** keyId is the alias of the public key. + operationId: getPublicKey + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/_embedded' + examples: + ResponseExample: + $ref: '#/components/examples/RetrievePublicKeyResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.read + tags: + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPublicKeyId' + /api/v1/hook-keys/{id}: + get: + summary: Retrieve a key by ID + description: >- + Retrieves the public portion of the Key object using the `id` parameter + + + >**Note:** The `?expand=publickey` query parameter optionally returns + the full object including the details of the public key in the response + body's `_embedded` property. 
+ operationId: getHookKey + parameters: + - name: id + description: A valid key ID + in: path + schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/HookKey' + examples: + ResponseExample: + $ref: '#/components/examples/RetrieveKeyResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.read + tags: + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a key + description: >- + Replaces a key by `id` + + + This request replaces existing properties after passing validation. + + + > **Note:** The only parameter that you can update is the name of the + key, which must be unique at all times. + operationId: replaceHookKey + x-codegen-request-body-name: keyRequest + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeyRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/DetailedHookKeyInstance' + examples: + ResponseExample: + $ref: '#/components/examples/ReplaceKeyResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a key + description: > + Deletes a key by `id`. After being deleted, the key is unrecoverable. + + + As a safety precaution, only keys that aren't being used are eligible + for deletion. 
+ operationId: deleteHookKey + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - HookKey + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathHookKeyId' +components: + schemas: + HookKey: + title: HookKeyInstance + description: >- + The `id` property in the response as `id` serves as the unique ID for + the key, which you can specify when invoking other CRUD operations. + + + The `keyId` provided in the response is the alias of the public key that + you can use to get details of the public key data in a separate call. + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the key was created + readOnly: true + nullable: true + id: + type: string + description: The unique identifier for the key + readOnly: true + nullable: false + isUsed: + type: string + format: boolean + description: Whether this key is currently in use by other applications + nullable: false + readOnly: true + keyId: + type: string + description: The alias of the public key + nullable: false + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the key was updated + readOnly: true + nullable: true + name: + type: string + description: Display name of the key + readOnly: false + nullable: false + minLength: 1 + maxLength: 255 + KeyRequest: + type: object + properties: + name: + description: Display name for the key + type: string + uniqueItems: true + readOnly: false + minLength: 1 + maxLength: 255 + nullable: false + DetailedHookKeyInstance: + title: DetailedHookKeyInstance + description: A key object with public key details + type: object + properties: + 
created: + type: string + format: date-time + description: Timestamp when the key was created + readOnly: true + nullable: true + id: + type: string + description: The unique Okta ID of this key record + readOnly: true + nullable: false + isUsed: + type: string + format: boolean + description: Whether this key is currently in use by other applications + nullable: false + readOnly: true + keyId: + type: string + description: The alias of the public key + nullable: false + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the key was updated + readOnly: true + nullable: true + name: + type: string + description: Display name of the key + readOnly: false + nullable: false + minLength: 1 + maxLength: 255 + _embedded: + $ref: '#/components/schemas/_embedded' + _embedded: + description: >- + The Public Key Details are defined in the `_embedded` property of the + Key object. + type: object + properties: + alg: + description: Algorithm used in the key + type: string + nullable: false + readOnly: true + e: + description: RSA key value (exponent) for key binding + type: string + nullable: false + readOnly: true + kid: + description: Unique identifier for the certificate + type: string + uniqueItems: true + nullable: false + readOnly: true + kty: + description: Cryptographic algorithm family for the certificate's keypair + type: string + nullable: false + readOnly: true + 'n': + description: RSA key value (modulus) for key binding + type: string + nullable: false + readOnly: true + use: + description: Acceptable use of the certificate + type: string + nullable: true + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. 
This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathPublicKeyId: + name: keyId + description: id" of the Public Key + in: path + required: true + schema: + type: string + example: FcH2P9Eg7wr0o8N2FuV0 + pathHookKeyId: + name: id + description: ID of the Hook Key + in: path + required: true + schema: + type: string + example: XreKU5laGwBkjOTehusG + examples: + ListAllKeysResponse: + summary: List all keys response example + value: + - id: HKY1i2htmXF5UNQhL0g4 + keyId: bb5bed7d-6e4d-488f-9c86-59b93a2bb3fb + name: My new key + created: '2022-08-22T16:34:33.000Z' + lastUpdated: '2022-08-22T16:34:33.000Z' + isUsed: 'true' + - id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: Test key + created: 
'2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + CreateHookKeyResponse: + summary: Create a key response example + value: + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + _embedded: + kty: RSA + alg: RSA + kid: 7fbc27fd-e3df-4522-86bf-1930110256ad + use: 'null' + e: AQAB + 'n': >- + 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` + RetrievePublicKeyResponse: + summary: Retrieve public key response example + value: + _embedded: + kty: RSA + alg: RSA + kid: 7fbc27fd-e3df-4522-86bf-1930110256ad + use: null + e: AQAB + 'n': >- + 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` + RetrieveKeyResponse: + summary: Retrieve a key by ID response example + value: + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:09:58.000Z' + isUsed: 'false' + ReplaceKeyResponse: + summary: Replace a key response example + value: + id: HKY1p7jWLndGQV9M60g4 + keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad + name: My updated new key + created: '2022-08-31T18:09:58.000Z' + lastUpdated: '2022-08-31T18:16:59.000Z' + isUsed: 'false' + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not 
have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + hook_keys: + id: okta.hook_keys.hook_keys + name: hook_keys + title: Hook Keys + methods: + list_hook_keys: + operation: + $ref: '#/paths/~1api~1v1~1hook-keys/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_hook_key: + operation: + $ref: '#/paths/~1api~1v1~1hook-keys/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_hook_key: + operation: + $ref: '#/paths/~1api~1v1~1hook-keys~1{id}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_hook_key: + operation: + $ref: '#/paths/~1api~1v1~1hook-keys~1{id}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_hook_key: + operation: + $ref: '#/paths/~1api~1v1~1hook-keys~1{id}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/hook_keys/methods/list_hook_keys' + - $ref: '#/components/x-stackQL-resources/hook_keys/methods/get_hook_key' + insert: + - $ref: '#/components/x-stackQL-resources/hook_keys/methods/create_hook_key' + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/hook_keys/methods/delete_hook_key' + replace: + - $ref: >- + 
#/components/x-stackQL-resources/hook_keys/methods/replace_hook_key
+ public_keys:
+ id: okta.hook_keys.public_keys
+ name: public_keys
+ title: Public Keys
+ methods:
+ get_public_key:
+ operation:
+ $ref: '#/paths/~1api~1v1~1hook-keys~1public~1{keyId}/get'
+ response:
+ mediaType: application/json
+ openAPIDocKey: '200'
+ sqlVerbs:
+ select:
+ - $ref: >-
+ #/components/x-stackQL-resources/public_keys/methods/get_public_key
+ insert: []
+ update: []
+ delete: []
+ replace: []
+servers:
+ - url: https://{subdomain}.okta.com/
+ variables:
+ subdomain:
+ default: my-org
+ description: >-
+ The domain of your organization. This can be a provided subdomain of
+ an official okta domain (okta.com, oktapreview.com, etc) or one of
+ your configured custom domains.
diff --git a/providers/src/okta/v00.00.00000/services/iam.yaml b/providers/src/okta/v00.00.00000/services/iam.yaml
new file mode 100644
index 00000000..a6d3fe2c
--- /dev/null
+++ b/providers/src/okta/v00.00.00000/services/iam.yaml
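Review bot: In hook_keys.yaml, the inline `id` path parameter on `getHookKey` (`/api/v1/hook-keys/{id}` → `get`) is declared without `required: true`, which OpenAPI 3.0 mandates for every `in: path` parameter; it also shadows the path-level `$ref: '#/components/parameters/pathHookKeyId'`, which does carry it. Dropping the inline declaration, or adding `required: true` to it, keeps strict validators and generated clients from treating the key ID as optional. In `components/examples`, both `'n'` modulus values end in a stray backtick and `CreateHookKeyResponse` has `use: 'null'` (a string) where `RetrievePublicKeyResponse` has `use: null`, so anything that consumes these examples as fixtures gets a modulus that is not valid base64url. The `servers` block hard-codes `.okta.com` with `default: my-org` although its description mentions oktapreview.com and custom domains; presumably an unconfigured client would then send its API token to a host that is not the caller's org, which is worth confirming against how the consumer resolves the default. The same `servers` block closes the preceding file's hunk.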
@@ -0,0 +1,3420 @@ +openapi: 3.0.3 +info: + title: iam API + description: okta iam API + version: 5.1.0 +paths: + /api/v1/iam/assignees/users: + get: + summary: List all users with role assignments + description: Lists all users with role assignments + operationId: listUsersWithRoleAssignments + parameters: + - name: after + description: Specifies the pagination cursor for the next page of targets + in: query + schema: + type: string + required: false + - name: limit + in: query + description: Specifies the number of results returned. Defaults to `100`. + schema: + type: integer + format: int32 + default: 100 + required: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RoleAssignedUsers' + examples: + User List: + $ref: '#/components/examples/RoleAssignedUsersResponseExample' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/governance/bundles: + get: + summary: List all governance bundles for the Admin Console + description: Lists all Governance Bundles for the Admin Console in your org + operationId: listGovernanceBundles + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundlesResponse' + examples: + GovernanceBundlesResponse: + $ref: '#/components/examples/GovernanceBundlesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + post: + summary: 
Create a governance bundle for the Admin Console in RAMP + description: Creates a Governance Bundle for the Admin Console in RAMP + operationId: createGovernanceBundle + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundleCreateRequest' + examples: + GovernanceBundleCreateRequestStandardRole: + $ref: >- + #/components/examples/GovernanceBundleCreateRequestStandardRole + GovernanceBundleCreateRequestScopedStandardRole: + $ref: >- + #/components/examples/GovernanceBundleCreateRequestScopedStandardRole + GovernanceBundleCreateRequestCustomRole: + $ref: '#/components/examples/GovernanceBundleCreateRequestCustomRole' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundle' + examples: + createGovernanceBundleResponse: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/iam/governance/bundles/{bundleId}: + get: + summary: Retrieve a governance bundle from RAMP + description: Retrieves a Governance Bundle from RAMP + operationId: getGovernanceBundle + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundle' + examples: + GovernanceBundle: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + put: + summary: Replace 
a governance bundle in RAMP + description: Replaces a Governance Bundle in RAMP + operationId: replaceGovernanceBundle + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundleUpdateRequest' + examples: + GovernanceBundleUpdateRequestStandardRole: + $ref: >- + #/components/examples/GovernanceBundleUpdateRequestStandardRole + GovernanceBundleUpdateRequestScopedStandardRole: + $ref: >- + #/components/examples/GovernanceBundleUpdateRequestScopedStandardRole + GovernanceBundleUpdateRequestCustomRole: + $ref: '#/components/examples/GovernanceBundleUpdateRequestCustomRole' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundle' + examples: + GovernanceBundle: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + delete: + summary: Delete a governance bundle from RAMP + description: Deletes a Governance Bundle from RAMP + operationId: deleteGovernanceBundle + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' + /api/v1/iam/governance/bundles/{bundleId}/entitlements: + get: + summary: List all entitlements for a governance bundle + description: Lists all Entitlements specific to a Governance Bundle + operationId: listBundleEntitlements + parameters: + - $ref: '#/components/parameters/queryAfter' + - 
$ref: '#/components/parameters/queryLimit' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/BundleEntitlementsResponse' + examples: + BundleEntitlementsResponse: + $ref: '#/components/examples/BundleEntitlementsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' + /api/v1/iam/governance/bundles/{bundleId}/entitlements/{entitlementId}/values: + get: + summary: List all entitlement values for a bundle entitlement + description: Lists all Entitlement Values specific to a Bundle Entitlement + operationId: listBundleEntitlementValues + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EntitlementValuesResponse' + examples: + EntitlementValuesResponse: + $ref: '#/components/examples/EntitlementValuesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' + - $ref: '#/components/parameters/pathEntitlementId' + /api/v1/iam/governance/optIn: + get: + summary: Retrieve the opt-in status from RAMP + description: Retrieves the opt-in status of the Admin Console from RAMP + operationId: getOptInStatus + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OptInStatusResponse' + 
examples: + OptInStatusResponse: + $ref: '#/components/examples/OptInStatusResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + post: + summary: Opt in the Admin Console to RAMP + description: Opts in the Admin Console to RAMP + operationId: optIn + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OptInStatusResponse' + examples: + OptInStatusResponse: + $ref: '#/components/examples/OptInStatusResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/iam/governance/optOut: + post: + summary: Opt out the Admin Console from RAMP + description: Opts out the Admin Console from RAMP + operationId: optOut + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OptInStatusResponse' + examples: + OptOutStatusResponse: + $ref: '#/components/examples/OptOutStatusResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/iam/resource-sets: + get: + summary: List all resource sets + description: Lists all resource sets with pagination support + operationId: listResourceSets + parameters: + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSets' + examples: + 
Example Response: + $ref: '#/components/examples/ResourceSetsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a resource set + description: >- + Creates a new resource set. See [Supported + resources](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#supported-resources). + + + > **Note:** The maximum number of `resources` allowed in a resource set + object is 1000. Resources are identified by either an Okta Resource Name + (ORN) or by a REST URL format. See [Okta Resource + Name](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#okta-resource-name-orn). + operationId: createResourceSet + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateResourceSetRequest' + examples: + Example Request: + $ref: '#/components/examples/ResourceSetRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSet' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}: + get: + summary: Retrieve a resource set + description: Retrieves a resource set by 
`resourceSetIdOrLabel` + operationId: getResourceSet + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSet' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a resource set + description: Replaces the label and description of a resource set + operationId: replaceResourceSet + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSet' + examples: + Example Request: + $ref: '#/components/examples/ReplaceResourceSetRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSet' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a resource set + description: Deletes a resource set by `resourceSetIdOrLabel` + operationId: deleteResourceSet + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: 
'#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleCResourceSet + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings: + get: + summary: List all role resource set bindings + description: >- + Lists all bindings for a resource set with pagination support. + + + The returned `roles` array contains the roles for each binding + associated with the specified resource set. If there are more than 100 + bindings for the specified resource set, `links.next` provides the + resource with pagination for the next list of bindings. + operationId: listBindings + parameters: + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetBindings' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a role resource set binding + description: >- + Creates a binding for the resource set, custom role, and members (users + or groups) + + + > **Note:** If you use a custom role with permissions that don't apply + to the resources in the resource set, it doesn't affect the admin role. 
+ For example, + the `okta.users.userprofile.manage` permission gives the admin no privileges if it's granted to a resource set that only includes `https://{yourOktaDomain}/api/v1/groups/{targetGroupId}` + resources. If you want the admin to be able to manage the users within the group, the resource set must include the corresponding `https://{yourOktaDomain}/api/v1/groups/{targetGroupId}/users` resource. + operationId: createResourceSetBinding + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetBindingCreateRequest' + examples: + Example Request: + $ref: '#/components/examples/ResourceSetBindingCreateRequestExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetBindingEditResponse' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingResponseExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}: + get: + summary: Retrieve a role resource set binding + description: >- + Retrieves the binding of a role (identified by `roleIdOrLabel`) for a + resource set (identified by `resourceSetIdOrLabel`) + operationId: getBinding + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: 
'#/components/schemas/ResourceSetBindingResponse' + examples: + Example Response: + $ref: >- + #/components/examples/ResourceSetBindingResponseWithIdExample + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a role resource set binding + description: >- + Deletes a binding of a role (identified by `roleIdOrLabel`) and a + resource set (identified by `resourceSetIdOrLabel`) + operationId: deleteBinding + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleDResourceSetBinding + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + - $ref: '#/components/parameters/pathRoleIdOrLabel' + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members: + get: + summary: List all role resource set binding members + description: Lists all members of a role resource set binding with pagination support + operationId: listMembersOfBinding + parameters: + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetBindingMembers' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingMembersResponse' + '403': + 
$ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + patch: + summary: Add more role resource set binding members + description: Adds more members to a role resource set binding + operationId: addMembersToBinding + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetBindingAddMembersRequest' + examples: + Example Request: + $ref: >- + #/components/examples/ResourceSetBindingAddMembersRequestExample + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetBindingEditResponse' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingResponseExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + - $ref: '#/components/parameters/pathRoleIdOrLabel' + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members/{memberId}: + get: + summary: Retrieve a role resource set binding member + description: >- + Retrieves a member (identified by `memberId`) that belongs to a role + 
resource set binding + operationId: getMemberOfBinding + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetBindingMember' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetBindingMemberResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a role resource set binding member + description: >- + Unassigns a member (identified by `memberId`) from a role resource set + binding + operationId: unassignMemberFromBinding + x-codegen-request-body-name: instance + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleDResourceSetBindingMember + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + - $ref: '#/components/parameters/pathRoleIdOrLabel' + - $ref: '#/components/parameters/pathMemberId' + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources: + get: + summary: List all resource set resources + description: Lists all resources for the resource set + operationId: listResourceSetResources + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetResources' + examples: + Example 
Response: + $ref: '#/components/examples/ResourceSetResourcesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleCResourceSetResource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Add a resource set resource with conditions + description: Adds a resource with conditions for a resource set + operationId: addResourceSetResource + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetResourcePostRequest' + examples: + ConditionExample: + $ref: '#/components/examples/ResourceSetResourcePostRequestExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetResource' + examples: + ConditionExample: + $ref: '#/components/examples/ResourceSetResourceResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleCResourceSetResource + patch: + summary: Add more resources to a resource set + description: Adds more resources to a resource set + operationId: addResourceSetResources + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetResourcePatchRequest' + examples: + Example 
Request: + $ref: '#/components/examples/ResourceSetResourcePatchRequestExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSet' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleCResourceSetResource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathResourceSetIdOrLabel' + /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}: + get: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Retrieve a resource set resource + description: Retrieves a resource identified by `resourceId` in a resource set + operationId: getResourceSetResource + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetResource' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResourceResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleCResourceSetResource + put: + 
x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Replace the resource set resource conditions + description: >- + Replaces the conditions of a resource identified by `resourceId` in a + resource set + operationId: replaceResourceSetResource + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetResourcePutRequest' + examples: + Example Request: + $ref: '#/components/examples/ResourceSetResourcePutRequestExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResourceSetResource' + examples: + Example Response: + $ref: '#/components/examples/ResourceSetResourceResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleCResourceSetResource + delete: + summary: Delete a resource set resource + description: Deletes a resource (identified by `resourceId`) from a resource set + operationId: deleteResourceSetResource + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleCResourceSetResource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: 
'#/components/parameters/pathResourceSetIdOrLabel' + - $ref: '#/components/parameters/pathResourceId' + /api/v1/iam/roles: + get: + summary: List all custom roles + description: Lists all custom roles with pagination support + operationId: listRoles + parameters: + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/IamRoles' + examples: + Example Response: + $ref: '#/components/examples/RolesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a custom role + description: Creates a custom role + operationId: createRole + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateIamRoleRequest' + examples: + Example Request: + $ref: '#/components/examples/RoleRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IamRole' + examples: + Example Response: + $ref: '#/components/examples/RoleResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/iam/roles/{roleIdOrLabel}: + get: + summary: Retrieve a role + description: Retrieves a role by `roleIdOrLabel` + operationId: getRole + responses: + '200': + description: OK + 
content: + application/json: + schema: + $ref: '#/components/schemas/IamRole' + examples: + Example Response: + $ref: '#/components/examples/RoleResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a custom role + description: Replaces the label and description for a custom role by `roleIdOrLabel` + operationId: replaceRole + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateIamRoleRequest' + examples: + Example Request: + $ref: '#/components/examples/ReplaceRoleRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/IamRole' + examples: + Example Response: + $ref: '#/components/examples/RoleResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a custom role + description: Deletes a custom role by `roleIdOrLabel` + operationId: deleteRole + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleECustom + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathRoleIdOrLabel' + /api/v1/iam/roles/{roleIdOrLabel}/permissions: + get: + summary: List all custom role permissions + description: Lists all permissions for a custom role by `roleIdOrLabel` + operationId: listRolePermissions + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/Permissions' + examples: + Example Response: + $ref: '#/components/examples/PermissionsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathRoleIdOrLabel' + /api/v1/iam/roles/{roleIdOrLabel}/permissions/{permissionType}: + get: + summary: Retrieve a custom role permission + description: >- + Retrieves a permission (identified by `permissionType`) for a custom + role + operationId: getRolePermission + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/Permission' + examples: + Example Response without conditions: + $ref: '#/components/examples/PermissionResponse' + Example Response with conditions: + $ref: '#/components/examples/PermissionResponseWithConditions' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleECustomPermission + x-okta-lifecycle: + 
lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a custom role permission + description: Creates a permission (specified by `permissionType`) for a custom role + operationId: createRolePermission + x-codegen-request-body-name: instance + requestBody: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + content: + application/json: + schema: + $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' + examples: + Example Request with include: + $ref: >- + #/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude + Example Request with exclude: + $ref: >- + #/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude + required: false + responses: + '204': + description: No Content + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Replace a custom role permission + description: Replaces a permission (specified by `permissionType`) for a custom role + operationId: replaceRolePermission + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' + examples: + Example Request with include: + $ref: >- + #/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude + Example Request with exclude: + $ref: >- + #/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude + required: false + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/Permission' + 
examples: + Example Response: + $ref: '#/components/examples/PermissionResponseWithConditions' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleECustomPermission + delete: + summary: Delete a custom role permission + description: Deletes a permission (identified by `permissionType`) from a custom role + operationId: deleteRolePermission + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleECustomPermission + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathRoleIdOrLabel' + - $ref: '#/components/parameters/pathPermissionType' +components: + schemas: + RoleAssignedUsers: + type: object + properties: + value: + type: array + items: + $ref: '#/components/schemas/RoleAssignedUser' + _links: + $ref: '#/components/schemas/LinksNextForRoleAssignments' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. 
+ errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + GovernanceBundlesResponse: + type: object + properties: + bundles: + type: array + items: + $ref: '#/components/schemas/GovernanceBundle' + _links: + anyOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + GovernanceBundleCreateRequest: + type: object + properties: + description: + type: string + entitlements: + type: array + items: + $ref: '#/components/schemas/IAMBundleEntitlement' + name: + type: string + GovernanceBundle: + type: object + properties: + description: + type: string + id: + type: string + name: + type: string + orn: + type: string + status: + type: string + _links: + allOf: + - properties: + entitlements: + $ref: '#/components/schemas/HrefObject' + type: object + GovernanceBundleUpdateRequest: + type: object + properties: + description: + type: string + entitlements: + type: array + items: + $ref: '#/components/schemas/IAMBundleEntitlement' + name: + type: string + BundleEntitlementsResponse: + type: object + properties: + entitlements: + type: array + items: + $ref: '#/components/schemas/BundleEntitlement' + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using + the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + next: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the next resource + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + bundle: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the bundle resource + EntitlementValuesResponse: + type: object + properties: + 
entitlementValues: + type: array + items: + $ref: '#/components/schemas/EntitlementValue' + _links: + anyOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + - properties: + bundle: + $ref: '#/components/schemas/HrefObject' + entitlements: + $ref: '#/components/schemas/HrefObject' + type: object + OptInStatusResponse: + type: object + properties: + optInStatus: + type: string + enum: + - OPTING_IN + - OPTED_IN + - OPTING_OUT + - OPTED_OUT + _links: + allOf: + - properties: + optInStatus: + $ref: '#/components/schemas/HrefObject' + type: object + ResourceSets: + type: object + properties: + resource-sets: + type: array + items: + $ref: '#/components/schemas/ResourceSet' + _links: + $ref: '#/components/schemas/LinksNext' + CreateResourceSetRequest: + type: object + properties: + description: + type: string + description: Description of the resource set + label: + type: string + description: Unique name for the resource set + resources: + type: array + description: >- + The endpoint (URL) that references all resource objects included in + the resource set. Resources are identified by either an Okta + Resource Name (ORN) or by a REST URL format. See [Okta Resource + Name](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#okta-resource-name-orn). 
+ maximum: 1000 + items: + type: string + required: + - description + - label + - resources + ResourceSet: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the role was created + readOnly: true + description: + type: string + description: Description of the resource set + id: + type: string + description: Unique ID for the resource set object + readOnly: true + label: + type: string + description: Unique label for the resource set + lastUpdated: + type: string + format: date-time + description: Timestamp when the role was last updated + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + resources: + $ref: '#/components/schemas/HrefObjectResourceSetResourcesLink' + bindings: + $ref: '#/components/schemas/HrefObjectBindingsLink' + type: object + ResourceSetBindings: + type: object + properties: + roles: + type: array + description: >- + Roles associated with the resource set binding. If there are more + than 100 bindings for the specified resource set, then the + `_links.next` resource is returned with the next list of bindings. 
+ items: + $ref: '#/components/schemas/ResourceSetBindingRole' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + next: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the next list of bindings for the specified + resource set + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + type: object + ResourceSetBindingCreateRequest: + type: object + properties: + members: + type: array + description: URLs to user and/or group instances that are assigned to the role + items: + type: string + role: + type: string + description: Unique key for the role + ResourceSetBindingEditResponse: + type: object + properties: + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + bindings: + $ref: '#/components/schemas/HrefObjectBindingsLink' + type: object + ResourceSetBindingResponse: + type: object + properties: + id: + type: string + description: '`id` of the role resource set binding' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + members: + $ref: '#/components/schemas/HrefObjectMembersLink' + type: object + ResourceSetBindingMembers: + type: object + properties: + members: + type: array + description: >- + The members of the role resource set binding. If there are more than + 100 members for the binding, then the `_links.next` resource is + returned with the next list of members. 
+ items: + $ref: '#/components/schemas/ResourceSetBindingMember' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + next: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the next list of binding members for the + specified role and resource set + binding: + $ref: '#/components/schemas/HrefObjectBindingLink' + type: object + ResourceSetBindingAddMembersRequest: + type: object + properties: + additions: + type: array + description: A list of member resources to add to the role resource set binding + items: + type: string + description: User or group resources + example: https://{yourOktaDomain}/api/v1/groups/{groupId} + ResourceSetBindingMember: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the member was created + readOnly: true + id: + type: string + description: Role resource set binding member ID + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the member was last updated + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' + ResourceSetResources: + type: object + properties: + resources: + type: array + items: + $ref: '#/components/schemas/ResourceSetResource' + _links: + allOf: + - $ref: '#/components/schemas/LinksNext' + - properties: + resource-set: + $ref: '#/components/schemas/HrefObject' + type: object + ResourceSetResourcePostRequest: + type: object + properties: + conditions: + $ref: '#/components/schemas/ResourceConditions' + resourceOrnOrUrl: + type: string + description: Resource in ORN or REST API URL format + required: + - resourceOrnOrUrl + - conditions + ResourceSetResource: + type: object + properties: + conditions: + $ref: '#/components/schemas/ResourceConditions' + created: + type: string + format: date-time + description: Timestamp when the resource set resource object was created + readOnly: true + id: + type: string + description: Unique ID of the resource 
set resource object + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when this object was last updated + readOnly: true + orn: + type: string + description: The Okta Resource Name (ORN) of the resource + _links: + description: Related discoverable resources + readOnly: true + properties: + self: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The REST API URL of the related resource + resource: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to this resource set resource object (self) + groups: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + If applicable, the REST API URL of the related groups + resource + users: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + If applicable, the REST API URL of the related users + resource + type: object + ResourceSetResourcePatchRequest: + type: object + properties: + additions: + type: array + description: A list of resources to add to the resource set + items: + type: string + description: Resource in ORN or REST API URL format + ResourceSetResourcePutRequest: + type: object + properties: + conditions: + $ref: '#/components/schemas/ResourceConditions' + IamRoles: + type: object + properties: + roles: + type: array + items: + $ref: '#/components/schemas/IamRole' + _links: + $ref: '#/components/schemas/LinksNext' + CreateIamRoleRequest: + type: object + properties: + description: + type: string + description: Description of the role + label: + type: string + description: Unique label for the role + permissions: + type: array + description: >- + Array of permissions that the role grants. See + [Permissions](https://developer.okta.com/docs/api/openapi/okta-management/guides/permissions). 
+ required: + - label + - description + - permissions + IamRole: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the role was created + readOnly: true + description: + type: string + description: Description of the role + id: + type: string + description: Unique key for the role + readOnly: true + label: + type: string + description: Unique label for the role + lastUpdated: + type: string + format: date-time + description: Timestamp when the role was last updated + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + permissions: + $ref: '#/components/schemas/HrefObject' + type: object + required: + - label + - description + UpdateIamRoleRequest: + type: object + properties: + description: + type: string + description: Description of the role + label: + type: string + description: Unique label for the role + required: + - label + - description + Permissions: + description: Permissions assigned to the role + type: object + properties: + permissions: + type: array + description: >- + Array of permissions assigned to the role. See + [Permissions](https://developer.okta.com/docs/api/openapi/okta-management/guides/permissions). 
+ items: + $ref: '#/components/schemas/Permission' + Permission: + type: object + properties: + conditions: + $ref: '#/components/schemas/PermissionConditions' + created: + type: string + format: date-time + description: Timestamp when the permission was assigned + readOnly: true + label: + type: string + description: >- + The assigned Okta + [permission](https://developer.okta.com/docs/api/openapi/okta-management/guides/permissions) + readOnly: true + example: okta.users.read + lastUpdated: + type: string + format: date-time + description: Timestamp when the permission was last updated + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + role: + $ref: '#/components/schemas/HrefObjectRoleLink' + type: object + CreateUpdateIamRolePermissionRequest: + type: object + properties: + conditions: + $ref: '#/components/schemas/PermissionConditions' + RoleAssignedUser: + type: object + properties: + id: + type: string + readOnly: true + description: The ID of the user + orn: + type: string + readOnly: true + description: ORN representing the assignee + _links: + $ref: '#/components/schemas/LinksSelfAndRoles' + LinksNextForRoleAssignments: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. + type: object + properties: + next: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + The next page of results if [pagination](#pagination) is + required + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. 
This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + LinksNext: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. Use the `LinksNext` object for dynamic discovery of + related resources and lifecycle operations. + type: object + properties: + next: + $ref: '#/components/schemas/HrefObject' + readOnly: true + IAMBundleEntitlement: + type: object + properties: + resourceSets: + type: array + items: + type: string + role: + type: string + targets: + type: array + items: + type: string + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + BundleEntitlement: + type: object + properties: + description: + type: string + id: + type: string + name: + type: string + role: + type: string + _links: + allOf: + - properties: + values: + $ref: '#/components/schemas/HrefObject' + type: object + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + EntitlementValue: + type: object + properties: + id: + type: string + name: + type: string + value: + type: string + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using + the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + group: + $ref: '#/components/schemas/HrefObjectGroupLink' + app: + $ref: '#/components/schemas/HrefObjectAppLink' + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + HrefObjectResourceSetResourcesLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to resource set resources + HrefObjectBindingsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the bindings resource + ResourceSetBindingRole: + type: object + properties: + id: + type: string + description: '`id` of the role' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + members: + $ref: '#/components/schemas/HrefObjectMembersLink' + type: object + HrefObjectResourceSetLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource set resource + HrefObjectMembersLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the members resource + HrefObjectBindingLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the binding resource + ResourceConditions: + x-okta-lifecycle: + lifecycle: GA + 
isGenerallyAvailable: true + description: Conditions for further restricting a resource. + nullable: false + type: object + properties: + Exclude: + type: object + description: Specific resources to exclude + properties: + okta:ORN: + type: array + description: List of specific resources to exclude in ORN format + items: + type: string + PermissionConditions: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + description: >- + Conditions for further restricting a permission. See [Permission + conditions](https://help.okta.com/okta_help.htm?type=oie&id=ext-permission-conditions). + nullable: true + type: object + properties: + exclude: + type: object + description: Exclude attributes with specific values for the permission + additionalProperties: + type: object + properties: {} + nullable: true + include: + type: object + description: Include attributes with specific values for the permission + additionalProperties: + type: object + properties: {} + nullable: true + HrefObjectRoleLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the role resource + LinksSelfAndRoles: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + roles: + $ref: '#/components/schemas/HrefObjectRoleLink' + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HrefObjectGroupLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the group resource + HrefObjectAppLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app resource + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + 
ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + pathBundleId: + name: bundleId + in: path + schema: + type: string + example: enbllojq9J9J105DL1d6 + required: true + description: The `id` of a bundle + pathEntitlementId: + name: entitlementId + in: path + schema: + type: string + example: ent4rg7fltWSgrlDT8g6 + required: true + description: The `id` of a bundle entitlement + pathResourceSetIdOrLabel: + name: resourceSetIdOrLabel + in: path + schema: + type: string + example: iamoJDFKaJxGIr0oamd9g + required: true + description: '`id` or `label` of the resource set' + pathRoleIdOrLabel: + name: roleIdOrLabel + in: path + schema: + type: string + example: cr0Yq6IJxGIr0ouum0g3 + required: true + description: '`id` or `label` of the role' + pathMemberId: + name: memberId + in: path + schema: + type: string + example: irb1qe6PGuMc7Oh8N0g4 + required: true + description: '`id` of the member' + 
pathResourceId: + name: resourceId + in: path + schema: + type: string + example: ire106sQKoHoXXsAe0g4 + required: true + description: '`id` of the resource' + pathPermissionType: + name: permissionType + in: path + schema: + type: string + example: okta.users.manage + required: true + description: An Okta [permission](https://developer.okta.com/docs/api/openapi/okta-management/guides/permissions) + examples: + RoleAssignedUsersResponseExample: + value: + value: + - id: 00u118oQYT4TBGuay0g4 + orn: orn:okta:00o5rb5mt2H3d1TJd0h7:users:00u118oQYT4TBGuay0g4 + _links: + self: + href: >- + http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + roles: + href: >- + http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4/roles + _links: + next: + href: >- + http://your-subdomain.okta.com/api/v1/iam/assignees/users?after=00u118oQYT4TBGuay0g4&limit=1 + GovernanceBundlesResponse: + summary: List of governance bundles + value: + bundles: + - id: 0bbfxqCAJWWGELFTYAAA + name: Group admin bundle + description: Group bundle for administrative access + status: ACTIVE + orn: >- + orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA + _links: + entitlements: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements + _links: + self: + href: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 + next: + href: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12 + GovernanceBundleCreateRequestStandardRole: + summary: Create governance bundle with non-scoped standard role + value: + name: Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + GovernanceBundleCreateRequestScopedStandardRole: + summary: Create governance bundle with scoped standard role + value: + name: Group admin bundle + description: Group bundle for administrative access + entitlements: + role: 
GROUP_MEMBERSHIP_ADMIN + targets: + - 00guaxWZ0AOa5NFAj0g3 + GovernanceBundleCreateRequestCustomRole: + summary: Create governance bundle with custom role + value: + name: Custom admin bundle + description: Custom bundle for administrative access + entitlements: + role: cr0WxyzJxGIr0ouum0g4 + resourceSets: + - iamoJDFKaJxGIr0oamd9g + GovernanceBundle: + summary: Governance bundle + value: + id: 0bbfxqCAJWWGELFTYAAA + name: Group admin bundle + description: Group bundle for administrative access + status: ACTIVE + orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA + _links: + self: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA + entitlements: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements + GovernanceBundleUpdateRequestStandardRole: + summary: Update governance bundle with non-scoped standard role + value: + name: Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + GovernanceBundleUpdateRequestScopedStandardRole: + summary: Update governance bundle with scoped standard role + value: + name: Group admin bundle + description: Group bundle for administrative access + entitlements: + role: GROUP_MEMBERSHIP_ADMIN + targets: + - 00guaxWZ0AOa5NFAj0g3 + GovernanceBundleUpdateRequestCustomRole: + summary: Update governance bundle with custom role + value: + name: Custom admin bundle + description: Custom bundle for administrative access + entitlements: + role: cr0WxyzJxGIr0ouum0g4 + resourceSets: + - iamoJDFKaJxGIr0oamd9g + BundleEntitlementsResponse: + summary: List of governance bundle entitlements + value: + entitlements: + - id: espfxqCAJWWGELFTYASJ + role: GROUP_MEMBERSHIP_ADMIN + name: Group Membership Admin + description: Perform all admin activities for groups in the org + _links: + values: >- + 
http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements/espfxqCAJWWGELFTYASJ/values + _links: + self: + href: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 + next: + href: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12 + bundle: + href: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA + EntitlementValuesResponse: + summary: List of bundle entitlement values + value: + entitlementValues: + - id: entfxqCAJWWGELFTYAAA + value: orn:okta:00o5rb5mt2H3d1TJd0h7:groups:00guaxWZ0AOa5NFAj0g3 + name: Restricted users group + _links: + group: >- + http://your-subdomain.okta.com/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + _links: + self: + href: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 + bundle: + href: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA + entitlements: + href: >- + http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements + OptInStatusResponse: + summary: Opt in response + value: + optInStatus: OPTING_IN + _links: + optInStatus: + href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn + OptOutStatusResponse: + summary: Opt out response + value: + optInStatus: OPTING_OUT + _links: + optInStatus: + href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn + ResourceSetsResponse: + value: + resource-sets: + - id: iamoJDFKaJxGIr0oamd9g + label: SF-IT-1 + description: First San Francisco IT Resource Set + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + resources: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources + bindings: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + - 
id: iamoJDFKaJxGIr0oamd0q + label: SF-IT-2 + description: Second San Francisco IT Resource Set + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q + resources: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/resources + bindings: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/bindings + _links: + next: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets?after=iamoJDFKaJxGIr0oamd0q + ResourceSetRequest: + value: + label: SF-IT-People + description: People in the IT department of San Francisco + resources: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + - https://{yourOktaDomain}/api/v1/users + - https://{yourOktaDomain}/api/v1/realms/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/realms + ResourceSetResponse: + value: + id: iamoJDFKaJxGIr0oamd9g + label: SF-IT-People + description: People in the IT department of San Francisco + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + resources: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources + bindings: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ReplaceResourceSetRequest: + value: + label: SF-IT-People + description: People in the IT department of San Francisco + ResourceSetBindingsResponse: + value: + roles: + - id: cr0WxyzJxGIr0ouum0g4 + _links: + self: + 
href: https://{yourOktaDomain}/api/v1/iam/roles/cr0WxyzJxGIr0ouum0g4 + members: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0WxyzJxGIr0ouum0g4/members + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + next: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings?after=cr0WxyzJxGIr0ouum0g4 + ResourceSetBindingCreateRequestExample: + value: + role: cr0Yq6IJxGIr0ouum0g3 + members: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + ResourceSetBindingResponseExample: + value: + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + bindings: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetBindingResponseWithIdExample: + value: + id: cr0Yq6IJxGIr0ouum0g3 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + members: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetBindingMembersResponse: + value: + members: + - id: irb1qe6PGuMc7Oh8N0g4 + created: '2024-12-19T00:00:00.000Z' + lastUpdated: '2024-12-19T00:00:00.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 + - id: irb1q92TFAHzySt3x0g4 + created: '2024-12-19T00:00:00.000Z' + lastUpdated: '2024-12-19T00:00:00.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + _links: + self: + 
href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members + binding: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 + ResourceSetBindingAddMembersRequestExample: + value: + additions: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3 + ResourceSetBindingMemberResponse: + value: + id: irb1qe6PGuMc7Oh8N0g4 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 + ResourceSetResourcesResponse: + value: + resources: + - id: ire106sQKoHoXXsAe0g4 + orn: orn:{partition}:directory:{yourOrgId}:groups:00guaxWZ0AOa5NFAj0g3 + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + resource: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1 + - id: ire106riDrTYl4qA70g4 + orn: >- + orn:{partition}:directory:{yourOrgId}:groups:00gu67DU2qNCjNZYO0g3:contained_resources + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + resource: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g2 + - id: irezvo4AwE2ngpMw40g3 + orn: orn:{partition}:directory:{yourOrgId}:users + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/users + users: + href: https://{yourOktaDomain}/api/v1/users + - id: ire2j4iDnxHhUFaZN0g4 + orn: orn:{partition}:directory:{yourOrgId}:groups + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' 
+ _links: + self: + href: https://{yourOktaDomain}/api/v1/groups + groups: + href: https://{yourOktaDomain}/api/v1/groups + resource: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g3 + _links: + next: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3 + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + ResourceSetResourcePostRequestExample: + summary: Resource set with conditions request + value: + resourceOrnOrUrl: https://{yourOktaDomain}/api/v1/apps + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + ResourceSetResourceResponse: + summary: Resource set response + value: + id: ire106sQKoHoXXsAe0g4 + orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps + resource: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1 + ResourceSetResourcePatchRequestExample: + value: + additions: + - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 + - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users + ResourceSetResourcePutRequestExample: + value: + conditions: + Exclude: + okta:ORN: + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 + - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack + RolesResponse: + value: + roles: + - id: cr0Yq6IJxGIr0ouum0g3 + label: UserCreator + description: Create users + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + permissions: + href: >- + 
https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + - id: cr0Fw7HKcWIroo88m3r1 + label: GroupMembershipManager + description: Manage group membership + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1/permissions + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1 + _links: + next: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles?after=cr0Fw7HKcWIroo88m3r1 + RoleRequest: + value: + label: UserCreator + description: Create users + permissions: + - okta.users.create + - okta.users.read + - okta.groups.read + - okta.users.userprofile.manage + RoleResponse: + value: + id: cr0Yq6IJxGIr0ouum0g3 + label: UserCreator + description: Create users + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + self: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + ReplaceRoleRequest: + value: + label: UserCreator + description: Create users + PermissionsResponse: + value: + permissions: + - label: okta.users.create + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.create + - label: okta.users.read + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + - zipCode + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: >- + 
https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read + - label: okta.groups.read + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.groups.read + - label: okta.users.userprofile.manage + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.userprofile.manage + PermissionResponse: + value: + label: okta.users.manage + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.manage + PermissionResponseWithConditions: + value: + label: okta.users.read + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + - zipCode + created: '2021-02-06T16:20:57.000Z' + lastUpdated: '2021-02-06T16:20:57.000Z' + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + self: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read + CreateUpdateIamRolePermissionRequestExampleWithInclude: + value: + conditions: + include: + okta:ResourceAttribute/User/Profile: + - city + - state + CreateUpdateIamRolePermissionRequestExampleWithExclude: + value: + conditions: + exclude: + okta:ResourceAttribute/User/Profile: + - zipCode + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + users_with_role_assignments: + id: okta.iam.users_with_role_assignments + name: users_with_role_assignments + title: Users With Role Assignments + methods: + list_users_with_role_assignments: + operation: + $ref: '#/paths/~1api~1v1~1iam~1assignees~1users/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/users_with_role_assignments/methods/list_users_with_role_assignments + insert: [] + update: [] + delete: [] + replace: [] + governance_bundles: + id: okta.iam.governance_bundles + name: governance_bundles + title: Governance Bundles + methods: + list_governance_bundles: + operation: + $ref: '#/paths/~1api~1v1~1iam~1governance~1bundles/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_governance_bundle: + operation: + $ref: '#/paths/~1api~1v1~1iam~1governance~1bundles/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_governance_bundle: + operation: + $ref: '#/paths/~1api~1v1~1iam~1governance~1bundles~1{bundleId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_governance_bundle: + operation: + $ref: '#/paths/~1api~1v1~1iam~1governance~1bundles~1{bundleId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_governance_bundle: + operation: + $ref: '#/paths/~1api~1v1~1iam~1governance~1bundles~1{bundleId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + 
sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/governance_bundles/methods/list_governance_bundles + - $ref: >- + #/components/x-stackQL-resources/governance_bundles/methods/get_governance_bundle + insert: + - $ref: >- + #/components/x-stackQL-resources/governance_bundles/methods/create_governance_bundle + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/governance_bundles/methods/delete_governance_bundle + replace: + - $ref: >- + #/components/x-stackQL-resources/governance_bundles/methods/replace_governance_bundle + bundle_entitlements: + id: okta.iam.bundle_entitlements + name: bundle_entitlements + title: Bundle Entitlements + methods: + list_bundle_entitlements: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1governance~1bundles~1{bundleId}~1entitlements/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/bundle_entitlements/methods/list_bundle_entitlements + insert: [] + update: [] + delete: [] + replace: [] + bundle_entitlement_values: + id: okta.iam.bundle_entitlement_values + name: bundle_entitlement_values + title: Bundle Entitlement Values + methods: + list_bundle_entitlement_values: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1governance~1bundles~1{bundleId}~1entitlements~1{entitlementId}~1values/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/bundle_entitlement_values/methods/list_bundle_entitlement_values + insert: [] + update: [] + delete: [] + replace: [] + opt_in_status: + id: okta.iam.opt_in_status + name: opt_in_status + title: Opt In Status + methods: + get_opt_in_status: + operation: + $ref: '#/paths/~1api~1v1~1iam~1governance~1optIn/get' + response: + mediaType: application/json + openAPIDocKey: '200' + opt_in: + operation: + $ref: '#/paths/~1api~1v1~1iam~1governance~1optIn/post' + response: + mediaType: application/json + 
openAPIDocKey: '200' + opt_out: + operation: + $ref: '#/paths/~1api~1v1~1iam~1governance~1optOut/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/opt_in_status/methods/get_opt_in_status + insert: [] + update: [] + delete: [] + replace: [] + role_resource_sets: + id: okta.iam.role_resource_sets + name: role_resource_sets + title: Role Resource Sets + methods: + list_resource_sets: + operation: + $ref: '#/paths/~1api~1v1~1iam~1resource-sets/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_resource_set: + operation: + $ref: '#/paths/~1api~1v1~1iam~1resource-sets/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_resource_set: + operation: + $ref: '#/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_resource_set: + operation: + $ref: '#/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_resource_set: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/role_resource_sets/methods/list_resource_sets + - $ref: >- + #/components/x-stackQL-resources/role_resource_sets/methods/get_resource_set + insert: + - $ref: >- + #/components/x-stackQL-resources/role_resource_sets/methods/create_resource_set + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/role_resource_sets/methods/delete_resource_set + replace: + - $ref: >- + #/components/x-stackQL-resources/role_resource_sets/methods/replace_resource_set + role_resource_set_bindings: + id: okta.iam.role_resource_set_bindings + name: role_resource_set_bindings + title: Role Resource Set Bindings + methods: + list_bindings: + 
operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1bindings/get + response: + mediaType: application/json + openAPIDocKey: '200' + create_resource_set_binding: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1bindings/post + response: + mediaType: application/json + openAPIDocKey: '200' + get_binding: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1bindings~1{roleIdOrLabel}/get + response: + mediaType: application/json + openAPIDocKey: '200' + delete_binding: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1bindings~1{roleIdOrLabel}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_bindings/methods/list_bindings + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_bindings/methods/get_binding + insert: + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_bindings/methods/create_resource_set_binding + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_bindings/methods/delete_binding + replace: [] + role_resource_set_binding_members: + id: okta.iam.role_resource_set_binding_members + name: role_resource_set_binding_members + title: Role Resource Set Binding Members + methods: + list_members_of_binding: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1bindings~1{roleIdOrLabel}~1members/get + response: + mediaType: application/json + openAPIDocKey: '200' + add_members_to_binding: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1bindings~1{roleIdOrLabel}~1members/patch + response: + mediaType: application/json + openAPIDocKey: '200' + get_member_of_binding: + operation: + $ref: >- + 
#/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1bindings~1{roleIdOrLabel}~1members~1{memberId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + unassign_member_from_binding: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1bindings~1{roleIdOrLabel}~1members~1{memberId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_binding_members/methods/list_members_of_binding + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_binding_members/methods/get_member_of_binding + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_binding_members/methods/add_members_to_binding + delete: + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_binding_members/methods/unassign_member_from_binding + replace: [] + role_resource_set_resources: + id: okta.iam.role_resource_set_resources + name: role_resource_set_resources + title: Role Resource Set Resources + methods: + list_resource_set_resources: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1resources/get + response: + mediaType: application/json + openAPIDocKey: '200' + add_resource_set_resource: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1resources/post + response: + mediaType: application/json + openAPIDocKey: '200' + add_resource_set_resources: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1resources/patch + response: + mediaType: application/json + openAPIDocKey: '200' + get_resource_set_resource: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1resources~1{resourceId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_resource_set_resource: + operation: + $ref: >- + 
#/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1resources~1{resourceId}/put + response: + mediaType: application/json + openAPIDocKey: '200' + delete_resource_set_resource: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1resource-sets~1{resourceSetIdOrLabel}~1resources~1{resourceId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_resources/methods/list_resource_set_resources + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_resources/methods/get_resource_set_resource + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_resources/methods/add_resource_set_resources + delete: + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_resources/methods/delete_resource_set_resource + replace: + - $ref: >- + #/components/x-stackQL-resources/role_resource_set_resources/methods/replace_resource_set_resource + roles: + id: okta.iam.roles + name: roles + title: Roles + methods: + list_roles: + operation: + $ref: '#/paths/~1api~1v1~1iam~1roles/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_role: + operation: + $ref: '#/paths/~1api~1v1~1iam~1roles/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_role: + operation: + $ref: '#/paths/~1api~1v1~1iam~1roles~1{roleIdOrLabel}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_role: + operation: + $ref: '#/paths/~1api~1v1~1iam~1roles~1{roleIdOrLabel}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_role: + operation: + $ref: '#/paths/~1api~1v1~1iam~1roles~1{roleIdOrLabel}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/roles/methods/list_roles' + - $ref: '#/components/x-stackQL-resources/roles/methods/get_role' + insert: + - $ref: 
'#/components/x-stackQL-resources/roles/methods/create_role' + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/roles/methods/delete_role' + replace: + - $ref: '#/components/x-stackQL-resources/roles/methods/replace_role' + role_permissions: + id: okta.iam.role_permissions + name: role_permissions + title: Role Permissions + methods: + list_role_permissions: + operation: + $ref: '#/paths/~1api~1v1~1iam~1roles~1{roleIdOrLabel}~1permissions/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_role_permission: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1roles~1{roleIdOrLabel}~1permissions~1{permissionType}/get + response: + mediaType: application/json + openAPIDocKey: '200' + create_role_permission: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1roles~1{roleIdOrLabel}~1permissions~1{permissionType}/post + response: + mediaType: '' + openAPIDocKey: '204' + replace_role_permission: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1roles~1{roleIdOrLabel}~1permissions~1{permissionType}/put + response: + mediaType: application/json + openAPIDocKey: '200' + delete_role_permission: + operation: + $ref: >- + #/paths/~1api~1v1~1iam~1roles~1{roleIdOrLabel}~1permissions~1{permissionType}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/role_permissions/methods/list_role_permissions + - $ref: >- + #/components/x-stackQL-resources/role_permissions/methods/get_role_permission + insert: + - $ref: >- + #/components/x-stackQL-resources/role_permissions/methods/create_role_permission + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/role_permissions/methods/delete_role_permission + replace: + - $ref: >- + #/components/x-stackQL-resources/role_permissions/methods/replace_role_permission +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. 
This can be a provided subdomain of
+ an official okta domain (okta.com, oktapreview.com, etc) or one of
+ your configured custom domains.
diff --git a/providers/src/okta/v00.00.00000/services/identity_sources.yaml b/providers/src/okta/v00.00.00000/services/identity_sources.yaml
new file mode 100644
index 00000000..cdd4f5f4
--- /dev/null
+++ b/providers/src/okta/v00.00.00000/services/identity_sources.yaml
@@ -0,0 +1,681 @@ +openapi: 3.0.3 +info: + title: identity_sources API + description: okta identity_sources API + version: 5.1.0 +paths: + /api/v1/identity-sources/{identitySourceId}/sessions: + get: + summary: List all identity source sessions + description: >- + Lists all identity source sessions for the given identity source + instance + operationId: listIdentitySourceSessions + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/IdentitySourceSession' + examples: + sessionsList: + $ref: '#/components/examples/ListSessionsResponseForGetSessions' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.identitySources.read + tags: + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Create an identity source session + description: >- + Creates an identity source session for the given identity source + instance + operationId: createIdentitySourceSession + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentitySourceSession' + examples: + session: + $ref: '#/components/examples/GetSessionResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.identitySources.manage + tags: + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}: + get: + summary: Retrieve an identity source session + description: >- 
+ Retrieves an identity source session for a given identity source ID and + session ID + operationId: getIdentitySourceSession + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentitySourceSession' + examples: + session: + $ref: '#/components/examples/GetSessionResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.identitySources.read + tags: + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + delete: + summary: Delete an identity source session + description: >- + Deletes an identity source session for a given identity source ID and + session Id + operationId: deleteIdentitySourceSession + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.identitySources.manage + tags: + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' + /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-delete: + post: + summary: Upload the data to be deleted in Okta + description: >- + Uploads external IDs of entities that need to be deleted in Okta from + the identity source for the given session + operationId: uploadIdentitySourceDataForDelete + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BulkDeleteRequestBody' + examples: + bulkDeletePayload: + $ref: '#/components/examples/bulkDeletePayload' + responses: + 
'202': + description: Accepted + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.identitySources.manage + tags: + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' + /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-upsert: + post: + summary: Upload the data to be upserted in Okta + description: >- + Uploads entities that need to be inserted or updated in Okta from the + identity source for the given session + operationId: uploadIdentitySourceDataForUpsert + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/BulkUpsertRequestBody' + examples: + bulkUpsertPayload: + $ref: '#/components/examples/bulkUpsertPayload' + responses: + '202': + description: Accepted + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.identitySources.manage + tags: + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' + /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/start-import: + post: + summary: Start the import from the identity source + description: >- + Starts the import from the identity source described by the uploaded + bulk operations + 
operationId: startImportFromIdentitySource + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentitySourceSession' + examples: + triggeredSession: + $ref: '#/components/examples/TriggerSessionResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.identitySources.manage + tags: + - IdentitySource + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathIdentitySourceId' + - $ref: '#/components/parameters/pathIdentitySourceSessionId' +components: + schemas: + IdentitySourceSession: + type: object + properties: + created: + type: string + description: The timestamp when the identity source session was created + format: date-time + readOnly: true + id: + type: string + description: The ID of the identity source session + readOnly: true + identitySourceId: + type: string + description: >- + The ID of the custom identity source for which the session is + created + readOnly: true + importType: + type: string + description: The type of import. All imports are `INCREMENTAL` imports. + readOnly: true + lastUpdated: + type: string + description: The timestamp when the identity source session was created + format: date-time + readOnly: true + status: + $ref: '#/components/schemas/IdentitySourceSessionStatus' + BulkDeleteRequestBody: + type: object + properties: + entityType: + description: >- + The type of data to bulk delete in a session. Currently, only + `USERS` is supported. 
+ type: string + enum: + - USERS + profiles: + type: array + description: Array of profiles to be deleted + items: + $ref: '#/components/schemas/IdentitySourceUserProfileForDelete' + BulkUpsertRequestBody: + type: object + properties: + entityType: + description: >- + The type of data to upsert into the session. Currently, only `USERS` + is supported. + type: string + enum: + - USERS + profiles: + type: array + description: Array of user profiles to be uploaded + items: + type: object + properties: + externalId: + type: string + description: >- + The external ID of the entity that needs to be created or + updated in Okta + maxLength: 512 + profile: + $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert' + IdentitySourceSessionStatus: + description: The current status of the identity source session + type: string + enum: + - CLOSED + - COMPLETED + - CREATED + - ERROR + - EXPIRED + - IN_PROGRESS + - TRIGGERED + x-enumDescriptions: + CREATED: >- + This is a new identity source session that hasn't been processed. You + can upload bulk data in this stage. + IN_PROGRESS: The bulk data is being uploaded to Okta. + TRIGGERED: >- + Okta is processing the import data in this session. You can't load + bulk data in this stage. + COMPLETED: The bulk data was processed and imported into Okta. + CLOSED: >- + The identity source session was canceled and isn't available for + further activity. + EXPIRED: >- + This identity source session had the `CREATED` status and timed-out + after 24 hours of inactivity. + ERROR: >- + The processing of import data in the session encountered an error. You + need to open a new session to upload the data again. + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. 
This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + IdentitySourceUserProfileForDelete: + type: object + properties: + externalId: + type: string + description: The external ID of the entity that needs to be deleted in Okta + maxLength: 512 + IdentitySourceUserProfileForUpsert: + description: >- + Contains a set of external user attributes and their values that are + mapped to Okta standard and custom profile properties. See the + [`profile` + object](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response) + and Declaration of a Custom Identity Source Schema in [Using anything as + a + source](https://help.okta.com/okta_help.htm?type=oie&id=ext-anything-as-a-source). + + > **Note:** Profile attributes can only be of the string type. 
+ type: object + properties: + email: + type: string + format: email + description: Email address of the user + minLength: 5 + maxLength: 100 + firstName: + type: string + description: First name of the user + minLength: 1 + maxLength: 50 + nullable: true + homeAddress: + type: string + description: Home address of the user + maxLength: 4096 + nullable: true + lastName: + type: string + description: Last name of the user + minLength: 1 + maxLength: 50 + nullable: true + mobilePhone: + type: string + description: Mobile phone number of the user + maxLength: 100 + nullable: true + secondEmail: + type: string + description: Alternative email address of the user + format: email + minLength: 5 + maxLength: 100 + userName: + type: string + description: Username of the user + maxLength: 100 + ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + parameters: + pathIdentitySourceId: + name: identitySourceId + in: path + required: true + description: The ID of the identity source for which the session is created + example: 0oa3l6l6WK6h0R0QW0g4 + schema: + type: string + 
pathIdentitySourceSessionId: + name: sessionId + in: path + required: true + description: The ID of the identity source session + example: aps1qqonvr2SZv6o70h8 + schema: + type: string + examples: + ListSessionsResponseForGetSessions: + value: + - id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CREATED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T16:15:44.000Z' + - id: aps1quck606ngubVq0h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: TRIGGERED + importType: INCREMENTAL + created: '2022-04-04T16:56:05.000Z' + lastUpdated: '2022-05-05T17:15:44.000Z' + - id: aps1qzy2acb5jDlUc0h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: IN_PROGRESS + importType: INCREMENTAL + created: '2022-04-04T17:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + - id: aps1qqne8c1JHkMdF0h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: EXPIRED + importType: INCREMENTAL + created: '2022-04-04T18:56:05.000Z' + lastUpdated: '2022-05-05T19:15:44.000Z' + - id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CLOSED + importType: INCREMENTAL + created: '2022-04-04T19:56:05.000Z' + lastUpdated: '2022-05-05T20:15:44.000Z' + GetSessionResponse: + value: + id: aps1qqonvr2SZv6o70h8 + identitySourceId: 0oa3l6l6WK6h0R0QW0g4 + status: CREATED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T16:15:44.000Z' + bulkDeletePayload: + value: + entityType: USERS + profiles: + - externalId: EXT123456784C2IF + - externalId: EXT123456784C3IF + - externalId: EXT123456784C4IF + bulkUpsertPayload: + value: + entityType: USERS + profiles: + - externalId: EXT123456784C2IF + profile: + userName: isaac.brock@example.com + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + secondEmail: isaac2.brock@example.com + mobilePhone: 123-456-7890 + homeAddress: Kirkland, WA + TriggerSessionResponse: + value: + - id: aps1qqonvr2SZv6o70h8 + identitySourceId: 
0oa3l6l6WK6h0R0QW0g4 + status: TRIGGERED + importType: INCREMENTAL + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + x-stackQL-resources: + sessions: + id: okta.identity_sources.sessions + name: sessions + title: Sessions + methods: + list_identity_source_sessions: + operation: + $ref: >- + #/paths/~1api~1v1~1identity-sources~1{identitySourceId}~1sessions/get + response: + mediaType: application/json + openAPIDocKey: '200' + create_identity_source_session: + operation: + $ref: >- + #/paths/~1api~1v1~1identity-sources~1{identitySourceId}~1sessions/post + response: + mediaType: application/json + openAPIDocKey: '200' + get_identity_source_session: + operation: + $ref: >- + #/paths/~1api~1v1~1identity-sources~1{identitySourceId}~1sessions~1{sessionId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + delete_identity_source_session: + operation: + $ref: >- + #/paths/~1api~1v1~1identity-sources~1{identitySourceId}~1sessions~1{sessionId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + 
#/components/x-stackQL-resources/sessions/methods/list_identity_source_sessions + - $ref: >- + #/components/x-stackQL-resources/sessions/methods/get_identity_source_session + insert: + - $ref: >- + #/components/x-stackQL-resources/sessions/methods/create_identity_source_session + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/sessions/methods/delete_identity_source_session + replace: [] + identity_sources: + id: okta.identity_sources.identity_sources + name: identity_sources + title: Identity Sources + methods: + upload_identity_source_data_for_delete: + operation: + $ref: >- + #/paths/~1api~1v1~1identity-sources~1{identitySourceId}~1sessions~1{sessionId}~1bulk-delete/post + response: + mediaType: '' + openAPIDocKey: '202' + upload_identity_source_data_for_upsert: + operation: + $ref: >- + #/paths/~1api~1v1~1identity-sources~1{identitySourceId}~1sessions~1{sessionId}~1bulk-upsert/post + response: + mediaType: '' + openAPIDocKey: '202' + start_import_from_identity_source: + operation: + $ref: >- + #/paths/~1api~1v1~1identity-sources~1{identitySourceId}~1sessions~1{sessionId}~1start-import/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: [] + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/idps.yaml b/providers/src/okta/v00.00.00000/services/idps.yaml new file mode 100644 index 00000000..3b21573b --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/idps.yaml 
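Review bot: Every operation in the new identity_sources.yaml lists `apiToken` and `oauth2` under `security`, but the file's `components` section (schemas, responses, parameters, examples, x-stackQL-resources) declares no `securitySchemes`, so those requirement names resolve to nothing and a strict OpenAPI 3.0 validator will flag the document. Without a declared scheme, a consumer of this file cannot tell how the token is presented or which scopes exist. That makes the least-privilege split hard to review, where `okta.identitySources.read` covers the two GETs and `okta.identitySources.manage` covers session create/delete, the bulk-delete and bulk-upsert uploads, and start-import. I would declare both schemes under `components`, as sketched below; the scope descriptions are my own wording. If StackQL takes credentials only from the provider-level auth configuration (not visible in this hunk), the block is documentation only, but it keeps the file valid on its own.

```yaml
components:
  # … unchanged: schemas, responses, parameters, examples, x-stackQL-resources …
  securitySchemes:
    apiToken:
      type: apiKey
      in: header
      name: Authorization
      description: 'Okta API token, sent as "SSWS <token>"'
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://{subdomain}.okta.com/oauth2/v1/authorize
          tokenUrl: https://{subdomain}.okta.com/oauth2/v1/token
          scopes:
            okta.identitySources.read: Read identity source sessions
            okta.identitySources.manage: Create, delete and run identity source sessions, including bulk uploads
```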
@@ -0,0 +1,5345 @@ +openapi: 3.0.3 +info: + title: idps API + description: okta idps API + version: 5.1.0 +paths: + /api/v1/idps: + get: + summary: List all IdPs + description: >- + Lists all identity provider (IdP) integrations with pagination. A subset + of IdPs can be returned that match a supported filter expression or + query. + operationId: listIdentityProviders + parameters: + - name: q + in: query + description: Searches the `name` property of IdPs for matching value + schema: + type: string + example: Example SAML + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + - name: type + in: query + description: Filters IdPs by `type` + schema: + $ref: '#/components/schemas/IdentityProviderType' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/IdentityProvider' + examples: + MultipleIdPsResponse: + $ref: '#/components/examples/MultipleIdPsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an IdP + description: >- + Creates a new identity provider (IdP) integration. + + + #### SAML 2.0 IdP + + + You must first add the IdP's signature certificate to the IdP key store + before you can add a SAML 2.0 IdP with a `kid` credential reference. + + + Don't use `fromURI` to automatically redirect a user to a particular app + after successfully authenticating with a third-party IdP. Instead, use + SAML deep links. Using `fromURI` isn't tested or supported. 
For more + information about using deep links when signing users in using an + SP-initiated flow, see [Understanding SP-Initiated Login + flow](https://developer.okta.com/docs/concepts/saml/#understanding-sp-initiated-login-flow). + + + Use SAML deep links to automatically redirect the user to an app after + successfully authenticating with a third-party IdP. To use deep links, + assemble these three parts into a URL: + + + * SP ACS URL
+ + For example: `https://${yourOktaDomain}/sso/saml2/:idpId` + + * The app to which the user is automatically redirected after + successfully authenticating with the IdP
+ + For example: `/app/:app-location/:appId/sso/saml` + + * Optionally, if the app is an outbound SAML app, you can specify the + `relayState` passed to it.
+ + For example: `?RelayState=:anyUrlEncodedValue` + + + The deep link for the above three parts is:
+ + `https://${yourOktaDomain}/sso/saml2/:idpId/app/:app-location/:appId/sso/saml?RelayState=:anyUrlEncodedValue` + + + #### Smart Card X509 IdP + + + You must first add the IdP's server certificate to the IdP key store + before you can add a Smart Card `X509` IdP with a `kid` credential + reference. + + You need to upload the whole trust chain as a single key using the [Key + Store + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderKeys/#tag/IdentityProviderKeys/operation/createIdentityProviderKey). + + Depending on the information stored in the smart card, select the proper + [template](https://developer.okta.com/docs/reference/okta-expression-language/#idp-user-profile) + `idpuser.subjectAltNameEmail` or `idpuser.subjectAltNameUpn`. + + + #### Identity verification vendors as identity providers + + + Identity verification vendors (IDVs) work like IdPs, with a few key + differences. IDVs verify your user's identities by requiring them to + submit a proof of identity. There are many ways to verify user + identities. For example, a proof of identity can be a selfie to + determine liveliness or it can be requiring users to submit a photo of + their driver's license and matching that information with a database. + + + There are three IDVs that you can configure as IdPs in your org by + creating an account with the vendor, and then creating an IdP + integration. Control how the IDVs verify your users by using [Okta + account management policy + rules](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). 
+ + + * [Persona](https://withpersona.com/) + + + * [CLEAR Verified](https://www.clearme.com/) + + + * [Incode](https://incode.com/) + operationId: createIdentityProvider + x-codegen-request-body-name: identityProvider + requestBody: + description: IdP settings + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProvider' + examples: + CreateGenericOidcIdPRequest: + $ref: '#/components/examples/CreateGenericOidcIdPRequest' + CreateSamlIdPRequest: + $ref: '#/components/examples/CreateSamlIdPRequest' + CreateAppleIdPRequest: + $ref: '#/components/examples/CreateAppleIdPRequest' + CreateFacebookIdPRequest: + $ref: '#/components/examples/CreateFacebookIdPRequest' + CreateGoogleIdPRequest: + $ref: '#/components/examples/CreateGoogleIdPRequest' + CreateMicrosoftIdPRequest: + $ref: '#/components/examples/CreateMicrosoftIdPRequest' + CreateSmartCardIdPRequest: + $ref: '#/components/examples/CreateSmartCardIdPRequest' + CreatePersonaIDVRequest: + $ref: '#/components/examples/CreatePersonaIDVRequest' + CreateCLEARIDVRequest: + $ref: '#/components/examples/CreateCLEARIDVRequest' + CreateIncodeIDVRequest: + $ref: '#/components/examples/CreateIncodeIDVRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProvider' + examples: + CreateGenericOidcIdpResponse: + $ref: '#/components/examples/GenericOidcIdpResponse' + CreateSamlIdPResponse: + $ref: '#/components/examples/SamlIdPResponse' + CreateAppleIdPResponse: + $ref: '#/components/examples/AppleIdPResponse' + CreateFacebookIdPResponse: + $ref: '#/components/examples/FacebookIdPResponse' + CreateGoogleIdPResponse: + $ref: '#/components/examples/GoogleIdPResponse' + CreateMicrosoftIdPResponse: + $ref: '#/components/examples/MicrosoftIdPResponse' + CreateSmartCardIdPResponse: + $ref: '#/components/examples/SmartCardIdPResponse' + CreatePersonaIDVResponse: + $ref: '#/components/examples/PersonaIDVResponse' + 
CreateCLEARIDVResponse: + $ref: '#/components/examples/CLEARIDVResponse' + CreateIncodeIDVResponse: + $ref: '#/components/examples/IncodeIDVResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/credentials/keys: + get: + summary: List all IdP key credentials + description: Lists all identity provider (IdP) key credentials + operationId: listIdentityProviderKeys + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + ListIdPKeyCredentialsResponse: + $ref: '#/components/examples/MultipleIdPKeyCredentialsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an IdP key credential + description: >- + Creates a new X.509 certificate credential in the identity provider + (IdP) key store + + > **Note:** RSA-based certificates are supported for all IdP types. Okta + currently supports EC-based certificates only for the `X509` IdP type. + For EC-based certificates we support only P-256, P-384, and P-521 + curves. 
+ operationId: createIdentityProviderKey + x-codegen-request-body-name: jsonWebKey + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/IdPCertificateCredential' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/idps/credentials/keys/{kid}: + get: + summary: Retrieve an IdP key credential + description: Retrieves a specific identity provider (IdP) key credential by `kid` + operationId: getIdentityProviderKey + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an IdP key credential + description: Replaces an identity provider (IdP) key credential by `kid` + operationId: replaceIdentityProviderKey + requestBody: + description: Updated IdP key credential + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialRequest: + $ref: 
'#/components/examples/IdPKeyCredentialRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPKeyCredentialResponse: + $ref: '#/components/examples/IdPKeyCredentialResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an IdP key credential + description: >- + Deletes a specific identity provider (IdP) key credential by `kid` if it + isn't currently being used by an active or inactive IdP + operationId: deleteIdentityProviderKey + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathKid' + /api/v1/idps/{idpId}: + get: + summary: Retrieve an IdP + description: Retrieves an identity provider (IdP) integration by `idpId` + operationId: getIdentityProvider + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProvider' + examples: + GenericOidcIdpResponse: + $ref: '#/components/examples/GenericOidcIdpResponse' + SamlIdPResponse: + $ref: '#/components/examples/SamlIdPResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an IdP + description: Replaces an identity provider (IdP) integration by `idpId` + operationId: replaceIdentityProvider + x-codegen-request-body-name: identityProvider + requestBody: + description: Updated configuration for the IdP + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProvider' + examples: + ReplaceIdPRequest: + $ref: '#/components/examples/ReplaceIdPRequestResponse' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProvider' + examples: + ReplaceIdPResponse: + $ref: '#/components/examples/ReplaceIdPRequestResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an IdP + description: >- + Deletes an identity provider (IdP) integration by `idpId` + + * All existing IdP users are unlinked with the highest order profile + source taking precedence for each IdP user. + + * Unlinked users keep their existing authentication provider such as + `FEDERATION` or `SOCIAL`. 
+ operationId: deleteIdentityProvider + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + /api/v1/idps/{idpId}/credentials/csrs: + get: + summary: List all certificate signing requests + description: >- + Lists all certificate signing requests (CSRs) for an identity provider + (IdP) + operationId: listCsrsForIdentityProvider + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/IdPCsr' + examples: + MultipleIdPCsrsResponse: + $ref: '#/components/examples/MultipleIdPCsrsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Generate a certificate signing request + description: >- + Generates a new key pair and returns a certificate signing request (CSR) + for it + + > **Note:** The private key isn't listed in the [signing key credentials + for the identity provider + (IdP)](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderSigningKeys/#tag/IdentityProviderSigningKeys/operation/listIdentityProviderSigningKeys) + until it's published. 
+ operationId: generateCsrForIdentityProvider + x-codegen-request-body-name: metadata + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CsrMetadata' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/IdPCsr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/CsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/IdPCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/CsrPkcs10Response' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}: + get: + summary: Retrieve a certificate signing request + description: Retrieves a specific certificate signing request (CSR) by `id` + operationId: getCsrForIdentityProvider + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdPCsr' + examples: + CsrJsonResponse: + $ref: '#/components/examples/CsrJsonResponse' + application/pkcs10: + schema: + $ref: '#/components/schemas/IdPCsrPkcs10' + examples: + CsrPkcs10Response: + $ref: '#/components/examples/CsrPkcs10Response' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + 
isGenerallyAvailable: true + delete: + summary: Revoke a certificate signing request + description: >- + Revokes a certificate signing request (CSR) and deletes the key pair + from the identity provider (IdP) + operationId: revokeCsrForIdentityProvider + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathIdpCsrId' + /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}/lifecycle/publish: + post: + summary: Publish a certificate signing request + description: >- + Publishes the certificate signing request (CSR) with a signed X.509 + certificate and adds it into the signing key credentials for the + identity provider (IdP) + + > **Notes:** + + > * Publishing a certificate completes the lifecycle of the CSR, and + it's no longer accessible. + + > * If the validity period of the certificate is less than 90 days, a + 400 error response is returned. + operationId: publishCsrForIdentityProvider + requestBody: + required: true + content: + application/pkix-cert: + schema: + type: string + format: binary + description: >- + X.509 certificate in `DER` format. + + The client can either post in binary or Base64URL-encoded. If + the post is Base64URL-encoded, set the + `Content-Transfer-Encoding` header to `base64`. + example: >- + 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 + x-okta-operationId: publishBinaryDerCertForIdentityProvider + application/x-x509-ca-cert: + schema: + type: string + format: binary + description: >- + X.509 certificate in `CER` format. 
+ + The client can either post in binary or Base64URL-encoded. If + the post is Base64URL-encoded, set the + `Content-Transfer-Encoding` header to `base64`. + example: '@certificate.cer' + x-okta-operationId: publishBinaryCerCertForIdentityProvider + application/x-pem-file: + schema: + type: string + format: binary + description: X.509 certificate in `PEM` format + example: '@certificate.pem' + x-okta-operationId: publishBinaryPemCertForIdentityProvider + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathIdpCsrId' + /api/v1/idps/{idpId}/credentials/keys: + get: + summary: List all signing key credentials for IdP + description: Lists all signing key credentials for an identity provider (IdP) + operationId: listIdentityProviderSigningKeys + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + MultipleIdPSigningKeyCredentialsResponse: + $ref: >- + #/components/examples/MultipleIdPSigningKeyCredentialsResponse + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + 
isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + /api/v1/idps/{idpId}/credentials/keys/active: + get: + summary: List the active signing key credential for IdP + description: Lists the active signing key credential for an identity provider (IdP) + operationId: listActiveIdentityProviderSigningKey + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + ActiveIdPSigningKeyCredentialResponse: + $ref: '#/components/examples/ActiveIdPSigningKeyCredentialResponse' + '204': + description: No Content + content: {} + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + /api/v1/idps/{idpId}/credentials/keys/generate: + post: + summary: Generate a new signing key credential for IdP + description: >- + Generates a new X.509 certificate for an identity provider (IdP) signing + key credential to be used for signing assertions sent to the IdP. IdP + signing keys are read-only. + + > **Note:** To update an IdP with the newly generated key credential, + [update your + IdP](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider) + using the returned key's `kid` in the [signing + credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/credentials/signing/kid&t=request). 
+ operationId: generateIdentityProviderSigningKey + parameters: + - name: validityYears + in: query + description: expiry of the IdP key credential + required: true + schema: + type: integer + format: int32 + minimum: 2 + maximum: 10 + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + /api/v1/idps/{idpId}/credentials/keys/{kid}: + get: + summary: Retrieve a signing key credential for IdP + description: Retrieves a specific identity provider (IdP) key credential by `kid` + operationId: getIdentityProviderSigningKey + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathKid' + /api/v1/idps/{idpId}/credentials/keys/{kid}/clone: + post: + summary: Clone a signing key credential for IdP + description: >- + Clones an X.509 
certificate for an identity provider (IdP) signing key + credential from a source IdP to target IdP + + > **Caution:** Sharing certificates isn't a recommended security + practice. + + + > **Note:** If the key is already present in the list of key credentials + for the target IdP, you receive a 400 error response. + operationId: cloneIdentityProviderKey + parameters: + - name: targetIdpId + in: query + required: true + description: '`id` of the target IdP' + schema: + type: string + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/IdPKeyCredential' + examples: + IdPSigningKeyCredentialResponse: + $ref: '#/components/examples/IdPSigningKeyCredentialResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderSigningKeys + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathKid' + /api/v1/idps/{idpId}/lifecycle/activate: + post: + summary: Activate an IdP + description: Activates an inactive identity provider (IdP) + operationId: activateIdentityProvider + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProvider' + examples: + ActivateIdPResponse: + $ref: '#/components/examples/ActivateIdPResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: 
'#/components/parameters/pathIdpId' + /api/v1/idps/{idpId}/lifecycle/deactivate: + post: + summary: Deactivate an IdP + description: Deactivates an active identity provider (IdP) + operationId: deactivateIdentityProvider + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProvider' + examples: + DeactivateIdPResponse: + $ref: '#/components/examples/DeactivateIdPResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + /api/v1/idps/{idpId}/users: + get: + summary: List all users for IdP + description: Lists all the users linked to an identity provider (IdP) + operationId: listIdentityProviderApplicationUsers + parameters: + - $ref: '#/components/parameters/queryFilter' + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + - name: expand + in: query + description: Expand user data + schema: + type: string + example: user + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + ListIdPUsersResponse: + $ref: '#/components/examples/ListIdPUsersResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + 
/api/v1/idps/{idpId}/users/{userId}: + get: + summary: Retrieve a user for IdP + description: Retrieves a linked identity provider (IdP) user by ID + operationId: getIdentityProviderApplicationUser + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + IdPAppUserResponse: + $ref: '#/components/examples/IdPAppUserResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Link a user to IdP + description: >- + Links an Okta user to an existing SAML or social identity provider + (IdP). + + + The SAML IdP must have `honorPersistentNameId` set to `true` to use this + API. + + The [Name Identifier + Format](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/settings&t=request) + of the incoming assertion must be + `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`. 
+ operationId: linkUserToIdentityProvider + x-codegen-request-body-name: userIdentityProviderLinkRequest + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserIdentityProviderLinkRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/IdentityProviderApplicationUser' + examples: + LinkIdPAppUserResponse: + $ref: '#/components/examples/LinkIdPAppUserResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unlink a user from IdP + description: >- + Unlinks the Okta user and the identity provider (IdP) user. The next + time the user federates into Okta through this IdP, they have to re-link + their account according to the account link policy. + operationId: unlinkUserFromIdentityProvider + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.manage + tags: + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathUserId' + /api/v1/idps/{idpId}/users/{userId}/credentials/tokens: + get: + summary: List all tokens from OIDC IdP + description: >- + Lists the tokens minted by the social authentication provider when the + user authenticates with Okta via Social Auth. 
+ + + Okta doesn't import all the user information from a social provider. If + the app needs information that isn't imported, it can get the user token + from this endpoint. Then the app can make an API call to the social + provider with the token to request the additional information. + operationId: listSocialAuthTokens + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SocialAuthToken' + examples: + SocialAuthTokensResponse: + $ref: '#/components/examples/SocialAuthTokensResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.idps.read + tags: + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathIdpId' + - $ref: '#/components/parameters/pathUserId' +components: + schemas: + IdentityProviderType: + description: >- + The IdP object's `type` property identifies the social or enterprise IdP + used for authentication. + + Each IdP uses a specific protocol, therefore the `protocol` object must + correspond with the IdP `type`. + + If the protocol is OAuth 2.0-based, the `protocol` object's `scopes` + property must also correspond with the scopes supported by the IdP + `type`. + + For policy actions supported by each IdP type, see [IdP type policy + actions](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy&t=request). 
+ + + | Type | + Description + | Corresponding protocol | Corresponding protocol + scopes | + + | ------------------ | + ----------------------------------------------------------------------------------------------------------------------------------------------------- + | ---------------------- | + -------------------------------------------------------------------- | + + | `AMAZON` | + [Amazon](https://developer.amazon.com/settings/console/registration?return_to=/) as + the IdP | OpenID Connect + | `profile`, `profile:user_id` + | + + | `APPLE` | + [Apple](https://developer.apple.com/sign-in-with-apple/) as the + IdP | + OpenID Connect | `names`, `email`, + `openid` | + + | `DISCORD` | [Discord](https://discord.com/login) as the + IdP + | OAuth 2.0 | `identify`, + `email` | + + | `FACEBOOK` | + [Facebook](https://developers.facebook.com) as the + IdP + | OAuth 2.0 | `public_profile`, + `email` | + + | `GITHUB` | [GitHub](https://github.com/join) as the + IdP + | OAuth 2.0 | + `user` | + + | `GITLAB` | + [GitLab](https://gitlab.com/users/sign_in) as the + IdP + | OpenID Connect | `openid`, `read_user`, `profile`, + `email` | + + | `GOOGLE` | + [Google](https://accounts.google.com/signup) as the + IdP + | OpenID Connect | `openid`, `email`, + `profile` | + + | `IDV_PERSONA` | + [Persona](https://app.withpersona.com/dashboard/login) as the IDV + IdP | ID + verification + | + | + + | `IDV_CLEAR` | [CLEAR + Verified](https://www.clearme.com/) as the IDV + IdP + | ID verification | `openid`, `profile`, + `identity_assurance` | + + | `IDV_INCODE` | [Incode](https://incode.com/) as the IDV + IdP + | ID verification | `openid`, `profile`, + `identity_assurance` | + + | `LINKEDIN` | + [LinkedIn](https://developer.linkedin.com/) as the + IdP + | OAuth 2.0 | `r_emailaddress`, + `r_liteprofile` | + + | `LOGINGOV` | + [Login.gov](https://developers.login.gov/) as the + IdP + | OpenID Connect | `email`, `profile`, + `profile:name` | + + | `LOGINGOV_SANDBOX` | [Login.gov's 
identity + sandbox](https://developers.login.gov/testing/) as the + IdP | OpenID + Connect | `email`, `profile`, + `profile:name` | + + | `MICROSOFT` | [Microsoft Enterprise + SSO](https://azure.microsoft.com/) as the + IdP | + OpenID Connect | `openid`, `email`, `profile`, + `https://graph.microsoft.com/User.Read` | + + | `OIDC` | IdP that supports [OpenID + Connect](https://openid.net/specs/openid-connect-core-1_0.html) + | OpenID Connect | `openid`, `email`, + `profile` | + + | `PAYPAL` | [Paypal](https://www.paypal.com/signin) as + the + IdP + | OpenID Connect | `openid`, `email`, + `profile` | + + | `PAYPAL_SANDBOX` | [Paypal + Sandbox](https://developer.paypal.com/tools/sandbox/) as the + IdP | OpenID + Connect | `openid`, `email`, + `profile` | + + | `SALESFORCE` | + [SalesForce](https://login.salesforce.com/) as the + IdP + | OAuth 2.0 | `id`, `email`, + `profile` | + + | `SAML2` | Enterprise IdP that supports the [SAML 2.0 Web + Browser SSO + Profile](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)| + SAML 2.0 + | + | + + | `SPOTIFY` | [Spotify](https://developer.spotify.com/) as + the + IdP + | OpenID Connect | `user-read-email`, + `user-read-private` | + + | `X509` | [Smart Card + IdP](https://tools.ietf.org/html/rfc5280) + | Mutual TLS + | + | + + | `XERO` | + [Xero](https://www.xero.com/us/signup/api/) as the + IdP + | OpenID Connect | `openid`, `profile`, + `email` | + + | `YAHOO` | [Yahoo](https://login.yahoo.com/) as the + IdP + | OpenID Connect | `openid`, `profile`, + `email` | + + | `YAHOOJP` | [Yahoo + Japan](https://login.yahoo.co.jp/config/login) as the + IdP | + OpenID Connect | `openid`, `profile`, + `email` | + + | `OKTA_INTEGRATION` | IdP that supports the [OpenID + Connect](https://openid.net/specs/openid-connect-core-1_0.html) Org2Org + IdP | OpenID + Connect | `openid`, `email`, + `profile` | + type: string + enum: + - AMAZON + - APPLE + - DISCORD + - FACEBOOK + - GITHUB + - GITLAB + - GOOGLE + - IDV_CLEAR + - 
IDV_INCODE + - IDV_PERSONA + - LINKEDIN + - LOGINGOV + - LOGINGOV_SANDBOX + - MICROSOFT + - OIDC + - OKTA_INTEGRATION + - PAYPAL + - PAYPAL_SANDBOX + - SALESFORCE + - SAML2 + - SPOTIFY + - X509 + - XERO + - YAHOO + - YAHOOJP + IdentityProvider: + type: object + properties: + created: + $ref: '#/components/schemas/Created' + id: + type: string + readOnly: true + description: Unique key for the IdP + example: 0oaWma58liwx40w6boYD + issuerMode: + $ref: '#/components/schemas/IdentityProviderIssuerMode' + lastUpdated: + $ref: '#/components/schemas/LastUpdated' + name: + type: string + maxLength: 100 + description: Unique name for the IdP + example: Sample IdP + policy: + $ref: '#/components/schemas/IdentityProviderPolicy' + properties: + $ref: '#/components/schemas/IdentityProviderProperties' + protocol: + description: >- + IdP-specific protocol settings for endpoints, bindings, and + algorithms used to connect with the IdP and validate messages + oneOf: + - $ref: '#/components/schemas/ProtocolSaml' + - $ref: '#/components/schemas/ProtocolOAuth' + - $ref: '#/components/schemas/ProtocolOidc' + - $ref: '#/components/schemas/ProtocolMtls' + - $ref: '#/components/schemas/ProtocolIdVerification' + status: + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/IdentityProviderType' + _links: + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + acs: + description: SAML 2.0 Assertion Consumer Service URL for the Okta SP + allOf: + - $ref: '#/components/schemas/HrefObject' + authorize: + description: >- + OAuth 2.0 authorization endpoint for the IdP OAuth 2.0 + Authorization Code flow + allOf: + - $ref: '#/components/schemas/HrefObject' + clientRedirectUri: + description: Redirect URI for the OAuth 2.0 Authorization Code flow + allOf: + - $ref: '#/components/schemas/HrefObject' + metadata: + description: >- + Federation metadata document for the IdP (for example: SAML + 2.0 Metadata) + 
allOf: + - $ref: '#/components/schemas/HrefObject' + users: + description: IdP users + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: Deactivate IdP + allOf: + - $ref: '#/components/schemas/HrefObject' + activate: + description: Activate IdP + allOf: + - $ref: '#/components/schemas/HrefObject' + keys: + description: IdP keys + allOf: + - $ref: '#/components/schemas/HrefObject' + type: object + IdPKeyCredential: + description: >- + A [JSON Web Key](https://tools.ietf.org/html/rfc7517) for a signature or + encryption credential for an IdP + additionalProperties: true + type: object + properties: + created: + $ref: '#/components/schemas/Created' + e: + description: The exponent value for the RSA public key + type: string + example: AQAB + expiresAt: + $ref: '#/components/schemas/ExpiresAt' + kid: + description: Unique identifier for the key + type: string + example: your-key-id + kty: + description: Identifies the cryptographic algorithm family used with the key + type: string + example: RSA + lastUpdated: + $ref: '#/components/schemas/LastUpdated' + 'n': + description: The modulus value for the RSA public key + type: string + example: >- + 101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747 + use: + description: Intended use of the public key + type: string + example: sig + x5c: + $ref: '#/components/schemas/X5c' + x5t#S256: + description: >- + Base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 + certificate + type: string + example: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdPCertificateCredential: + type: object + properties: + x5c: + $ref: '#/components/schemas/X5c' + required: + - x5c + IdPCsr: + description: Defines a CSR for a signature or decryption 
credential for an IdP + type: object + properties: + created: + $ref: '#/components/schemas/Created' + csr: + description: Base64-encoded CSR in DER format + type: string + readOnly: true + example: >- + 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 + id: + description: Unique identifier for the CSR + type: string + readOnly: true + example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + kty: + description: Cryptographic algorithm family for the CSR's keypair + type: string + example: RSA + _links: + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + publish: + description: Publish the CSR + allOf: + - $ref: '#/components/schemas/HrefObject' + type: object + CsrMetadata: + type: object + properties: + subject: + $ref: '#/components/schemas/CsrMetadataSubject' + subjectAltNames: + $ref: '#/components/schemas/CsrMetadataSubjectAltNames' + IdPCsrPkcs10: + description: Base64URL-encoded CSR in DER format + format: base64 + type: string + IdentityProviderApplicationUser: + type: object + properties: + created: + $ref: '#/components/schemas/Created' + externalId: + type: string + description: Unique IdP-specific identifier for the user + readOnly: true + maxLength: 512 + example: saml.jackson@example.com + id: + type: string + description: Unique key of the user + readOnly: true + lastUpdated: + $ref: '#/components/schemas/LastUpdated' + profile: + type: object + description: >- + IdP-specific profile for the user. + + + IdP user profiles are IdP-specific but may be customized by the + Profile Editor in the Admin Console. + + + > **Note:** Okta variable names have reserved characters that may + conflict with the name of an IdP assertion attribute. You can use + the **External name** to define the attribute name as defined in an + IdP assertion such as a SAML attribute name. 
+ additionalProperties: + type: object + properties: {} + example: + lastName: Jackson + subjectNameQualifier: example.com + subjectSpNameQualifier: urn:federation:example + authnContextClassRef: null + subjectNameId: saml.jackson@example.com + subjectConfirmationAddress: null + displayName: Saml Jackson + mobilePhone: +1-415-555-5141 + email: saml.jackson@example.com + subjectNameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + firstName: Saml + subjectSpProvidedId: null + subjectConfirmationMethod: null + _embedded: + type: object + description: Embedded resources related to the IdP user + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + - properties: + idp: + description: The IdP instance + example: + href: https://{yourOktaDomain}/api/v1/idps/0oa1k5d68qR2954hb0g4 + allOf: + - $ref: '#/components/schemas/HrefObject' + user: + description: The linked Okta user + example: + href: https://{yourOktaDomain}/api/v1/users/00ulwodIu7wCfdiVR0g3 + allOf: + - $ref: '#/components/schemas/HrefObject' + type: object + UserIdentityProviderLinkRequest: + type: object + properties: + externalId: + type: string + description: Unique IdP-specific identifier for a user + example: '121749775026145' + SocialAuthToken: + description: >- + The social authentication token object provides the tokens and + associated metadata provided by social providers during social + authentication. 
+ type: object + properties: + expiresAt: + $ref: '#/components/schemas/ExpiresAt' + id: + type: string + description: Unique identifier for the token + readOnly: true + example: NXp9GaX1eOA-XVF_H9fn2Q + scopes: + type: array + description: The scopes that the token is good for + readOnly: true + items: + type: string + example: + - openid + - foo + token: + type: string + description: The raw token + readOnly: true + example: JBTWGV22G4ZGKV3N + tokenAuthScheme: + type: string + readOnly: true + description: The token authentication scheme as defined by the social provider + example: Bearer + tokenType: + type: string + readOnly: true + description: >- + The type of token defined by the [OAuth Token Exchange + Spec](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07#section-3) + example: urn:ietf:params:oauth:token-type:access_token + Created: + format: date-time + description: Timestamp when the object was created + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + IdentityProviderIssuerMode: + description: >- + Indicates whether Okta uses the original Okta org domain URL or a custom + domain URL in the request to the social IdP + default: DYNAMIC + type: string + enum: + - CUSTOM_URL + - DYNAMIC + - ORG_URL + x-enumDescriptions: + ORG_URL: >- + In the authorize request to the social IdP, Okta uses the Okta org's + original domain URL (`https://${yourOktaDomain}`) as the domain in the + `redirect_uri`. + CUSTOM_URL: >- + In the authorize request to the social IdP, Okta uses the custom + domain URL as the domain in the `redirect_uri`. You can set + `issuerMode` to `CUSTOM_URL` only if you have a custom URL domain + configured. + DYNAMIC: >- + In the authorize request to the social IdP, Okta uses the custom + domain URL as the domain in the `redirect_uri` if the request was made + from the custom domain URL. Otherwise, Okta uses the Okta org's + original domain URL if the request was made from the Okta org domain. 
+ LastUpdated: + format: date-time + description: Timestamp when the object was last updated + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + IdentityProviderPolicy: + description: >- + Policy settings for the IdP. + + The following provisioning and account linking actions are supported by + each IdP provider: + + | IdP type | + User provisioning actions | Group provisioning actions | + Account link actions | Account link filters | + + | ----------------------------------------------------------------- | + ------------------------- | ------------------------------------- | + -------------------- | -------------------- | + + | `SAML2` | + `AUTO` or `DISABLED` | `NONE`, `ASSIGN`, `APPEND`, or `SYNC` | + `AUTO`, `DISABLED` | `groups`, `users` | + + | `X509`, `IDV_PERSONA`, `IDV_INCODE`, and `IDV_CLEAR` | + `DISABLED` | No support for JIT provisioning + | | | + + | All other IdP types | + `AUTO`, `DISABLED` | `NONE` or `ASSIGN` | + `AUTO`, `DISABLED` | `groups`, `users` | + allOf: + - type: object + properties: + accountLink: + $ref: '#/components/schemas/PolicyAccountLink' + maxClockSkew: + type: integer + description: >- + Maximum allowable clock skew when processing messages from the + IdP + example: 120000 + provisioning: + $ref: '#/components/schemas/Provisioning' + subject: + $ref: '#/components/schemas/PolicySubject' + IdentityProviderProperties: + nullable: true + description: >- + The properties in the IdP `properties` object vary depending on the IdP + type + type: object + properties: + aalValue: + type: string + nullable: true + description: >- + The [authentication assurance + level](https://developers.login.gov/oidc/#aal-values) (AAL) value + for the Login.gov IdP. + + See [Add a Login.gov + IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). + Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. 
+ additionalAmr: + type: array + description: >- + The additional Assurance Methods References (AMR) values for Smart + Card IdPs. Applies to `X509` IdP type. + nullable: true + items: + type: string + enum: + - sc + - hwk + - pin + - mfa + x-enumDescriptions: + sc: Smart card + hwk: Hardware-secured key + pin: Personal identification number + mfa: Multifactor authentication + ialValue: + type: string + nullable: true + description: >- + The [type of identity + verification](https://developers.login.gov/oidc/#ial-values) (IAL) + value for the Login.gov IdP. + + See [Add a Login.gov + IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). + Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. + inquiryTemplateId: + type: string + description: >- + The ID of the inquiry template from your Persona dashboard. The + inquiry template always starts with `itmpl`. Applies to the + `IDV_PERSONA` IdP type. + example: itmpl_HSctx8fNvXoHtrQfz2hxUVH8RBjG + required: + - inquiryTemplateId + ProtocolSaml: + title: SAML 2.0 Protocol + description: >- + Protocol settings for the [SAML 2.0 Authentication Request + Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) + type: object + properties: + algorithms: + $ref: '#/components/schemas/SamlAlgorithms' + credentials: + $ref: '#/components/schemas/SamlCredentials' + endpoints: + $ref: '#/components/schemas/SamlEndpoints' + relayState: + $ref: '#/components/schemas/SamlRelayState' + settings: + $ref: '#/components/schemas/SamlSettings' + type: + type: string + description: SAML 2.0 protocol + enum: + - SAML2 + ProtocolOAuth: + title: OAuth 2.0 Protocol + description: >- + Protocol settings for authentication using the [OAuth 2.0 Authorization + Code flow](https://tools.ietf.org/html/rfc6749#section-4.1) + type: object + properties: + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + scopes: + $ref: 
'#/components/schemas/OAuthScopes' + type: + type: string + description: OAuth 2.0 Authorization Code flow + enum: + - OAUTH2 + ProtocolOidc: + title: OpenID Connect Protocol + description: >- + Protocol settings for authentication using the [OpenID Connect + Protocol](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) + type: object + properties: + algorithms: + $ref: '#/components/schemas/OidcAlgorithms' + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + oktaIdpOrgUrl: + type: string + description: URL of the IdP org + example: https://idp.example.com + scopes: + type: array + description: >- + OpenID Connect and IdP-defined permission bundles to request + delegated access from the user + + > **Note:** The [IdP + type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) + table lists the scopes that are supported for each IdP. 
+ items: + type: string + example: openid + settings: + $ref: '#/components/schemas/OidcSettings' + type: + type: string + description: OpenID Connect Authorization Code flow + enum: + - OIDC + ProtocolMtls: + title: Mutual TLS Protocol + description: >- + Protocol settings for the [MTLS + Protocol](https://tools.ietf.org/html/rfc5246#section-7.4.4) + type: object + properties: + credentials: + $ref: '#/components/schemas/MtlsCredentials' + endpoints: + $ref: '#/components/schemas/MtlsEndpoints' + type: + type: string + description: Mutual TLS + enum: + - MTLS + ProtocolIdVerification: + title: ID Verification + description: Protocol settings for the IDV + type: object + properties: + credentials: + $ref: '#/components/schemas/IDVCredentials' + endpoints: + $ref: '#/components/schemas/IDVEndpoints' + scopes: + $ref: '#/components/schemas/OAuthScopes' + type: + type: string + description: ID verification protocol + enum: + - ID_PROOFING + LifecycleStatus: + type: string + enum: + - ACTIVE + - INACTIVE + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. 
If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + ExpiresAt: + format: date-time + description: Timestamp when the object expires + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + X5c: + description: Base64-encoded X.509 certificate chain with DER encoding + items: + type: string + example: >- + 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 + type: array + CsrMetadataSubject: + type: object + properties: + commonName: + type: string + description: Common name of the subject + example: SP Issuer + countryName: + type: string + description: Country name or code + example: US + localityName: + type: string + description: Locality (city) name + example: San Francisco + organizationalUnitName: + type: string + description: >- + Name of the smaller organization, for example, the department or the + division + example: Dev + organizationName: + type: string + description: Large organization name + example: Okta, Inc. 
+ stateOrProvinceName: + type: string + description: State or province name + example: California + CsrMetadataSubjectAltNames: + type: object + properties: + dnsNames: + type: array + description: DNS names of the subject + items: + type: string + example: dev.okta.com + LinksNext: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. Use the `LinksNext` object for dynamic discovery of + related resources and lifecycle operations. + type: object + properties: + next: + $ref: '#/components/schemas/HrefObject' + readOnly: true + PolicyAccountLink: + description: Specifies the behavior for linking an IdP user to an existing Okta user + type: object + properties: + action: + $ref: '#/components/schemas/PolicyAccountLinkAction' + filter: + $ref: '#/components/schemas/PolicyAccountLinkFilter' + Provisioning: + description: >- + Specifies the behavior for just-in-time (JIT) provisioning of an IdP + user as a new Okta user and their group memberships + type: object + properties: + action: + $ref: '#/components/schemas/ProvisioningAction' + conditions: + $ref: '#/components/schemas/ProvisioningConditions' + groups: + $ref: '#/components/schemas/ProvisioningGroups' + profileMaster: + type: boolean + description: >- + Determines if the IdP should act as a source of truth for user + profile attributes + PolicySubject: + description: >- + Specifies the behavior for establishing, validating, and matching a + username for an IdP user + type: object + properties: + filter: + type: string + description: >- + Optional [regular expression + pattern](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions) + used to filter untrusted IdP usernames. 
+ + * As a best security practice, you should define a regular + expression pattern to filter untrusted IdP usernames. This is + especially important if multiple IdPs are connected to your org. The + filter prevents an IdP from issuing an assertion for any user, + including partners or directory users in your Okta org. + + * For example, the filter pattern `(\S+@example\.com)` allows only + Users that have an `@example.com` username suffix. It rejects + assertions that have any other suffix such as `@corp.example.com` or + `@partner.com`. + + * Only `SAML2` and `OIDC` IdP providers support the `filter` + property. + maxLength: 1024 + example: (\S+@example\.com) + matchAttribute: + type: string + description: >- + Okta user profile attribute for matching a transformed IdP username. + Only for matchType `CUSTOM_ATTRIBUTE`. + + The `matchAttribute` must be a valid Okta user profile attribute of + one of the following types: + + * String (with no format or 'email' format only) + + * Integer + + * Number + example: login + matchType: + $ref: '#/components/schemas/PolicySubjectMatchType' + userNameTemplate: + $ref: '#/components/schemas/PolicyUserNameTemplate' + SamlAlgorithms: + description: Settings for signing and verifying SAML messages + type: object + properties: + request: + $ref: '#/components/schemas/SamlRequestAlgorithm' + response: + $ref: '#/components/schemas/SamlResponseAlgorithm' + SamlCredentials: + description: >- + Federation Trust Credentials for verifying assertions from the IdP and + signing requests to the IdP + type: object + properties: + signing: + $ref: '#/components/schemas/SamlSigningCredentials' + trust: + $ref: '#/components/schemas/SamlTrustCredentials' + SamlEndpoints: + description: SAML 2.0 HTTP binding settings for IdP and SP (Okta) + type: object + properties: + acs: + $ref: '#/components/schemas/SamlAcsEndpoint' + slo: + $ref: '#/components/schemas/SamlSloEndpoint' + sso: + $ref: '#/components/schemas/SamlSsoEndpoint' + 
SamlRelayState: + description: Relay state settings for IdP + type: object + properties: + format: + $ref: '#/components/schemas/SamlRelayStateFormat' + SamlSettings: + description: Advanced settings for the SAML 2.0 protocol + type: object + properties: + honorPersistentNameId: + type: boolean + description: >- + Determines if the IdP should persist account linking when the + incoming assertion NameID format is + `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` + default: true + nameFormat: + $ref: '#/components/schemas/SamlNameIdFormat' + participateSlo: + type: boolean + description: >- + Set to `true` to have Okta send a logout request to the upstream IdP + when a user signs out of Okta or a downstream app. + sendApplicationContext: + type: boolean + description: >- + Determines if the IdP should send the application context as + `` and `` in the + `` element of the `` message + default: false + OAuthCredentials: + description: >- + Client authentication credentials for an [OAuth 2.0 Authorization + Server](https://tools.ietf.org/html/rfc6749#section-2.3) + type: object + properties: + client: + $ref: '#/components/schemas/OAuthCredentialsClient' + signing: + $ref: '#/components/schemas/AppleClientSigning' + OAuthEndpoints: + description: >- + The `OAUTH2` and `OIDC` protocols support the `authorization` and + `token` endpoints. Also, the `OIDC` protocol supports the `userInfo` and + `jwks` endpoints. + + + The IdP Authorization Server (AS) endpoints are currently defined as + part of the [IdP + provider]((https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request)) + and are read-only. 
+ type: object + properties: + authorization: + $ref: '#/components/schemas/OAuthAuthorizationEndpoint' + jwks: + $ref: '#/components/schemas/OidcJwksEndpoint' + slo: + $ref: '#/components/schemas/OidcSloEndpoint' + token: + $ref: '#/components/schemas/OAuthTokenEndpoint' + userInfo: + $ref: '#/components/schemas/OidcUserInfoEndpoint' + OAuthScopes: + description: >- + IdP-defined permission bundles to request delegated access from the + user. + + > **Note:** The [identity provider + type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) + table lists the scopes that are supported for each IdP. + items: + type: string + example: public_profile + type: array + OidcAlgorithms: + type: object + properties: + request: + $ref: '#/components/schemas/OidcRequestAlgorithm' + OidcSettings: + description: Advanced settings for the OpenID Connect protocol + type: object + properties: + participateSlo: + type: boolean + description: >- + Set to `true` to have Okta send a logout request to the upstream IdP + when a user signs out of Okta or a downstream app. 
+ sendApplicationContext: + type: boolean + description: >- + Determines if the IdP should send the application context as + `OktaAppInstanceId` and `OktaAppName` params in the request + default: false + MtlsCredentials: + description: >- + Certificate chain description for verifying assertions from the Smart + Card + type: object + properties: + trust: + $ref: '#/components/schemas/MtlsTrustCredentials' + MtlsEndpoints: + type: object + properties: + sso: + $ref: '#/components/schemas/MtlsSsoEndpoint' + IDVCredentials: + description: Credentials for verifying requests to the IDV + type: object + properties: + bearer: + type: object + description: Client credential for `IDV_PERSONA` IdP type + properties: + apiKey: + type: string + description: The API key that you generate in your Persona dashboard + required: + - apiKey + client: + type: object + description: >- + Client credentials + for `IDV_CLEAR` and `IDV_INCODE` IdP types + properties: + client_id: + type: string + description: The client ID that you generate in your IDV + client_secret: + type: string + description: The client secret that you generate in your IDV + required: + - client_id + - client_secret + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: [] + IDVEndpoints: + description: Contains the endpoints for the IDV + type: object + properties: + authorization: + $ref: '#/components/schemas/IDVAuthorizationEndpoint' + par: + $ref: '#/components/schemas/IDVParEndpoint' + token: + $ref: '#/components/schemas/IDVTokenEndpoint' + readOnly: true + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + ErrorCause: + type: object + properties: + errorSummary: + type: string + PolicyAccountLinkAction: + description: Specifies the account 
linking action for an IdP user + type: string + enum: + - AUTO + - DISABLED + x-enumDescriptions: + AUTO: >- + The IdP user is automatically linked to an Okta user when the + transformed IdP user matches an existing Okta user according to + [subject match + rules](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/subject&t=request). + DISABLED: >- + Okta never attempts to link the IdP user to an existing Okta user, but + may still attempt to provision a new Okta user according to the + [provisioning action + type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/provisioning/action&t=request). + PolicyAccountLinkFilter: + description: >- + Specifies filters on which users are available for account linking by an + IdP + type: object + properties: + groups: + $ref: '#/components/schemas/PolicyAccountLinkFilterGroups' + users: + $ref: '#/components/schemas/PolicyAccountLinkFilterUsers' + ProvisioningAction: + description: >- + Specifies the user provisioning action during authentication when an IdP + user isn't linked to an existing Okta user. + + * To successfully provision a new Okta user, you must enable + just-in-time (JIT) provisioning in your org security settings. + + * If the target username isn't unique or the resulting Okta user profile + is missing a required profile attribute, JIT provisioning may fail. + + * New Okta users are provisioned with either a `FEDERATION` or `SOCIAL` + authentication provider depending on the IdP type. + type: string + enum: + - AUTO + - DISABLED + x-enumDescriptions: + AUTO: >- + The IdP user profile is transformed through defined universal + directory profile mappings to an Okta user profile and automatically + provisioned as an Okta user. 
+ DISABLED: >- + Okta rejects the authentication request and skips provisioning of a + new Okta user if the IdP user isn't linked to an existing Okta user. + ProvisioningConditions: + description: Conditional behaviors for an IdP user during authentication + type: object + properties: + deprovisioned: + $ref: '#/components/schemas/ProvisioningDeprovisionedCondition' + suspended: + $ref: '#/components/schemas/ProvisioningSuspendedCondition' + ProvisioningGroups: + description: Provisioning settings for a user's group memberships + type: object + properties: + action: + $ref: '#/components/schemas/ProvisioningGroupsAction' + assignments: + type: array + description: >- + List of `OKTA_GROUP` group identifiers to add an IdP user as a + member with the `ASSIGN` action + items: + type: string + example: 00gak46y5hydV6NdM0g4 + filter: + type: array + description: >- + Allowlist of `OKTA_GROUP` group identifiers for the `APPEND` or + `SYNC` provisioning action + items: + type: string + example: 00gak46y5hydV6NdM0g4 + sourceAttributeName: + type: string + description: >- + IdP user profile attribute name (case-insensitive) for an array + value that contains group memberships + maxLength: 1024 + example: Groups + PolicySubjectMatchType: + description: >- + Determines the Okta user profile attribute match conditions for account + linking and authentication of the transformed IdP username + type: string + enum: + - CUSTOM_ATTRIBUTE + - EMAIL + - USERNAME + - USERNAME_OR_EMAIL + PolicyUserNameTemplate: + description: >- + [Okta Expression Language (EL) + expression](https://developer.okta.com/docs/reference/okta-expression-language/) + to generate or transform a unique username for the IdP user. + + * IdP user profile attributes can be referenced with the `idpuser` + prefix such as `idpuser.subjectNameId`. + + * You must define an IdP user profile attribute before it can be + referenced in an Okta EL expression. 
To define an IdP user attribute + policy, you may need to create a new IdP instance without a base profile + property. Then edit the IdP user profile to update the IdP instance with + an expression that references the IdP user profile attribute that you + just created. + type: object + properties: + template: + type: string + minLength: 9 + maxLength: 1024 + example: idpuser.subjectNameId + SamlRequestAlgorithm: + description: Algorithm settings used to secure an `` message + type: object + properties: + signature: + $ref: '#/components/schemas/SamlRequestSignatureAlgorithm' + SamlResponseAlgorithm: + description: >- + Algorithm settings for verifying `` messages and + `` elements from the IdP + type: object + properties: + signature: + $ref: '#/components/schemas/SamlResponseSignatureAlgorithm' + SamlSigningCredentials: + description: Key used for signing requests to the IdP + type: object + properties: + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + SamlTrustCredentials: + description: Federation Trust Credentials for verifying assertions from the IdP + type: object + properties: + additionalKids: + description: >- + Additional IdP key credential reference to the Okta X.509 signature + certificate + type: array + maxItems: 1 + items: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + audience: + type: string + description: >- + URI that identifies the target Okta IdP instance (SP) for an + `` + maxLength: 1024 + example: https://www.okta.com/saml2/service-provider/spgv32vOnpdyeGSaiUpL + issuer: + type: string + description: >- + URI that identifies the issuer (IdP) of a `` message + `` element + maxLength: 1024 + example: urn:example:idp + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + SamlAcsEndpoint: + description: >- + Okta's `SPSSODescriptor` endpoint where the IdP sends a `` + message + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + type: + $ref: 
'#/components/schemas/SamlEndpointType' + SamlSloEndpoint: + description: >- + IdP's `SingleLogoutService` endpoint where Okta sends a + `` message + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: >- + URL of the binding-specific IdP endpoint where Okta sends a + `` + maxLength: 1014 + example: https://idp.example.com/saml2/slo + SamlSsoEndpoint: + description: >- + IdP's `SingleSignOnService` endpoint where Okta sends an + `` message + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + destination: + type: string + description: >- + URI reference that indicates the address to which the + `` message is sent. + + The `destination` property is required if request signatures are + specified. See [SAML 2.0 Request Algorithm + object](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=protocol/0/algorithms/request&t=request). + maxLength: 512 + example: https://idp.example.com/saml2/sso + url: + type: string + description: >- + URL of the binding-specific endpoint to send an `` + message to the IdP. + + The value of `url` defaults to the same value as the `sso` endpoint + if omitted during creation of a new IdP instance. + + The `url` should be the same value as the `Location` attribute for a + published binding in the IdP's SAML Metadata `IDPSSODescriptor`. + maxLength: 1014 + example: https://idp.example.com/saml2/sso + SamlRelayStateFormat: + description: >- + The format used to generate the `relayState` in the SAML request. The + `FROM_URL` format is used if this value is null. 
+ type: string + enum: + - FROM_URL + - OPAQUE + SamlNameIdFormat: + description: SAML 2.0 Name Identifier formats + default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + type: string + enum: + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + OAuthCredentialsClient: + description: >- + OAuth 2.0 and OpenID Connect Client object + + > **Note:** You must complete client registration with the IdP + Authorization Server for your Okta IdP instance to obtain client + credentials. + type: object + properties: + client_id: + type: string + description: >- + The [Unique + identifier](https://tools.ietf.org/html/rfc6749#section-2.2) issued + by the AS for the Okta IdP instance + maxLength: 1024 + example: your-client-id + client_secret: + type: string + description: >- + The [Client + secret](https://tools.ietf.org/html/rfc6749#section-2.3.1) issued by + the AS for the Okta IdP instance + maxLength: 1024 + example: your-client-secret + pkce_required: + type: boolean + description: >- + Require Proof Key for Code Exchange (PKCE) for additional + verification + token_endpoint_auth_method: + type: string + description: Client authentication methods supported by the token endpoint + enum: + - private_key_jwt + AppleClientSigning: + description: >- + Information used to generate the secret JSON Web Token for the token + requests to Apple IdP + + > **Note:** The `privateKey` property is required for a CREATE request. + For an UPDATE request, it can be null and keeps the existing value if + it's null. The `privateKey` property isn't returned for LIST and GET + requests or UPDATE requests if it's null. 
+ type: object + properties: + kid: + type: string + description: >- + The key ID that you obtained from Apple when you created the private + key for the client + maxLength: 1024 + example: test key id + privateKey: + type: string + description: >- + The PKCS \#8 encoded private key that you created for the client and + downloaded from Apple + maxLength: 1024 + example: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + teamId: + type: string + description: The Team ID associated with your Apple developer account + maxLength: 1024 + example: test team id + OAuthAuthorizationEndpoint: + description: >- + Endpoint for an [OAuth 2.0 Authorization Server + (AS)](https://tools.ietf.org/html/rfc6749#page-18) + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the IdP Authorization Server (AS) authorization endpoint + example: https://idp.example.com/authorize + OidcJwksEndpoint: + description: >- + Endpoint for the JSON Web Key Set (JWKS) document. This document + contains signing keys that are used to validate the signatures from the + provider. For more information on JWKS, see [JSON Web + Key](https://tools.ietf.org/html/rfc7517). 
+ type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the endpoint to the JWK Set + example: https://idp.example.com/keys + OidcSloEndpoint: + description: OIDC IdP logout endpoint + type: object + properties: + url: + type: string + description: IdP logout endpoint URL + maxLength: 1014 + example: https://idp.example.com/saml2/slo + OAuthTokenEndpoint: + description: >- + Endpoint for an [OAuth 2.0 Authorization Server + (AS)](https://tools.ietf.org/html/rfc6749#page-18) + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the IdP Authorization Server (AS) token endpoint + example: https://idp.example.com/token + OidcUserInfoEndpoint: + description: >- + Endpoint for getting identity information about the user. For more + information on the `/userinfo` endpoint, see [OpenID + Connect](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). 
+ type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the resource server's `/userinfo` endpoint + example: https://idp.example.com/userinfo + OidcRequestAlgorithm: + description: Algorithm settings used to sign an authorization request + type: object + properties: + signature: + $ref: '#/components/schemas/OidcRequestSignatureAlgorithm' + MtlsTrustCredentials: + type: object + properties: + audience: + type: string + description: Not used + example: null + issuer: + type: string + description: Description of the certificate issuer + maxLength: 1024 + example: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + revocation: + $ref: '#/components/schemas/MtlsTrustCredentialsRevocation' + revocationCacheLifetime: + type: number + description: Time in minutes to cache the certificate revocation information + maximum: 4320 + example: 2880 + MtlsSsoEndpoint: + description: >- + The Single Sign-On (SSO) endpoint is the IdP's `SingleSignOnService` + endpoint + type: object + properties: + url: + type: string + maxLength: 1014 + example: https://{yourOktaDomain}.okta.com/login/cert + IDVAuthorizationEndpoint: + description: IDV authorization endpoint + type: object + properties: + binding: + type: string + enum: + - HTTP-REDIRECT + url: + type: string + description: URL of the IDV `authorization` endpoint + readOnly: true + IDVParEndpoint: + description: IDV [PAR](https://datatracker.ietf.org/doc/html/rfc9126) endpoint + type: object + properties: + binding: + type: string + enum: + - HTTP-POST + url: + type: string + description: URL of the IDV `par` endpoint + readOnly: true + IDVTokenEndpoint: + description: IDV token endpoint + type: object + properties: + binding: + type: string + enum: + - HTTP-POST + url: + type: string + description: URL of the IDV `token` endpoint + readOnly: true + HttpMethod: + type: string + enum: + - 
DELETE + - GET + - POST + - PUT + PolicyAccountLinkFilterGroups: + description: Group memberships used to determine link candidates + type: object + properties: + include: + type: array + description: >- + Specifies the allowlist of Group identifiers to match against. Group + memberships are restricted to type `OKTA_GROUP`. + items: + type: string + example: 00gjg5lzfBpn62wuF0g3 + PolicyAccountLinkFilterUsers: + description: Filters on which users are available for account linking + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: object + properties: + exclude: + type: array + description: >- + Specifies the blocklist of user identifiers to exclude from account + linking + items: + type: string + example: 00u2c0nz7wj4UBs8V0g5 + excludeAdmins: + type: boolean + description: >- + Specifies whether admin users should be excluded from account + linking + default: false + ProvisioningDeprovisionedCondition: + description: >- + Behavior for a previously deprovisioned IdP user during authentication. + Not supported with OIDC IdPs. + type: object + properties: + action: + $ref: '#/components/schemas/ProvisioningDeprovisionedAction' + ProvisioningSuspendedCondition: + description: >- + Behavior for a previously suspended IdP user during authentication. Not + supported with OIDC IdPs. 
+ type: object + properties: + action: + $ref: '#/components/schemas/ProvisioningSuspendedAction' + ProvisioningGroupsAction: + description: >- + Provisioning action for the IdP user's group memberships + + + | Enum | + Description + | Existing OKTA_GROUP + Memberships + | Existing APP_GROUP Memberships | Existing BUILT_IN Memberships | + + | -------- | + ----------------------------------------------------------------------------------------------------------------------------------------------------------------- + | + ----------------------------------------------------------------------------------------------------- + | ------------------------------ | ----------------------------- | + + | `APPEND` | Adds a user to any group defined by the IdP as a value of + the `sourceAttributeName` array that matches the name of the allow + listed group defined in the `filter` | + Unchanged + | Unchanged | Unchanged | + + | `ASSIGN` | Assigns a user to groups defined in the `assignments` + array + | + Unchanged + | Unchanged | Unchanged | + + | `NONE` | Skips processing of group + memberships + | + Unchanged + | Unchanged | Unchanged | + + | `SYNC` | Group memberships are sourced by the IdP as a value of the + `sourceAttributeName` array that matches the name of the group defined + in the `filter` | Removed if not defined by the IdP in + `sourceAttributeName` and matching name of the group in `filter` | + Unchanged | Unchanged | + + + > **Note:** Group provisioning action is processed independently from + profile sourcing. You can sync group memberships through SAML with + profile sourcing disabled. + type: string + enum: + - APPEND + - ASSIGN + - NONE + - SYNC + SamlRequestSignatureAlgorithm: + description: >- + XML digital Signature Algorithm settings for signing `` + messages sent to the IdP + + > **Note:** The `algorithm` property is ignored when you disable + request signatures (`scope` set as `NONE`). 
+ type: object + properties: + algorithm: + $ref: '#/components/schemas/SamlSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' + SamlResponseSignatureAlgorithm: + description: >- + XML digital Signature Algorithm settings for verifying `` + messages and `` elements from the IdP + type: object + properties: + algorithm: + $ref: '#/components/schemas/SamlSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmResponseScope' + ProtocolCredentialsKeyId: + description: IdP key credential reference to the Okta X.509 signature certificate + example: your-key-id + type: string + ProtocolEndpointBinding: + type: string + enum: + - HTTP-POST + - HTTP-REDIRECT + SamlEndpointType: + description: >- + Determines whether to publish an instance-specific (trust) or + organization (shared) ACS endpoint in the SAML metadata + default: INSTANCE + type: string + enum: + - INSTANCE + - ORG + OidcRequestSignatureAlgorithm: + description: >- + Signature Algorithm settings for signing authorization requests sent to + the IdP + + > **Note:** The `algorithm` property is ignored when you disable + request signatures (`scope` set as `NONE`). + type: object + properties: + algorithm: + $ref: '#/components/schemas/OidcSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' + MtlsTrustCredentialsRevocation: + description: Mechanism to validate the certificate + example: CRL + type: string + enum: + - CRL + - DELTA_CRL + - OCSP + ProvisioningDeprovisionedAction: + description: >- + Specifies the action during authentication when an IdP user is linked to + a previously deprovisioned Okta user + type: string + enum: + - NONE + - REACTIVATE + x-enumDescriptions: + NONE: >- + Take no action. If an IdP user that matches a previously deprovisioned + Okta user attempts to authenticate, authentication fails. 
+ REACTIVATE: >- + If an IdP user that matches a previously deprovisioned Okta user + attempts to authenticate, reactivate the matching user in Okta and + allow the authentication attempt to proceed. + ProvisioningSuspendedAction: + description: >- + Specifies the action during authentication when an IdP user is linked to + a previously suspended Okta user + type: string + enum: + - NONE + - UNSUSPEND + x-enumDescriptions: + NONE: >- + Take no action. If an IdP user that matches a previously suspended + Okta user attempts to authenticate, authentication fails. + UNSUSPEND: >- + If an IdP user that matches a previously suspended Okta user attempts + to authenticate, unsuspend the matching user in Okta and allow the + authentication attempt to proceed. + SamlSigningAlgorithm: + example: SHA-256 + type: string + enum: + - SHA-1 + - SHA-256 + ProtocolAlgorithmRequestScope: + description: Specifies whether to digitally sign authorization requests to the IdP + example: REQUEST + type: string + enum: + - NONE + - REQUEST + ProtocolAlgorithmResponseScope: + description: Specifies whether to verify responses from the IdP + example: ANY + type: string + enum: + - ANY + - RESPONSE + - TOKEN + OidcSigningAlgorithm: + type: string + enum: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + 
ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + pathKid: + name: kid + description: Unique `id` of the IdP key credential + in: path + required: true + schema: + type: string + example: KmMo85SSsU7TZzOShcGb + pathIdpId: + name: idpId + description: '`id` of IdP' + in: path + required: true + schema: + type: string + example: 0oa62bfdjnK55Z5x80h7 + pathIdpCsrId: + name: idpCsrId + description: '`id` of the IdP CSR' + in: path + required: true + schema: + type: string + example: 1uEhyE65oV3H6KM9gYcN + queryFilter: + name: q + in: query + description: Searches the records for matching value + schema: + type: string + pathUserId: + name: userId + description: ID of an existing Okta user + in: path + required: true + schema: + type: string + example: 00ub0oNGTSWTBKOLGLNR + examples: + MultipleIdPsResponse: + summary: Multiple IdPs + value: + - id: 0oa62b57p7c8PaGpU0h7 + type: FACEBOOK + name: Facebook + status: ACTIVE + created: '2016-03-24T23:18:27.000Z' + lastUpdated: '2016-03-24T23:18:27.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.facebook.com/dialog/oauth + binding: HTTP-REDIRECT + token: + url: https://graph.facebook.com/v2.5/oauth/access_token + binding: HTTP-POST + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: 
your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: ACTIVE + created: '2016-03-24T23:14:54.000Z' + lastUpdated: '2016-03-24T23:14:54.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + filter: (\S+@example\.com) + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + metadata: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: 
https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate + hints: + allow: + - POST + - id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-24T23:21:49.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa62bfdjnK55Z5x80h7 + type: LINKEDIN + name: LinkedIn + status: ACTIVE + created: '2016-03-24T23:23:59.000Z' + lastUpdated: '2016-03-24T23:23:59.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.linkedin.com/uas/oauth2/authorization + binding: HTTP-REDIRECT + token: + url: https://www.linkedin.com/uas/oauth2/accessToken + binding: HTTP-POST + scopes: + - 
r_basicprofile + - r_emailaddress + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdjnK55Z5x80h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oajmvdFawBih4gey0g3 + type: MICROSOFT + name: Microsoft + status: ACTIVE + created: '2016-03-29T16:47:36.000Z' + lastUpdated: '2016-03-29T16:47:36.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize + binding: HTTP-REDIRECT + token: + url: https://login.microsoftonline.com/common/oauth2/v2.0/token + binding: HTTP-POST + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + 
https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oaulob4BFVa4zQvt0g3 + type: OIDC + name: Example OpenID Connect IdP + status: ACTIVE + created: '2019-02-07T20:07:47.000Z' + lastUpdated: '2019-02-07T20:07:47.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://idp.example.com/authorize + binding: HTTP-REDIRECT + token: + url: https://idp.example.com/token + binding: HTTP-POST + userInfo: + url: https://idp.example.com/userinfo + binding: HTTP-REDIRECT + jwks: + url: https://idp.example.com/keys + binding: HTTP-REDIRECT + scopes: + - openid + issuer: + url: https://idp.example.com + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: false + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa6jxasyhwM2ZHJh0g4 + type: X509 + name: Smart Card IDP Name + status: ACTIVE + created: '2020-01-07T00:19:27.000Z' + lastUpdated: '2020-01-07T00:19:27.000Z' + properties: + additionalAmr: + - sc + 
- hwk + - pin + - mfa + protocol: + type: MTLS + endpoints: + sso: + url: https://{yourOktaDomain}.okta.com/login/cert + credentials: + trust: + issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + audience: null + kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc + revocation: CRL + revocationCacheLifetime: 2880 + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: idpuser.subjectAltNameEmail + filter: null + matchType: EMAIL + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + deactivate: + href: >- + https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate + hints: + allow: + - POST + users: + href: >- + https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users + hints: + allow: + - GET + keys: + href: >- + https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc + hints: + allow: + - GET + CreateGenericOidcIdPRequest: + summary: Create generic OpenID Connect IdP + value: + type: OIDC + name: Example OpenID Connect IdP + protocol: + algorithms: + request: + signature: + algorithm: HS256 + scope: REQUEST + endpoints: + acs: + binding: HTTP-POST + type: INSTANCE + authorization: + binding: HTTP-REDIRECT + url: https://idp.example.com/authorize + token: + binding: HTTP-POST + url: https://idp.example.com/token + userInfo: + binding: HTTP-REDIRECT + url: https://idp.example.com/userinfo + jwks: + binding: HTTP-REDIRECT + url: https://idp.example.com/keys + slo: + url: https://idp.example.com/slo + scopes: + - openid + - profile + - email + settings: + participateSlo: true + type: OIDC + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + pkce_required: 'true' + issuer: + url: https://idp.example.com + policy: + accountLink: + action: AUTO + filter: null + provisioning: + action: AUTO + conditions: + deprovisioned: + action: NONE + suspended: + action: 
NONE + groups: + action: NONE + mapAMRClaims: false + maxClockSkew: 120000 + subject: + userNameTemplate: + template: idpuser.email + matchType: USERNAME + CreateSamlIdPRequest: + summary: Create SAML 2.0 IdP + value: + type: SAML2 + name: Example SAML IdP + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + slo: + url: https://idp.example.com/slo + binding: HTTP-POST + acs: + binding: HTTP-POST + type: INSTANCE + settings: + participateSlo: true + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + additionalKids: + - additional-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + format: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + filter: (\S+@example\.com) + matchType: USERNAME + CreateAppleIdPRequest: + summary: Create Apple IdP + value: + type: APPLE + name: Apple IdP + protocol: + type: OIDC + scopes: + - openid + - email + - name + credentials: + client: + client_id: your-client-id + signing: + privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + kid: test key ID + teamId: test team ID + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + matchType: USERNAME + CreateFacebookIdPRequest: + summary: Create Facebook IdP + value: + type: FACEBOOK + name: Facebook + protocol: + type: OAUTH2 + scopes: + - public_profile + - email + credentials: + 
client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateGoogleIdPRequest: + summary: Create Google IdP + value: + type: GOOGLE + name: Google + protocol: + type: OAUTH2 + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateMicrosoftIdPRequest: + summary: Create Microsoft IdP + value: + type: MICROSOFT + name: Microsoft + protocol: + type: OIDC + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + CreateSmartCardIdPRequest: + summary: Create SmartCard IdP + value: + type: X509 + status: ACTIVE + name: Smart Card IDP Name + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + credentials: + trust: + revocation: CRL + revocationCacheLifetime: 2880 + issuer: your-issuer 
+ kid: your-kid + policy: + provisioning: + action: DISABLED + mapAMRClaims: false + maxClockSkew: 120000 + subject: + matchType: EMAIL + matchAttribute: '' + userNameTemplate: + template: idpuser.subjectAltNameEmail + CreatePersonaIDVRequest: + summary: Create Persona as IdP + value: + type: IDV_PERSONA + name: Persona IDV + protocol: + type: ID_PROOFING + credentials: + bearer: + apiKey: your-api-key + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: source.userName + filter: null + matchType: USERNAME + matchAttribute: null + maxClockSkew: 0 + properties: + inquiryTemplateId: itmpl_HSctx8fNvXoHtrQfz2hxUVH8RBjG + CreateCLEARIDVRequest: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: [] + summary: Create CLEAR Verified as IdP + value: + type: IDV_CLEAR + name: CLEAR Verified IDV + protocol: + type: ID_PROOFING + scopes: + - profile + - identity_assurance + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: source.userName + filter: null + matchType: USERNAME + matchAttribute: null + maxClockSkew: 0 + CreateIncodeIDVRequest: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: [] + summary: Create Incode as IdP + value: + type: IDV_INCODE + name: Incode IDV + protocol: + type: ID_PROOFING + scopes: + - profile + - identity_assurance + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: source.userName + filter: null + matchType: USERNAME + matchAttribute: null + maxClockSkew: 0 + GenericOidcIdpResponse: 
+ summary: Generic OpenID Connect IdP + value: + id: 0oaulob4BFVa4zQvt0g3 + type: OIDC + name: Example OpenID Connect IdP + status: ACTIVE + created: '2019-02-07T20:07:47.000Z' + lastUpdated: '2019-02-07T20:07:47.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://idp.example.com/authorize + binding: HTTP-REDIRECT + token: + url: https://idp.example.com/token + binding: HTTP-POST + userInfo: + url: https://idp.example.com/userinfo + binding: HTTP-REDIRECT + jwks: + url: https://idp.example.com/keys + binding: HTTP-REDIRECT + slo: + url: https://idp.example.com/slo + binding: HTTP-REDIRECT + algorithms: + request: + signature: + algorithm: HS256 + scope: REQUEST + scopes: + - openid + settings: + participateSlo: true + issuer: + url: https://idp.example.com + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + pkce_required: 'true' + policy: + provisioning: + action: AUTO + profileMaster: false + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + SamlIdPResponse: + summary: SAML 2.0 IdP + value: + id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: ACTIVE + created: '2016-03-24T23:14:54.000Z' + lastUpdated: '2016-03-24T23:14:54.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + 
destination: https://idp.example.com + slo: + url: https://idp.example.com/slo + binding: HTTP-POST + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + participateSlo: true + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + additionalKids: + - additional-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + filter: (\S+@example\.com) + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + metadata: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate + hints: + allow: + - POST + AppleIdPResponse: + summary: Apple IdP + value: + id: 0oa18hsHsG3boVejU0g4 + type: APPLE + issuerMode: ORG_URL + name: Apple IdP + status: ACTIVE + created: '2020-06-05T20:57:51.000Z' + lastUpdated: '2020-06-05T20:57:51.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://appleid.apple.com/auth/authorize + binding: HTTP-REDIRECT + token: + url: https://appleid.apple.com/auth/token + binding: HTTP-POST + scopes: + - openid + - email + - name + credentials: + client: + client_id: your-client-id + signing: + teamId: test team ID + privateKey: 
MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + kid: test key ID + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa18hsHsG3boVejU0g4&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri=${redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + FacebookIdPResponse: + summary: Facebook IdP + value: + id: 0oa62b57p7c8PaGpU0h7 + type: FACEBOOK + name: Facebook + status: ACTIVE + created: '2016-03-24T23:18:27.000Z' + lastUpdated: '2016-03-24T23:18:27.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.facebook.com/dialog/oauth + binding: HTTP-REDIRECT + token: + url: https://graph.facebook.com/v2.5/oauth/access_token + binding: HTTP-POST + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + 
templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + GoogleIdPResponse: + summary: Google IdP + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-24T23:21:49.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + MicrosoftIdPResponse: + summary: Microsoft IdP + value: + id: 0oajmvdFawBih4gey0g3 + type: MICROSOFT + name: Microsoft + status: ACTIVE + created: '2016-03-29T16:47:36.000Z' + lastUpdated: '2016-03-29T16:47:36.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize + binding: HTTP-REDIRECT + token: + url: https://login.microsoftonline.com/common/oauth2/v2.0/token + binding: HTTP-POST + scopes: + - openid + - email + - profile + - 
https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + SmartCardIdPResponse: + summary: SmartCard IdP + value: + id: 0oa6jxasyhwM2ZHJh0g4 + type: X509 + name: Smart Card IDP Name + status: ACTIVE + created: '2020-01-07T00:19:27.000Z' + lastUpdated: '2020-01-07T00:19:27.000Z' + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + endpoints: + sso: + url: https://{yourOktaDomain}.okta.com/login/cert + credentials: + trust: + issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + audience: null + kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc + revocation: CRL + revocationCacheLifetime: 2880 + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: idpuser.subjectAltNameEmail + filter: null + matchType: EMAIL + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 120000 + _links: + deactivate: + href: >- + https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate + hints: + allow: + - POST + users: + href: >- + https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users + hints: + allow: + - GET + keys: + href: 
>- + https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc + hints: + allow: + - GET + PersonaIDVResponse: + summary: Persona as IdP + value: + id: 0oa62bfdjnK55Z5x80h7 + name: Persona IDV + status: ACTIVE + created: '2023-10-01T12:00:00.000Z' + lastUpdated: '2023-10-01T12:00:00.000Z' + protocol: + type: ID_PROOFING + endpoints: + authorization: + url: https://withpersona.com/verify + binding: HTTP-REDIRECT + credentials: + bearer: + apiKey: your-api-key + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: source.userName + filter: null + matchType: USERNAME + matchAttribute: null + maxClockSkew: 0 + properties: + inquiryTemplateId: itmpl_HSctx8fNvXoHtrQfz2hxUVH8RBjG + type: IDV_PERSONA + _links: + self: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdjnK55Z5x80h7 + hints: + allow: + - GET + - DELETE + activate: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bfdjnK55Z5x80h7/lifecycle/activate + hints: + allow: + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bfdjnK55Z5x80h7/lifecycle/deactivate + hints: + allow: + - POST + CLEARIDVResponse: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: [] + summary: CLEAR Verified as IdP + value: + id: 0oab50jh0UPiB6xde0w6 + name: CLEAR Verified IDV + status: ACTIVE + created: '2025-01-14T19:59:41.000Z' + lastUpdated: '2025-01-14T19:59:41.000Z' + protocol: + type: ID_PROOFING + endpoints: + authorization: + url: https://verified.clearme.com/oauth/idv_authorize + binding: HTTP-REDIRECT + token: + url: https://verified.clearme.com/hydra/oauth2/token + binding: HTTP-POST + par: + url: https://verified.clearme.com/oauth/par + binding: HTTP-POST + scopes: + - openid + - profile + - identity_assurance + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: DISABLED + 
profileMaster: false + groups: null + subject: + userNameTemplate: + template: source.userName + filter: null + matchType: USERNAME + matchAttribute: null + maxClockSkew: 0 + type: IDV_CLEAR + _links: + users: + href: https://{yourOktaDomain}/api/v1/idps/0oab50jh0UPiB6xde0w6/users + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oab50jh0UPiB6xde0w6/lifecycle/deactivate + hints: + allow: + - POST + IncodeIDVResponse: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: [] + summary: Incode as IdP + value: + id: 0oaf35tu47hnH9mlZ0w6 + name: Incode IdP + status: ACTIVE + created: '2025-01-15T20:54:04.000Z' + lastUpdated: '2025-01-15T20:54:05.000Z' + protocol: + type: ID_PROOFING + endpoints: + authorization: + url: https://auth.incode.com/oauth2/authorize + binding: HTTP-REDIRECT + token: + url: https://auth.incode.com/oauth2/token + binding: HTTP-POST + par: + url: https://auth.incode.com/oauth2/par + binding: HTTP-POST + scopes: + - openid + - profile + - identity_assurance + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: source.userName + filter: null + matchType: USERNAME + matchAttribute: null + maxClockSkew: 0 + type: IDV_INCODE + _links: + users: + href: https://{yourOktaDomain}/api/v1/idps/0oaf35tu47hnH9mlZ0w6/users + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oaf35tu47hnH9mlZ0w6/lifecycle/deactivate + hints: + allow: + - POST + MultipleIdPKeyCredentialsResponse: + summary: IdP key credentials + value: + - kid: your-key-id + created: '2016-01-03T18:15:47.000Z' + lastUpdated: '2016-01-03T18:15:47.000Z' + e: '65537' + 'n': >- + 
101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747 + kty: RSA + use: sig + x5c: + - >- + 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 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + - kty: EC + created: '2020-04-24T20:51:20.000Z' + lastUpdated: '2020-04-24T20:51:20.000Z' + expiresAt: '2040-03-01T20:22:29.000Z' + alg: EC + x5c: + - >- + MIICqDCCAgqgAwIBAgIJAOkmCa/S8dHiMAoGCCqGSM49BAMCMG0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRAwDgYDVQQKDAdKYW5reUNvMR8wHQYDVQQDDBZUZXN0IElkZW50aXR5IFByb3ZpZGVyMB4XDTIwMDMwNjIwMjIyOVoXDTQwMDMwMTIwMjIyOVowbTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEDAOBgNVBAoMB0phbmt5Q28xHzAdBgNVBAMMFlRlc3QgSWRlbnRpdHkgUHJvdmlkZXIwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABABW/lGHl17mKDtCD4D7gcMYYOWgyWTGno8MTefDOABA8PddessTsbfrguF49Gli6lCzrZaAKhhvgINc3R6t/dYleAE3lY6LAocOoLe9xDkeggXNcSuP5fDc1x5R9GHTXl44vLoJOLSLsMbOXVMXIXoqbPDzTSYUy24aFdv4W4LZxW6ak6NQME4wHQYDVR0OBBYEFChTXNWvs4z1qjRVemPDD/hqlDQ4MB8GA1UdIwQYMBaAFChTXNWvs4z1qjRVemPDD/hqlDQ4MAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDgYsAMIGHAkIBuDhHMNLbBIsorbKtjxJzHJ2ItCSD2wAwqYv/6JBtA2ulKN5gRTSqdNCnqFsZ1/nYY7FFVXHEuQ2N3pPq7Ri8h84CQSgCq1UQyd0lFtb7+57JbiGb6LVaRqRm7vwx8zLRA+tVjIM1DlQ2Gbxkj3nlkzmM93j9wchiqGdQidyKnF6EBnfd + x: >- + Vv5Rh5de5ig7Qg-A-4HDGGDloMlkxp6PDE3nwzgAQPD3XXrLE7G364LhePRpYupQs62WgCoYb4CDXN0erf3WJXg + 'y': >- + ATeVjosChw6gt73EOR6CBc1xK4_l8NzXHlH0YdNeXji8ugk4tIuwxs5dUxcheips8PNNJhTLbhoV2_hbgtnFbpqT + crv: P-521 + kid: your-kid + use: sig + x5t#S256: TUx-AIwypm2pZURHNqafk7ZDxqQP_ypzIyUwDDnPOlw + IdPKeyCredentialResponse: + summary: IdP key credential + value: + kid: your-key-id + created: '2016-01-03T18:15:47.000Z' + lastUpdated: '2016-01-03T18:15:47.000Z' + e: 
'65537' + 'n': >- + 101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747 + kty: RSA + use: sig + x5c: + - >- + 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 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdPKeyCredentialRequest: + summary: IdP key credential + value: + e: '65537' + 'n': >- + 101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747 + x5c: + - >- + MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2Hn
eD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + ReplaceIdPRequestResponse: + summary: Replace an IdP + value: + id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: INACTIVE + created: null + lastUpdated: '2016-03-29T21:23:45.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com/saml2/sso + binding: HTTP-REDIRECT + destination: https://idp.example.com/saml2/sso + slo: + url: https://idp.example.com/slo + binding: HTTP-POST + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + participateSlo: true + credentials: + trust: + issuer: https://idp.example.com + audience: https://www.okta.com/saml2/service-provider/spCQJRNaaxs7ANqKBO7M + kid: your-key-id + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.subjectNameId + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 120000 + _links: + metadata: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + activate: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/activate + hints: + allow: + - POST + MultipleIdPCsrsResponse: + summary: IdP CSRs + value: + - id: 
h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: >- + 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 + kty: RSA + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + - id: '-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg' + created: '2017-03-28T01:21:10.000Z' + csr: >- + 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 + kty: RSA + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg + hints: + allow: + - GET + - DELETE + publish: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg/lifecycle/publish + hints: + allow: + - POST + CsrJsonResponse: + summary: CSR object in JSON format + value: + id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + created: '2017-03-28T01:11:10.000Z' + csr: >- + 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 + kty: RSA + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 + hints: + allow: + - GET + - DELETE + publish: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish + hints: + allow: + - POST + CsrPkcs10Response: + summary: CSR in DER format + value: >- + MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9 + 
MultipleIdPSigningKeyCredentialsResponse: + summary: IdP signing key credentials + value: + - created: '2015-12-10T18:56:23.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + x5c: + - >- + 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 + kid: akm5hvbbevE341ovl0h7 + kty: RSA + use: sig + x5t#S256: 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps + - created: '2015-12-10T18:55:35.000Z' + expiresAt: '2045-01-23T02:15:23.000Z' + x5c: + - >- + 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 + kid: akm5hvbn1vojA9Fsa0h7 + kty: RSA + use: sig + x5t#S256: 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ + ActiveIdPSigningKeyCredentialResponse: + summary: IdP active signing key credential + value: + - kty: RSA + created: '2025-04-14T16:29:59.000Z' + lastUpdated: '2025-04-14T16:29:59.000Z' + expiresAt: '2035-04-14T16:29:59.000Z' + kid: your-key-id + use: sig + x5c: + - >- + 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 + x5t#S256: pX0kpGWPotMaEqqtIoOH9L-sFBa-htNFu0MZiJz1Hi4 + e: AQAB + 'n': >- + wdmW7pNqxzmlrsWbHq6rQJDiMu4T344AKEzQ1jGffyCLCU-HKk5WqIVtQ4EJ5FU3Rk6kNeoTdkQbxn7t2QFj37ScHZkxXDbNEhFbZpvGh7-rYBG7TCnk8jO9ct_bpT-PCLCgC9L_67H2eCXXN-_gFVZAx7KEibb4NgUET2p34b5scGI2LwEefS-z8UBGlNkg9+SmI9PvjMXplFKazb6qlb27fp0PSfC4S5g8kOCqEGC9oNOCBHO5jyzlzcFq04AIaAX9N1X13UULrj-262O1-RCnQNTadbdrO6FXwfQ6lsLmvWCFBVzLTqxYxCGNY85lhAH1zjoEvXnInKYgnvmcuw + IdPSigningKeyCredentialResponse: + summary: IdP signing key credential + value: + created: '2015-12-10T18:56:23.000Z' + expiresAt: '2017-12-10T18:56:22.000Z' + kid: akm5hvbbevE341ovl0h7 + kty: RSA + use: sig + x5c: + - >- + 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 + x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + ActivateIdPResponse: + summary: Activate an IdP + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-25T19:14:23.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: 
https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + DeactivateIdPResponse: + summary: Deactivate an IdP + value: + id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: INACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-25T19:16:53.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + 
https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& + client_id={clientId}&response_type={responseType}&response_mode={responseMode}& + scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + ListIdPUsersResponse: + summary: List of linked IdP users + value: + - id: 00u5cl9lo7nMjHjPr0h7 + externalId: '109912936038778' + created: '2015-11-03T19:10:11.000Z' + lastUpdated: '2015-11-03T19:11:49.000Z' + profile: + firstName: Carol + middleName: Lee + lastName: Johnson + email: carol_johnson@tfbnw.net + displayName: Carol Johnson + profile: https://www.facebook.com/app_scoped_user_id/109912936038778/ + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7/users/00u5cl9lo7nMjHjPr0h7 + hints: + allow: + - GET + - DELETE + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7 + user: + href: https://{yourOktaDomain}/api/v1/users/00u5cl9lo7nMjHjPr0h7 + IdPAppUserResponse: + summary: IdP user + value: + id: 00u5t60iloOHN9pBi0h7 + externalId: externalId + created: '2017-12-19T17:30:16.000Z' + lastUpdated: '2017-12-19T17:30:16.000Z' + profile: + profileUrl: null + firstName: null + lastName: null + honorificSuffix: null + displayName: null + honorificPrefix: null + middleName: null + email: null + _links: + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7 + self: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7/users/00u5t60iloOHN9pBi0h7 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + LinkIdPAppUserResponse: + summary: Linked IdP user + value: + id: 00ub0oNGTSWTBKOLGLNR + externalId: '121749775026145' + created: '2017-03-30T02:19:51.000Z' + lastUpdated: '2017-03-30T02:19:51.000Z' + _links: + self: + href: >- + 
https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7/users/00ub0oNGTSWTBKOLGLNR + hints: + allow: + - GET + - DELETE + idp: + href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7 + user: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + SocialAuthTokensResponse: + summary: Social authentication tokens + value: + - id: + token: JBTWGV22G4ZGKV3N + tokenType: urn:ietf:params:oauth:token-type:access_token + tokenAuthScheme: Bearer + expiresAt: '2014-08-06T16:56:31.000Z' + scopes: + - openid + - foo + - id: + token: JBTWGV22G4ZJBRXJ + tokenType: urn:ietf:params:oauth:token-type:id_token + tokenAuthScheme: null + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + identity_providers: + id: okta.idps.identity_providers + name: identity_providers + title: Identity Providers + methods: + list_identity_providers: + operation: + $ref: '#/paths/~1api~1v1~1idps/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_identity_provider: + operation: + $ref: '#/paths/~1api~1v1~1idps/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_identity_provider: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_identity_provider: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_identity_provider: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_identity_provider: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1lifecycle~1activate/post' + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_identity_provider: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1lifecycle~1deactivate/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/identity_providers/methods/list_identity_providers + - $ref: >- + #/components/x-stackQL-resources/identity_providers/methods/get_identity_provider + insert: + - $ref: >- + 
#/components/x-stackQL-resources/identity_providers/methods/create_identity_provider + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/identity_providers/methods/delete_identity_provider + replace: + - $ref: >- + #/components/x-stackQL-resources/identity_providers/methods/replace_identity_provider + keys: + id: okta.idps.keys + name: keys + title: Keys + methods: + list_identity_provider_keys: + operation: + $ref: '#/paths/~1api~1v1~1idps~1credentials~1keys/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_identity_provider_key: + operation: + $ref: '#/paths/~1api~1v1~1idps~1credentials~1keys/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_identity_provider_key: + operation: + $ref: '#/paths/~1api~1v1~1idps~1credentials~1keys~1{kid}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_identity_provider_key: + operation: + $ref: '#/paths/~1api~1v1~1idps~1credentials~1keys~1{kid}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_identity_provider_key: + operation: + $ref: '#/paths/~1api~1v1~1idps~1credentials~1keys~1{kid}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/keys/methods/list_identity_provider_keys + - $ref: >- + #/components/x-stackQL-resources/keys/methods/get_identity_provider_key + insert: + - $ref: >- + #/components/x-stackQL-resources/keys/methods/create_identity_provider_key + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/keys/methods/delete_identity_provider_key + replace: + - $ref: >- + #/components/x-stackQL-resources/keys/methods/replace_identity_provider_key + csrs: + id: okta.idps.csrs + name: csrs + title: Csrs + methods: + list_csrs_for_identity_provider: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1csrs/get' + response: + mediaType: application/json + openAPIDocKey: '200' + 
generate_csr_for_identity_provider: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1csrs/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_csr_for_identity_provider: + operation: + $ref: >- + #/paths/~1api~1v1~1idps~1{idpId}~1credentials~1csrs~1{idpCsrId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_csr_for_identity_provider: + operation: + $ref: >- + #/paths/~1api~1v1~1idps~1{idpId}~1credentials~1csrs~1{idpCsrId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + publish_csr_for_identity_provider: + operation: + $ref: >- + #/paths/~1api~1v1~1idps~1{idpId}~1credentials~1csrs~1{idpCsrId}~1lifecycle~1publish/post + response: + mediaType: application/json + openAPIDocKey: '201' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/csrs/methods/list_csrs_for_identity_provider + - $ref: >- + #/components/x-stackQL-resources/csrs/methods/get_csr_for_identity_provider + insert: + - $ref: >- + #/components/x-stackQL-resources/csrs/methods/generate_csr_for_identity_provider + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/csrs/methods/revoke_csr_for_identity_provider + replace: [] + signing_keys: + id: okta.idps.signing_keys + name: signing_keys + title: Signing Keys + methods: + list_identity_provider_signing_keys: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1keys/get' + response: + mediaType: application/json + openAPIDocKey: '200' + generate_identity_provider_signing_key: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1keys~1generate/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_identity_provider_signing_key: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1keys~1{kid}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + clone_identity_provider_key: + operation: + $ref: >- + 
#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1keys~1{kid}~1clone/post + response: + mediaType: application/json + openAPIDocKey: '201' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/signing_keys/methods/list_identity_provider_signing_keys + - $ref: >- + #/components/x-stackQL-resources/signing_keys/methods/get_identity_provider_signing_key + insert: + - $ref: >- + #/components/x-stackQL-resources/signing_keys/methods/generate_identity_provider_signing_key + update: [] + delete: [] + replace: [] + active_idp_signing_keys: + id: okta.idps.active_idp_signing_keys + name: active_idp_signing_keys + title: Active Idp Signing Keys + methods: + list_active_identity_provider_signing_key: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1credentials~1keys~1active/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/active_idp_signing_keys/methods/list_active_identity_provider_signing_key + insert: [] + update: [] + delete: [] + replace: [] + idp_users: + id: okta.idps.idp_users + name: idp_users + title: Idp Users + methods: + list_identity_provider_application_users: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1users/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_identity_provider_application_user: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1users~1{userId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + link_user_to_identity_provider: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1users~1{userId}/post' + response: + mediaType: application/json + openAPIDocKey: '200' + unlink_user_from_identity_provider: + operation: + $ref: '#/paths/~1api~1v1~1idps~1{idpId}~1users~1{userId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/idp_users/methods/list_identity_provider_application_users + - $ref: >- + 
#/components/x-stackQL-resources/idp_users/methods/get_identity_provider_application_user + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/idp_users/methods/unlink_user_from_identity_provider + replace: [] + social_auth_tokens: + id: okta.idps.social_auth_tokens + name: social_auth_tokens + title: Social Auth Tokens + methods: + list_social_auth_tokens: + operation: + $ref: >- + #/paths/~1api~1v1~1idps~1{idpId}~1users~1{userId}~1credentials~1tokens/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/social_auth_tokens/methods/list_social_auth_tokens + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/inlinehooks.yaml b/providers/src/okta/v00.00.00000/services/inlinehooks.yaml new file mode 100644 index 00000000..5e33dd5a --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/inlinehooks.yaml 
@@ -0,0 +1,3518 @@ +openapi: 3.0.3 +info: + title: inlinehooks API + description: okta inlinehooks API + version: 5.1.0 +paths: + /api/v1/inlineHooks: + get: + summary: List all inline hooks + description: >- + Lists all inline hooks or all inline hooks of a specific type. + + + When listing a specific inline hook, you need to specify its type. The + following types are currently supported: + | Type Value | Name | + |------------------------------------|----------------------------------------------------------------| + | `com.okta.import.transform` | [User import inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createUserImportInlineHook) | + | `com.okta.oauth2.tokens.transform` | [Token inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTokenInlineHook) | + | `com.okta.saml.tokens.transform` | [SAML assertion inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createSAMLAssertionInlineHook) | + | `com.okta.telephony.provider` | [Telephony inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook) | + | `com.okta.user.credential.password.import` | [Password import inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook)| + | `com.okta.user.pre-registration` | [Registration inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook) | + operationId: listInlineHooks + parameters: + - $ref: '#/components/parameters/inlineHookType' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: 
'#/components/schemas/InlineHook' + examples: + InlineHooktMgmtListAllexample: + $ref: '#/components/examples/InlineHooktMgmtListAllexample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.read + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an inline hook + description: >- + Creates an inline hook + + + This endpoint creates an inline hook for your org in an `ACTIVE` status. + You need to pass an inline hooks object in the JSON payload of your + request. + + That object represents the set of required information about the inline + hook that you're registering, including: + + + * The URI of your external service endpoint + + * The type of inline hook you're registering + + * The type of authentication you're registering + + + There are two authentication options that you can configure for your + inline hook: HTTP headers and OAuth 2.0 tokens. + + + HTTP headers let you specify a secret API key that you want Okta to pass + to your external service endpoint (so that your external service can + check for its presence as a security measure). + + + >**Note:** The API key that you set here is unrelated to the Okta API + token you must supply when making calls to Okta APIs. + + + You can also optionally specify extra headers that you want Okta to pass + to your external service with each call. + + + To configure HTTP header authentication, see parameters for the `config` + object. + + + OAuth 2.0 tokens provide enhanced security between Okta and your + external service. You can configure these tokens for the following + types—client secret and private key. + + + >**Note:** Your external service's endpoint needs to be a valid HTTPS + endpoint. The URI you specify should always begin with `https://`. 
+ + + The total number of inline hooks that you can create in an Okta org is + limited to 50, which is a combined total for any combination of inline + hook types. + operationId: createInlineHook + x-codegen-request-body-name: inlineHookCreate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHookCreate' + examples: + CreateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtCreateHTTPRequest' + CreateInlineHookOAuthClientSecret: + $ref: >- + #/components/examples/InlineHookMgmtCreateOAuthClientSecretRequest + CreateInlineHookOAuthPrivateKey: + $ref: >- + #/components/examples/InlineHookMgmtCreateOAuthPrivateKeyRequest + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHookCreateResponse' + examples: + CreateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtCreateHTTPResponse' + CreateInlineHookOAuthClientSecret: + $ref: >- + #/components/examples/InlineHookMgmtCreateOAuthClientSecretResponse + CreateInlineHookOAuthPrivateKey: + $ref: >- + #/components/examples/InlineHookMgmtCreateOAuthPrivateKeyResponse + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/inlineHooks/{inlineHookId}: + get: + summary: Retrieve an inline hook + description: Retrieves an inline hook by `inlineHookId` + operationId: getInlineHook + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHook' + examples: + InlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtHTTPexample' + InlineHookOAuthClientSecret: + $ref: 
'#/components/examples/InlineHookMgmtOAuthCSPexample' + InlineHookOAuthPrivateKey: + $ref: '#/components/examples/InlineHookMgmtOauthPKJexample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.read + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update an inline hook + description: Updates an inline hook by `inlineHookId` + operationId: updateInlineHook + x-codegen-request-body-name: inlineHook + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHookReplace' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHook' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an inline hook + description: >- + Replaces an inline hook by `inlineHookId`. The submitted inline hook + properties replace the existing properties after passing validation. + + + >**Note:** Some properties are immutable and can't be updated. 
+ operationId: replaceInlineHook + x-codegen-request-body-name: inlineHook + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHookReplace' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHook' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an inline hook + description: >- + Deletes an inline hook by `inlineHookId`. After it's deleted, the inline + hook is unrecoverable. As a safety precaution, only inline hooks with a + status of `INACTIVE` are eligible for deletion. + operationId: deleteInlineHook + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathInlineHookId' + /api/v1/inlineHooks/{inlineHookId}/execute: + post: + summary: Execute an inline hook + description: >- + Executes the inline hook that matches the provided `inlineHookId` by + using the request body as the input. 
This inline hook sends the + provided + + data through the `channel` object and returns a response if it matches + the correct data contract. Otherwise it returns an error. You need to + + construct a JSON payload that matches the payloads that Okta would send + to your external service for this inline hook type. + + + A timeout of three seconds is enforced on all outbound requests, with + one retry in the event of a timeout or an error response from the remote + system. + + If a successful response isn't received after the request, a 400 error + is returned with more information about what failed. + + + >**Note:** This execution endpoint isn't tied to any other functionality + in Okta, and you should only use it for testing purposes. + operationId: executeInlineHook + x-codegen-request-body-name: payloadData + requestBody: + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/PasswordImportRequestExecute' + - $ref: '#/components/schemas/TelephonyRequestExecute' + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + - $ref: '#/components/schemas/TokenRequest' + - $ref: '#/components/schemas/SAMLPayloadExecute' + - $ref: '#/components/schemas/UserImportRequestExecute' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportPayloadExample' + TelephonyPayloadExample: + $ref: '#/components/examples/TelephonyPayloadExample' + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentRequest' + TokenPayLoadExample: + $ref: '#/components/examples/TokenPayLoadExample' + SAMLPayloadExample: + $ref: '#/components/examples/SAMLPayLoadExample' + UserImportPayloadExample: + $ref: '#/components/examples/UserImportPayloadExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/PasswordImportResponse' + - $ref: '#/components/schemas/TelephonyResponse' + - $ref: 
'#/components/schemas/RegistrationInlineHookResponse' + - $ref: '#/components/schemas/TokenHookResponse' + - $ref: '#/components/schemas/SAMLHookResponse' + - $ref: '#/components/schemas/UserImportResponse' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportVerifiedResponse' + TelephonyPayloadExample: + $ref: '#/components/examples/TelephonySuccessResponse' + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentResponse' + TokenPayLoadExample: + $ref: '#/components/examples/TokenHookResponse' + SAMLPayloadExample: + $ref: '#/components/examples/SAMLHookResponseExample' + UserImportPayloadExample: + $ref: '#/components/examples/UserImportChangeAppUserProfileExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathInlineHookId' + /api/v1/inlineHooks/{inlineHookId}/lifecycle/activate: + post: + summary: Activate an inline hook + description: Activates the inline hook by `inlineHookId` + operationId: activateInlineHook + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHook' + examples: + ActivateAnInlineHook: + $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + 
parameters: + - $ref: '#/components/parameters/pathInlineHookId' + /api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate: + post: + summary: Deactivate an inline hook + description: Deactivates the inline hook by `inlineHookId` + operationId: deactivateInlineHook + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/InlineHook' + examples: + DeactivateAnInlineHook: + $ref: '#/components/examples/InlineHookMgmtHTTPexampleDeactivate' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage + tags: + - InlineHook + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathInlineHookId' +components: + schemas: + InlineHook: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannel' + created: + type: string + format: date-time + readOnly: true + description: Date of the inline hook creation + id: + type: string + readOnly: true + description: The unique identifier for the inline hook + lastUpdated: + type: string + format: date-time + readOnly: true + description: Date of the last inline hook update + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + status: + $ref: '#/components/schemas/InlineHookStatus' + type: + $ref: '#/components/schemas/InlineHookType' + version: + type: string + description: >- + Version of the inline hook type. The currently supported version is + `1.0.0`. 
+ readOnly: true + _links: + $ref: '#/components/schemas/InlineHookLinks' + InlineHookCreate: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannelCreate' + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + type: + $ref: '#/components/schemas/InlineHookType' + version: + type: string + description: >- + Version of the inline hook type. The currently supported version is + `1.0.0`. + InlineHookCreateResponse: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannel' + created: + type: string + format: date-time + readOnly: true + description: Date of the inline hook creation + id: + type: string + readOnly: true + description: The unique identifier for the inline hook + lastUpdated: + type: string + format: date-time + readOnly: true + description: Date of the last inline hook update + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + status: + $ref: '#/components/schemas/InlineHookStatus' + type: + $ref: '#/components/schemas/InlineHookType' + version: + type: string + description: >- + Version of the inline hook type. The currently supported version is + `1.0.0`. + readOnly: true + _links: + $ref: '#/components/schemas/InlineHookLinksCreate' + InlineHookReplace: + description: An inline hook object that specifies the details of the inline hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannelCreate' + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + version: + type: string + description: >- + Version of the inline hook type. The currently supported version is + `1.0.0`. 
+ PasswordImportRequestExecute: + description: Password import inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/PasswordImportRequest' + TelephonyRequestExecute: + description: Telephony inline hook request body + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/TelephonyRequest' + RegistrationInlineHookRequest: + description: Registration inline hook request + type: object + properties: + eventType: + type: string + description: >- + The type of inline hook. The registration inline hook type is + `com.okta.user.pre-registration`. + requestType: + $ref: '#/components/schemas/RegistrationInlineHookRequestType' + source: + type: string + description: The ID of the registration inline hook + discriminator: + propertyName: requestType + mapping: + self.service.registration: '#/components/schemas/RegistrationInlineHookSSRData' + progressive.profile: '#/components/schemas/RegistrationInlineHookPPData' + TokenRequest: + description: Token inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/TokenPayLoad' + SAMLPayloadExecute: + description: SAML assertion inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/SAMLPayLoad' + UserImportRequestExecute: + description: User import inline hook request + allOf: + - $ref: '#/components/schemas/InlineHookBasePayload' + - $ref: '#/components/schemas/UserImportRequest' + PasswordImportResponse: + description: Password import inline hook response + type: object + properties: + commands: + description: >- + The `commands` object specifies whether Okta accepts the end user's + sign-in credentials as valid or not. For the password import inline + hook, you typically only return one `commands` object with one array + element in it. 
+ type: array + items: + type: object + properties: + type: + description: >- + The location where you specify the command. For the password + import inline hook, there's only one command, + `com.okta.action.update`. + value: + description: >- + The parameter value of the command. + + * To indicate that the supplied credentials are valid, supply + a type property set to `com.okta.action.update` together with + a value property set to `{"credential": "VERIFIED"}`. + + * To indicate that the supplied credentials are invalid, + supply a type property set to `com.okta.action.update` + together with a value property set to `{"credential": + "UNVERIFIED"}`. + + Alternatively, you can send an empty response (`204`). By + default, the `data.action.credential` is always set to + `UNVERIFIED`. + type: object + properties: + credential: + type: string + enum: + - UNVERIFIED + - VERIFIED + TelephonyResponse: + description: Telephony inline hook response + type: object + properties: + commands: + description: >- + The `commands` object specifies whether Okta accepts the end user's + sign-in credentials as valid or not. For the telephony inline hook, + you typically only return one `commands` object with one array + element in it. + type: array + items: + type: object + properties: + type: + description: >- + The location where you specify the command. For the telephony + inline hook, there's only one command, + `com.okta.telephony.action`. + type: string + value: + description: >- + The status of the telephony operation along with optional + additional information about the provider, transaction ID and + any other transaction metadata. + type: array + items: + type: object + properties: + status: + type: string + description: Status of telephony callout + enum: + - SUCCESSFUL + - PENDING + - FAILED + x-enumDescriptions: + SUCCESSFUL: >- + External web service was able to deliver the OTP to + the Requester. 
+ PENDING: >- + External web service wasn't able to confirm delivery + of the OTP to the Requester. + FAILED: >- + External web service was unable to deliver the OTP to + the Requester. + provider: + type: string + description: Telephony provider for sms/voice + transactionId: + type: string + description: Transaction ID for sms/voice + transactionMetadata: + type: string + description: Any relevant metadata for the telephony transaction + RegistrationInlineHookResponse: + description: Registration inline hook response + type: object + properties: + commands: + type: array + TokenHookResponse: + description: >- + For the token inline hook, the `commands` and `error` objects that you + can return in the JSON payload of your response are defined in the + following sections. + + > **Note:** The size of your response payload must be less than 256 KB. + type: object + properties: + commands: + description: >- + You can use the `commands` object to provide commands to Okta. It's + where you can tell Okta to add more claims to the token. + + The `commands` object is an array, allowing you to send multiple + commands. In each array element, there needs to be a `type` property + and `value` property. The `type` property is where you specify which + of the supported commands you want to execute, and `value` is where + you supply an operand for that command. + + In the case of the token hook type, the `value` property is itself a + nested object in which you specify a particular operation, a path to + act on, and a value. + type: array + items: + type: object + properties: + type: + description: >- + One of the supported commands: + `com.okta.identity.patch`: Modify an ID token + `com.okta.access.patch`: Modify an access token + > **Note:** The `commands` array should only contain commands + that can be applied to the requested tokens. For example, if + only an ID token is requested, the `commands` array shouldn't + contain commands of the type `com.okta.access.patch`. 
+ type: string + value: + description: >- + The `value` object is where you specify the operation to + perform. It's an array, which allows you to request more than + one operation. + type: array + items: + type: object + properties: + op: + description: >- + The name of one of the supported ops: `add`: Add a + claim. `replace`: Modify an existing claim and update + the token lifetime. `remove`: Remove an existing claim. + + #### `op: add` notes + + +
+ + Add a claim + + Add a claim + + **Existing JSON** + + ``` + { + "employeeId": "00u12345678" + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.assertion.patch", + "value": [ + { + "op": "add", + "path": "/claims/extPatientId", + "value": "1234" + } + ] + }, + { + "type": "com.okta.assertion.patch", + "value": [ + { + "op": "add", + "path": "/claims/external_guid", + "value": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 1234, + "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ``` + + > **Note:** If you use the `add` operation and include an existing claim in your response with a different value, that value is replaced. Use the `replace` operation instead. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. See `op: replace` notes. +
+ + +
+ + Add new members to existing JSON + objects + + If you have a JSON object in a claim called `employee_profile`, and you want to add the `department_id` member to the claim, the existing JSON is updated by specifying the claim in the path, followed by the name of the object member. + + **Existing JSON** + + ``` + { + "employee_profile": { + "employee_id": "1234", + "name": "Anna" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "add", + "path": "/claims/employee_profile/department_id", + "value": "4947" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employee_profile": { + "employee_id": "1234", + "name": "Anna", + "department_id": "4947" + } + } + ``` + + > **Note:** If you attempt to add a member within a JSON object that doesn't exist or using an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. +
+ + +
+ + Add new elements to existing arrays + + Append an element to an array by specifying the name of the array, followed by the index where you want to insert the element in the path. Alternatively, you can specify the array name followed by a hyphen (-) in the path to append an element at the end of the array. For example, you have an array that contains the user's preferred airports, and you want to add a new airport to the array. The existing target JSON object is updated by specifying the claim in the path, followed by the index of where to insert the claim. + + **Existing JSON** + + ``` + { + "preferred_airports":[ + "sjc", + "sfo", + "oak" + ] + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "add", + "path": "/claims/preferred_airports/3", + "value": "lax" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "preferred_airports":[ + "sjc", + "sfo", + "oak", + "lax" + ] + } + ``` + + > **Note:** If you attempt to add an element within an array that doesn't exist or specify an invalid index, the entire PATCH fails and errors are logged in the token hooks events. +
+ + + #### `op: replace` notes + + +
+ + Modify an existing claim + + You can modify (`replace`) existing custom claims or OIDC standard profile claims, such as `birthdate` and `locale`. You can't, however, modify any system-specific claims, such as `iss` or `ver`. Also, you can't modify a claim that isn't currently part of the token in the request payload. Attempting to modify a system-specific claim or using an invalid operation results in the entire PATCH failing and errors logged in the token hooks events. + + See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify. + + > **Note:** Although the `aud` and `sub` claims are listed as reserved claims, you can modify those claims in access tokens. You can't modify these claims in ID tokens. + + See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify. + + **Existing target JSON object** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 1234, + "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7" + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/claims/extPatientId", + "value": "12345" + }, + { + "op": "replace", + "path": "/claims/external_guid", + "value": "D1495796-G98E-585C-959E-1269CD6766B8" + } + ] + } + ] + } + ``` + + **Updated JSON*** + + ``` + { + "employeeId": "00u12345678", + "extPatientId": 12345, + "external_guid": "D1495796-G98E-585C-959E-1269CD6766B8" + } + ``` + +
+ + +
+ + Modify members within existing JSON objects and + arrays + + Use the `replace` operation to modify members within JSON objects and elements within arrays. For example, you have a JSON object in a claim called `employee_profile`, and you want to update the email address of the employee. The existing target JSON object is updated by specifying the claim in the path, followed by the name of the object member that you want to modify. + + **Existing target JSON object** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna.v@company.com" + } + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/claims/employee_profile/email", + "value": "anna@company.com" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna@company.com" + } + } + ``` + + > **Note:** If you attempt to modify a member within a JSON object that doesn't exist or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + + Similarly, you can replace elements in an array by specifying the array name and the valid index of the element that you want to replace in the path. +
+ + +
+ + Modify token lifetimes + You can modify how long the access and ID tokens are valid by specifying the `lifetime` in seconds. The `lifetime` value must be a minimum of five minutes (300 seconds) and a maximum of 24 hours (86,400 seconds). + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "replace", + "path": "/token/lifetime/expiration", + "value": 36000 + } + ] + }, + { + "type": "com.okta.access.patch", + "value": [ + { + "op": "replace", + "path": "/token/lifetime/expiration", + "value": 36000 + } + ] + } + ] + } + ``` + +
+ + + #### `op: remove` notes + + +
+ + Remove a claim + + You can remove existing custom claims or OIDC standard profile claims, such as `birthdate` or `locale`. You can't, however, remove any system-specific claims, such as `iss` or `ver`. You also can't remove a claim that isn't currently part of the token in the request payload. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. + + See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify. + + See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify. + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/birthdate", + "value": null + } + ] + }, + { + "type": "com.okta.access.patch", + "value": [ + { + "op": "remove", + "path": "/claims/external_guid" + } + ] + } + ] + } + ``` + + > **Note:** The `value` property for the `remove` operation isn't required. If you provide it in the response, it should be set to `null`. Providing any other value fails the entire PATCH response. + +
+ + +
+ + Remove members from existing arrays + + Use the `remove` operation to remove members from existing arrays. For example, you have an array that contains the user's preferred airports, and you want to remove an airport from the array. The existing target JSON object is updated by specifying the array name followed by the index of the element that you want to remove. You don't need to specify a value for the remove operation, but you can specify `null` as the value if you want. + + **Existing target JSON object** + + ``` + { + "preferred_airports": [ + "sjc", + "lax", + "sfo", + "oak" + ] + } + ``` + + **Operation** + + ``` + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/preferred_airports/1" + } + ] + } + ] + } + ``` + + **Updated JSON** + + ``` + { + "preferred_airports": [ + "sjc", + "sfo", + "oak" + ] + } + ``` + +
+ + +
+ + Remove members from existing JSON + objects + + Use the `remove` operation to remove members from existing JSON objects. Do this by specifying the JSON object in the path, followed by the claim member that you would like to remove. For example, you have an `employee_profile` claim, and you want to remove `email` from it. + + **Existing target JSON object** + + + ``` + + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + "email":"anna.v@company.com" + } + } + + ``` + + + **Operation** + + + ``` + + { + "commands": [ + { + "type": "com.okta.identity.patch", + "value": [ + { + "op": "remove", + "path": "/claims/employee_profile/email" + } + ] + } + ] + } + + ``` + + + **Updated JSON** + + ``` + + { + "employee_profile": { + "employee_id":"1234", + "name":"Anna", + } + } + + ``` + + +
+ type: string + path: + description: >- + Location within the token to apply the operation, + specified as a slash-delimited path. When you add, + replace, or remove a claim, this path always begins with + `/claims/` and is followed by the name of the new claim + that you're adding. When you replace a token lifetime, + the path should always be `/token/lifetime/expiration`. + type: string + value: + description: Value to set the claim to. + oneOf: + - type: string + - type: integer + - type: object + error: + description: >- + When an error object is returned, it causes Okta to return an OAuth + 2.0 error to the requester of the token. In the error response, the + value of `error` is `server_error`, and the value of + `error_description` is the string that you supplied in the + `errorSummary` property of the `error` object that you returned. + type: object + properties: + errorSummary: + description: >- + Human-readable summary of the error. If the error object doesn't + include the `errorSummary` property defined, the following + common default message is returned to the end user: `The + callback service returned an error`. + type: string + SAMLHookResponse: + type: object + properties: + commands: + description: >- + The `commands` object is where you tell Okta to add additional + claims to the assertion or to modify the existing assertion + statements. + + + `commands` is an array, allowing you to send multiple commands. In + each array element, include a `type` property and a `value` + property. The `type` property is where you specify which of the + supported commands you want to execute, and `value` is where you + supply an operand for that command. + + In the case of the SAML assertion inline hook, the `value` property + is itself a nested object, in which you specify a particular + operation, a path to act on, and a value. 
+ type: array + items: + type: object + properties: + type: + type: string + description: One of the supported commands `com.okta.assertion.patch` + value: + type: array + items: + type: object + properties: + op: + type: string + description: |- + The name of one of the supported ops: + `add`: Add a new claim to the assertion + `replace`: Modify any element of the assertion + > **Note:** If a response to the SAML assertion inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta process flow continues with the original SAML assertion returned. + path: + type: string + description: Location, within the assertion, to apply the operation + value: + oneOf: + - type: string + - type: integer + - type: object + description: >- + The value of the claim that you add or replace, and can + also include other attributes. If adding to a claim, add + another `value` attribute residing within an array + called `attributeValues`. + + + See the following examples: + + + #### Simple value (integer or string) + + + `"value": 300` or `"value": "replacementString"` + + + #### Attribute value (object) + + + ` "value": { + "authContextClassRef": "replacementValue" + }` + + #### AttributeValues array value (object) + + + ` "value": { + "attributes": { + "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" + }, + "attributeValues": [ + {"attributes": { + "xsi:type": "xs:string" + }, + "value": "4321"} + ] + }` + error: + description: >- + An object to return an error. Returning an error causes Okta to + record a failure event in the Okta System Log. + + The string supplied in the `errorSummary` property is recorded in + the System Log event. + + > **Note:** If the error object doesn't include the defined + `errorSummary` property, the following common default message + + is returned to the end user: `The callback service returned an + error`. 
+ + + > **Note:** If a response to a SAML inline hook request isn't + received from your external service within three seconds, a timeout + occurs. In this scenario, the Okta SAML inline hook process + continues, and the user is created. + type: object + properties: + errorSummary: + description: A human-readable summary of the error + type: string + UserImportResponse: + type: object + properties: + commands: + description: >- + The `commands` object is where you can provide commands to Okta. It + is an array that allows you to send multiple commands. + + Each array element needs to consist of a type-value pair. + type: array + items: + type: object + properties: + type: + description: >- + The command types supported for the import inline hook. + + When using the `com.okta.action.update` command to specify + that the user should be treated as a match, you need to also + provide a `com.okta.user.update` command that sets the ID of + the Okta user. + type: string + enum: + - com.okta.appUser.profile.update + - com.okta.user.profile.update + - com.okta.action.update + - com.okta.user.update + x-enumDescriptions: + com.okta.appUser.profile.update: Change values of attributes in the user's app user profile + com.okta.user.profile.update: Change values of attributes in the user's Okta user profile + com.okta.action.update: >- + Specify whether to create a new Okta user for the user being + imported or treat them as a match of an existing Okta user + com.okta.user.update: >- + Specify the existing Okta user that the imported user should + be treated as a match of. + value: + description: >- + The `value` object is the parameter to pass to the command. In + the case of the `com.okta.appUser.profile.update` and + `com.okta.user.profile.update` commands, + + the parameter should be a list of one or more profile + attributes and the values you wish to set them to. 
In the case + of the `com.okta.action.update` command, + + the parameter should be a `result` property set to either + `CREATE_USER` or `LINK_USER`. + type: object + additionalProperties: + type: string + error: + description: >- + An object to return an error. Returning an error causes Okta to + record a failure event in the Okta System Log. + + The string supplied in the `errorSummary` property is recorded in + the System Log event. + + + >**Note:** If a response to an import inline hook request is not + received from your external service within three seconds, a timeout + occurs. In this scenario, the Okta import process continues and the + user is created. + type: object + properties: + errorSummary: + description: A human-readable summary of the error + type: string + InlineHookChannel: + type: object + properties: + type: + $ref: '#/components/schemas/InlineHookChannelType' + version: + type: string + description: >- + Version of the inline hook type. The currently supported version is + `1.0.0`. 
+ discriminator: + propertyName: type + mapping: + HTTP: '#/components/schemas/InlineHookChannelHttp' + OAUTH: '#/components/schemas/InlineHookChannelOAuth' + InlineHookStatus: + type: string + enum: + - ACTIVE + - INACTIVE + InlineHookType: + description: One of the inline hook types + type: string + enum: + - com.okta.import.transform + - com.okta.oauth2.tokens.transform + - com.okta.saml.tokens.transform + - com.okta.telephony.provider + - com.okta.user.credential.password.import + - com.okta.user.pre-registration + InlineHookLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + description: URL to activate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: URL to deactivate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + delete: + description: URL to delete the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + execute: + description: URL to test the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + InlineHookChannelCreate: + type: object + properties: + type: + $ref: '#/components/schemas/InlineHookChannelType' + version: + type: string + description: >- + Version of the inline hook type. The currently supported version is + `1.0.0`. 
+ discriminator: + propertyName: type + mapping: + HTTP: '#/components/schemas/InlineHookChannelHttpCreate' + OAUTH: '#/components/schemas/InlineHookChannelOAuthCreate' + InlineHookLinksCreate: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + deactivate: + description: URL to deactivate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + execute: + description: URL to test the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + InlineHookBasePayload: + type: object + properties: + cloudEventVersion: + description: The inline hook cloud version + example: 0.1 + type: string + contentType: + description: The inline hook request header content + example: application/JSON + type: string + eventId: + type: string + description: The individual inline hook request ID + example: 3o9jBzq1SmOGmmsDsqyyeQ + eventTime: + type: string + description: The time the inline hook request was sent + example: '2020-01-17T21:23:56.000Z' + eventTypeVersion: + description: The inline hook version + example: 1 + type: string + PasswordImportRequest: + type: object + properties: + data: + $ref: '#/components/schemas/PasswordImportRequestData' + eventType: + type: string + description: >- + The type of inline hook. The password import inline hook type is + `com.okta.user.credential.password.import`. + source: + description: The ID and URL of the password import inline hook + type: string + TelephonyRequest: + type: object + properties: + data: + $ref: '#/components/schemas/TelephonyRequestData' + eventType: + type: string + description: >- + The type of inline hook. The telephony inline hook type is + `com.okta.telephony.provider`. + requestType: + type: string + description: >- + The type of inline hook request. For example, + `com.okta.user.telephony.pre-enrollment`. 
+ source: + description: The ID and URL of the telephony inline hook + type: string + RegistrationInlineHookRequestType: + description: >- + The type of registration hook. Use either `self.service.registration` or + `progressive.profile`. + type: string + enum: + - progressive.profile + - self.service.registration + TokenPayLoad: + type: object + properties: + data: + type: object + properties: + context: + allOf: + - $ref: '#/components/schemas/BaseContext' + - type: object + properties: + protocol: + description: Details of the authentication protocol + type: object + properties: + type: + description: The type of authentication protocol used + type: string + example: OAUTH2.0 + request: + $ref: '#/components/schemas/TokenProtocolRequest' + OriginalGrant: + description: >- + Information about the original token request used to + get the refresh token being used, when in a refresh + token request + type: object + properties: + request: + $ref: '#/components/schemas/TokenProtocolRequest' + refresh_token: + $ref: '#/components/schemas/RefreshToken' + issuer: + description: The authorization server's issuer identifier + type: object + properties: + uri: + description: The authorization server's issuer identifier + type: string + format: uri + client: + description: The client making the token request + type: object + properties: + id: + description: The unique identifier of the client + type: string + name: + description: The name of the client + type: string + type: + description: The type of client + type: string + example: PUBLIC + policy: + description: The authorization server policy used to mint the token + type: object + properties: + id: + description: The unique identifier for the policy + type: string + example: 00p4ktaq2ryOYtsHC0g7 + rule: + description: >- + The authorization server policy rule used to mint + the token + type: object + properties: + id: + description: The unique identifier for the policy rule + type: string + example: 0pr4ktb7elD3ZvrMy0g7 
+ identity: + allOf: + - description: >- + Provides information on the properties of the ID token that + Okta has generated, including the existing claims that it + contains + - $ref: '#/components/schemas/BaseToken' + access: + allOf: + - description: >- + Provides information on the properties of the access token + that Okta has generated, including the existing claims that + it contains + - $ref: '#/components/schemas/BaseToken' + - type: object + properties: + scopes: + description: >- + The scopes contained in the token. For descriptions of + the scopes that you can include, see the Okta [OpenID + Connect and OAuth 2.0 API + reference](/openapi/okta-oauth/guides/overview/#scopes). + type: object + refresh_token: + $ref: '#/components/schemas/RefreshToken' + eventType: + type: string + description: >- + The type of inline hook. The token inline hook type is + `com.okta.oauth2.tokens.transform`. + source: + description: The URL of the token inline hook + type: string + SAMLPayLoad: + type: object + properties: + data: + type: object + properties: + context: + allOf: + - $ref: '#/components/schemas/BaseContext' + - type: object + properties: + protocol: + description: Details of the assertion protocol being used + type: object + properties: + type: + description: >- + The type of authentication protocol being used for + the assertion + type: string + example: SAML2.0 + issuer: + type: object + properties: + id: + description: >- + The unique identifier of the issuer that + provided the SAML assertion + type: string + example: 0oath92zlO60urQOP0g3 + name: + description: >- + The name of the issuer that provided the SAML + assertion + type: string + example: SAML 2.0 App + uri: + description: >- + The base URI of the SAML endpoint that's used to + assert the authorization + type: string + example: http://www.okta.com/exkth8lMzFm0HZOTU0g3 + assertion: + description: Details of the SAML assertion that was generated + type: object + properties: + subject: + 
description: >- + Provides a JSON representation of the `` + element of the SAML assertion + type: object + properties: + nameId: + description: The unique identifier of the user + type: string + example: user@example.com + nameFormat: + description: Indicates how to interpret the attribute name + type: string + example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + confirmation: + type: object + properties: + method: + description: >- + Used to indicate how the authorization server + confirmed the SAML assertion + type: string + example: urn:oasis:names:tc:SAML:2.0:cm:bearer + data: + type: object + properties: + recipient: + description: >- + The token endpoint URL of the authorization + server + type: string + example: http://www.example.com:7070/saml/sso + authentication: + description: >- + Provides a JSON representation of the + `` element of the SAML assertion + type: object + properties: + sessionIndex: + description: The unique identifier describing the assertion statement + type: string + example: id1553800523546.312669168 + authnContext: + description: >- + Details of the authentication methods used for the SAML + assertion + type: object + properties: + authnContextClassRef: + description: >- + Describes the identity provider's supported + authentication context classes + type: string + example: >- + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + conditions: + description: >- + Provides a JSON representation of the `` + element of the SAML assertion + type: object + properties: + audienceRestriction: + description: >- + Describes which service providers the assertion is valid + for + type: array + items: + type: string + example: + - urn:example:sp + claims: + description: >- + Provides a JSON representation of the + `` element contained in the + generated SAML assertion. Contains any optional SAML + attribute statements that you have defined for the app using + the Admin Console's **SAML Settings**. 
+ type: object + additionalProperties: + type: object + properties: + attributes: + type: object + properties: + NameFormat: + type: string + description: Indicates how to interpret the attribute name + attributeValues: + type: array + items: + type: object + properties: + attributes: + type: object + properties: + xsi:type: + type: string + description: Used to derive the type of the attribute + value: + type: string + description: The actual value of the attribute + lifetime: + description: >- + Specifies the expiration time, in seconds, of the SAML + assertion + type: object + properties: + expiration: + description: The expiration time in seconds + type: integer + example: 300 + eventType: + type: string + description: >- + The type of inline hook. The SAML assertion inline hook type is + `com.okta.saml.tokens.transform`. + source: + description: The ID and URL of the SAML assertion inline hook + type: string + UserImportRequest: + type: object + properties: + data: + $ref: '#/components/schemas/UserImportRequestData' + eventType: + type: string + description: >- + The type of inline hook. The user import inline hook type is + `com.okta.import.transform`. + source: + description: The ID of the user import inline hook + type: string + InlineHookChannelType: + type: string + enum: + - HTTP + - OAUTH + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + ErrorCause: + type: object + properties: + errorSummary: + type: string + PasswordImportRequestData: + type: object + properties: + action: + type: object + description: >- + This object specifies the default action Okta is set to take. Okta + takes this action if your external service sends an empty HTTP 204 + response. You can override the default action by returning a + commands object in your response specifying the action to take. + properties: + credential: + description: >- + The status of the user credential, either `UNVERIFIED` or + `VERIFIED` + default: UNVERIFIED + type: string + context: + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + credential: + type: object + properties: + username: + description: >- + The `username` that the user supplied when attempting to + sign in to Okta. + type: string + password: + description: >- + The `password` that the user supplied when attempting to + sign in to Okta. 
+ type: string + TelephonyRequestData: + type: object + properties: + context: + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + messageProfile: + type: object + description: >- + Message profile specifies information about the telephony + (sms/voice) message to be sent to the Okta user + properties: + msgTemplate: + description: Default or Okta org configured sms or voice message template + type: string + phoneNumber: + description: The Okta's user's phone number + type: string + otpExpires: + description: The time when OTP expires + type: string + deliveryChannel: + description: The channel for OTP delivery - SMS or voice + type: string + otpCode: + description: The OTP code requested by the Okta user + type: string + locale: + description: The locale associated with the Okta user + type: string + userProfile: + type: object + description: User profile specifies information about the Okta user + properties: + firstName: + description: The user's first name + type: string + lastName: + description: The user's last name + type: string + login: + description: The user's Okta login + type: string + userId: + description: The user's Okta user ID + type: string + BaseContext: + description: >- + This object contains a number of sub-objects, each of which provide some + type of contextual information. + type: object + properties: + request: + $ref: '#/components/schemas/InlineHookRequestObject' + session: + description: Details of the user session + type: object + properties: + id: + description: The unique identifier for the user's session + type: string + example: 102LN9Bnuc4S_ewfc9BYwageA + userId: + description: The unique identifier for the user + type: string + example: 00uq8tMo3zV0OfJON0g3 + login: + description: >- + The username used to identify the user. This is often the user's + email address. 
+ type: string + example: user@example.com + createdAt: + description: Timestamp of when the session was created + type: string + format: date-time + example: '2019-03-28T16:45:55.000Z' + expiresAt: + description: Timestamp of when the session expires + type: string + format: date-time + example: '2019-03-28T21:15:23.000Z' + status: + description: Represents the current status of the user's session + type: string + example: ACTIVE + lastPasswordVerification: + description: Timestamp of when the user was last authenticated + type: string + format: date-time + example: '2019-03-28T16:45:55.000Z' + amr: + description: The authentication method reference + type: array + items: + type: string + example: + - PASSWORD + idp: + $ref: '#/components/schemas/SessionIdentityProvider' + mfaActive: + description: Describes whether multifactor authentication was enabled + type: boolean + example: false + user: + description: >- + Identifies the Okta user that the token was generated to + authenticate and provides details of their Okta user profile + type: object + properties: + id: + description: The unique identifier for the user + type: string + example: 00uq8tMo3zV0OfJON0g3 + passwordChanged: + description: The timestamp when the user's password was last updated + type: string + format: date-time + example: '2018-09-11T23:19:12.000Z' + profile: + type: object + properties: + login: + description: >- + The username used to identify the user. This is often the + user's email address. + type: string + example: user@example.com + firstName: + description: The first name of the user + type: string + example: John + lastName: + description: The last name of the user + type: string + example: Smith + locale: + description: >- + The user's default location for purposes of localizing items + such as currency, date time format, numerical + representations, and so on. 
+ + A locale value is a concatenation of the [ISO + 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes) + two-letter language code, an underscore, and the [ISO + 3166-1](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) + two-letter country code. For example, `en_US` specifies the + language English and country US. This value is `en_US` by + default. + type: string + example: en_US + timeZone: + description: The user's timezone + type: string + example: America/Los_Angeles + _links: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for + the current status of the user. These links are used to discover + what groups the user is a part of and what factors they have + enrolled. + type: object + properties: + groups: + description: URL to retrieve the individual user's group memberships + allOf: + - $ref: '#/components/schemas/HrefObject' + factors: + description: URL to retrieve individual user's factor enrollments + allOf: + - $ref: '#/components/schemas/HrefObject' + TokenProtocolRequest: + description: Details of the token request + type: object + properties: + client_id: + description: The ID of the client associated with the token + type: string + grant_type: + $ref: '#/components/schemas/GrantType' + redirect_uri: + description: Specifies the callback location where the authorization was sent + type: string + format: uri + response_mode: + description: The authorization response mode + type: string + enum: + - form_post + - fragment + - okta_post_message + - query + response_type: + description: The authorization response type + type: string + enum: + - code + - id_token + - token + - none + scope: + description: The scopes requested + type: string + state: + type: string + RefreshToken: + description: The refresh token + type: object + properties: + jti: + description: The refresh token ID + type: string + BaseToken: + type: object + properties: + claims: + description: >- + 
Claims included in the token. Consists of name-value pairs for each + included claim. For descriptions of the claims that you can include, + see the Okta [OpenID Connect and OAuth 2.0 API + reference](/openapi/okta-oauth/guides/overview/#claims). + type: object + token: + description: The token + type: object + properties: + lifetime: + description: Lifetime of the token + type: object + properties: + expiration: + description: Time in seconds until the token expires + type: integer + UserImportRequestData: + type: object + properties: + action: + type: object + description: The object that specifies the default action Okta is set to take + properties: + result: + description: >- + The current default action that results when Okta imports a + user. The two possible values are `CREATE_USER` and `LINK_USER`. + You + + can change the action that is taken by means of the commands + object you return. + type: string + enum: + - CREATE_USER + - LINK_USER + x-enumDescriptions: + CREATE_USER: A new Okta user profile is created for the user + LINK_USER: >- + The user is treated as a match for the existing Okta user + identified by the value of `data.user.id` + appUser: + type: object + description: The app user profile being imported + properties: + profile: + type: object + description: >- + Provides the name-value pairs of the attributes contained in the + app user profile of the user who is being imported. You can + change + + the values of attributes in the user's app profile by means of + the `commands` object you return. If you change attributes in + the app + + profile, they then flow through to the Okta user profile, based + on matching and mapping rules. 
+ additionalProperties: + type: string + context: + type: object + properties: + conflicts: + description: An array of user profile attributes that are in conflict + type: array + items: + additionalProperties: true + type: string + application: + type: object + description: Details of the app from which the user is being imported + properties: + name: + type: string + description: The app name + id: + type: string + description: The app ID + label: + type: string + description: The user-defined display name for the app + status: + type: string + description: The status of the app + enum: + - ACTIVE + - INACTIVE + job: + type: object + description: The details of the running import job + properties: + id: + type: string + description: The ID number of the import job + type: + type: string + description: The type of import job + matches: + type: array + description: >- + The list of Okta users currently matched to the app user based + on import matching. There can be more than one match. + items: + additionalProperties: true + type: string + policy: + type: array + description: The list of any policies that apply to the import matching + items: + additionalProperties: true + type: string + user: + type: object + description: >- + Provides information on the Okta user profile currently set to be + used for the user who is being imported, based on the matching + + rules and attribute mappings that were applied. + properties: + profile: + description: >- + The `data.user.profile` contains the name-value pairs of the + attributes in the user profile. If the user has been matched to + an existing + + Okta user, a `data.user.id` object is included, containing the + unique identifier of the Okta user profile. + + + You can change the values of the attributes by means of the + `commands` object you return. 
+ type: object + additionalProperties: + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + InlineHookRequestObject: + description: The API request that triggered the inline hook + type: object + properties: + id: + type: string + description: The unique identifier that Okta assigned to the API request + ipAddress: + type: string + description: The IP address of the client that made the API request + method: + type: string + description: The HTTP request method of the API request + url: + type: object + description: The URL of the API endpoint + properties: + value: + type: string + description: The URL value of the API endpoint + SessionIdentityProvider: + type: object + properties: + id: + type: string + readOnly: true + description: >- + Identity Provider ID. If the `type` is `OKTA`, then the `id` is the + org ID. + type: + $ref: '#/components/schemas/SessionIdentityProviderType' + GrantType: + description: >- + Determines the mechanism Okta uses to authorize the creation of the + tokens. 
+ type: string + enum: + - authorization_code + - client_credentials + - implicit + - interaction_code + - password + - refresh_token + - urn:ietf:params:oauth:grant-type:device_code + - urn:ietf:params:oauth:grant-type:jwt-bearer + - urn:ietf:params:oauth:grant-type:saml2-bearer + - urn:ietf:params:oauth:grant-type:token-exchange + - urn:openid:params:grant-type:ciba + - urn:okta:params:oauth:grant-type:otp + - urn:okta:params:oauth:grant-type:oob + - http://auth0.com/oauth/grant-type/mfa-otp + - http://auth0.com/oauth/grant-type/mfa-oob + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + SessionIdentityProviderType: + type: string + enum: + - ACTIVE_DIRECTORY + - FEDERATION + - LDAP + - OKTA + - SOCIAL + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + inlineHookType: + name: type + description: One of the supported inline hook types + in: query + schema: + type: string + enum: + - com.okta.import.transform + - com.okta.oauth2.tokens.transform + - com.okta.saml.tokens.transform + - com.okta.user.credential.password.import + - com.okta.user.pre-registration + - com.okta.telephony.provider + pathInlineHookId: 
+ name: inlineHookId + description: '`id` of the inline hook' + in: path + required: true + schema: + type: string + example: Y7Rzrd4g4xj6WdKzrBHH + examples: + InlineHooktMgmtListAllexample: + summary: List all inline hooks response + value: + - id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + - id: calj4fythrqj5Bxol5e5 + status: ACTIVE + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.user.pre-registration + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/registrationHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5e6 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: client_secret_post + scope: null + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 + execute: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute + hints: + allow: + - POST + deactivate: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate + hints: + allow: + - POST + - id: calj4fythrqj5Bxol4ai6 + status: ACTIVE + name: Token Hook with OAuth 2.0 Private Key JWT + type: 
com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5d7 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: private_key_jwt + scope: null + hookKeyId: HKYj4ft1a3fjmwZg05d6 + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 + execute: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute + hints: + allow: + - POST + deactivate: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtCreateHTTPRequest: + summary: Create an inline hook with HTTP authentication + value: + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: + - key: x-any-key + value: my-header-value + method: POST + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + InlineHookMgmtCreateOAuthClientSecretRequest: + summary: Create an inline hook with OAuth 2.0 Client Secret + value: + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + authType: client_secret_post + clientId: 0oaj43vkrq7wKxZSI5e6 + clientSecret: b-iATvTu7sIocvhWx95S9kF.....vfZhM6q6khSaojLBejF21cUn5bPm9abi + uri: https://example.com/tokenHook + headers: [] + method: POST + tokenUrl: https://example.okta.com/oauth2/default/v1/token + InlineHookMgmtCreateOAuthPrivateKeyRequest: + summary: Create an inline hook with OAuth 2.0 Private Key + value: + name: Token hook with OAuth 2.0 Private Key authentication + type: 
com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + authType: private_key_jwt + clientId: 0oaj43vkrq7wKxZSI5e6 + hookKeyId: HKYj4ft1a3fjmwZg05e6 + uri: https://example.com/tokenHook + headers: + - key: x-any-key + value: my-header-value + method: POST + tokenUrl: https://example.okta.com/oauth2/default/v1/token + InlineHookMgmtCreateHTTPResponse: + summary: Inline hook with HTTP authentication response + value: + id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + InlineHookMgmtCreateOAuthClientSecretResponse: + summary: Inline hook with OAuth 2.0 Client Secret response + value: + id: calj4fythrqj5Bxol5e5 + status: ACTIVE + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.user.pre-registration + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/registrationHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5e6 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: client_secret_post + scope: null + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 + execute: + href: >- + 
https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute + hints: + allow: + - POST + deactivate: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtCreateOAuthPrivateKeyResponse: + summary: Inline hook with OAuth 2.0 Private Key response + value: + id: calj4fythrqj5Bxol4ai6 + status: ACTIVE + name: Token Hook with OAuth 2.0 Private Key JWT + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5d7 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: private_key_jwt + scope: null + hookKeyId: HKYj4ft1a3fjmwZg05d6 + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 + execute: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute + hints: + allow: + - POST + deactivate: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtHTTPexample: + summary: An inline hook with HTTP authentication + value: + id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: 
https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + InlineHookMgmtOAuthCSPexample: + summary: An inline hook example with OAuth 2.0 Client Secret Post + value: + id: calj4fythrqj5Bxol5e5 + status: ACTIVE + name: Registration hook with OAuth 2.0 Client Secret Post + type: com.okta.user.pre-registration + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/registrationHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5e6 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: client_secret_post + scope: null + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 + execute: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute + hints: + allow: + - POST + deactivate: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtOauthPKJexample: + summary: An inline hook example with OAuth 2.0 Private Key JWT + value: + id: calj4fythrqj5Bxol4ai6 + status: ACTIVE + name: Token Hook with OAuth 2.0 Private Key JWT + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: OAUTH + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: null + clientId: 0oaj43vkrq7wKxZSI5d7 + tokenUrl: https:/subdomain.okta.com/oauth2/default/v1/token" + authType: private_key_jwt + scope: null + hookKeyId: HKYj4ft1a3fjmwZg05d6 + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + self: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 + execute: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute + hints: + allow: + - POST + deactivate: + href: >- + 
https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate + hints: + allow: + - POST + InlineHookMgmtPutHTTPRequest: + summary: Update an inline hook name + value: + name: New name token hook with HTTP authentication + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: + - key: x-any-key + value: my-header-value + method: POST + authScheme: + type: HEADER + key: Authorization + value: my-shared-secret + InlineHookMgmtPutResponse: + value: + id: calb7gacafgwgE7hc5e4 + status: ACTIVE + name: New name token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + description: Inline hook response with a new name + PasswordImportPayloadExample: + summary: An example password import inline hook request body + value: + eventId: 3o9jBzq1SmOGmmsDsqyyeQ + eventTime: '2020-01-17T21:23:56.000Z' + eventType: com.okta.user.credential.password.import + eventTypeVersion: '1.0' + contentType: application/json + cloudEventVersion: '0.1' + source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7 + data: + context: + request: + id: XiIl6wn7005Rr@fjYqeC7CCDBxw + method: POST + url: + value: /idp/idx/challenge/answer + ipAddress: 66.124.153.138 + credential: + username: isaac.brock@example.com + password: Okta + action: + credential: UNVERIFIED + 
TelephonyPayloadExample: + summary: An example telephony inline hook request body + value: + eventId: uS5871kJThSsU8qlA1LTcg + eventTime: '2020-01-17T21:23:56.000Z' + eventType: com.okta.telephony.provider + eventTypeVersion: '1.0' + contentType: application/json + cloudEventVersion: '0.1' + source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7 + data: + context: + request: + id: reqRgSk8IBBRhuo0YdlEDTmUw + method: POST + url: + value: >- + /api/internal/v1/inlineHooks/com.okta.telephony.provider/generatePreview + ipAddress: 127.0.0.1 + userProfile: + firstName: test + lastName: user + login: test.user@okta.com + userId: 00uyxxSknGtK8022w0g3 + messageProfile: + msgTemplate: (HOOK)Your code is 11111 + phoneNumber: 9876543210 + otpExpires: '2022-01-28T21:48:34.321Z' + deliveryChannel: SMS + otpCode: 11111 + locale: EN-US + ProfileEnrollmentRequest: + summary: >- + An example registration hook profile enrollment (SSR) inline hook + request body + value: + eventId: 04Dmt8BcT_aEgM + eventTime: '2022-04-25T17:35:27.000Z' + eventType: com.okta.user.pre-registration + eventTypeVersion: 1 + contentType: application/json + cloudEventVersion: 0.1 + source: regt4qeBKU29vSoPz0g3 + requestType: self.service.registration + data: + context: + request: + method: POST + ipAddress: 127.0.0.1 + id: 123testId456 + url: + value: /idp/idx/enroll/new + userProfile: + firstName: Rosario + lastName: Jones + login: rosario.jones@example.com + email: rosario.jones@example.com + action: ALLOW + TokenPayLoadExample: + summary: An example token inline hook request body + description: An example token inline hook request body + value: + source: https://{yourOktaDomain}/oauth2/default/v1/authorize + eventId: 3OWo4oo-QQ-rBWfRyTmQYw + eventTime: '2019-01-15T23:20:47.000Z' + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + contentType: application/json + eventType: com.okta.oauth2.tokens.transform + data: + context: + request: + id: reqv66CbCaCStGEFc8AdfS0ng + method: GET + 
url: + value: >- + https://{yourOktaDomain}/oauth2/default/v1/authorize?scope=openid+profile+email&response_type=token+id_token&redirect_uri=https%3A%2F%2Fhttpbin.org%2Fget&state=state&nonce=asf&client_id=customClientIdNative + ipAddress: 127.0.0.1 + protocol: + type: OAUTH2.0 + request: + scope: openid profile email + state: state + redirect_uri: https://httpbin.org/get + response_mode: fragment + response_type: token id_token + client_id: customClientIdNative + issuer: + uri: https://{yourOktaDomain}/oauth2/default + client: + id: customClientIdNative + name: Native client + type: PUBLIC + session: + id: 102Qoe7t5PcRnSxr8j3I8I6pA + userId: 00uq8tMo3zV0OfJON0g3 + login: administrator1@clouditude.net + createdAt: '2019-01-15T23:17:09.000Z' + expiresAt: '2019-01-16T01:20:46.000Z' + status: ACTIVE + lastPasswordVerification: '2019-01-15T23:17:09.000Z' + amr: + - PASSWORD + idp: + id: 00oq6kcVwvrDY2YsS0g3 + type: OKTA + mfaActive: false + user: + id: 00uq8tMo3zV0OfJON0g3 + passwordChanged: '2018-09-11T23:19:12.000Z' + profile: + login: administrator1@clouditude.net + firstName: Add-Min + lastName: O'Cloudy Tud + locale: en + timeZone: America/Los_Angeles + _links: + groups: + href: https://{yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups + factors: + href: >- + https://{yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors + policy: + id: 00pq8lGaLlI8APuqY0g3 + rule: + id: 0prq8mLKuKAmavOvq0g3 + identity: + claims: + sub: 00uq8tMo3zV0OfJON0g3 + name: Add-Min O'Cloudy Tud + email: administrator1@clouditude.net + ver: 1 + iss: https://{yourOktaDomain}/oauth2/default + aud: customClientIdNative + jti: ID.YxF2whJfB3Eu4ktG_7aClqtCgjDq6ab_hgpiV7-ZZn0 + amr: + - pwd + idp: 00oq6kcVwvrDY2YsS0g3 + nonce: asf + preferred_username: administrator1@clouditude.net + auth_time: 1547594229 + token: + lifetime: + expiration: 3600 + access: + claims: + ver: 1 + jti: AT.W-rrB-z-kkZQmHW0e6VS3Or...QfEN_YvoWJa46A7HAA + iss: https://{yourOktaDomain}/oauth2/default + aud: api://default + 
cid: customClientIdNative + uid: 00uq8tMo3zV0OfJON0g3 + sub: administrator1@clouditude.net + firstName: Add-Min + preferred_username: administrator1@clouditude.net + token: + lifetime: + expiration: 3600 + scopes: + openid: + id: scpq7bW1cp6dcvrz80g3 + action: GRANT + profile: + id: scpq7cWJ81CIP5Qkr0g3 + action: GRANT + email: + id: scpq7dxsoz6LQlRj00g3 + action: GRANT + refresh_token: + jti: oarob4a0tckCkGcyo1d6 + SAMLPayLoadExample: + summary: An example SAML assertion inline hook request body + value: + source: >- + https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml + eventId: XMFoHCM1S4Wi_SGWzL8T9A + eventTime: '2019-03-28T19:15:23.000Z' + data: + context: + request: + id: reqqXypjzYJRSu2j1G1imUovA + method: GET + url: + value: >- + https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml + ipAddress: 127.0.0.1 + protocol: + type: SAML2.0 + issuer: + id: 0oath92zlO60urQOP0g3 + name: SAML 2.0 App + uri: http://www.okta.com/exkth8lMzFm0HZOTU0g3 + session: + id: 102LN9Bnuc4S_ewfc9BYwageA + userId: 00uq8tMo3zV0OfJON0g3 + login: user@example.com + createdAt: '2019-03-28T16:45:55.000Z' + expiresAt: '2019-03-28T21:15:23.000Z' + status: ACTIVE + lastPasswordVerification: '2019-03-28T16:45:55.000Z' + amr: + - PASSWORD + idp: + id: 00oq6kcVwvrDY2YsS0g3 + type: OKTA + mfaActive: false + user: + id: 00uq8tMo3zV0OfJON0g3 + passwordChanged: '2018-09-11T23:19:12.000Z' + profile: + login: user@example.com + firstName: Admin + lastName: Last + locale: en + timeZone: America/Los_Angeles + _links: + groups: + href: https://${yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups + factors: + href: >- + https://${yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors + assertion: + subject: + nameId: user@example.com + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + confirmation: + method: urn:oasis:names:tc:SAML:2.0:cm:bearer + data: + recipient: http://www.example.com:7070/saml/sso + authentication: + sessionIndex: 
id1553800523546.312669168 + authnContext: + authnContextClassRef: >- + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + conditions: + audienceRestriction: + - urn:example:sp + claims: + extPatientId: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:integer + value: '4321' + array: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: Array 1 + - attributes: + xsi:type: xs:string + value: Array2 + - attributes: + xsi:type: xs:string + value: Array3 + middle: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: admin + firstAndLast: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + attributeValues: + - attributes: + xsi:type: xs:string + value: 7d6a50c8-4d7e-4058-9c5b-2cc98cecd294 + lifetime: + expiration: 300 + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + eventType: com.okta.saml.tokens.transform + contentType: application/json + UserImportPayloadExample: + summary: An example user import request body + value: + source: cal7eyxOsnb20oWbZ0g4 + eventId: JUGOUiYZTaKPmH6db0nDag + eventTime: '2019-02-27T20:59:04.000Z' + eventTypeVersion: '1.0' + cloudEventVersion: '0.1' + eventType: com.okta.import.transform + contentType: application/json + data: + context: + conflicts: + - login + application: + name: test_app + id: 0oa7ey7aLRuBvcYUD0g4 + label: Test App + status: ACTIVE + job: + id: ij17ez2AWtMZRfCZ60g4 + type: import:users + matches: [] + policy: + - EMAIL + - FIRST_AND_LAST_NAME + action: + result: CREATE_USER + appUser: + profile: + firstName: Sally2 + lastName: Admin2 + mobilePhone: null + accountType: PRO + secondEmail: null + failProvisioning: null + failDeprovisioning: null + externalId: user221 + groups: + - 
everyone@examplee.net + - tech@example.net + userName: administrator2 + email: sally.admin@example.net + user: + profile: + lastName: Admin2 + zipCode: null + city: null + secondEmail: null + postAddress: null + login: sally.admin@example.net + firstName: Sally2 + primaryPhone: null + mobilePhone: null + streetAddress: null + countryCode: null + typeId: null + state: null + email: sally.admin@example.net + PasswordImportVerifiedResponse: + summary: An example password hook response for a verified user password + value: + commands: + - type: com.okta.action.update + value: + credential: VERIFIED + TelephonySuccessResponse: + summary: >- + An example telephony hook response for an external web service returning + success + value: + commands: + - type: com.okta.telephony.action + - value: + status: SUCCESS + provider: VONAGE + transactionId: SM49a8ece2822d44e4adaccd7ed268f954 + transactionMetadata: Duration=300ms + ProfileEnrollmentResponse: + summary: >- + An example registration hook profile enrollment (SSR) inline hook + response + value: + commands: + - type: com.action.update + value: + registration: ALLOW + TokenHookResponse: + summary: An example token inline hook response that adds a claim + value: + commands: + - type: com.okta.identity.patch + value: + - op: add + path: /claims/extPatientId + value: '1234' + - type: com.okta.access.patch + value: + - op: add + path: /claims/external_guid + value: F0384685-F87D-474B-848D-2058AC5655A7 + SAMLHookResponseExample: + summary: An example SAML assertion inline hook response + value: + commands: + - type: com.okta.assertion.patch + value: + - op: replace + path: /claims/array/attributeValues/1/value + value: replacementValue + - op: replace + path: /authentication/authnContext + value: + authnContextClassRef: replacementValue + - op: add + path: /claims/extPatientId + value: + attributes: + NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic + attributeValues: + - attributes: + xsi:type: xs:string + value: 
'4321' + - op: add + path: /authentication/sessionLifetime + value: 300 + - type: com.okta.assertion.patch + value: + - op: replace + path: /authentication/sessionIndex + value: exampleSession + UserImportChangeAppUserProfileExample: + summary: >- + An example user import inline hook response that updates an app user's + profile + value: + commands: + - type: com.okta.appUser.profile.update + value: + firstName: Stan + InlineHookMgmtHTTPexampleDeactivate: + value: + id: calb7gacafgwgE7hc5e4 + status: INACTIVE + name: Token hook with HTTP authentication + type: com.okta.oauth2.tokens.transform + version: 1.0.0 + channel: + type: HTTP + version: 1.0.0 + config: + uri: https://example.com/tokenHook + headers: [] + method: POST + authScheme: + type: header + key: authorization + created: '2024-08-22T21:01:09.000Z' + lastUpdated: '2024-09-05T16:06:09.000Z' + _links: + activate: + href: >- + https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate + hints: + allow: + - POST + self: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + delete: + href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 + hints: + allow: + - DELETE + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + inline_hooks: + id: okta.inlinehooks.inline_hooks + name: inline_hooks + title: Inline Hooks + methods: + list_inline_hooks: + operation: + $ref: '#/paths/~1api~1v1~1inlineHooks/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_inline_hook: + operation: + $ref: '#/paths/~1api~1v1~1inlineHooks/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_inline_hook: + operation: + $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_inline_hook: + operation: + $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}/post' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_inline_hook: + operation: + $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_inline_hook: + operation: + $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + execute_inline_hook: + operation: + $ref: '#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}~1execute/post' + response: + mediaType: application/json + openAPIDocKey: '200' + activate_inline_hook: + operation: + $ref: >- + #/paths/~1api~1v1~1inlineHooks~1{inlineHookId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_inline_hook: + operation: + $ref: >- + 
#/paths/~1api~1v1~1inlineHooks~1{inlineHookId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/inline_hooks/methods/list_inline_hooks + - $ref: >- + #/components/x-stackQL-resources/inline_hooks/methods/get_inline_hook + insert: + - $ref: >- + #/components/x-stackQL-resources/inline_hooks/methods/create_inline_hook + update: + - $ref: >- + #/components/x-stackQL-resources/inline_hooks/methods/update_inline_hook + delete: + - $ref: >- + #/components/x-stackQL-resources/inline_hooks/methods/delete_inline_hook + replace: + - $ref: >- + #/components/x-stackQL-resources/inline_hooks/methods/replace_inline_hook +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains.
diff --git a/providers/src/okta/v00.00.00000/services/integrations.yaml b/providers/src/okta/v00.00.00000/services/integrations.yaml
new file mode 100644
index 00000000..b0c446ee
--- /dev/null
+++ b/providers/src/okta/v00.00.00000/services/integrations.yaml
@@ -0,0 +1,1110 @@ +openapi: 3.0.3 +info: + title: integrations API + description: okta integrations API + version: 5.1.0 +paths: + /integrations/api/v1/api-services: + get: + summary: List all API service integration instances + description: Lists all API Service Integration instances with a pagination option + operationId: listApiServiceIntegrationInstances + parameters: + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/APIServiceIntegrationInstance' + examples: + APIServiceIntegrationResponseExample: + $ref: '#/components/examples/APIServiceIntegrationListResponse' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.read + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an API service integration instance + description: Creates and authorizes an API Service Integration instance + operationId: createApiServiceIntegrationInstance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/postAPIServiceIntegrationInstanceRequest' + examples: + postAPIServiceIntegrationRequestExample: + $ref: '#/components/examples/postAPIServiceIntegrationRequest' + postAPIServiceWithPropertiesIntegrationRequestExample: + $ref: >- + #/components/examples/postAPIServiceWithPropertiesIntegrationRequest + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/postAPIServiceIntegrationInstance' + examples: + APIServiceIntegrationResponseExample: + $ref: '#/components/examples/postAPIServiceIntegrationResponse' + APIServiceWithPropertiesIntegrationResponseExample: + $ref: >- + 
#/components/examples/postAPIServiceWithPropertiesIntegrationResponse + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /integrations/api/v1/api-services/{apiServiceId}: + get: + summary: Retrieve an API service integration instance + description: Retrieves an API Service Integration instance by `id` + operationId: getApiServiceIntegrationInstance + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstance' + examples: + APIServiceIntegrationResponseExample: + $ref: '#/components/examples/APIServiceIntegrationResponse' + APIServiceWithPropertiesIntegrationResponseExample: + $ref: >- + #/components/examples/APIServiceWithPropertiesIntegrationResponse + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.read + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an API service integration instance + description: >- + Deletes an API Service Integration instance by `id`. This operation also + revokes access to scopes that were previously granted to this API + Service Integration instance. 
+ operationId: deleteApiServiceIntegrationInstance + responses: + '204': + description: No Content + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets: + get: + summary: List all API service integration instance secrets + description: >- + Lists all client secrets for an API Service Integration instance by + `apiServiceId` + operationId: listApiServiceIntegrationInstanceSecrets + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + APIServiceIntegrationResponseExample: + $ref: >- + #/components/examples/APIServiceIntegrationInstanceSecretListResponse + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.read + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an API service integration instance secret + description: >- + Creates an API Service Integration instance Secret object with a new + active client secret. You can create up to two Secret objects. An error + is returned if you attempt to create more than two Secret objects. 
+ operationId: createApiServiceIntegrationInstanceSecret + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + newAPIServiceIntegrationInstanceSecretResponse: + $ref: >- + #/components/examples/newAPIServiceIntegrationInstanceSecretResponse + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}: + delete: + summary: Delete an API service integration instance secret + description: >- + Deletes an API Service Integration instance Secret by `secretId`. You + can only delete an inactive Secret. 
+ operationId: deleteApiServiceIntegrationInstanceSecret + responses: + '204': + description: No Content + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + - $ref: '#/components/parameters/pathSecretId' + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/activate: + post: + summary: Activate an API service integration instance secret + description: Activates an API Service Integration instance Secret by `secretId` + operationId: activateApiServiceIntegrationInstanceSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + activeAPIServiceIntegrationInstanceSecretResponse: + $ref: >- + #/components/examples/activeAPIServiceIntegrationInstanceSecretResponse + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + - $ref: '#/components/parameters/pathSecretId' + /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/deactivate: + post: + summary: Deactivate an API service integration instance secret + 
description: Deactivates an API Service Integration instance Secret by `secretId` + operationId: deactivateApiServiceIntegrationInstanceSecret + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' + examples: + inactiveAPIServiceIntegrationInstanceSecretResponse: + $ref: >- + #/components/examples/inactiveAPIServiceIntegrationInstanceSecretResponse + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage + tags: + - ApiServiceIntegrations + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathApiServiceId' + - $ref: '#/components/parameters/pathSecretId' +components: + schemas: + APIServiceIntegrationInstance: + type: object + properties: + configGuideUrl: + type: string + description: The URL to the API service integration configuration guide + example: https://{docDomain}/my-app-cie/configuration-guide + readOnly: true + createdAt: + type: string + description: Timestamp when the API Service Integration instance was created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + createdBy: + type: string + description: The user ID of the API Service Integration instance creator + example: 00uu3u0ujW1P6AfZC2d5 + readOnly: true + grantedScopes: + type: array + description: >- + The list of Okta management scopes granted to the API Service + Integration instance. See [Okta management OAuth 2.0 + scopes]https://developer.okta.com/docs/api/oauth2/#okta-admin-management. 
+ items: + type: string + example: + - okta.logs.read + id: + type: string + description: The ID of the API Service Integration instance + readOnly: true + example: 0oa72lrepvp4WqEET1d9 + name: + type: string + description: >- + The name of the API service integration that corresponds with the + `type` property. This is the full name of the API service + integration listed in the Okta Integration Network (OIN) catalog. + readOnly: true + example: My App Cloud Identity Engine + properties: + $ref: '#/components/schemas/AppProperties' + type: + type: string + description: >- + The type of the API service integration. This string is an + underscore-concatenated, lowercased API service integration name. + For example, `my_api_log_integration`. + example: my_app_cie + _links: + $ref: '#/components/schemas/APIServiceIntegrationLinks' + readOnly: true + postAPIServiceIntegrationInstanceRequest: + type: object + properties: + grantedScopes: + type: array + description: >- + The list of Okta management scopes granted to the API Service + Integration instance. See [Okta management OAuth 2.0 + scopes]https://developer.okta.com/docs/api/oauth2/#okta-admin-management. + items: + type: string + example: + - okta.logs.read + properties: + $ref: '#/components/schemas/AppProperties' + type: + type: string + description: >- + The type of the API service integration. This string is an + underscore-concatenated, lowercased API service integration name. + For example, `my_api_log_integration`. + example: my_app_cie + required: + - type + - grantedScopes + postAPIServiceIntegrationInstance: + allOf: + - $ref: '#/components/schemas/APIServiceIntegrationInstance' + - type: object + properties: + clientSecret: + type: string + description: >- + The client secret for the API Service Integration instance. This + property is only returned in a POST response. 
+ readOnly: true + APIServiceIntegrationInstanceSecret: + type: object + properties: + client_secret: + type: string + description: >- + The OAuth 2.0 client secret string. The client secret string is + returned in the response of a Secret creation request. In other + responses (such as list, activate, or deactivate requests), the + client secret is returned as an undisclosed hashed value. + example: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + readOnly: true + created: + type: string + description: >- + Timestamp when the API Service Integration instance Secret was + created + example: '2023-02-21T20:08:24.000Z' + readOnly: true + id: + type: string + description: The ID of the API Service Integration instance Secret + example: ocs2f4zrZbs8nUa7p0g4 + readOnly: true + lastUpdated: + type: string + description: >- + Timestamp when the API Service Integration instance Secret was + updated + example: '2023-02-21T20:08:24.000Z' + readOnly: true + secret_hash: + type: string + description: OAuth 2.0 client secret string hash + example: yk4SVx4sUWVJVbHt6M-UPA + readOnly: true + status: + type: string + enum: + - ACTIVE + - INACTIVE + description: Status of the API Service Integration instance Secret + example: ACTIVE + _links: + $ref: '#/components/schemas/APIServiceIntegrationSecretLinks' + readOnly: true + required: + - id + - status + - client_secret + - created + - lastUpdated + - secret_hash + - _links + AppProperties: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + description: App instance properties + additionalProperties: + type: object + properties: + name: + type: string + description: Name of the property + example: baseUrl + value: + type: string + description: Value of the property + example: https://example.com + type: object + APIServiceIntegrationLinks: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext 
Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + properties: + client: + $ref: '#/components/schemas/HrefObjectClientLink' + logo: + $ref: '#/components/schemas/HrefObjectLogoLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + type: object + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + APIServiceIntegrationSecretLinks: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + delete: + $ref: '#/components/schemas/HrefObjectDeleteLink' + readOnly: true + type: object + HrefObjectClientLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the client resource + HrefObjectLogoLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the logo resource + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + HrefObjectDeleteLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to delete the resource + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorInvalidToken401: + description: Unauthorized + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidTokenProvided: + $ref: '#/components/examples/ErrorInvalidTokenProvided' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). 
+ pathApiServiceId: + name: apiServiceId + in: path + schema: + type: string + required: true + description: '`id` of the API Service Integration instance' + example: 000lr2rLjZ6NsGn1P0g3 + pathSecretId: + name: secretId + in: path + schema: + type: string + required: true + description: '`id` of the API Service Integration instance Secret' + example: ocs2f4zrZbs8nUa7p0g4 + examples: + APIServiceIntegrationListResponse: + summary: List response example + value: + - id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + postAPIServiceIntegrationRequest: + summary: POST request example + value: + type: my_app_cie + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + postAPIServiceWithPropertiesIntegrationRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: POST request example with app properties + value: + type: my_app_cie + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + properties: + baseUrl: https://example.com + orgId: '42' + postAPIServiceIntegrationResponse: + summary: Post response example + value: + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - 
okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + postAPIServiceWithPropertiesIntegrationResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Post response example with app properties + value: + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + properties: + baseUrl: https://example.com + orgId: '42' + _links: + self: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + APIServiceIntegrationResponse: + summary: Response example + value: + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + _links: + self: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: 
https://{logoDomain}/{logoPath}/my_app_cie_small_logo + APIServiceWithPropertiesIntegrationResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Response example with app properties + value: + id: 0oa72lrepvp4WqEET1d9 + type: my_app_cie + name: My App Cloud Identity Engine + createdAt: '2023-02-21T20:08:24.000Z' + createdBy: 00uu3u0ujW1P6AfZC2d5 + configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide + grantedScopes: + - okta.logs.read + - okta.groups.read + - okta.users.read + properties: + baseUrl: https://example.com + orgId: '42' + _links: + self: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + - DELETE + client: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 + hints: + allow: + - GET + logo: + name: small + href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo + APIServiceIntegrationInstanceSecretListResponse: + summary: Secrets list response example + value: + - id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: '***DhOW' + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + - id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: '***MQGQ' + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + 
newAPIServiceIntegrationInstanceSecretResponse: + summary: New secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B + secret_hash: FpCwXwSjTRQNtEI11I00-g + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + activeAPIServiceIntegrationInstanceSecretResponse: + summary: Activate secret response example + value: + id: ocs2f50kZB0cITmYU0g4 + status: ACTIVE + client_secret: '***MQGQ' + secret_hash: 0WOOvBSzV9clc4Nr7Rbaug + created: '2023-04-06T21:32:33.000Z' + lastUpdated: '2023-04-06T21:32:33.000Z' + _links: + deactivate: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate + hints: + allow: + - POST + inactiveAPIServiceIntegrationInstanceSecretResponse: + summary: Deactivate secret response example + value: + id: ocs2f4zrZbs8nUa7p0g4 + status: INACTIVE + client_secret: '***DhOW' + secret_hash: yk4SVx4sUWVJVbHt6M-UPA + created: '2023-02-21T20:08:24.000Z' + lastUpdated: '2023-02-21T20:08:24.000Z' + _links: + activate: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate + hints: + allow: + - POST + delete: + href: >- + https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 + hints: + allow: + - DELETE + ErrorInvalidTokenProvided: + summary: Invalid Token Provided + value: + errorCode: E0000011 + errorSummary: Invalid token provided + errorLink: E0000011 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: 
You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + instances: + id: okta.integrations.instances + name: instances + title: Instances + methods: + list_api_service_integration_instances: + operation: + $ref: '#/paths/~1integrations~1api~1v1~1api-services/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_api_service_integration_instance: + operation: + $ref: '#/paths/~1integrations~1api~1v1~1api-services/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_api_service_integration_instance: + operation: + $ref: '#/paths/~1integrations~1api~1v1~1api-services~1{apiServiceId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_api_service_integration_instance: + operation: + $ref: >- + #/paths/~1integrations~1api~1v1~1api-services~1{apiServiceId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/instances/methods/list_api_service_integration_instances + - $ref: >- + #/components/x-stackQL-resources/instances/methods/get_api_service_integration_instance + insert: + - $ref: >- + #/components/x-stackQL-resources/instances/methods/create_api_service_integration_instance + update: [] 
+ delete: + - $ref: >- + #/components/x-stackQL-resources/instances/methods/delete_api_service_integration_instance + replace: [] + instance_secrets: + id: okta.integrations.instance_secrets + name: instance_secrets + title: Instance Secrets + methods: + list_api_service_integration_instance_secrets: + operation: + $ref: >- + #/paths/~1integrations~1api~1v1~1api-services~1{apiServiceId}~1credentials~1secrets/get + response: + mediaType: application/json + openAPIDocKey: '200' + create_api_service_integration_instance_secret: + operation: + $ref: >- + #/paths/~1integrations~1api~1v1~1api-services~1{apiServiceId}~1credentials~1secrets/post + response: + mediaType: application/json + openAPIDocKey: '201' + delete_api_service_integration_instance_secret: + operation: + $ref: >- + #/paths/~1integrations~1api~1v1~1api-services~1{apiServiceId}~1credentials~1secrets~1{secretId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + activate_api_service_integration_instance_secret: + operation: + $ref: >- + #/paths/~1integrations~1api~1v1~1api-services~1{apiServiceId}~1credentials~1secrets~1{secretId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_api_service_integration_instance_secret: + operation: + $ref: >- + #/paths/~1integrations~1api~1v1~1api-services~1{apiServiceId}~1credentials~1secrets~1{secretId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/instance_secrets/methods/list_api_service_integration_instance_secrets + insert: + - $ref: >- + #/components/x-stackQL-resources/instance_secrets/methods/create_api_service_integration_instance_secret + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/instance_secrets/methods/delete_api_service_integration_instance_secret + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + 
description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/logs.yaml b/providers/src/okta/v00.00.00000/services/logs.yaml new file mode 100644 index 00000000..f7953254 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/logs.yaml 
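Review bot: The `insert` verbs on `instances` and `instance_secrets` map to the two operations whose responses carry a plaintext credential (`clientSecret` on the 201 of `createApiServiceIntegrationInstance`, `client_secret` on the 201 of `createApiServiceIntegrationInstanceSecret`), and nothing in the schema marks those fields as sensitive. Every other response returns the masked form (`'***DhOW'` in the examples), so whatever captures the result of the insert, such as query output, shell history or CI logs, holds the only usable copy of the client secret. I would add `format: password` under `clientSecret` in `postAPIServiceIntegrationInstance` and under `client_secret` in `APIServiceIntegrationInstanceSecret`, and state in the two create operations' descriptions that the response must go straight into a secret store; whether StackQL honours the format hint when rendering results needs confirming. Separately, every operation in `integrations.yaml` references the `apiToken` and `oauth2` security requirements, but the file declares no `components.securitySchemes`, so a strict OpenAPI validator will likely reject it unless provider-level auth configuration is meant to stand in for them.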
@@ -0,0 +1,979 @@ +openapi: 3.0.3 +info: + title: logs API + description: okta logs API + version: 5.1.0 +paths: + /api/v1/logs: + get: + summary: List all System Log events + description: >- + Lists all System Log events + + + See [System Log + query](https://developer.okta.com/docs/reference/system-log-query/) for + further details and examples, and [System Log filters and + search](https://help.okta.com/okta_help.htm?type=oie&id=csh-syslog-filters) + for common use cases. + + + By default, 100 System Log events are returned. If there are more + events, see the [header + link](https://developer.okta.com/docs/api/#link-header) for the `next` + link, + + or increase the number of returned objects using the `limit` parameter. + + + >**Note:** The value of the `clientSecret` property in the System Log is + secured by a hashing function, and isn't the value used during + authentication. + operationId: listLogEvents + parameters: + - name: since + description: >- + Filters the lower time bound of the log events `published` property + for bounded queries or persistence time for polling queries + in: query + schema: + type: string + format: ISO 8601 compliant timestamp + default: 7 days prior to until + - name: until + description: >- + Filters the upper time bound of the log events `published` property + for bounded queries or persistence time for polling queries. + in: query + schema: + type: string + format: ISO 8601 compliant timestamp + default: current time + - name: after + description: >- + Retrieves the next page of results. Okta returns a link in the HTTP + Header (`rel=next`) that includes the after query parameter + in: query + schema: + type: string + format: Opaque token + - name: filter + description: >- + Filter expression that filters the results. All operators except [ ] + are supported. See + [Filter](https://developer.okta.com/docs/api/#filter) and + [Operators](https://developer.okta.com/docs/api/#operators). 
+ in: query + schema: + type: string + format: SCIM Filter expression + - name: q + description: Filters log events results by one or more case insensitive keywords. + in: query + schema: + type: string + format: >- + URL encoded string. Max length is 40 characters per keyword, with + a maximum of 10 keyword filters per query (before encoding) + - name: limit + description: Sets the number of results that are returned in the response + in: query + schema: + type: integer + format: Integer between 0 and 1000 + default: 100 + - name: sortOrder + description: >- + The order of the returned events that are sorted by the `published` + property + in: query + schema: + type: string + enum: + - ASCENDING + - DESCENDING + default: ASCENDING + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/LogEvent' + examples: + ListLogs: + $ref: '#/components/examples/ListLogs' + LogTargetChangeDetails: + $ref: '#/components/examples/LogTargetChangeDetails' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logs.read + tags: + - SystemLog + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true +components: + schemas: + LogEvent: + type: object + properties: + actor: + $ref: '#/components/schemas/LogActor' + authenticationContext: + $ref: '#/components/schemas/LogAuthenticationContext' + client: + $ref: '#/components/schemas/LogClient' + debugContext: + $ref: '#/components/schemas/LogDebugContext' + displayMessage: + description: The display message for an event + type: string + readOnly: true + eventType: + description: >- + The published event type. Event instances are categorized by action + in the event type attribute. 
This attribute is key to + + navigating the System Log through expression filters. See [Event + Types + catalog](https://developer.okta.com/docs/reference/api/event-types/#catalog) + for a complete list of System Log event types. + type: string + readOnly: true + legacyEventType: + description: Associated Events API Action `objectType` attribute value + type: string + readOnly: true + outcome: + $ref: '#/components/schemas/LogOutcome' + published: + description: Timestamp when the event is published + type: string + format: date-time + readOnly: true + request: + $ref: '#/components/schemas/LogRequest' + securityContext: + $ref: '#/components/schemas/LogSecurityContext' + severity: + $ref: '#/components/schemas/LogSeverity' + target: + type: array + readOnly: true + description: >- + The entity that an actor performs an action on. Targets can be + anything, such as an app user, a sign-in token, or anything else. + + + > **Note:** When searching the target array, search for a given + `type` rather than the array location. Target types, such as `User` + and `AppInstance`, + + for a given `eventType` are not always in the same array location. + items: + $ref: '#/components/schemas/LogTarget' + transaction: + $ref: '#/components/schemas/LogTransaction' + uuid: + description: Unique identifier for an individual event + type: string + readOnly: true + version: + description: Versioning indicator + type: string + readOnly: true + LogActor: + description: >- + Describes the user, app, client, or other entity (actor) who performs an + action on a target. The actor is dependent on the action that is + performed. All events have actors. 
+ type: object + properties: + alternateId: + description: Alternative ID of the actor + type: string + readOnly: true + detailEntry: + description: Further details about the actor + type: object + additionalProperties: true + readOnly: true + displayName: + description: Display name of the actor + type: string + readOnly: true + id: + description: ID of the actor + type: string + readOnly: true + type: + description: Type of actor + type: string + readOnly: true + LogAuthenticationContext: + description: >- + All authentication relies on validating one or more credentials that + prove the authenticity of the actor's identity. Credentials are + sometimes provided by the actor, as is the case with passwords, and at + other times provided by a third party, and validated by the + authentication provider. + + + The authenticationContext contains metadata about how the actor is + authenticated. For example, an authenticationContext for an event, where + a user authenticates with Integrated Windows Authentication (IWA), looks + like the following: + + ``` + + { + "authenticationProvider": "ACTIVE_DIRECTORY", + "authenticationStep": 0, + "credentialProvider": null, + "credentialType": "IWA", + "externalSessionId": "102N1EKyPFERROGvK9wizMAPQ", + "interface": null, + "issuer": null + } + + ``` + + In this case, the user enters an IWA credential to authenticate against + an Active Directory instance. All of the user's future-generated events + in this sign-in session are going to share the same `externalSessionId`. + + + Among other operations, this response object can be used to scan for + suspicious sign-in activity or perform analytics on user authentication + habits (for example, how often authentication scheme X is used versus + authentication scheme Y). + type: object + properties: + authenticationProvider: + $ref: '#/components/schemas/LogAuthenticationProvider' + authenticationStep: + description: >- + The zero-based step number in the authentication pipeline. 
Currently + unused and always set to `0`. + type: integer + readOnly: true + credentialProvider: + $ref: '#/components/schemas/LogCredentialProvider' + credentialType: + $ref: '#/components/schemas/LogCredentialType' + externalSessionId: + description: >- + A proxy for the actor's [session + ID](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) + type: string + readOnly: true + interface: + description: >- + The third-party user interface that the actor authenticates through, + if any. + type: string + readOnly: true + issuer: + $ref: '#/components/schemas/LogIssuer' + LogClient: + description: >- + When an event is triggered by an HTTP request, the `client` object + describes the [client](https://datatracker.ietf.org/doc/html/rfc2616) + that issues the HTTP request. For instance, the web browser is the + client when a user accesses Okta. When this request is received and + processed, a sign-in event is fired. When the event isn't sourced to an + HTTP request, such as an automatic update, the `client` object field is + blank. + type: object + properties: + device: + description: Type of device that the client operates from (for example, computer) + type: string + readOnly: true + geographicalContext: + $ref: '#/components/schemas/LogGeographicalContext' + id: + description: >- + For OAuth requests, this is the ID of the OAuth + [client](https://datatracker.ietf.org/doc/html/rfc6749#section-1.1) + making the request. For SSWS token requests, this is the ID of the + agent making the request. 
+ type: string + readOnly: true + ipAddress: + description: IP address that the client is making its request from + type: string + readOnly: true + userAgent: + $ref: '#/components/schemas/LogUserAgent' + zone: + description: >- + The `name` of the + [Zone](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/NetworkZone/#tag/NetworkZone/operation/getNetworkZone) + that the client's location is mapped to + type: string + readOnly: true + LogDebugContext: + description: >- + For some kinds of events (for example, OLM provisioning, sign-in + request, second factor SMS, and so on), the fields that are provided in + other response objects aren't sufficient to adequately describe the + operations that the event has performed. In such cases, the + `debugContext` object provides a way to store additional information. + + + For example, an event where a second factor SMS token is sent to a user + may have a `debugContext` that looks like the following: + + ``` + + { + "debugData": { + "requestUri": "/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify", + "smsProvider": "TELESIGN", + "transactionId": "268632458E3C100F5F5F594C6DC689D4" + } + } + + ``` + + By inspecting the debugData field, you can find the URI that is used to + trigger the second factor SMS + (`/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify`), + the SMS provider (`TELESIGN`), and the ID used by Telesign to identify + this transaction (`268632458E3C100F5F5F594C6DC689D4`). + + + If for some reason the information that is needed to implement a feature + isn't provided in other response objects, you should scan the + `debugContext.debugData` field for potentially useful fields. + + > **Important:** The information contained in `debugContext.debugData` + is intended to add context when troubleshooting customer platform + issues. 
Both key names and values may change from release to release and + aren't guaranteed to be stable. Therefore, they shouldn't be viewed as a + data contract but as a debugging aid instead. + type: object + properties: + debugData: + type: object + description: >- + A dynamic field that contains miscellaneous information that is + dependent on the event type. + additionalProperties: true + readOnly: true + LogOutcome: + type: object + properties: + reason: + description: Reason for the result, for example, `INVALID_CREDENTIALS` + type: string + readOnly: true + minLength: 1 + maxLength: 255 + result: + description: Result of the action + type: string + readOnly: true + enum: + - SUCCESS + - FAILURE + - SKIPPED + - ALLOW + - DENY + - CHALLENGE + - UNKNOWN + - RATE_LIMIT + - DEFERRED + - SCHEDULED + - ABANDONED + - UNANSWERED + LogRequest: + description: >- + The `Request` object describes details that are related to the HTTP + request that triggers this event, if available. When the event isn't + sourced to an HTTP request, such as an automatic update on the Okta + servers, the `Request` object still exists, but the `ipChain` field is + empty. + type: object + properties: + ipChain: + description: >- + If the incoming request passes through any proxies, the IP addresses + of those proxies are stored here in the format of clientIp, proxy1, + proxy2, and so on. This field is useful when working with trusted + proxies. + type: array + readOnly: true + items: + $ref: '#/components/schemas/LogIpAddress' + LogSecurityContext: + description: >- + The `securityContext` object provides security information that is + directly related to the evaluation of the event's IP reputation. IP + reputation is a trustworthiness rating that evaluates how likely a + sender is to be malicious and is based on the sender's IP address. As + the name implies, the `securityContext` object is useful for security + applications-flagging and inspecting suspicious events. 
+ type: object + properties: + asNumber: + description: >- + The [Autonomous + system](https://docs.telemetry.mozilla.org/datasets/other/asn_aggregates/reference) + number that's associated with the autonomous system the event + request was sourced to + type: integer + readOnly: true + asOrg: + description: >- + The organization that is associated with the autonomous system that + the event request is sourced to + type: string + readOnly: true + domain: + description: >- + The domain name that's associated with the IP address of the inbound + event request + type: string + readOnly: true + isp: + description: >- + The Internet service provider that's used to send the event's + request + type: string + readOnly: true + isProxy: + description: Specifies whether an event's request is from a known proxy + type: boolean + readOnly: true + LogSeverity: + description: Indicates how severe the event is + type: string + enum: + - DEBUG + - ERROR + - INFO + - WARN + LogTarget: + type: object + properties: + alternateId: + type: string + description: The alternate ID of the target + readOnly: true + changeDetails: + type: object + example: + LogTargetChangeDetails: + $ref: '#/components/examples/LogTargetChangeDetails' + description: >- + Details on the target's changes. Not all event types support the + `changeDetails` property, and not all + + `target` objects contain the `changeDetails` property. + + + > **Note:** You can't run queries on `changeDetails` or the object's + `to` or `from` properties. 
+ properties: + from: + type: object + description: The original properties of the target + additionalProperties: true + to: + type: object + description: The updated properties of the target + additionalProperties: true + detailEntry: + type: object + description: Further details on the target + additionalProperties: true + readOnly: true + displayName: + type: string + description: The display name of the target + readOnly: true + id: + type: string + description: The ID of the target + readOnly: true + type: + type: string + description: The type of target + readOnly: true + LogTransaction: + description: >- + A `transaction` object comprises contextual information associated with + its respective event. + + This information is useful for understanding sequences of correlated + events. + + For example, a `transaction` object such as the following: + + ``` + + { + "id": "Wn4f-0RQ8D8lTSLkAmkKdQAADqo", + "type": "WEB", + "detail": null + } + + ``` + + indicates that a `WEB` request with `id` `Wn4f-0RQ8D8lTSLkAmkKdQAADqo` + has created this event. + + + A `transaction` object with a `requestApiTokenId` in the `detail` + object, for example : + + ``` + + { + "id": "YjSlblAAqnKY7CdyCkXNBgAAAIU", + "type": "WEB", + "detail": { + "requestApiTokenId": "00T94e3cn9kSEO3c51s5" + } + } + + ``` + + indicates that this event was the result of an action performed through + an API using the token identified by 00T94e3cn9kSEO3c51s5. The token ID + is visible in the Admin Console, **Security** > **API**. See [API token + management](https://help.okta.com/okta_help.htm?id=Security_API). For + more information on API tokens, see [Create an API + token](https://developer.okta.com/docs/guides/create-an-api-token/). + type: object + properties: + detail: + description: Details for this transaction. + type: object + additionalProperties: true + readOnly: true + id: + description: Unique identifier for this transaction. 
+ type: string + readOnly: true + type: + description: >- + Describes the kind of transaction. `WEB` indicates a web request. + `JOB` indicates an asynchronous task. + type: string + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + LogAuthenticationProvider: + description: >- + The system that proves the identity of an actor using the credentials + provided to it + type: string + enum: + - ACTIVE_DIRECTORY + - FACTOR_PROVIDER + - FEDERATION + - LDAP + - OKTA_AUTHENTICATION_PROVIDER + - SOCIAL + LogCredentialProvider: + description: >- + A credential provider is a software service that manages identities and + their associated credentials. When authentication occurs through + credentials provided by a credential provider, the credential provider + is recorded here. + type: string + enum: + - DUO + - GOOGLE + - OKTA_AUTHENTICATION_PROVIDER + - OKTA_CREDENTIAL_PROVIDER + - RSA + - SYMANTEC + - YUBIKEY + LogCredentialType: + description: The underlying technology/scheme used in the credential + type: string + enum: + - ASSERTION + - CERTIFICATE + - DEVICE_UDID + - EMAIL + - IWA + - JWT + - OAuth 2.0 + - OKTA_CLIENT_SESSION + - OTP + - PASSWORD + - PRE_SHARED_SYMMETRIC_KEY + - SMS + LogIssuer: + description: >- + Describes the issuer of the authorization server when the authentication + is performed through OAuth. 
This is the location where well-known + resources regarding the details of the authorization servers are + published. + type: object + properties: + id: + description: >- + Varies depending on the type of authentication. If authentication is + SAML 2.0, `id` is the issuer in the SAML assertion. For social + login, `id` is the issuer of the token. + type: string + readOnly: true + type: + description: >- + Information on the `issuer` and source of the SAML assertion or + token + type: string + readOnly: true + LogGeographicalContext: + description: >- + Geographical context describes a set of geographic coordinates. In + addition to containing latitude and longitude data, the + `GeographicalContext` object also contains address data of postal + code-level granularity. Within the `Client` object, the geographical + context refers to the physical location of the client when it sends the + request that triggers this event. All `Transaction` events with `type` + equal to `WEB` have a geographical context set. `Transaction` events + with `type` equal to `JOB` don't have a geographical context set. The + geographical context data can be missing if the geographical data for a + request can't be resolved. 
+ type: object + properties: + city: + description: >- + The city that encompasses the area that contains the geolocation + coordinates, if available (for example, Seattle, San Francisco) + type: string + readOnly: true + country: + description: >- + Full name of the country that encompasses the area that contains the + geolocation coordinates (for example, France, Uganda) + type: string + readOnly: true + geolocation: + $ref: '#/components/schemas/LogGeolocation' + postalCode: + description: Postal code of the area that encompasses the geolocation coordinates + type: string + readOnly: true + state: + description: >- + Full name of the state or province that encompasses the area that + contains the geolocation coordinates (for example, Montana, Ontario) + type: string + readOnly: true + LogUserAgent: + description: > + "A user agent is software (a software agent) that is acting on behalf of + a user." ([Definition of User + Agent](https://developer.mozilla.org/en-US/docs/Glossary/User_agent)) + + + In the Okta event data object, the `UserAgent` object provides + specifications about the client software that makes event-triggering + HTTP requests. User agent identification is often useful for identifying + interoperability problems between servers and clients, and also for + browser and operating system usage analytics. + type: object + properties: + browser: + description: >- + If the client is a web browser, this field identifies the type of + web browser (for example, CHROME, FIREFOX) + type: string + readOnly: true + os: + description: >- + The operating system that the client runs on (for example, Windows + 10) + type: string + readOnly: true + rawUserAgent: + description: >- + A raw string representation of the user agent that is formatted + according to [section 5.5.3 of HTTP/1.1 Semantics and + Content](https://datatracker.ietf.org/doc/html/rfc7231#section-5.5.3). + Both the `browser` and the `OS` fields can be derived from this + field. 
+ type: string + readOnly: true + LogIpAddress: + type: object + properties: + geographicalContext: + $ref: '#/components/schemas/LogGeographicalContext' + ip: + description: IP address + type: string + readOnly: true + source: + description: Details regarding the source + type: string + readOnly: true + version: + description: IP address version + type: string + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + LogGeolocation: + description: >- + The latitude and longitude of the geolocation where an action was + performed. The object is formatted according to the [ISO + 6709](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en) + standard. + type: object + properties: + lat: + description: >- + Latitude which uses two digits for the [integer + part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Latitude) + type: number + format: double + readOnly: true + lon: + description: >- + Longitude which uses three digits for the [integer + part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Longitude) + type: number + format: double + readOnly: true + responses: + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + examples: + ListLogs: + summary: List all System Log events + value: + - actor: + id: 00uttidj01jqL21aM1d6 + type: User + alternateId: john.doe@example.com + displayName: John Doe + detailEntry: 
null + client: + userAgent: + rawUserAgent: >- + Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) + AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 + Safari/537.36 + os: Mac OS X + browser: CHROME + zone: null + device: Computer + id: null + ipAddress: 10.0.0.1 + geographicalContext: + city: New York + state: New York + country: United States + postalCode: 10013 + geolocation: + lat: 40.3157 + lon: -74.01 + device: + id: guofdhyjex1feOgbN1d9 + name: Mac15,6 + os_platform: OSX + os_version: 14.6.0 + managed: false + registered: true + device_integrator: null + disk_encryption_type: ALL_INTERNAL_VOLUMES + screen_lock_type: BIOMETRIC + jailbreak: null + secure_hardware_present: true + authenticationContext: + authenticationProvider: null + credentialProvider: null + credentialType: null + issuer: null + interface: null + authenticationStep: 0 + rootSessionId: idxBager62CSveUkTxvgRtonA + externalSessionId: idxBager62CSveUkTxvgRtonA + displayMessage: User login to Okta + eventType: user.session.start + outcome: + result: SUCCESS + reason: null + published: '2024-08-13T15:58:20.353Z' + securityContext: + asNumber: 394089 + asOrg: ASN 0000 + isp: google + domain: null + isProxy: false + severity: INFO + debugContext: + debugData: + requestId: ab609228fe84ce59cdcbfa690bcce016 + requestUri: /idp/idx/authenticators/poll + url: /idp/idx/authenticators/poll + legacyEventType: core.user_auth.login_success + transaction: + type: WEB + id: ab609228fe84ce59cdcbfa690bgce016 + detail: null + uuid: dc9fd3c0-598c-11ef-8478-2b7584bf8d5a + version: 0 + request: + ipChain: + - ip: 10.0.0.1 + geographicalContext: + city: New York + state: New York + country: United States + postalCode: 10013 + geolocation: + lat: 40.3157 + lon: -74.01 + version: V4 + source: null + target: + - id: pfdfdhyjf0HMbkP2e1d7 + type: AuthenticatorEnrollment + alternateId: unknown + displayName: Okta Verify + detailEntry: null + - id: 0oatxlef9sQvvqInq5d6 + type: AppInstance + alternateId: Okta Admin 
Console + displayName: Okta Admin Console + detailEntry: null + LogTargetChangeDetails: + summary: Example of the `changeDetails` property on the target + value: + from: + vpnLocationOptions: DISABLED + vpnSettingsZones: + include: null + exclude: null + to: + message: You must a use VPN to connect to this application + vpnLocationOptions: ZONE + vpnSettingsZones: + include: + - ALL_ZONES + exclude: null + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + x-stackQL-resources: + system_log_events: + id: okta.logs.system_log_events + name: system_log_events + title: System Log Events + methods: + list_log_events: + operation: + $ref: '#/paths/~1api~1v1~1logs/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/system_log_events/methods/list_log_events + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/logstreams.yaml b/providers/src/okta/v00.00.00000/services/logstreams.yaml new file mode 100644 index 00000000..72b6a16b --- /dev/null 
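Review bot: The `servers` block that closes logs.yaml gives `subdomain` the default `my-org`, which is a syntactically valid Okta org name, and the URL template fixes the suffix to `.okta.com` even though the description says oktapreview.com and custom domains are accepted. If the consuming client ever falls back to that default (not visible in this diff, so worth confirming), a System Log query carrying the caller's `apiToken` or `okta.logs.read` bearer token would be sent to a tenant the caller does not control. I would change the default to a value that is not a valid hostname label, for example the constructed placeholder `default: REPLACE_WITH_YOUR_OKTA_SUBDOMAIN`, and either trim the description to what the template supports or make the domain suffix a second server variable. The same block closes the preceding file's hunk. Separately, the `security` list on `listLogEvents` names `apiToken` and `oauth2`, but `components` in this file declares no `securitySchemes`, so a short comment saying where authentication is configured for this provider would help readers and spec validators.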
+++ b/providers/src/okta/v00.00.00000/services/logstreams.yaml 
@@ -0,0 +1,750 @@ +openapi: 3.0.3 +info: + title: logstreams API + description: okta logstreams API + version: 5.1.0 +paths: + /api/v1/logStreams: + get: + summary: List all log streams + description: >- + Lists all log stream objects in your org. You can request a paginated + list or a subset of log streams that match a supported filter + expression. + operationId: listLogStreams + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + - name: filter + in: query + description: >- + An expression that [filters]https://developer.okta.com/docs/api#filter the returned objects. You can + only use the `eq` operator on either the `status` or `type` + properties in the filter expression. + schema: + type: string + example: type eq "aws_eventbridge" + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/LogStream' + examples: + ExampleGetAllResponse: + $ref: '#/components/examples/LogStreamGetAllResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logStreams.read + tags: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Create a log stream + description: Creates a new log stream object + operationId: createLogStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/LogStream' + examples: + LogStreamPostRequestExample: + $ref: '#/components/examples/LogStreamPostRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/LogStream' + examples: + LogStreamPostResponseExample: + $ref: '#/components/examples/LogStreamPostResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' 
+ '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logStreams.manage + tags: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/logStreams/{logStreamId}: + get: + summary: Retrieve a log stream + description: Retrieves a log stream object by ID + operationId: getLogStream + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/LogStream' + examples: + LogStreamGetRequestExample: + $ref: '#/components/examples/LogStreamPostResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logStreams.read + tags: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + put: + summary: Replace a log stream + description: >- + Replaces the log stream object properties for a given ID. + + + This operation is typically used to update the configuration of a log + stream. + + Depending on the type of log stream you want to update, certain + properties can't be modified after the log stream is initially created. + + Use the [Retrieve the log stream schema for the schema + type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/getLogStreamSchema) + request to determine which properties you can update for the specific + log stream type. + + Log stream properties with the `"writeOnce" : true` attribute can't be + updated after creation. 
+ + You must still specify these `writeOnce` properties in the request body + with the original values in the PUT request. + + + > **Note:** You don't have to specify properties that have both the + `"writeOnce": true` and the `"writeOnly": true` attributes in the PUT + request body. These property values are ignored even if you add them in + the PUT request body. + operationId: replaceLogStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/LogStreamPutSchema' + examples: + LogStreamPutRequestExample: + $ref: '#/components/examples/LogStreamPutRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/LogStream' + examples: + LogStreamPostResponseExample: + $ref: '#/components/examples/LogStreamPutResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logStreams.manage + tags: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + delete: + summary: Delete a log stream + description: Deletes a log stream object from your org by ID + operationId: deleteLogStream + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logStreams.manage + tags: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + 
parameters: + - $ref: '#/components/parameters/pathLogStreamId' + /api/v1/logStreams/{logStreamId}/lifecycle/activate: + post: + summary: Activate a log stream + description: Activates a log stream by `logStreamId` + operationId: activateLogStream + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/LogStream' + examples: + LogStreamActivateResponseExample: + $ref: '#/components/examples/LogStreamActivateResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logStreams.manage + tags: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathLogStreamId' + /api/v1/logStreams/{logStreamId}/lifecycle/deactivate: + post: + summary: Deactivate a log stream + description: Deactivates a log stream by `logStreamId` + operationId: deactivateLogStream + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/LogStream' + examples: + LogStreamDeactivateResponseExample: + $ref: '#/components/examples/LogStreamDeactivateResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logStreams.manage + tags: + - LogStream + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathLogStreamId' +components: + schemas: + LogStream: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the log stream object was created + readOnly: true + example: '2022-10-21T16:59:59.000Z' + id: + 
type: string + description: Unique identifier for the log stream + readOnly: true + example: 0oa1orzg0CHSgPcjZ0g4 + lastUpdated: + type: string + format: date-time + description: Timestamp when the log stream object was last updated + readOnly: true + example: '2022-10-21T17:15:10.000Z' + name: + $ref: '#/components/schemas/LogStreamName' + status: + type: string + description: Lifecycle status of the log stream object + enum: + - ACTIVE + - INACTIVE + readOnly: true + type: + $ref: '#/components/schemas/LogStreamType' + _links: + $ref: '#/components/schemas/LogStreamLinksSelfAndLifecycle' + required: + - created + - id + - lastUpdated + - name + - status + - type + - _links + discriminator: + propertyName: type + mapping: + aws_eventbridge: '#/components/schemas/LogStreamAws' + splunk_cloud_logstreaming: '#/components/schemas/LogStreamSplunk' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ LogStreamPutSchema: + type: object + properties: + name: + $ref: '#/components/schemas/LogStreamName' + type: + $ref: '#/components/schemas/LogStreamType' + required: + - name + - type + discriminator: + propertyName: type + mapping: + aws_eventbridge: '#/components/schemas/LogStreamAwsPutSchema' + splunk_cloud_logstreaming: '#/components/schemas/LogStreamSplunkPutSchema' + LogStreamName: + description: Unique name for the log stream object + example: My AWS EventBridge log stream + type: string + LogStreamType: + description: >- + Specifies the streaming provider used + + + Supported providers: + * `aws_eventbridge` ([AWS EventBridge](https://aws.amazon.com/eventbridge)) + * `splunk_cloud_logstreaming` ([Splunk Cloud](https://www.splunk.com/en_us/software/splunk-cloud-platform.html)) + + Select the provider type to see provider-specific configurations in the + `settings` property: + type: string + enum: + - aws_eventbridge + - splunk_cloud_logstreaming + LogStreamLinksSelfAndLifecycle: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + activate: + $ref: '#/components/schemas/LogStreamActivateLink' + deactivate: + $ref: '#/components/schemas/LogStreamDeactivateLink' + self: + $ref: '#/components/schemas/LogStreamSelfLink' + required: + - self + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + LogStreamActivateLink: + allOf: + - $ref: '#/components/schemas/LogStreamLinkObject' + - description: Link to activate the resource + LogStreamDeactivateLink: + allOf: + - $ref: '#/components/schemas/LogStreamLinkObject' + - description: Link to deactivate the resource + LogStreamSelfLink: + allOf: + - $ref: '#/components/schemas/LogStreamLinkObject' + - description: Link to the resource (self) + LogStreamLinkObject: + title: Log stream link object + type: object + properties: + href: + type: string + description: The URI of the resource + method: + type: string + description: HTTP method allowed for the resource + enum: + - GET + - POST + required: + - href + readOnly: true + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + queryAfter: + name: after + in: query + schema: + type: string + description: >- 
+ The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + pathLogStreamId: + name: logStreamId + in: path + schema: + type: string + example: 0oa1orzg0CHSgPcjZ0g4 + required: true + description: Unique identifier for the log stream + examples: + LogStreamGetAllResponse: + summary: Lists all log streams + value: + - id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:02:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: >- + http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamPostRequest: + summary: Create an AWS EventBridge log stream + value: + type: aws_eventbridge + name: Example AWS EventBridge + settings: + eventSourceName: your-event-source-name + accountId: '123456789012' + region: us-east-2 + LogStreamPostResponse: + summary: AWS EventBridge log stream response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:02:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: >- + http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + 
ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + LogStreamPutRequest: + summary: Replace AWS EventBridge name + value: + type: aws_eventbridge + name: Updated AWS EventBridge + settings: + eventSourceName: your-event-source-name + accountId: '123456789012' + region: us-east-2 + LogStreamPutResponse: + summary: Replace AWS EventBridge name response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Updated AWS EventBridge + lastUpdated: '2023-03-24T21:12:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: >- + http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamActivateResponse: + summary: Activate log stream response + value: + id: 0oa1orqUGCIoCGNxf0g4 + type: aws_eventbridge + name: Example AWS EventBridge + lastUpdated: '2023-03-24T21:22:43.000Z' + created: '2023-03-24T21:02:43.000Z' + status: ACTIVE + settings: + accountId: '123456789012' + eventSourceName: your-event-source-name + region: us-east-2 + _links: + self: + href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 + method: GET + deactivate: + href: >- + http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate + method: POST + LogStreamDeactivateResponse: + summary: Deactivate log stream response + value: + id: 0oa7agphh5FT7H521d7 + type: splunk_cloud_logstreaming + name: Splunk Cloud Example + lastUpdated: '2023-03-24T21:23:00.000Z' + created: '2023-03-24T21:15:13.000Z' + status: INACTIVE + settings: + edition: aws + host: okexample.splunkcloud.com + _links: + self: + href: 
http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7 + method: GET + activate: + href: >- + http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7/lifecycle/activate + method: POST + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + log_streams: + id: okta.logstreams.log_streams + name: log_streams + title: Log Streams + methods: + list_log_streams: + operation: + $ref: '#/paths/~1api~1v1~1logStreams/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_log_stream: + operation: + $ref: '#/paths/~1api~1v1~1logStreams/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_log_stream: + operation: + $ref: '#/paths/~1api~1v1~1logStreams~1{logStreamId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_log_stream: + operation: + $ref: '#/paths/~1api~1v1~1logStreams~1{logStreamId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_log_stream: + operation: + $ref: '#/paths/~1api~1v1~1logStreams~1{logStreamId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_log_stream: + operation: + $ref: >- + #/paths/~1api~1v1~1logStreams~1{logStreamId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_log_stream: + operation: + $ref: >- + 
#/paths/~1api~1v1~1logStreams~1{logStreamId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/log_streams/methods/list_log_streams + - $ref: >- + #/components/x-stackQL-resources/log_streams/methods/get_log_stream + insert: + - $ref: >- + #/components/x-stackQL-resources/log_streams/methods/create_log_stream + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/log_streams/methods/delete_log_stream + replace: + - $ref: >- + #/components/x-stackQL-resources/log_streams/methods/replace_log_stream +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/mappings.yaml b/providers/src/okta/v00.00.00000/services/mappings.yaml new file mode 100644 index 00000000..5262f216 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/mappings.yaml 
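Review bot: The `discriminator` mappings under `LogStream` and `LogStreamPutSchema` in `components.schemas` point at `#/components/schemas/LogStreamAws`, `LogStreamSplunk`, `LogStreamAwsPutSchema` and `LogStreamSplunkPutSchema`, none of which is defined in this new file, so the references dangle. The same gap leaves `settings` undescribed: the examples (`LogStreamPostRequest`, `LogStreamPutRequest` and the response examples) all carry a `settings` object, yet neither base schema declares it, so the request bodies for `create_log_stream` and `replace_log_stream` cannot be built or validated from the schema as written. Either carry the four subtype schemas and their settings objects over from the upstream spec, or drop the two `discriminator` blocks and declare `settings` as an object property on both base schemas; if the file is generated, the fix probably belongs in the generator's schema pruning. The operations also name `apiToken` and `oauth2` under `security` while the file has no `components.securitySchemes`; presumably auth is configured at provider level, but that is worth confirming because the `okta.logStreams.manage` scope is what guards the create, replace, delete and lifecycle operations.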
@@ -0,0 +1,753 @@ +openapi: 3.0.3 +info: + title: mappings API + description: okta mappings API + version: 5.1.0 +paths: + /api/v1/mappings: + get: + summary: List all profile mappings + description: >- + Lists all profile mappings in your org with + [pagination](https://developer.okta.com/docs/api/#pagination). You can + return a subset of profile mappings that match a supported `sourceId` + and/or `targetId`. + + + The results are [paginated]https://developer.okta.com/docs/api#pagination according to the `limit` + parameter. If there are multiple pages of results, the Link header + contains a `next` link that you should treat as an opaque value (follow + it, don't parse it). See [Link + Header](https://developer.okta.com/docs/api/#link-header). + + + The response is a collection of profile mappings that include a subset + of the profile mapping object's parameters. The profile mapping object + describes + + the properties mapping between an Okta user and an app user profile + using [JSON Schema Draft + 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). + operationId: listProfileMappings + parameters: + - name: after + in: query + description: >- + Mapping `id` that specifies the pagination cursor for the next page + of mappings + schema: + type: string + - name: limit + in: query + description: Specifies the number of results per page + schema: + type: integer + format: int32 + default: 20 + maximum: 200 + - name: sourceId + in: query + description: >- + The user type or app instance ID that acts as the source of + expressions in a mapping. If this parameter is included, all + returned mappings have this as their `source.id`. + schema: + type: string + - name: targetId + in: query + description: >- + The user type or app instance ID that acts as the target of + expressions in a mapping. If this parameter is included, all + returned mappings have this as their `target.id`. 
+ schema: + type: string + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/ListProfileMappings' + examples: + MappingList: + summary: List all profile mappings response + $ref: '#/components/examples/ListMappingsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.profileMappings.read + tags: + - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/mappings/{mappingId}: + get: + summary: Retrieve a profile mapping + description: Retrieves a single profile mapping referenced by its ID + operationId: getProfileMapping + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ProfileMapping' + examples: + MappingRetrieve: + summary: Retrieve a single profile mapping + $ref: '#/components/examples/RetrieveMappingsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.profileMappings.read + tags: + - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Update a profile mapping + description: >- + Updates an existing profile mapping by adding, updating, or removing one + or many property mappings + operationId: updateProfileMapping + x-codegen-request-body-name: profileMapping + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ProfileMappingRequest' + examples: + Addpropertymapping: + $ref: '#/components/examples/AddMappingBody' + Updatepropertymapping: + $ref: '#/components/examples/UpdateMappingBody' + Removepropertymapping: + $ref: 
'#/components/examples/RemoveMappingBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ProfileMapping' + examples: + Addpropertymapping: + summary: >- + Update an existing profile mapping by adding one or more + properties + $ref: '#/components/examples/AddMappingResponse' + Updatepropertymapping: + summary: >- + Update an existing profile mapping by updating one or more + properties + $ref: '#/components/examples/UpdateMappingResponse' + Removepropertymapping: + summary: >- + Update an existing profile mapping by removing one or more + properties + $ref: '#/components/examples/RemoveMappingResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.profileMappings.manage + tags: + - ProfileMapping + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathMappingId' +components: + schemas: + ListProfileMappings: + description: >- + A collection of the profile mappings that include a subset of the + profile mapping object's properties. The profile mapping object + describes a mapping between an Okta user's and an app user's properties + using [JSON Schema Draft + 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). + + + > **Note:** Same type source/target mappings aren't supported by this + API. Profile mappings must either be Okta->App or App->Okta. 
+ + properties: + id: + type: string + description: Unique identifier for profile mapping + readOnly: true + source: + $ref: '#/components/schemas/ProfileMappingSource' + target: + $ref: '#/components/schemas/ProfileMappingTarget' + _links: + $ref: '#/components/schemas/LinksSelf' + ProfileMapping: + description: >- + The profile mapping object describes a mapping between an Okta user's + and an app user's properties using [JSON Schema Draft + 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). + + + > **Note:** Same type source/target mappings aren't supported by this + API. Profile mappings must be between Okta and an app. + + properties: + id: + type: string + description: Unique identifier for a profile mapping + readOnly: true + properties: + + $ref: '#/components/schemas/ProfileMappingProperty' + readOnly: false + source: + $ref: '#/components/schemas/ProfileMappingSource' + target: + $ref: '#/components/schemas/ProfileMappingTarget' + _links: + $ref: '#/components/schemas/LinksSelf' + + ProfileMappingRequest: + description: The updated request body properties + + properties: + properties: + + $ref: '#/components/schemas/ProfileMappingProperty' + + required: + - properties + - expression + - pushStatus + ProfileMappingSource: + description: >- + The parameter is the source of a profile mapping and is a valid [JSON + Schema Draft + 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04) + document with the following properties. The data type can be an app + instance or an Okta object. + + + > **Note:** If the source is Okta and the UserTypes feature isn't + enabled, then the source `_links` only has a link to the schema. 
+ + properties: + id: + type: string + description: Unique identifier for the application instance or userType + readOnly: true + name: + type: string + description: >- + Variable name of the application instance or name of the referenced + UserType + readOnly: true + type: + type: string + description: Type of user referenced in the mapping + readOnly: true + _links: + $ref: '#/components/schemas/SourceLinks' + ProfileMappingTarget: + description: >- + The parameter is the target of a profile mapping and is a valid [JSON + Schema Draft + 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04) + document with the following properties. The data type can be an app + instance or an Okta object. + + > **Note:** If the target is Okta and the UserTypes feature isn't enabled, then the target `_links` only has a link to the schema. + + properties: + id: + type: string + description: Unique identifier for the application instance or UserType + readOnly: true + name: + type: string + description: >- + Variable name of the application instance or name of the referenced + userType + readOnly: true + type: + type: string + description: Type of user referenced in the mapping + readOnly: true + _links: + $ref: '#/components/schemas/SourceLinks' + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + Error: + title: Error + + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. 
This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + ProfileMappingProperty: + description: >- + A target property, in string form, that maps to a valid [JSON Schema + Draft](https://tools.ietf.org/html/draft-zyp-json-schema-04) document. + + properties: + expression: + description: >- + Combination or single source properties that are mapped to the + target property. See [Okta Expression + Language](https://developer.okta.com/docs/reference/okta-expression-language/). + type: string + pushStatus: + $ref: '#/components/schemas/ProfileMappingPropertyPushStatus' + SourceLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - + properties: + schema: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The associated schema + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + ErrorCause: + + properties: + errorSummary: + type: string + ProfileMappingPropertyPushStatus: + description: >- + Indicates whether to update target properties for user create and update + or just for user create. + + + - Having a pushStatus of `PUSH` causes properties in the target to be + updated on create and update. + + - Having a pushStatus of `DONT_PUSH` causes properties in the target to + be updated only on create. 
+ type: string + enum: + - DONT_PUSH + - PUSH + HrefObject: + title: Link Object + additionalProperties: true + + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + parameters: + pathMappingId: + name: mappingId + description: '`id` of the Mapping' + in: path + required: true + schema: + type: string + example: cB6u7X8mptebWkffatKA + examples: + ListMappingsResponse: + summary: List all profile mappings response + value: + - id: 
prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + RetrieveMappingsResponse: + summary: Retrieve a single profile mapping + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + firstName: + expression: user.firstName + pushStatus: PUSH + lastName: + expression: user.lastName + pushStatus: PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + + AddMappingBody: + summary: Update an existing profile mapping by adding one or more properties + value: + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.nickName + pushStatus: PUSH + + UpdateMappingBody: + summary: Update an existing profile mapping by updating one or more properties + value: + properties: + nickName: + expression: user.honorificPrefix + user.displayName + pushStatus: DONT_PUSH + + RemoveMappingBody: + summary: Update an 
existing profile mapping by removing one or more properties + value: + properties: + nickName: + expression: null + pushStatus: null + + AddMappingResponse: + summary: Update an existing profile mapping by adding one or more properties + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.nickName + pushStatus: PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + + UpdateMappingResponse: + summary: Update an existing profile mapping by updating one or more properties + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + nickName: + expression: user.honorificPrefix + user.displayName + pushStatus: DONT_PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + + RemoveMappingResponse: + summary: Update 
an existing profile mapping by removing one or more properties + value: + id: prm1k47ghydIQOTBW0g4 + source: + id: otysbePhQ3yqt4cVv0g3 + name: user + type: user + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 + target: + id: 0oa1qmn4LZQQEH0wZ0g4 + name: okta_org2org + type: appuser + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default + properties: + fullName: + expression: user.firstName + user.lastName + pushStatus: PUSH + _links: + self: + href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 + + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + x-stackQL-resources: + profile_mappings: + id: okta.mappings.profile_mappings + name: profile_mappings + title: Profile Mappings + methods: + list_profile_mappings: + operation: + $ref: '#/paths/~1api~1v1~1mappings/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_profile_mapping: + operation: + $ref: '#/paths/~1api~1v1~1mappings~1{mappingId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_profile_mapping: + operation: + $ref: '#/paths/~1api~1v1~1mappings~1{mappingId}/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/profile_mappings/methods/list_profile_mappings + - $ref: >- + #/components/x-stackQL-resources/profile_mappings/methods/get_profile_mapping + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/profile_mappings/methods/update_profile_mapping + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/meta.yaml b/providers/src/okta/v00.00.00000/services/meta.yaml new file mode 100644 index 00000000..635bac88 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/meta.yaml 
@@ -0,0 +1,3537 @@ +openapi: 3.0.3 +info: + title: meta API + description: okta meta API + version: 5.1.0 +paths: + /api/v1/meta/schemas/apps/{appId}/default: + get: + x-okta-iam-permissions: + - okta.apps.read + - okta.apps.manage + x-okta-iam-admin-roles: + - API_ACCESS_MANAGEMENT_ADMIN + - READ_ONLY_ADMIN + - MOBILE_ADMIN + - ORG_ADMIN + - APP_ADMIN + summary: Retrieve the default app user schema for an app + description: >- + Retrieves the default schema for an app user. + + + The [User + Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) + feature does not extend to apps. All users assigned to a given app use + the same app user schema. Therefore, unlike the user schema operations, + the app user schema operations all specify `default` and don't accept a + schema ID. + operationId: getApplicationUserSchema + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/UserSchema' + examples: + Response with a subset of properties for brevity: + $ref: '#/components/examples/DefaultAppUserSchemaResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.schemas.read + tags: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + x-okta-iam-permissions: + - okta.apps.manage + x-okta-iam-admin-roles: + - API_ACCESS_MANAGEMENT_ADMIN + - APP_ADMIN + summary: Update the app user profile schema for an app + description: >- + Updates the app user schema. This updates, adds, or removes one or more + custom profile properties or the nullability of a base property in the + app user schema for an app. 
Changing a base property's nullability (for + example, the value of its `required` field) is allowed only if it is + nullable in the default predefined schema for the app. + + + > **Note:** You must set properties explicitly to `null` to remove them + from the schema; otherwise, `POST` is interpreted as a partial update. + + + The [User + Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) + feature does not extend to apps. All users assigned to a given app use + the same app user schema. Therefore, unlike the user schema operations, + the app user schema operations all specify `default` and don't accept a + schema ID. + operationId: updateApplicationUserProfile + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserSchema' + examples: + Add a custom property to the app user schema: + $ref: '#/components/examples/AppUserSchemaAddRequest' + required: false + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/UserSchema' + examples: + Response with a subset of properties for brevity: + $ref: '#/components/examples/AppUserSchemaResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.schemas.manage + tags: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathAppId' + /api/v1/meta/schemas/group/default: + get: + x-okta-iam-permissions: + - okta.apps.manage + x-okta-iam-admin-roles: + - API_ACCESS_MANAGEMENT_ADMIN + - APP_ADMIN + - ORG_ADMIN + summary: Retrieve the default group schema + description: >- + 
Retrieves the group schema + + + The [User + Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) + feature does not extend to groups. All groups use the same group schema. + Unlike user schema operations, group schema operations all specify + `default` and don't accept a schema ID. + operationId: getGroupSchema + parameters: [] + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/GroupSchema' + examples: + Response with a subset of properties for brevity: + $ref: '#/components/examples/GroupSchemaResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.schemas.read + tags: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + x-okta-iam-permissions: + - okta.apps.manage + x-okta-iam-admin-roles: + - API_ACCESS_MANAGEMENT_ADMIN + - APP_ADMIN + - ORG_ADMIN + summary: Update the group profile schema + description: >- + Updates the group profile schema. This updates, adds, or removes one or + more custom profile properties in a group schema. Currently Okta does + not support changing base group profile properties. + + + > **Note:** You must set properties explicitly to `null` to remove them + from the schema; otherwise, `POST` is interpreted as a partial update. + + + The [User + Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) + feature does not extend to groups. All groups use the same group schema. + Unlike user schema operations, group schema operations all specify + `default` and don't accept a schema ID. 
+ operationId: updateGroupSchema + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GroupSchema' + examples: + Add a custom property to the group schema: + $ref: '#/components/examples/GroupSchemaAddRequest' + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/GroupSchema' + example: + Response with a subset of properties for brevity: + $ref: '#/components/examples/GroupSchemaResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.schemas.manage + tags: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/schemas/logStream: + get: + x-okta-iam-admin-roles: + - SUPER_ADMIN + summary: List the log stream schemas + description: Lists the schema for all log stream types visible for this org + operationId: listLogStreamSchemas + responses: + '200': + description: successful operation + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/LogStreamSchema' + examples: + All log stream schemas for your org: + $ref: '#/components/examples/LogStreamSchemaList' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logStreams.read + tags: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + /api/v1/meta/schemas/logStream/{logStreamType}: + get: + x-okta-iam-admin-roles: + - SUPER_ADMIN + summary: Retrieve the log stream schema for the schema type + description: >- + Retrieves the schema for a log stream type. 
The `logStreamType` element + in the URL specifies the log stream type, which is either + `aws_eventbridge` or `splunk_cloud_logstreaming`. Use the + `aws_eventbridge` literal to retrieve the AWS EventBridge type schema, + and use the `splunk_cloud_logstreaming` literal retrieve the Splunk + Cloud type schema. + operationId: getLogStreamSchema + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/LogStreamSchema' + examples: + Schema for type `aws_eventbridge`: + $ref: '#/components/examples/LogStreamSchemaAws' + Schema for type `splunk_cloud_logstreaming`: + $ref: '#/components/examples/LogStreamSchemaSplunk' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.logStreams.read + tags: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathLogStreamType' + /api/v1/meta/schemas/user/linkedObjects: + get: + x-okta-iam-permissions: + - okta.apps.manage + x-okta-iam-admin-roles: + - API_ACCESS_MANAGEMENT_ADMIN + - APP_ADMIN + - ORG_ADMIN + summary: List all linked object definitions + description: Lists all Linked Object definitions + operationId: listLinkedObjectDefinitions + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/LinkedObject' + examples: + ListLinkedObjectsEx: + $ref: '#/components/examples/ListLinkedObjects' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.linkedObjects.read + tags: + - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + 
x-okta-iam-permissions: + - okta.apps.manage + x-okta-iam-admin-roles: + - API_ACCESS_MANAGEMENT_ADMIN + - APP_ADMIN + - ORG_ADMIN + summary: Create a linked object definition + description: Creates a Linked Object definition + operationId: createLinkedObjectDefinition + x-codegen-request-body-name: linkedObject + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/LinkedObject' + examples: + CreateLinkedObjectRequestEx: + $ref: '#/components/examples/CreateLinkedObjectRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/LinkedObject' + examples: + CreateLinkedObjectResponseEx: + $ref: '#/components/examples/CreateLinkedObjectResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '409': + description: Conflict + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ErrorInvalidLinkedObjectDefEx: + $ref: '#/components/examples/ErrorInvalidLinkedObjectDef' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.linkedObjects.manage + tags: + - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/schemas/user/linkedObjects/{linkedObjectName}: + get: + summary: Retrieve a linked object definition + description: Retrieves a Linked Object definition + operationId: getLinkedObjectDefinition + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/LinkedObject' + examples: + CreateLinkedObjectResponseEx: + $ref: '#/components/examples/CreateLinkedObjectResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - 
apiToken: [] + - oauth2: + - okta.linkedObjects.read + tags: + - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + x-okta-iam-permissions: + - okta.apps.manage + x-okta-iam-admin-roles: + - API_ACCESS_MANAGEMENT_ADMIN + - APP_ADMIN + - ORG_ADMIN + summary: Delete a linked object definition + description: >- + Deletes the Linked Object definition specified by either the `primary` + or `associated` name. The entire definition is removed, regardless of + which name that you specify. + operationId: deleteLinkedObjectDefinition + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.linkedObjects.manage + tags: + - LinkedObject + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathLinkedObjectName' + /api/v1/meta/schemas/user/{schemaId}: + get: + x-okta-iam-permissions: + - okta.apps.manage + x-okta-iam-admin-roles: + - API_ACCESS_MANAGEMENT_ADMIN + - APP_ADMIN + - ORG_ADMIN + summary: Retrieve a user schema + description: Retrieves the schema for a user type + operationId: getUserSchema + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserSchema' + examples: + Response with a subset of properties for brevity: + $ref: '#/components/examples/UserSchemaResponse' + Response using default with a subset of properties for brevity: + $ref: '#/components/examples/UserSchemaDefaultResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.schemas.read + tags: + - Schema 
+ x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + x-okta-iam-admin-roles: + - API_ACCESS_MANAGEMENT_ADMIN + - ORG_ADMIN + - APP_ADMIN + summary: Update a user schema + description: >- + Updates a user schema. Use this request to update, add, or remove one or + more profile properties in a user schema. If you specify `default` for + the `schemaId`, updates will apply to the default user type. + + + Unlike custom user profile properties, limited changes are allowed to + base user profile properties (permissions, nullability of the + `firstName` and `lastName` properties, or pattern for `login`). + + You can't remove a property from the default schema if it's being + referenced as a + [`matchAttribute`](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/subject/matchAttribute&t=request) + in `SAML2` IdPs. + + Currently, all validation of SAML assertions are only performed against + the default user type. + + + > **Note:** You must set properties explicitly to `null` to remove them + from the schema; otherwise, `POST` is interpreted as a partial update. 
+ operationId: updateUserProfile + x-codegen-request-body-name: userSchema + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserSchema' + examples: + Add a custom property to the user schema: + $ref: '#/components/examples/UserSchemaAddRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserSchema' + examples: + Response with a subset of properties for brevity: + $ref: '#/components/examples/UserSchemaResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.schemas.manage + tags: + - Schema + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathSchemaId' + /api/v1/meta/types/user: + get: + summary: List all user types + description: Lists all user types in your org + operationId: listUserTypes + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserType' + examples: + ListsAllUserTypes: + $ref: '#/components/examples/ListsAllUserTypes' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userTypes.read + tags: + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a user type + description: >- + Creates a new user type. Okta automatically creates a `default` user + type for your org. You may add up to nine additional user types. + + > **Note**: New user types are based on the current default schema + template. 
Modifications to this schema do not automatically propagate to + previously created user types. + operationId: createUserType + x-codegen-request-body-name: userType + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserType' + examples: + CreateUserRequest: + $ref: '#/components/examples/CreateUserRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserType' + examples: + CreateUserResponse: + $ref: '#/components/examples/CreateUserResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userTypes.manage + tags: + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/meta/types/user/{typeId}: + get: + summary: Retrieve a user type + description: >- + Retrieves a user type by ID. Use `default` to fetch the default user + type. + operationId: getUserType + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserType' + examples: + GetUserResponse: + $ref: '#/components/examples/GetUserResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userTypes.read + tags: + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update a user type + description: >- + Updates an existing user type. This operation is a partial update. + + > **Note**: You can only update the `displayName` and `description` + elements. The `name` of an existing user type can't be changed. 
+ operationId: updateUserType + x-codegen-request-body-name: userType + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserTypePostRequest' + examples: + UpdateUserTypePostRequest: + $ref: '#/components/examples/UpdateUserTypePostRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserType' + examples: + UpdateUserTypePutRequest: + $ref: '#/components/examples/UpdateUserTypePostResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userTypes.manage + tags: + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a user type + description: >- + Replaces an existing user type. This operation is a full update. + + > **Note**: The `name` of an existing user type can't be changed, but + must be part of the request body. You can only replace the `displayName` + and `description` elements. 
+ operationId: replaceUserType + x-codegen-request-body-name: userType + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserTypePutRequest' + examples: + ReplaceUserTypePutRequest: + $ref: '#/components/examples/ReplaceUserTypePutRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserType' + examples: + ReplaceUserTypePutResponse: + $ref: '#/components/examples/ReplaceUserTypePutResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userTypes.manage + tags: + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a user type + description: >- + Deletes a user type permanently. + + > **Note**: You can't delete the default user type or a user type that + is currently assigned to users. 
+ operationId: deleteUserType + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userTypes.manage + tags: + - UserType + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathTypeId' + /api/v1/meta/uischemas: + get: + summary: List all UI schemas + description: Lists all UI Schemas in your org + operationId: listUISchemas + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UIISchemaList: + summary: Lists all UI schemas response + $ref: '#/components/examples/ListUISchemaResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.uischemas.read + tags: + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a UI schema + description: Creates an input for an enrollment form + operationId: createUISchema + x-codegen-request-body-name: uischemabody + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateUISchema' + examples: + UISchemaCreate: + $ref: '#/components/examples/CreateUISchemaBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UISchemaCreate: + $ref: '#/components/examples/CreateUISchemaResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.uischemas.manage + tags: + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/meta/uischemas/{id}: + get: + summary: Retrieve a UI schema + description: Retrieves a UI Schema by `id` + operationId: getUISchema + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UISchemaRetrieve: + summary: Retrieves a UI schema response + $ref: '#/components/examples/RetrieveUISchemaResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.uischemas.read + tags: + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a UI schema + description: Replaces a UI Schema by `id` + operationId: replaceUISchemas + x-codegen-request-body-name: updateUISchemaBody + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateUISchema' + examples: + UISchemaPUT: + $ref: '#/components/examples/CreateUISchemaBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UISchemasResponseObject' + examples: + UISchemaUpdate: + $ref: '#/components/examples/CreateUISchemaResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.uischemas.manage + tags: + - UISchema + 
x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a UI schema + description: Deletes a UI Schema by `id` + operationId: deleteUISchemas + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.uischemas.manage + tags: + - UISchema + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/UISchemaId' +components: + schemas: + UserSchema: + type: object + properties: + $schema: + type: string + readOnly: true + description: JSON schema version identifier + created: + type: string + readOnly: true + description: Timestamp when the schema was created + definitions: + allOf: + - $ref: '#/components/schemas/UserSchemaDefinitions' + description: >- + User profile subschemas + + + The profile object for a user is defined by a composite schema of + base and custom properties using a JSON path to reference + subschemas. The `#base` properties are defined and versioned by + Okta, while `#custom` properties are extensible. Custom property + names for the profile object must be unique and can't conflict with + a property name defined in the `#base` subschema. 
+ id: + type: string + readOnly: true + description: URI of user schema + lastUpdated: + type: string + readOnly: true + description: Timestamp when the schema was last updated + name: + type: string + readOnly: true + description: Name of the schema + properties: + allOf: + - $ref: '#/components/schemas/UserSchemaProperties' + description: User Object Properties + title: + type: string + description: User-defined display name for the schema + type: + type: string + readOnly: true + description: >- + Type of [root + schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4) + _links: + $ref: '#/components/schemas/LinksSelf' + GroupSchema: + type: object + properties: + $schema: + readOnly: true + type: string + description: JSON schema version identifier + created: + readOnly: true + type: string + description: Timestamp when the schema was created + definitions: + $ref: '#/components/schemas/GroupSchemaDefinitions' + description: + type: string + description: Description for the schema + id: + readOnly: true + type: string + description: URI of group schema + lastUpdated: + readOnly: true + type: string + description: Timestamp when the schema was last updated + name: + readOnly: true + type: string + description: Name of the schema + properties: + $ref: '#/components/schemas/UserSchemaProperties' + description: Group object properties + title: + type: string + description: User-defined display name for the schema + type: + readOnly: true + type: string + description: >- + Type of [root + schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4) + _links: + $ref: '#/components/schemas/LinksSelf' + x-okta-allow-null-property-value-for-updates: true + LogStreamSchema: + type: object + properties: + $schema: + type: string + readOnly: true + description: JSON schema version identifier + errorMessage: + type: object + description: >- + A collection of error messages for individual properties in the + schema. 
Okta implements a subset of + [ajv-errors](https://github.com/ajv-validator/ajv-errors). + id: + type: string + readOnly: true + description: URI of log stream schema + oneOf: + items: + $ref: '#/components/schemas/UserSchemaAttributeEnum' + type: array + nullable: true + description: >- + Non-empty array of valid JSON schemas. + + + Okta only supports `oneOf` for specifying display names for an + `enum`. Each schema has the following format: + + + ``` + + { + "const": "enumValue", + "title": "display name" + } + + ``` + pattern: + type: string + description: >- + For `string` log stream schema property type, specifies the regular + expression used to validate the property + properties: + type: object + description: log stream schema properties object + required: + type: array + items: + type: string + description: Required properties for this log stream schema object + title: + type: string + description: Name of the log streaming integration + type: + type: string + readOnly: true + description: Type of log stream schema property + _links: + $ref: '#/components/schemas/LinksSelf' + LinkedObject: + title: LinkedObject + type: object + properties: + associated: + $ref: '#/components/schemas/LinkedObjectDetails' + primary: + $ref: '#/components/schemas/LinkedObjectDetails' + _links: + $ref: '#/components/schemas/LinkedObjectLinksSelf' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ UserType: + type: object + properties: + created: + type: string + format: date-time + description: A timestamp from when the user type was created + readOnly: true + createdBy: + type: string + description: The user ID of the account that created the user type + readOnly: true + default: + type: boolean + description: A boolean value to indicate if this is the default user type + readOnly: true + description: + type: string + description: The human-readable description of the user type + displayName: + type: string + description: The human-readable name of the user type + id: + type: string + description: The unique key for the user type + readOnly: true + lastUpdated: + type: string + format: date-time + description: A timestamp from when the user type was most recently updated + readOnly: true + lastUpdatedBy: + type: string + description: The user ID of the most recent account to edit the user type + readOnly: true + name: + type: string + description: >- + The name of the user type. The name must start with A-Z or a-z and + contain only A-Z, a-z, 0-9, or underscore (_) characters. This value + becomes read-only after creation and can't be updated. 
+ _links: + $ref: '#/components/schemas/UserTypeLinks' + required: + - name + - displayName + UserTypePostRequest: + type: object + properties: + description: + type: string + description: The updated human-readable description of the user type + displayName: + type: string + description: The updated human-readable display name for the user type + UserTypePutRequest: + type: object + properties: + description: + type: string + description: The human-readable description of the user type + displayName: + type: string + description: The human-readable name of the user type + name: + type: string + description: The name of the existing type + required: + - name + - displayName + - description + UISchemasResponseObject: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the UI Schema was created (ISO 86001) + readOnly: true + id: + type: string + description: Unique identifier for the UI Schema + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the UI Schema was last modified (ISO 86001) + readOnly: true + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - id + - uiSchema + - created + - lastUpdated + - _links + CreateUISchema: + description: The request body properties for the new UI Schema + type: object + properties: + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + UpdateUISchema: + description: The updated request body properties + type: object + properties: + uiSchema: + $ref: '#/components/schemas/UISchemaObject' + UserSchemaDefinitions: + type: object + properties: + base: + $ref: '#/components/schemas/UserSchemaBase' + custom: + $ref: '#/components/schemas/UserSchemaPublic' + UserSchemaProperties: + type: object + properties: + profile: + $ref: '#/components/schemas/UserSchemaPropertiesProfile' + LinksSelf: + description: >- + Specifies link relations (see [Web + 
Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + GroupSchemaDefinitions: + type: object + properties: + base: + $ref: '#/components/schemas/GroupSchemaBase' + custom: + $ref: '#/components/schemas/GroupSchemaCustom' + UserSchemaAttributeEnum: + type: object + properties: + const: + type: string + description: The enumerated value + title: + type: string + description: The display label for the enumerated value + LogStreamType: + description: >- + Specifies the streaming provider used + + + Supported providers: + * `aws_eventbridge` ([AWS EventBridge](https://aws.amazon.com/eventbridge)) + * `splunk_cloud_logstreaming` ([Splunk Cloud](https://www.splunk.com/en_us/software/splunk-cloud-platform.html)) + + Select the provider type to see provider-specific configurations in the + `settings` property: + type: string + enum: + - aws_eventbridge + - splunk_cloud_logstreaming + LinkedObjectDetails: + title: LinkedObjectDetails + type: object + properties: + description: + type: string + description: Description of the `primary` or the `associated` relationship + name: + type: string + description: >- + API name of the `primary` or the `associated` link. The `name` + parameter can't start with a number and can only contain the + following characters: `a-z`, `A-Z`,` 0-9`, and `_`. 
+ title: + type: string + description: Display name of the `primary` or the `associated` link + type: + $ref: '#/components/schemas/LinkedObjectDetailsType' + required: + - name + - title + - type + LinkedObjectLinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/LinkedHrefObject' + ErrorCause: + type: object + properties: + errorSummary: + type: string + UserTypeLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + schema: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: The associated schema + UISchemaObject: + description: Properties of the UI schema + type: object + properties: + buttonLabel: + type: string + description: >- + Specifies the button label for the `Submit` button at the bottom of + the enrollment form + default: Submit + elements: + $ref: '#/components/schemas/UIElement' + label: + type: string + description: Specifies the label at the top of the enrollment form under the logo + default: Sign in + type: + type: string + description: Specifies the type of layout + UserSchemaBase: + description: >- + All Okta-defined profile properties are defined in a profile subschema + with the resolution scope `#base`. You can't modify these properties, + except to update permissions, to change the nullability of `firstName` + and `lastName`, or to specify a pattern for `login`. They can't be + removed. 
+ + + The base user profile is based on the [System for Cross-domain Identity + Management: Core + Schema](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#section-4.1.1) + and has the standard properties detailed below. + type: object + properties: + id: + type: string + description: The subschema name + readOnly: true + properties: + description: The `#base` object properties + allOf: + - $ref: '#/components/schemas/UserSchemaBaseProperties' + required: + type: array + description: A collection indicating required property names + readOnly: true + items: + type: string + type: + type: string + description: The object type + readOnly: true + UserSchemaPublic: + description: >- + All custom profile properties are defined in a profile subschema with + the resolution scope `#custom`. + + + > **Notes:** + + > * When you refer to custom profile attributes that differ only by + case, name collisions occur. This includes naming custom profile + attributes the same as base profile attributes, for example, `firstName` + and `FirstName`. + + > * Certain attributes are reserved and can't be used for custom user + profiles. See [Review reserved + attributes](https://help.okta.com/okta_help.htm?type=oie&id=reserved-attributes). 
+ type: object + properties: + id: + type: string + description: The subschema name + readOnly: true + properties: + type: object + description: The `#custom` object properties + additionalProperties: + $ref: '#/components/schemas/UserSchemaAttribute' + required: + type: array + description: A collection indicating required property names + readOnly: true + items: + type: string + type: + type: string + description: The object type + readOnly: true + UserSchemaPropertiesProfile: + type: object + properties: + allOf: + type: array + items: + $ref: '#/components/schemas/UserSchemaPropertiesProfileItem' + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + GroupSchemaBase: + type: object + properties: + id: + readOnly: true + type: string + description: The subschema name + properties: + description: The `#base` object properties + allOf: + - $ref: '#/components/schemas/GroupSchemaBaseProperties' + required: + items: + type: string + type: array + description: A collection indicating required property names + readOnly: true + type: + description: The object type + type: string + readOnly: true + GroupSchemaCustom: + description: >- + All custom profile properties are defined in a profile subschema with + the resolution scope `#custom` + type: object + properties: + id: + readOnly: true + type: string + description: The subschema name + properties: + additionalProperties: + $ref: '#/components/schemas/GroupSchemaAttribute' + type: object + description: The `#custom` object properties + required: + items: + type: string + type: array + description: A collection indicating required property names + readOnly: true + type: + type: string + description: The object type + readOnly: true + LinkedObjectDetailsType: + description: The object type for this relationship + type: string + enum: + - USER + x-enumDescriptions: + USER: Specifies the type of object + LinkedHrefObject: + title: Link Object + 
additionalProperties: true + type: object + properties: + href: + type: string + description: Link URI + required: + - href + readOnly: true + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + UIElement: + description: Specifies the configuration of an input field on an enrollment form + type: object + properties: + label: + type: string + description: Label name for the UI element + options: + type: object + description: UI Schema element options object + properties: + format: + type: string + description: Specifies how the input appears + enum: + - text + - radio + - select + - checkbox + - radio_yes_no + - radio_true_false + x-enumDescriptions: + text: The default format for the majority of property types + radio: >- + Radio button options. This option is only available for + `string` data types with an `enum` or `one of` constraint. + select: >- + Displays input as a dropdown list. This option is only + available for the `country-code` data type or a string data + type with an enum or one of constraint. + checkbox: >- + Displays input as a checkbox. This option is only available + for Boolean data types. + radio_yes_no: >- + Displays input as two radio buttons, one with the option `yes` + and the other `no`. This option is only available for Boolean + data types. + radio_true_false: >- + Displays input as two radio buttons, one with the option + `true` and the other `false`. This option is only available + for Boolean data types. 
+ scope: + type: string + description: >- + Specifies the property bound to the input field. It must follow the + format `#/properties/PROPERTY_NAME` where `PROPERTY_NAME` is a + variable name for an attribute in `profile editor`. + type: + type: string + description: >- + Specifies the relationship between this input element and `scope`. + The `Control` value specifies that this input controls the value + represented by `scope`. + UserSchemaBaseProperties: + type: object + properties: + city: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: City or locality component of the user's address (`locality`) + costCenter: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of a cost center assigned to the user + countryCode: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: >- + Country name component of the user's address (`country`.) This + property uses [ISO 3166-1 alpha 2 "short" code + format](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166). + department: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the user's department + displayName: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the user, suitable for display to end users + division: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the user's division + email: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: >- + Primary email address of the user. This property is formatted + according to [RFC 5322 Section + 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
+ employeeNumber: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Organization or company assigned unique identifier for the user + firstName: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Given name of the user (`givenName`) + honorificPrefix: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Honorific prefix(es) of the user or title in most Western languages + honorificSuffix: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Honorific suffix(es) of the user + lastName: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Family name of the user (`familyName`) + locale: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: >- + User's default location for purposes of localizing items such as + currency, date time format, numerical representations, and so on. + + + A locale value is a concatenation of the ISO 639-1 two-letter + language code, an underscore, and the ISO 3166-1 two-letter country + code. For example: `en_US` specifies the language English and + country US. This value is `en_US` by default. + login: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: >- + Unique identifier for the user (`userName`) + + + The login property is validated according to its pattern attribute, + which is a string. By default, the attribute is null. When the + attribute is null, the username is required to be formatted as an + email address as defined by [RFC 6531 Section + 3.3](http://tools.ietf.org/html/rfc6531#section-3.3). The pattern + can be set through the API to one of the following forms. (The Admin + Console provides access to the same forms.) + * A login pattern of `".+"` indicates that there is no restriction on usernames. Any non-empty, unique value is permitted, and the minimum length of five isn't enforced. In this case, usernames don't need to include the `@` character. 
If a name does include `@`, the portion ahead of the `@` can be used for logging in, provided it identifies a unique user within the org. + * A login pattern of the form `"[...]+"` indicates that usernames must only contain characters from the set given between the brackets. The enclosing brackets and final `+` are required for this form. Character ranges can be indicated using hyphens. To include the hyphen itself in the allowed set, the hyphen must appear first. Any characters in the set except the hyphen, a-z, A-Z, and 0-9 must be preceded by a backslash (`\`). For example, `"[a-z13579\.]+"` would restrict usernames to lowercase letters, odd digits, and periods, while `"[-a-zA-Z0-9]+"` would allow basic alphanumeric characters and hyphens. + manager: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: The `displayName` of the user's manager + managerId: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: The `id` of the user's manager + middleName: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Middle name(s) of the user + mobilePhone: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Mobile phone number of the user + nickName: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Casual way to address the user in real life + organization: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Name of the user's organization + postalAddress: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Mailing address component of the user's address + preferredLanguage: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: >- + User's preferred written or spoken languages. This property is + formatted according to [RFC 7231 Section + 5.3.5](https://tools.ietf.org/html/rfc7231#section-5.3.5). 
+ primaryPhone: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Primary phone number of the user, such as home number + profileUrl: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: >- + URL of the user's online profile (for example, a web page.) This + property is formatted according to the [Relative Uniform Resource + Locators + specification](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166). + secondEmail: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: >- + Secondary email address of the user typically used for account + recovery. This property is formatted according to [RFC 5322 Section + 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). + state: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: State or region component of the user's address (`region`) + streetAddress: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: Full street address component of the user's address + timezone: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: >- + User's time zone. This property is formatted according to the [IANA + Time Zone database format](https://tools.ietf.org/html/rfc6557). + title: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: User's title, such as "Vice President" + userType: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: >- + Used to describe the organization to the user relationship such as + "Employee" or "Contractor". + + + **Note:** The `userType` field is an arbitrary string value and + isn't related to the newer [User + Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) + feature. 
+ zipCode: + allOf: + - $ref: '#/components/schemas/UserSchemaAttribute' + description: >- + ZIP code or postal code component of the user's address + (`postalCode`) + UserSchemaAttribute: + type: object + properties: + default: + oneOf: + - type: string + - type: boolean + - type: integer + - type: array + - type: object + - type: number + description: >- + If specified, assigns the value as the default value for the custom + attribute. This is a nullable property. If you don't specify a value + for this custom attribute during user creation or update, the + `default` is used instead of setting the value to `null` or empty. + description: + type: string + description: Description of the property + enum: + type: array + nullable: true + description: >- + Enumerated value of the property. + + + The value of the property is limited to one of the values specified + in the enum definition. The list of values for the enum must consist + of unique elements. + items: + anyOf: + - type: string + - type: integer + externalName: + type: string + description: >- + Name of the property as it exists in an external application + + + **NOTE**: When you add a custom property, only Identity Provider app + user schemas require `externalName` to be + + included in the request body. If an existing custom Identity + Provider app user schema property has an empty + + `externalName`, requests aren't allowed to update other properties + until the `externalName` is defined. 
+ externalNamespace: + type: string + description: Namespace from the external application + format: + description: Identifies the type of data represented by the string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeFormat' + master: + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMaster' + description: Identifies where the property is mastered + maxLength: + type: integer + description: Maximum character length of a string property + nullable: true + minLength: + type: integer + description: Minimum character length of a string property + nullable: true + mutability: + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString' + description: Defines the mutability of the property + oneOf: + type: array + nullable: true + description: >- + Non-empty array of valid JSON schemas. + + + The `oneOf` key is only supported in conjunction with `enum` and + provides a mechanism to return a display name for the `enum` + value.
+ + Each schema has the following format: + + + ``` + + { + "const": "enumValue", + "title": "display name" + } + + ``` + + + When `enum` is used in conjunction with `oneOf`, you must keep the + set of enumerated values and their order.
+ + For example: + + + ``` + + "enum": ["S","M","L","XL"], + + "oneOf": [ + {"const": "S", "title": "Small"}, + {"const": "M", "title": "Medium"}, + {"const": "L", "title": "Large"}, + {"const": "XL", "title": "Extra Large"} + ] + ``` + items: + $ref: '#/components/schemas/UserSchemaAttributeEnum' + pattern: + type: string + description: >- + For `string` property types, specifies the regular expression used + to validate the property + permissions: + type: array + nullable: true + description: Access control permissions for the property + items: + $ref: '#/components/schemas/UserSchemaAttributePermission' + required: + type: boolean + nullable: true + description: Determines whether the property is required + scope: + $ref: '#/components/schemas/UserSchemaAttributeScope' + title: + type: string + minLength: 1 + description: User-defined display name for the property + type: + description: Type of property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeType' + unique: + description: Determines whether property values must be unique + type: boolean + nullable: true + x-okta-allow-null-property-value-for-updates: true + UserSchemaPropertiesProfileItem: + type: object + properties: + $ref: + type: string + GroupSchemaBaseProperties: + description: >- + All Okta-defined profile properties are defined in a profile subschema + with the resolution scope `#base`. These properties can't be removed or + edited, regardless of any attempt to do so. 
+ type: object + properties: + description: + description: Human readable description of the group + allOf: + - $ref: '#/components/schemas/GroupSchemaAttribute' + name: + description: Unique identifier for the group + allOf: + - $ref: '#/components/schemas/GroupSchemaAttribute' + GroupSchemaAttribute: + type: object + properties: + description: + type: string + description: Description of the property + enum: + items: + anyOf: + - type: string + - type: integer + type: array + nullable: true + description: >- + Enumerated value of the property. + + + The value of the property is limited to one of the values specified + in the enum definition. The list of values for the enum must consist + of unique elements. + externalName: + type: string + description: Name of the property as it exists in an external application + externalNamespace: + type: string + description: Namespace from the external application + format: + description: Identifies the type of data represented by the string + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeFormat' + items: + $ref: '#/components/schemas/UserSchemaAttributeItems' + nullable: true + master: + description: Identifies where the property is mastered + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMaster' + maxLength: + type: integer + nullable: true + description: Maximum character length of a string property + minLength: + type: integer + nullable: true + description: Minimum character length of a string property + mutability: + description: Defines the mutability of the property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString' + oneOf: + items: + $ref: '#/components/schemas/UserSchemaAttributeEnum' + type: array + nullable: true + description: >- + Non-empty array of valid JSON schemas. + + + The `oneOf` key is only supported in conjunction with `enum` and + provides a mechanism to return a display name for the `enum` + value.
+ + Each schema has the following format: + + + ``` + + { + "const": "enumValue", + "title": "display name" + } + + ``` + + + When `enum` is used in conjunction with `oneOf`, you must keep the + set of enumerated values and their order.
+ + For example: + + + ``` + + "enum": ["S","M","L","XL"], + + "oneOf": [ + {"const": "S", "title": "Small"}, + {"const": "M", "title": "Medium"}, + {"const": "L", "title": "Large"}, + {"const": "XL", "title": "Extra Large"} + ] + ``` + permissions: + description: Access control permissions for the property + items: + $ref: '#/components/schemas/UserSchemaAttributePermission' + type: array + nullable: true + required: + type: boolean + nullable: true + description: Determines whether the property is required + scope: + description: >- + Determines whether a group attribute can be set at the individual or + group level + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeScope' + title: + type: string + minLength: 1 + description: User-defined display name for the property + type: + description: Type of property + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeType' + unique: + description: Determines whether property values must be unique + type: boolean + nullable: true + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + UserSchemaAttributeFormat: + type: string + enum: + - country-code + - date-time + - email + - encrypted + - hashed + - language-code + - locale + - ref-id + - timezone + - uri + UserSchemaAttributeMaster: + nullable: true + type: object + properties: + priority: + type: array + items: + $ref: '#/components/schemas/UserSchemaAttributeMasterPriority' + type: + $ref: '#/components/schemas/UserSchemaAttributeMasterType' + UserSchemaAttributeMutabilityString: + type: string + enum: + - IMMUTABLE + - READ_ONLY + - READ_WRITE + - WRITE_ONLY + UserSchemaAttributePermission: + type: object + properties: + action: + type: string + description: Determines whether the principal can view or modify the property + principal: + type: string + description: Security principal + UserSchemaAttributeScope: + type: string + 
enum: + - NONE + - SELF + UserSchemaAttributeType: + type: string + enum: + - array + - boolean + - integer + - number + - string + UserSchemaAttributeItems: + type: object + properties: + enum: + type: array + items: + type: string + oneOf: + type: array + items: + $ref: '#/components/schemas/UserSchemaAttributeEnum' + type: + type: string + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + UserSchemaAttributeMasterPriority: + type: object + properties: + type: + type: string + value: + type: string + UserSchemaAttributeMasterType: + type: string + enum: + - OKTA + - OVERRIDE + - PROFILE_MASTER + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + parameters: + pathAppId: + name: appId + description: Application ID + in: path + required: true + schema: + type: string + example: 0oafxqCAJWWGELFTYASJ + pathLogStreamType: + name: logStreamType + in: path + required: true + schema: + $ref: '#/components/schemas/LogStreamType' + pathLinkedObjectName: + name: linkedObjectName + description: Primary or Associated name + in: path + required: true + schema: + type: string + pathSchemaId: + name: schemaId + description: >- + Schema 
ID. You can also use `default` to refer to the default user type + schema. + in: path + required: true + schema: + type: string + pathTypeId: + name: typeId + in: path + required: true + schema: + type: string + description: The unique key for the user type + UISchemaId: + name: id + description: The unique ID of the UI Schema + in: path + required: true + schema: + type: string + example: uis4a7liocgcRgcxZ0g7 + examples: + DefaultAppUserSchemaResponse: + value: + id: https://{yourOktaDomain}/meta/schemas/apps/{appId}/default + $schema: http://json-schema.org/draft-04/schema# + name: Example app + title: Example app User + lastUpdated: '2015-09-05T10:40:45.000Z' + created: '2015-02-02T10:27:36.000Z' + definitions: + custom: + id: '#custom' + type: object + properties: {} + base: + id: '#base' + type: object + properties: + userName: + title: Username + type: string + required: true + scope: SELF + master: + type: PROFILE_MASTER + name: + title: Name + description: End-User's full name in displayable form. + type: string + scope: SELF + master: + type: PROFILE_MASTER + email: + title: Email + description: End-User's preferred email address. 
+ type: string + scope: SELF + master: + type: PROFILE_MASTER + required: + - userName + type: object + properties: + profile: + allOf: + - $ref: '#/definitions/base' + - $ref: '#/definitions/custom' + AppUserSchemaAddRequest: + value: + definitions: + custom: + id: '#custom' + type: object + properties: + salesforceUserName: + title: Salesforce username + externalName: salesforceUserName + description: User's username for Salesforce + type: string + required: false + minLength: 1 + maxLength: 20 + required: [] + AppUserSchemaResponse: + value: + id: >- + https://{yourOktaDomain}/meta/schemas/apps/0oa25gejWwdXNnFH90g4/default + $schema: http://json-schema.org/draft-04/schema# + name: Example app + title: Example app user + lastUpdated: '2017-07-18T23:18:43.000Z' + created: '2017-07-18T22:35:30.000Z' + definitions: + base: + id: '#base' + type: object + properties: + userName: + title: Username + type: string + required: true + scope: NONE + maxLength: 100 + required: + - userName + custom: + id: '#custom' + type: object + properties: + salesforceUserName: + title: Salesforce username + externalName: salesforceUserName + description: User's username for Salesforce + type: string + scope: NONE + minLength: 1 + maxLength: 20 + required: [] + type: object + properties: + profile: + allOf: + - $ref: '#/definitions/base' + - $ref: '#/definitions/custom' + GroupSchemaResponse: + value: + $schema: http://json-schema.org/draft-04/schema# + _links: + self: + href: https://{yourOktaDomain}/api/v1/meta/schemas/group/default + method: GET + rel: self + created: '2021-01-30T00:18:24.000Z' + definitions: + base: + id: '#base' + properties: {} + required: + - name + type: object + custom: + id: '#custom' + properties: + groupContact: + description: Group administrative contact + master: + type: PROFILE_MASTER + mutability: READ_WRITE + permissions: + - action: READ_WRITE + principal: SELF + scope: NONE + title: Group administrative contact + type: string + required: [] + type: 
object + description: Okta group profile template + id: https://{yourOktaDomain}/meta/schemas/group/default + lastUpdated: '2021-02-25T23:05:31.000Z' + name: group + properties: + profile: + allOf: + - $ref: '#/definitions/custom' + - $ref: '#/definitions/base' + title: Okta group + type: object + GroupSchemaAddRequest: + value: + definitions: + custom: + id: '#custom' + type: object + properties: + groupContact: + title: Group administrative contact + description: Group administrative contact + type: string + required: false + minLength: 1 + maxLength: 20 + permissions: + - principal: SELF + action: READ_WRITE + required: [] + LogStreamSchemaList: + value: + - $schema: https://json-schema.org/draft/2020-12/schema + $id: >- + http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge + title: AWS EventBridge + type: object + properties: + settings: + description: Configuration properties specific to AWS EventBridge + type: object + properties: + accountId: + title: AWS Account ID + description: Your Amazon AWS Account ID. + type: string + writeOnce: true + pattern: ^\d{12}$ + eventSourceName: + title: AWS Event Source Name + description: >- + An alphanumeric name (no spaces) to identify this event + source in AWS EventBridge. + type: string + writeOnce: true + pattern: ^[\.\-_A-Za-z0-9]{1,75}$ + region: + title: AWS Region + description: The destination AWS region for your system log events. + type: string + writeOnce: true + oneOf: + - title: US East (Ohio) + const: us-east-2 + - title: US East (N. Virginia) + const: us-east-1 + - title: US West (N. 
California) + const: us-west-1 + - title: US West (Oregon) + const: us-west-2 + - title: Canada (Central) + const: ca-central-1 + - title: Europe (Frankfurt) + const: eu-central-1 + - title: Europe (Ireland) + const: eu-west-1 + - title: Europe (London) + const: eu-west-2 + - title: Europe (Paris) + const: eu-west-3 + - title: Europe (Milan) + const: eu-south-1 + - title: Europe (Stockholm) + const: eu-north-1 + required: + - eventSourceName + - accountId + - region + errorMessage: + properties: + accountId: Account number must be 12 digits. + eventSourceName: >- + Event source name can use numbers, letters, the symbols ".", + "-" or "_". It must use fewer than 76 characters. + type: object + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + type: object + - $schema: https://json-schema.org/draft/2020-12/schema + id: >- + http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming + title: Splunk Cloud + type: object + properties: + settings: + description: Configuration properties specific to Splunk Cloud + type: object + properties: + host: + title: Host + description: >- + The domain for your Splunk Cloud instance without http or + https. For example: acme.splunkcloud.com + type: string + writeOnce: false + pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ + token: + title: HEC Token + description: The token from your Splunk Cloud HTTP Event Collector (HEC). + type: string + writeOnce: false + pattern: >- + [0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12} + required: + - host + - token + errorMessage: + properties: + host: >- + Host should be a domain without http or https. 
For example: + acme.splunkcloud.com + type: object + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + type: object + LogStreamSchemaAws: + value: + $schema: https://json-schema.org/draft/2020-12/schema + $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge + title: AWS EventBridge + type: object + properties: + settings: + description: Configuration properties specific to AWS EventBridge + type: object + properties: + accountId: + title: AWS Account ID + description: Your Amazon AWS Account ID. + type: string + writeOnce: true + pattern: ^\d{12}$ + eventSourceName: + title: AWS Event Source Name + description: >- + An alphanumeric name (no spaces) to identify this event source + in AWS EventBridge. + type: string + writeOnce: true + pattern: ^[\.\-_A-Za-z0-9]{1,75}$ + region: + title: AWS Region + description: The destination AWS region for your system log events. + type: string + writeOnce: true + oneOf: + - title: US East (Ohio) + const: us-east-2 + - title: US East (N. Virginia) + const: us-east-1 + - title: US West (N. California) + const: us-west-1 + - title: US West (Oregon) + const: us-west-2 + - title: Canada (Central) + const: ca-central-1 + - title: Europe (Frankfurt) + const: eu-central-1 + - title: Europe (Ireland) + const: eu-west-1 + - title: Europe (London) + const: eu-west-2 + - title: Europe (Paris) + const: eu-west-3 + - title: Europe (Milan) + const: eu-south-1 + - title: Europe (Stockholm) + const: eu-north-1 + required: + - eventSourceName + - accountId + - region + errorMessage: + properties: + accountId: Account number must be 12 digits. + eventSourceName: >- + Event source name can use numbers, letters, the symbols ".", + "-" or "_". It must use fewer than 76 characters. 
+ type: object + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. + type: object + LogStreamSchemaSplunk: + value: + $schema: https://json-schema.org/draft/2020-12/schema + id: >- + http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming + title: Splunk Cloud + type: object + properties: + settings: + description: Configuration properties specific to Splunk Cloud + type: object + properties: + host: + title: Host + description: >- + The domain for your Splunk Cloud instance without http or + https. For example: acme.splunkcloud.com + type: string + writeOnce: false + pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ + token: + title: HEC Token + description: The token from your Splunk Cloud HTTP Event Collector (HEC). + type: string + writeOnce: false + pattern: >- + [0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12} + required: + - host + - token + errorMessage: + properties: + host: >- + Host should be a domain without http or https. For example: + acme.splunkcloud.com + type: object + name: + title: Name + description: A name for this log stream in Okta + type: string + writeOnce: false + pattern: ^.{1,100}$ + required: + - name + - settings + errorMessage: + properties: + name: Name can't exceed 100 characters. 
+ type: object + ListLinkedObjects: + summary: List all linked object definitions + value: + - primary: + name: manager + title: manager + description: Manager link property + type: USER + associated: + name: subordinate + title: subordinate + description: Subordinate link property + type: USER + _links: + self: + href: >- + http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager + CreateLinkedObjectRequest: + summary: Create manager-subordinate link request + value: + primary: + name: manager + title: manager + description: Manager link property + type: USER + associated: + name: subordinate + title: subordinate + description: Subordinate link property + type: USER + CreateLinkedObjectResponse: + summary: Create manager-subordinate link property response + value: + primary: + name: manager + title: manager + description: Manager link property + type: USER + associated: + name: subordinate + title: subordinate + description: Subordinate link property + type: USER + _links: + self: + href: >- + http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager + ErrorInvalidLinkedObjectDef: + summary: Invalid linked objection definition + value: + errorCode: E0000127 + errorSummary: >- + Invalid linked objection definition. Linked object identifier is + already in use. + errorLink: E0000127 + errorId: oaeh5FICFF2RnqakoNofPadhw + errorCauses: + - errorSummary: Linked object identifier for primary is already in use. + reason: UNIQUE_CONSTRAINT + locationType: body + domain: linkedObjects + - errorSummary: Linked object identifier for associated is already in use. 
+ reason: UNIQUE_CONSTRAINT + locationType: body + domain: linkedObjects + UserSchemaResponse: + value: + id: https://{yourOktaDomain}/meta/schemas/user/oscmlha7lcRyMn82P1d7 + $schema: http://json-schema.org/draft-04/schema# + name: user + title: An Okta user + lastUpdated: '2015-09-05T10:40:45.000Z' + created: '2015-02-02T10:27:36.000Z' + definitions: + base: + id: '#base' + type: object + properties: + login: + title: Username + type: string + required: true + minLength: 5 + maxLength: 100 + permissions: + - principal: SELF + action: READ_WRITE + firstName: + title: First name + type: string + required: true + minLength: 1 + maxLength: 50 + permissions: + - principal: SELF + action: READ_WRITE + lastName: + title: Last name + type: string + required: true + minLength: 1 + maxLength: 50 + permissions: + - principal: SELF + action: READ_WRITE + email: + title: Primary email + type: string + required: true + format: email + permissions: + - principal: SELF + action: READ_WRITE + required: + - login + - firstName + - lastName + - email + custom: + id: '#custom' + type: object + properties: + salesforceUserName: + title: Salesforce username + description: User's username for Salesforce + type: string + required: false + default: salesforce-username + minLength: 1 + maxLength: 20 + permissions: + - principal: SELF + action: READ_WRITE + required: [] + type: object + properties: + profile: + allOf: + - $ref: '#/definitions/base' + - $ref: '#/definitions/custom' + UserSchemaDefaultResponse: + value: + id: https://{yourOktaDomain}/meta/schemas/user/default + $schema: http://json-schema.org/draft-04/schema# + name: user + title: Default Okta user + descripton: Okta user profile template with default permission settings + lastUpdated: '2025-05-20T20:04:26.000Z' + created: '2025-05-20T20:04:26.000Z' + definitions: + base: + id: '#base' + type: object + properties: + login: + title: Username + type: string + required: true + minLength: 5 + maxLength: 100 + permissions: + - 
principal: SELF + action: READ_WRITE + firstName: + title: First name + type: string + required: true + minLength: 1 + maxLength: 50 + permissions: + - principal: SELF + action: READ_WRITE + lastName: + title: Last name + type: string + required: true + minLength: 1 + maxLength: 50 + permissions: + - principal: SELF + action: READ_WRITE + email: + title: Primary email + type: string + required: true + format: email + permissions: + - principal: SELF + action: READ_WRITE + required: + - login + - firstName + - lastName + - email + custom: + id: '#custom' + type: object + properties: {} + required: [] + type: object + properties: + profile: + allOf: + - $ref: '#/definitions/base' + - $ref: '#/definitions/custom' + UserSchemaAddRequest: + value: + definitions: + custom: + id: '#custom' + type: object + properties: + salesforceUserName: + title: Salesforce username + description: User's username for Salesforce + type: string + required: false + minLength: 1 + maxLength: 20 + permissions: + - principal: SELF + action: READ_WRITE + required: [] + ListsAllUserTypes: + summary: Lists all user types + value: + - id: otyfnly5cQjJT9PnR0g4 + displayName: New user type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + - id: otyz9fj2jMiRBC1ZT1d6 + displayName: User + name: user + description: Okta user profile template with default permission settings + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: true + _links: + self: + href: >- + 
https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + CreateUserRequest: + summary: Create a user type request + value: + description: A new custom user type + displayName: New user type + name: newUserType + CreateUserResponse: + summary: Create a user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: New user type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + GetUserResponse: + summary: Retrieve a user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: New user type + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + UpdateUserTypePostRequest: + summary: Update user type request + value: + displayName: Updated Display Name + UpdateUserTypePostResponse: + summary: Update user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: Updated Display Name + name: newUserType + description: A new custom user type + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + 
schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + ReplaceUserTypePutRequest: + summary: Replace user type request + value: + displayName: Replacement Display Name + description: Replacement description + name: newUserType + ReplaceUserTypePutResponse: + summary: Replace user type response + value: + id: otyfnly5cQjJT9PnR0g4 + displayName: Replacement Display Name + name: newUserType + description: Replacement description + createdBy: sprz9fj1ycBcsgopy1d6 + lastUpdatedBy: sprz9fj1ycBcsgopy1d6 + created: '2021-07-05T20:40:38.000Z' + lastUpdated: '2021-07-05T20:40:38.000Z' + default: false + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 + ListUISchemaResponse: + summary: Lists all UI schemas response + value: + - id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + options: + format: text + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + - id: uis4abjqkkKXVPGAU0g7 + uiSchema: + type: Group + label: Sign in 2 + buttonLabel: Submit + elements: + - 
type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://example.com/api/v1/meta/uischemas/uis4abjqkkKXVPGAU0g7 + hints: + allow: + - GET + - PUT + - DELETE + CreateUISchemaBody: + summary: UI schema body request + value: + uiSchema: + type: Group + elements: + - type: Control + scope: '#/properties/firstName' + label: First Name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last Name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Primary email + options: + format: text + buttonLabel: Submit + label: Sign in + CreateUISchemaResponse: + summary: Returns full UI schema body + value: + id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Primary email + options: + format: text + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + RetrieveUISchemaResponse: + summary: 
Retrieves a UI schema response + value: + id: uis4a7liocgcRgcxZ0g7 + uiSchema: + type: Group + label: Sign in + buttonLabel: Submit + elements: + - type: Control + scope: '#/properties/firstName' + label: First name + options: + format: text + - type: Control + scope: '#/properties/lastName' + label: Last name + options: + format: text + - type: Control + scope: '#/properties/email' + label: Email + options: + format: text + - type: Control + scope: '#/properties/countryCode' + label: Country code + options: + format: select + - type: Control + scope: '#/properties/bool2' + label: bool2 + options: + format: checkbox + - type: Control + scope: '#/properties/date' + label: date + - type: Control + scope: '#/properties/enum' + label: enum + options: + format: radio + created: '2022-07-25T12:56:31.000Z' + lastUpdated: '2022-07-26T11:53:59.000Z' + _links: + self: + href: https://exmaple.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 + hints: + allow: + - GET + - PUT + - DELETE + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + x-stackQL-resources: + application_user_schemas: + id: okta.meta.application_user_schemas + name: application_user_schemas + title: Application User Schemas + methods: + get_application_user_schema: + operation: + $ref: '#/paths/~1api~1v1~1meta~1schemas~1apps~1{appId}~1default/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_application_user_profile: + operation: + $ref: '#/paths/~1api~1v1~1meta~1schemas~1apps~1{appId}~1default/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/application_user_schemas/methods/get_application_user_schema + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/application_user_schemas/methods/update_application_user_profile + delete: [] + replace: [] + group_schemas: + id: okta.meta.group_schemas + name: group_schemas + title: Group Schemas + methods: + get_group_schema: + operation: + $ref: '#/paths/~1api~1v1~1meta~1schemas~1group~1default/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_group_schema: + operation: + $ref: '#/paths/~1api~1v1~1meta~1schemas~1group~1default/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/group_schemas/methods/get_group_schema + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/group_schemas/methods/update_group_schema + delete: [] + replace: [] + log_stream_schemas: + id: okta.meta.log_stream_schemas + name: log_stream_schemas + title: Log Stream Schemas + methods: + list_log_stream_schemas: + operation: + $ref: 
'#/paths/~1api~1v1~1meta~1schemas~1logStream/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_log_stream_schema: + operation: + $ref: '#/paths/~1api~1v1~1meta~1schemas~1logStream~1{logStreamType}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/log_stream_schemas/methods/list_log_stream_schemas + - $ref: >- + #/components/x-stackQL-resources/log_stream_schemas/methods/get_log_stream_schema + insert: [] + update: [] + delete: [] + replace: [] + linked_object_definitions: + id: okta.meta.linked_object_definitions + name: linked_object_definitions + title: Linked Object Definitions + methods: + list_linked_object_definitions: + operation: + $ref: '#/paths/~1api~1v1~1meta~1schemas~1user~1linkedObjects/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_linked_object_definition: + operation: + $ref: '#/paths/~1api~1v1~1meta~1schemas~1user~1linkedObjects/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_linked_object_definition: + operation: + $ref: >- + #/paths/~1api~1v1~1meta~1schemas~1user~1linkedObjects~1{linkedObjectName}/get + response: + mediaType: application/json + openAPIDocKey: '200' + delete_linked_object_definition: + operation: + $ref: >- + #/paths/~1api~1v1~1meta~1schemas~1user~1linkedObjects~1{linkedObjectName}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/linked_object_definitions/methods/list_linked_object_definitions + - $ref: >- + #/components/x-stackQL-resources/linked_object_definitions/methods/get_linked_object_definition + insert: + - $ref: >- + #/components/x-stackQL-resources/linked_object_definitions/methods/create_linked_object_definition + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/linked_object_definitions/methods/delete_linked_object_definition + replace: [] + 
user_schemas: + id: okta.meta.user_schemas + name: user_schemas + title: User Schemas + methods: + get_user_schema: + operation: + $ref: '#/paths/~1api~1v1~1meta~1schemas~1user~1{schemaId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_user_profile: + operation: + $ref: '#/paths/~1api~1v1~1meta~1schemas~1user~1{schemaId}/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/user_schemas/methods/get_user_schema + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/user_schemas/methods/update_user_profile + delete: [] + replace: [] + user_types: + id: okta.meta.user_types + name: user_types + title: User Types + methods: + list_user_types: + operation: + $ref: '#/paths/~1api~1v1~1meta~1types~1user/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_user_type: + operation: + $ref: '#/paths/~1api~1v1~1meta~1types~1user/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_user_type: + operation: + $ref: '#/paths/~1api~1v1~1meta~1types~1user~1{typeId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_user_type: + operation: + $ref: '#/paths/~1api~1v1~1meta~1types~1user~1{typeId}/post' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_user_type: + operation: + $ref: '#/paths/~1api~1v1~1meta~1types~1user~1{typeId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_user_type: + operation: + $ref: '#/paths/~1api~1v1~1meta~1types~1user~1{typeId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/user_types/methods/list_user_types + - $ref: '#/components/x-stackQL-resources/user_types/methods/get_user_type' + insert: + - $ref: >- + #/components/x-stackQL-resources/user_types/methods/create_user_type + update: + - $ref: >- + 
#/components/x-stackQL-resources/user_types/methods/update_user_type + delete: + - $ref: >- + #/components/x-stackQL-resources/user_types/methods/delete_user_type + replace: + - $ref: >- + #/components/x-stackQL-resources/user_types/methods/replace_user_type + ui_schemas: + id: okta.meta.ui_schemas + name: ui_schemas + title: Ui Schemas + methods: + list_uischemas: + operation: + $ref: '#/paths/~1api~1v1~1meta~1uischemas/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_uischema: + operation: + $ref: '#/paths/~1api~1v1~1meta~1uischemas/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_uischema: + operation: + $ref: '#/paths/~1api~1v1~1meta~1uischemas~1{id}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_uischemas: + operation: + $ref: '#/paths/~1api~1v1~1meta~1uischemas~1{id}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_uischemas: + operation: + $ref: '#/paths/~1api~1v1~1meta~1uischemas~1{id}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/ui_schemas/methods/list_uischemas' + - $ref: '#/components/x-stackQL-resources/ui_schemas/methods/get_uischema' + insert: + - $ref: >- + #/components/x-stackQL-resources/ui_schemas/methods/create_uischema + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/ui_schemas/methods/delete_uischemas + replace: + - $ref: >- + #/components/x-stackQL-resources/ui_schemas/methods/replace_uischemas +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. 
+definitions:
+ base:
+ type: object
+ description: "Dummy base definition for parser compatibility"
+ properties:
+ id:
+ type: string
+ custom:
+ type: object
+ description: "Dummy custom definition for parser compatibility"
+ properties:
+ name:
+ type: string
diff --git a/providers/src/okta/v00.00.00000/services/oauth2.yaml b/providers/src/okta/v00.00.00000/services/oauth2.yaml
new file mode 100644
index 00000000..9434038d
--- /dev/null
+++ b/providers/src/okta/v00.00.00000/services/oauth2.yaml
@@ -0,0 +1,1451 @@ +openapi: 3.0.3 +info: + title: oauth2 API + description: okta oauth2 API + version: 5.1.0 +paths: + /oauth2/v1/clients/{clientId}/roles: + get: + summary: List all client role assignments + description: Lists all roles assigned to a client app identified by `clientId` + operationId: listRolesForClient + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponseClient' + Custom Roles: + $ref: '#/components/examples/CustomRolesListResponseClient' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponseClient' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Assign a client role + description: >- + Assigns a [standard + role](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles) to a client + app. + + + You can also assign a custom role to a client app, but the preferred + method to assign a custom role to a client is to create a binding + between the custom role, the resource set, and the client app. See + [Create a role resource set + binding](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + + > **Notes:** + + > * The request payload is different for standard and custom role + assignments. + + > * For IAM-based standard role assignments, use the request payload for + standard roles. 
However, the response payload for IAM-based role + assignments is similar to the custom role's assignment response. + operationId: assignRoleToClient + requestBody: + required: true + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' + examples: + Standard Role: + $ref: '#/components/examples/StandardRoleAssignmentRequest' + Custom Role Assignment: + $ref: '#/components/examples/CustomRoleAssignmentRequest' + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Role: + $ref: '#/components/examples/StandardRoleResponseClient' + Custom Role Assignment: + $ref: '#/components/examples/CustomRoleResponseClient' + IAM-based Role Assignment: + $ref: '#/components/examples/IAMStandardRolesListResponseClient' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathClientId' + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}: + get: + summary: Retrieve a client role + description: >- + Retrieves a role assignment (identified by `roleAssignmentId`) for a + client app (identified by `clientId`) + operationId: retrieveClientRole + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Role: + $ref: '#/components/examples/StandardRoleResponseClient' + Custom Role Assignment: + $ref: 
'#/components/examples/CustomRoleResponseClient' + IAM-based Standard Role Assignment: + $ref: '#/components/examples/IAMStandardRoleResponseClient' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a client role + description: >- + Unassigns a role assignment (identified by `roleAssignmentId`) from a + client app (identified by `clientId`) + operationId: deleteRoleFromClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleAssignmentClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps: + get: + summary: List all client role app targets + description: >- + Lists all OIN app targets for an `APP_ADMIN` role that's assigned to a + client (by `clientId`). 
+ operationId: listAppTargetRoleToClient + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + examples: + ClientRoleTargetExample: + $ref: '#/components/examples/ClientRoleTargetResponseFacebookEx' + ClientRoleTargetNonOINExample: + $ref: '#/components/examples/ClientRoleTargetResponseInstanceEx' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: + put: + summary: Assign a client role app target + description: >- + Assigns an OIN app target for an `APP_ADMIN` role assignment to a + client. When you assign an app target from the OIN catalog, you reduce + the scope of the role assignment. + + The role assignment applies to only app instances that are included in + the specified OIN app target. + + + An assigned OIN app target overrides any existing app instance targets. + + For example, if a user is assigned to administer a specific Facebook + instance, a successful request to add an OIN app target with `facebook` + for `appName` makes that user the administrator for all Facebook + instances. 
+ operationId: assignAppTargetRoleToClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a client role app target + description: >- + Unassigns an OIN app target for a role assignment to a client app + + + > **Note:** You can't remove the last OIN app target from a role + assignment. + + > If you need a role assignment that applies to all apps, delete the + role assignment with the target and create another one. See [Unassign a + client + role](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). + operationId: removeAppTargetRoleFromClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: + put: + summary: Assign a client role app instance target + description: >- + Assigns an app instance target to an `APP_ADMIN` role assignment to a + client. When you assign the first OIN app or app instance target, you + reduce the scope of the role assignment. 
+ + The role no longer applies to all app targets, but applies only to the + specified target. + + + > **Note:** You can target a mixture of both OIN app and app instance + targets, but you can't assign permissions to manage all instances of an + OIN app and then assign a subset of permissions to the same app. + + For example, you can't specify that an admin has access to manage all + instances of the Salesforce app and then also manage only specific + configurations of the Salesforce app. + operationId: assignAppTargetInstanceRoleForClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a client role app instance target + description: >- + Unassigns an app instance target from a role assignment to a client app + + + > **Note:** You can't remove the last app instance target from a role + assignment. + + > If you need a role assignment that applies to all the apps, delete the + role assignment with the instance target and create another one. See + [Unassign a client + role](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). 
+ operationId: removeAppTargetInstanceRoleForClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathAppId' + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups: + get: + summary: List all client role group targets + description: >- + Lists all group targets for a + [`USER_ADMIN`](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles), + `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to a + client. If the role isn't scoped to specific group targets, Okta returns + an empty array `[]`. 
+ operationId: listGroupTargetRoleForClient + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Group' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups/{groupId}: + put: + summary: Assign a client role group target + description: >- + Assigns a group target to a + [`USER_ADMIN`](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles), + `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to a + client app. When you assign the first group target, you reduce the scope + of the role assignment. The role no longer applies to all targets, but + applies only to the specified target. + operationId: assignGroupTargetRoleForClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a client role group target + description: >- + Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or + `GROUP_MEMBERSHIP_ADMIN` role assignment to a client app. 
+ + + > **Note:** You can't remove the last group target from a role + assignment. If you need a role assignment that applies to all groups, + delete the role assignment with the target and create another one. See + [Unassign a client + role](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). + operationId: removeGroupTargetRoleFromClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetClient + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGroupId' +components: + schemas: + StandardRole: + title: Standard Role Assignment + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Role assignment ID + readOnly: true + label: + type: string + description: Label for the role assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the role assignment + type: + $ref: '#/components/schemas/RoleType' + _embedded: + type: object + description: Optional embedded resources for the role assignment + properties: + targets: + type: object + description: Targets configured for the role assignment + properties: + groups: + type: array + 
description: Group targets + items: + $ref: '#/components/schemas/Group' + catalog: + description: App targets + properties: + apps: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + type: object + _links: + $ref: '#/components/schemas/LinksAssignee' + CustomRole: + title: Custom role assignment + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Binding object ID + readOnly: true + label: + type: string + description: Label for the custom role assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + resource-set: + type: string + description: Resource set ID + readOnly: true + role: + type: string + description: Custom role ID + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the custom role assignment + type: + type: string + description: CUSTOM for a custom role + enum: + - CUSTOM + _links: + $ref: '#/components/schemas/LinksCustomRoleResponse' + StandardRoleAssignmentSchema: + title: Standard Role + type: object + properties: + type: + type: string + description: >- + Specify the standard or IAM-based role type. See [standard + roles](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles). + CustomRoleAssignmentSchema: + title: Custom Role + type: object + properties: + resource-set: + type: string + description: Resource set ID + role: + type: string + description: Custom role ID + type: + type: string + description: The type of role. Specify `CUSTOM` for a custom role. 
+ enum: + - CUSTOM + CatalogApplication: + description: An app in the OIN catalog + type: object + properties: + category: + type: string + description: Category for the app in the OIN catalog + example: SOCIAL + readOnly: true + description: + type: string + description: Description of the app in the OIN catalog + readOnly: true + displayName: + type: string + description: OIN catalog app display name + readOnly: true + features: + type: array + readOnly: true + description: >- + Features supported by the app. See app + [features](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications!c=200&path=0/features&t=response). + items: + type: string + id: + type: string + readOnly: true + description: >- + ID of the app instance. Okta returns this property only for apps not + in the OIN catalog. + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + example: '2024-09-19T23:37:37.000Z' + name: + type: string + description: >- + App key name. For OIN catalog apps, this is a unique key for the app + definition. + signOnModes: + type: array + description: >- + Authentication mode for the app. See app + [signOnMode](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications!c=200&path=0/signOnMode&t=response). 
+ items: + type: string + status: + $ref: '#/components/schemas/CatalogApplicationStatus' + verificationStatus: + type: string + description: OIN verification status of the catalog app + example: OKTA_VERIFIED + website: + type: string + description: Website of the OIN catalog app + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using + the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + logo: + type: array + description: List of app logo resources + items: + $ref: '#/components/schemas/HrefObjectLogoLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + Group: + type: object + properties: + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the group was created + id: + type: string + readOnly: true + example: 0gabcd1234 + description: Unique ID for the group + lastMembershipUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the groups memberships were last updated + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the group's profile was last updated + objectClass: + type: array + readOnly: true + description: Determines the group's `profile` + items: + type: string + profile: + $ref: '#/components/schemas/GroupProfile' + type: + $ref: '#/components/schemas/GroupType' + _embedded: + type: object + description: Embedded resources related to the group + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + description: >- + [Discoverable + resources](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links&t=response) + related to the group + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + apps: + $ref: 
'#/components/schemas/HrefObject' + logo: + type: array + items: + $ref: '#/components/schemas/HrefObject' + source: + $ref: '#/components/schemas/HrefObject' + users: + $ref: '#/components/schemas/HrefObject' + type: object + RoleAssignmentType: + description: Role assignment type + type: string + enum: + - CLIENT + - GROUP + - USER + x-enumDescriptions: + USER: The role is assigned to a user + GROUP: The role is assigned to a group + CLIENT: The role is assigned to a client app + LifecycleStatus: + type: string + enum: + - ACTIVE + - INACTIVE + RoleType: + description: Standard role type + type: string + enum: + - ACCESS_CERTIFICATIONS_ADMIN + - ACCESS_REQUESTS_ADMIN + - API_ACCESS_MANAGEMENT_ADMIN + - API_ADMIN + - APP_ADMIN + - CUSTOM + - GROUP_MEMBERSHIP_ADMIN + - HELP_DESK_ADMIN + - MOBILE_ADMIN + - ORG_ADMIN + - READ_ONLY_ADMIN + - REPORT_ADMIN + - SUPER_ADMIN + - USER_ADMIN + - WORKFLOWS_ADMIN + x-enumDescriptions: + API_ACCESS_MANAGEMENT_ADMIN: Access Management Administrator + API_ADMIN: Access Management Administrator + APP_ADMIN: Application Administrator + CUSTOM: Custom label specified by the client + GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator + HELP_DESK_ADMIN: Help Desk Administrator + MOBILE_ADMIN: Mobile Administrator + ORG_ADMIN: Organizational Administrator + READ_ONLY_ADMIN: Read-Only Administrator + REPORT_ADMIN: Report Administrator + SUPER_ADMIN: Super Administrator + USER_ADMIN: Group Administrator + WORKFLOWS_ADMIN: Workflows Administrator + ACCESS_CERTIFICATIONS_ADMIN: Access Certifications Administrator (predefined resource sets) + ACCESS_REQUESTS_ADMIN: Access Requests Administrator (predefined resource sets) + LinksAssignee: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. 
+ type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + LinksCustomRoleResponse: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources. + type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + member: + $ref: '#/components/schemas/HrefObjectMemberLink' + permissions: + $ref: '#/components/schemas/HrefObjectPermissionsLink' + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + role: + $ref: '#/components/schemas/HrefObjectRoleLink' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + CatalogApplicationStatus: + description: App status + type: string + enum: + - ACTIVE + - INACTIVE + HrefObjectLogoLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the logo resource + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + GroupProfile: + description: >- + Specifies required and optional properties for a group. The + `objectClass` of a group determines which additional properties are + available. 
+ + + You can extend group profiles with custom properties, but you must first + add the properties to the group profile schema before you can reference + them. Use the Profile Editor in the Admin Console or the [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/)to + manage schema extensions. + + + Custom properties can contain HTML tags. It is the client's + responsibility to escape or encode this data before displaying it. Use + [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) + to prevent cross-site scripting. + anyOf: + - $ref: '#/components/schemas/OktaUserGroupProfile' + - $ref: '#/components/schemas/OktaActiveDirectoryGroupProfile' + GroupType: + description: Determines how a group's profile and memberships are managed + type: string + enum: + - APP_GROUP + - BUILT_IN + - OKTA_GROUP + x-enumDescriptions: + APP_GROUP: >- + Group profile and memberships are imported and must be managed within + the app (such as Active Directory or LDAP) that imported the group + BUILT_IN: >- + Group profile and memberships are managed by Okta and can't be + modified + OKTA_GROUP: >- + Group profile and memberships are directly managed in Okta via static + assignments or indirectly through group rules + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + HrefObjectAssigneeLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the assignee resource + HrefObjectMemberLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the member resource + HrefObjectPermissionsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the permissions resource + HrefObjectResourceSetLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource set resource + HrefObjectRoleLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the role resource + ErrorCause: + type: object + properties: + errorSummary: + type: string + OktaUserGroupProfile: + description: >- + Profile for any group that is not imported from Active Directory. + Specifies the standard + + and custom profile properties for a group. + + + The `objectClass` for these groups is `okta:user_group`. + type: object + properties: + description: + type: string + example: All users West of The Rockies + description: Description of the group + name: + type: string + example: West Coast users + description: Name of the group + x-okta-extensible: true + OktaActiveDirectoryGroupProfile: + description: |- + Profile for a group that is imported from Active Directory. 
+ + The `objectClass` for such groups is `okta:windows_security_principal`. + type: object + properties: + description: + type: string + example: All users in the engineering department + description: Description of the Windows group + dn: + type: string + example: CN=West Coast users,OU=West Coast,DC=example,DC=com + description: The distinguished name of the Windows group + externalId: + type: string + example: VKzYZ1C+IkSZxIWlrW5ITg== + description: Base-64 encoded GUID (`objectGUID`) of the Windows group + name: + type: string + example: West Coast users + description: Name of the Windows group + samAccountName: + type: string + example: West Coast users + description: Pre-Windows 2000 name of the Windows group + windowsDomainQualifiedName: + type: string + example: EXAMPLE\\West Coast users + description: Fully qualified name of the Windows group + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + parameters: + pathClientId: + name: clientId + description: Client app ID + in: path + required: true + schema: + type: string + example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD + pathRoleAssignmentId: + name: roleAssignmentId + 
description: The `id` of the role assignment + in: path + required: true + schema: + type: string + example: JBCUYUC7IRCVGS27IFCE2SKO + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + pathAppName: + name: appName + description: Name of the app definition (the OIN catalog app key name) + in: path + required: true + schema: + type: string + example: google + pathAppId: + name: appId + description: Application ID + in: path + required: true + schema: + type: string + example: 0oafxqCAJWWGELFTYASJ + pathGroupId: + name: groupId + description: The `id` of the group + in: path + required: true + schema: + type: string + example: 00g1emaKYZTWRYYRRTSK + examples: + StandardRolesListResponseClient: + value: + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk Administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2023-05-01T14:24:54.000Z' + lastUpdated: '2023-05-01T14:24:54.000Z' + assignmentType: CLIENT + _links: + assignee: + href: >- + https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles + CustomRolesListResponseClient: + value: + - id: irb4ey26fpFI3vQ8y0g7 + label: view_minimal + type: CUSTOM + status: ACTIVE + created: '2023-05-01T15:16:47.000Z' + lastUpdated: '2023-05-01T15:16:47.000Z' + assignmentType: CLIENT + resource-set: iam4cxy6z7hhaZCSk0g7 + role: cr04cxy6yzSCtNciD0g7 + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7 + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7 + permissions: + href: >- + 
https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions + member: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 + IAMStandardRolesListResponseClient: + value: + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications Administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: CLIENT + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/clients/0oa4ee9vgbIuqTUvd0g7 + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissionsZ + StandardRoleAssignmentRequest: + value: + type: HELP_DESK_ADMIN + CustomRoleAssignmentRequest: + value: + type: CUSTOM + role: cr04cxy6yzSCtNciD0g7 + resource-set: iam4cxy6z7hhaZCSk0g7 + StandardRoleResponseClient: + value: + id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk Administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2023-05-01T14:24:54.000Z' + lastUpdated: '2023-05-01T14:24:54.000Z' + assignmentType: CLIENT + _links: + assignee: + href: >- + https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles + CustomRoleResponseClient: + value: + id: irb4ey26fpFI3vQ8y0g7 + label: view_minimal + type: CUSTOM + status: ACTIVE + created: '2023-05-01T15:16:47.000Z' + lastUpdated: 
'2023-05-01T15:16:47.000Z' + assignmentType: CLIENT + resource-set: iam4cxy6z7hhaZCSk0g7 + role: cr04cxy6yzSCtNciD0g7 + _links: + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7 + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7 + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions + member: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 + assignee: + href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 + IAMStandardRoleResponseClient: + value: + id: irb4jlodtdN4yJ88b0g7 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests Administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2023-07-06T21:52:48.000Z' + lastUpdated: '2023-07-06T21:52:48.000Z' + assignmentType: CLIENT + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/client/0oa5vymVNCe2cPEeZ0g4 + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7 + ClientRoleTargetResponseFacebookEx: + summary: Facebook target app example + value: + - name: facebook + displayName: Facebook + description: >- + Giving people the power to share and make the world more open and + connected. 
+ status: ACTIVE + lastUpdated: '2021-03-18T17:37:56.000Z' + category: SOCIAL + verificationStatus: OKTA_VERIFIED + website: https://www.facebook.com/ + signOnModes: + - BROWSER_PLUGIN + _links: + logo: + - name: medium + href: https://{oktaCDNDomain}/fs/bcg/4/abcdefghijABCC4V1234 + self: + href: https://{yourOktaDomain}/api/v1/catalog/apps/facebook + ClientRoleTargetResponseInstanceEx: + summary: Non-catalog target app example + value: + - name: My_access_app + status: ACTIVE + id: 0oasrudLtMlzAsTxk0g3 + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oasrudLtMlzAsTxk0g3 + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + x-stackQL-resources: + client_roles: + id: okta.oauth2.client_roles + name: client_roles + title: Client Roles + methods: + list_roles_for_client: + operation: + $ref: '#/paths/~1oauth2~1v1~1clients~1{clientId}~1roles/get' + response: + mediaType: application/json + openAPIDocKey: '200' + assign_role_to_client: + operation: + $ref: '#/paths/~1oauth2~1v1~1clients~1{clientId}~1roles/post' + response: + mediaType: application/json + openAPIDocKey: '200' + retrieve_client_role: + operation: + $ref: >- + #/paths/~1oauth2~1v1~1clients~1{clientId}~1roles~1{roleAssignmentId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + delete_role_from_client: + operation: + $ref: >- + #/paths/~1oauth2~1v1~1clients~1{clientId}~1roles~1{roleAssignmentId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/client_roles/methods/list_roles_for_client + - $ref: >- + #/components/x-stackQL-resources/client_roles/methods/retrieve_client_role + insert: + - $ref: >- + #/components/x-stackQL-resources/client_roles/methods/assign_role_to_client + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/client_roles/methods/delete_role_from_client + replace: [] + app_target_roles: + id: okta.oauth2.app_target_roles + name: app_target_roles + title: App Target Roles + methods: + list_app_target_role_to_client: + operation: + $ref: >- + #/paths/~1oauth2~1v1~1clients~1{clientId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps/get + response: + mediaType: application/json + openAPIDocKey: '200' + assign_app_target_role_to_client: + operation: + $ref: >- + #/paths/~1oauth2~1v1~1clients~1{clientId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}/put + response: + mediaType: '' + openAPIDocKey: '204' + remove_app_target_role_from_client: + operation: + $ref: >- + 
#/paths/~1oauth2~1v1~1clients~1{clientId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}/delete + response: + mediaType: '' + openAPIDocKey: '204' + assign_app_target_instance_role_for_client: + operation: + $ref: >- + #/paths/~1oauth2~1v1~1clients~1{clientId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}~1{appId}/put + response: + mediaType: '' + openAPIDocKey: '204' + remove_app_target_instance_role_for_client: + operation: + $ref: >- + #/paths/~1oauth2~1v1~1clients~1{clientId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}~1{appId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/app_target_roles/methods/list_app_target_role_to_client + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/app_target_roles/methods/remove_app_target_role_from_client + - $ref: >- + #/components/x-stackQL-resources/app_target_roles/methods/remove_app_target_instance_role_for_client + replace: + - $ref: >- + #/components/x-stackQL-resources/app_target_roles/methods/assign_app_target_role_to_client + group_target_roles: + id: okta.oauth2.group_target_roles + name: group_target_roles + title: Group Target Roles + methods: + list_group_target_role_for_client: + operation: + $ref: >- + #/paths/~1oauth2~1v1~1clients~1{clientId}~1roles~1{roleAssignmentId}~1targets~1groups/get + response: + mediaType: application/json + openAPIDocKey: '200' + assign_group_target_role_for_client: + operation: + $ref: >- + #/paths/~1oauth2~1v1~1clients~1{clientId}~1roles~1{roleAssignmentId}~1targets~1groups~1{groupId}/put + response: + mediaType: '' + openAPIDocKey: '204' + remove_group_target_role_from_client: + operation: + $ref: >- + #/paths/~1oauth2~1v1~1clients~1{clientId}~1roles~1{roleAssignmentId}~1targets~1groups~1{groupId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + 
#/components/x-stackQL-resources/group_target_roles/methods/list_group_target_role_for_client + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/group_target_roles/methods/remove_group_target_role_from_client + replace: + - $ref: >- + #/components/x-stackQL-resources/group_target_roles/methods/assign_group_target_role_for_client +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/okta_personal_settings.yaml b/providers/src/okta/v00.00.00000/services/okta_personal_settings.yaml new file mode 100644 index 00000000..1b3f0e8d --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/okta_personal_settings.yaml 
@@ -0,0 +1,309 @@ +openapi: 3.0.3 +info: + title: okta_personal_settings API + description: okta okta_personal_settings API + version: 5.1.0 +paths: + /okta-personal-settings/api/v1/edit-feature: + put: + summary: Replace the Okta Personal admin settings + description: Replaces Okta Personal admin settings in a Workforce org + operationId: replaceOktaPersonalAdminSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OktaPersonalAdminFeatureSettings' + examples: + exampleSettings: + $ref: '#/components/examples/editFeatureExample' + required: true + responses: + '204': + description: No Content + content: {} + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.manage + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /okta-personal-settings/api/v1/export-blocklists: + get: + summary: List all blocked email domains + description: Lists all blocked email domains which are excluded from app migration + operationId: listPersonalAppsExportBlockList + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PersonalAppsBlockList' + examples: + exampleSettings: + $ref: '#/components/examples/getBlockListExample' + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.read + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: 
true + put: + summary: Replace the blocked email domains + description: >- + Replaces the list of blocked email domains which are excluded from app + migration + operationId: replaceBlockedEmailDomains + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PersonalAppsBlockList' + examples: + exampleSettings: + $ref: '#/components/examples/getBlockListExample' + required: true + responses: + '204': + description: No Content + content: {} + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.manage + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true +components: + schemas: + OktaPersonalAdminFeatureSettings: + description: >- + Defines a list of Okta Personal settings that can be enabled or disabled + for the org + type: object + properties: + enableEnduserEntryPoints: + type: boolean + description: Allow entry points for an Okta Personal account in a Workforce org + enableExportApps: + type: boolean + description: >- + Allow users to migrate apps from a Workforce account to an Okta + Personal account + PersonalAppsBlockList: + description: >- + Defines a list of email domains with a subset of the properties for each + domain + type: object + properties: + domains: + type: array + description: List of blocked email domains + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. 
+ errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + Error-FF-NotEnabled-Response-401: + description: Unauthorized + content: + application/json: + examples: + Unauthorized: + value: + errorCode: E0000015 + errorSummary: >- + You do not have permission to access the feature you are + requesting + errorLink: E0000015 + errorId: oaeStOuPPxDRUm3PJhf-tL7bQ + errorCauses: [] + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + examples: + editFeatureExample: + summary: Enable Okta Personal admin settings + value: + enableExportApps: true + enableEnduserEntryPoints: true + getBlockListExample: + summary: List of blocked email domains + value: + domains: + - yahoo.com + - google.com + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + 
errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + x-stackQL-resources: + settings: + id: okta.okta_personal_settings.settings + name: settings + title: Settings + methods: + replace_okta_personal_admin_settings: + operation: + $ref: '#/paths/~1okta-personal-settings~1api~1v1~1edit-feature/put' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: [] + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/settings/methods/replace_okta_personal_admin_settings + personal_apps_export_block_list: + id: okta.okta_personal_settings.personal_apps_export_block_list + name: personal_apps_export_block_list + title: Personal Apps Export Block List + methods: + list_personal_apps_export_block_list: + operation: + $ref: '#/paths/~1okta-personal-settings~1api~1v1~1export-blocklists/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/personal_apps_export_block_list/methods/list_personal_apps_export_block_list + insert: [] + update: [] + delete: [] + replace: [] + blocked_email_domains: + id: okta.okta_personal_settings.blocked_email_domains + name: blocked_email_domains + title: Blocked Email Domains + methods: + replace_blocked_email_domains: + operation: + $ref: '#/paths/~1okta-personal-settings~1api~1v1~1export-blocklists/put' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: [] + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/blocked_email_domains/methods/replace_blocked_email_domains +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. 
This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/orgs.yaml b/providers/src/okta/v00.00.00000/services/orgs.yaml new file mode 100644 index 00000000..c8e24e52 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/orgs.yaml 
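Review bot: `PersonalAppsBlockList.domains` is declared `type: array` with no `items`, which OpenAPI 3.0 requires, so the body sent to `PUT /okta-personal-settings/api/v1/export-blocklists` cannot be validated entry by entry. `getBlockListExample` shows plain strings, so `items:` with `type: string` under `domains` looks right, although the schema description mentions per-domain properties; confirm against the upstream spec. `Error-FF-NotEnabled-Response-401` also carries only an example and no `schema`, unlike the 403/404/429 responses; adding `schema:` with `$ref: '#/components/schemas/Error'` would make the 401 body typed like the others. The operations name `apiToken` and `oauth2` under `security`, but no `components.securitySchemes` is visible in this file. If the provider-level config supplies the auth definition, a one-line comment saying so would help anyone checking which scopes (`okta.personal.adminSettings.manage` / `.read`) each method needs.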
@@ -0,0 +1,479 @@ +openapi: 3.0.3 +info: + title: orgs API + description: okta orgs API + version: 5.1.0 +paths: + /api/v1/orgs: + post: + summary: Create an org + description: >- + Creates an org (child org) that has the same features as the current + requesting org (parent org). + + A child org inherits any new features added to the parent org, but new + features added to the child org aren't propagated back to the parent + org. + + > **Notes:** + + > * Some features associated with products, such as Atspoke, Workflows, + and Okta Identity Governance, aren't propagated to the child org. + + > * Wait at least 30 seconds after a 201-Created response before you + make API requests to the new child org. + + > * For rate limits, see [Org creation rate + limits](https://developer.okta.com/docs/reference/rl-additional-limits/#org-creation-rate-limits). + operationId: createChildOrg + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ChildOrg' + examples: + CreateChildOrg: + $ref: '#/components/examples/CreateChildOrgRequestEx' + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/ChildOrg' + examples: + CreateChildOrg: + $ref: '#/components/examples/CreateChildOrgResponseEx' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + '500': + $ref: '#/components/responses/ErrorInternalServer500' + security: + - apiToken: [] + - oauth2: + - okta.orgs.manage + tags: + - OrgCreator + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true +components: + schemas: + ChildOrg: + type: object + properties: + admin: + $ref: '#/components/schemas/OrgCreationAdmin' + created: + description: Timestamp when the org was created + type: string + format: date-time + readOnly: true + 
example: '2022-08-25T00:05:00.000Z' + edition: + description: Edition for the org. `SKU` is the only supported value. + type: string + enum: + - SKU + example: SKU + id: + type: string + description: Org ID + readOnly: true + example: 00o1n8sbwArJ7OQRw406 + lastUpdated: + description: Timestamp when the org was last updated + type: string + format: date-time + readOnly: true + example: '2022-08-25T00:05:00.000Z' + name: + description: >- + Unique name of the org. + + This name appears in the HTML `` tag of the new org sign-in + page. + + Only less than 4-width UTF-8 encoded characters are allowed. + type: string + format: utf-8 + minimum: 1 + maximum: 100 + example: My Child Org 1 + settings: + description: Settings associated with the created org + readOnly: true + type: object + additionalProperties: true + status: + description: Status of the org. `ACTIVE` is returned after the org is created. + type: string + readOnly: true + enum: + - ACTIVE + subdomain: + description: Subdomain of the org. Must be unique and include no spaces. + type: string + minimum: 1 + maximum: 57 + example: my-child-org-1 + token: + description: >- + API token associated with the child org super admin account. + + Use this API token to provision resources (such as policies, apps, + and groups) on the newly created child org. + + This token is revoked if the super admin account is deactivated. + + > **Note:** If this API token expires, sign in to the Admin Console + as the super admin user and create a new API token. See [Create an + API + token](https://developer.okta.com/docs/guides/create-an-api-token/). + type: string + readOnly: true + tokenType: + description: >- + Type of returned `token`. See [Okta API + tokens](https://developer.okta.com/docs/guides/create-an-api-token/main/#okta-api-tokens). 
+ type: string + readOnly: true + example: SSWS + enum: + - SSWS + website: + description: Default website for the org + type: string + example: https://www.okta.com + _links: + description: >- + Specifies available link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) using the [JSON + Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + type: object + additionalProperties: true + required: + - admin + - edition + - name + - subdomain + OrgCreationAdmin: + description: >- + Profile and credential information for the first super admin user of the + child org. + + If you plan to configure and manage the org programmatically, create a + system user with a dedicated email address and a strong password. + + > **Note:** If you don't provide `credentials`, the super admin user is + prompted to set up their credentials when they sign in to the org for + the first time. + writeOnly: true + type: object + properties: + credentials: + type: object + description: >- + Specifies primary authentication and recovery credentials for a + user. Credential types and requirements vary depending on the + provider and security policy of the org. + properties: + password: + type: object + description: >- + Specifies a password for a user + + > **Note:** For information on defaults and configuring your + password policies, see [Configure the password + authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) + in the help documentation. + properties: + value: + type: string + writeOnly: true + description: Password value (which is validated by the password policy) + format: password + example: pa$$word + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' + profile: + type: object + description: >- + Specifies the profile attributes for the first super admin user. 
The + minimal set of required attributes are `email`, `firstName`, + `lastName`, and `login`. + + See + [profile](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response) + for additional profile attributes. + properties: + firstName: + type: string + description: Given name of the User (`givenName`) + minLength: 1 + maxLength: 50 + nullable: true + lastName: + type: string + description: The family name of the User (`familyName`) + minLength: 1 + maxLength: 50 + nullable: true + email: + type: string + description: >- + The primary email address of the User. For validation, see [RFC + 5322 Section + 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). + format: email + minLength: 5 + maxLength: 100 + login: + type: string + description: The unique identifier for the User (`username`) + maxLength: 100 + additionalProperties: true + required: + - email + - login + - firstName + - lastName + required: + - profile + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + RecoveryQuestionCredential: + description: >- + Specifies a secret question and answer that's validated (case + insensitive) when a user forgets their + + password or unlocks their account. The answer property is write-only. 
+ type: object + properties: + answer: + type: string + description: The answer to the recovery question + minimum: 1 + maximum: 100 + writeOnly: true + example: se7en + question: + type: string + description: The recovery question + minimum: 1 + maximum: 100 + example: what is your favourite movie? + ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorInvalidToken401: + description: Unauthorized + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidTokenProvided: + $ref: '#/components/examples/ErrorInvalidTokenProvided' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorInternalServer500: + description: Internal Server Error + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InternalServerError: + $ref: '#/components/examples/ErrorInternalServer' + examples: + CreateChildOrgRequestEx: + summary: Create org request + value: + subdomain: my-child-org-1 + name: My Child Org 1 + website: http://www.examplecorp.com + edition: SKU + admin: + profile: + firstName: First + lastName: Last + email: FirstLast@example.com + login: FirstLast@example.com + mobilePhone: null + credentials: + password: + value: XXXX + CreateChildOrgResponseEx: + summary: Create org response + value: + id: 00o1n8sbwArJ7OQRw406 + subdomain: my-child-org-1 + name: My Child Org 
1 + website: http://www.examplecorp.com + status: ACTIVE + edition: SKU + expiresAt: null + created: '2024-08-27T15:42:52.000Z' + lastUpdated: '2024-08-27T15:42:56.000Z' + licensing: + apps: [] + settings: + app: + errorRedirectUrl: null + interstitialUrl: null + interstitialMinWaitTime: 1200 + userAccount: + attributes: + secondaryEmail: true + secondaryImage: true + portal: + errorRedirectUrl: null + signOutUrl: null + logs: + level: INFO + token: XXXXXXXXXXXXX + tokenType: SSWS + _links: + administrator: + href: >- + https://my-child-org-1.oktapreview.com/api/v1/users/00u1n8sheI1WBQlDV406 + uploadLogo: + href: https://my-child-org-1.oktapreview.com/api/v1/org/logo + organization: + href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1 + contacts: + href: >- + https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/contacts + policy: + href: >- + https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/policy + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorInvalidTokenProvided: + summary: Invalid Token Provided + value: + errorCode: E0000011 + errorSummary: Invalid token provided + errorLink: E0000011 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorInternalServer: + summary: Internal Server Error + value: + errorCode: E0000009 + errorSummary: Internal Server Error + errorLink: E0000000 + errorId: sampleAlJ82XS2SDB_vaNIWgcA + errorCauses: [] + x-stackQL-resources: + child_orgs: + id: okta.orgs.child_orgs + name: child_orgs + title: Child Orgs + methods: + create_child_org: + operation: + $ref: '#/paths/~1api~1v1~1orgs/post' + response: + mediaType: application/json + openAPIDocKey: '201' + sqlVerbs: + select: [] + insert: + - $ref: >- + #/components/x-stackQL-resources/child_orgs/methods/create_child_org + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/policies.yaml b/providers/src/okta/v00.00.00000/services/policies.yaml new file mode 100644 index 00000000..bc3f92bd --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/policies.yaml 
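Review bot: In `ChildOrg`, `name` and `subdomain` use `minimum`/`maximum` on `type: string`, as do `answer` and `question` in `RecoveryQuestionCredential`. Those keywords constrain numbers only, so the intended length limits are never enforced by a validator. Use `minLength: 1` with `maxLength: 100` (`maxLength: 57` for `subdomain`), the way `OrgCreationAdmin.profile` already does for `firstName` and `email`. Separately, the 201 body of `create_child_org` includes `token`, described as the API token of the child org super admin, and the method is mapped to `insert` with `mediaType: application/json`. A comment on the method such as `# 201 body carries the super admin API token; keep it out of logs and saved query output` would flag that for operators. The `ErrorInternalServer` example pairs `errorCode: E0000009` with `errorLink: E0000000`, which looks like a typo worth checking against upstream.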
@@ -0,0 +1,5267 @@ +openapi: 3.0.3 +info: + title: policies API + description: okta policies API + version: 5.1.0 +paths: + /api/v1/policies: + get: + summary: List all policies + description: Lists all policies with the specified type + operationId: listPolicies + parameters: + - name: type + in: query + required: true + schema: + type: string + enum: + - OKTA_SIGN_ON + - PASSWORD + - MFA_ENROLL + - IDP_DISCOVERY + - ACCESS_POLICY + - DEVICE_SIGNAL_COLLECTION + - PROFILE_ENROLLMENT + - POST_AUTH_SESSION + - ENTITY_RISK + description: >- + Specifies the type of policy to return. The following policy types + are available only with the Okta Identity Engine - `ACCESS_POLICY`, + <x-lifecycle class="ea"></x-lifecycle> `DEVICE_SIGNAL_COLLECTION`, + `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, and `ENTITY_RISK`. + - name: status + in: query + schema: + type: string + description: >- + Refines the query by the `status` of the policy - `ACTIVE` or + `INACTIVE` + - name: q + in: query + schema: + type: string + description: >- + Refines the query by policy name prefix (startWith method) passed in + as `q=string` + - name: expand + in: query + schema: + type: string + default: '' + - name: sortBy + in: query + schema: + type: string + description: Refines the query by sorting on the policy `name` in ascending order + - name: limit + in: query + schema: + type: string + description: >- + Defines the number of policies returned, see + [Pagination](https://developer.okta.com/docs/api/#pagination) + - name: resourceId + in: query + schema: + type: string + description: Reference to the associated authorization server + - name: after + in: query + schema: + type: string + description: >- + End page cursor for pagination, see + [Pagination](https://developer.okta.com/docs/api/#pagination) + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Policy' + examples: + password: + $ref: 
'#/components/examples/password-policy-response' + mfa-enroll: + $ref: >- + #/components/examples/mfa-enroll-policy-with-grace-period-response + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' + access-policy: + $ref: '#/components/examples/list-access-policy-response' + device-signal-collection-policy: + $ref: >- + #/components/examples/list-device-signal-collection-policy-response + okta-sign-on-policy: + $ref: '#/components/examples/list-okta-sign-on-policy-response' + entity-risk-policy: + $ref: '#/components/examples/list-entity-risk-policy-response' + post-auth-session-policy: + $ref: '#/components/examples/list-post-auth-session-policy-response' + passwordWithBreachedProtection: + $ref: >- + #/components/examples/password-policy-with-breached-protection-response + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a policy + description: >- + Creates a policy. There are many types of policies that you can create. + See [Policies](https://developer.okta.com/docs/concepts/policies/) for + an overview of the types of policies available and links to more indepth + information. + operationId: createPolicy + parameters: + - name: activate + description: This query parameter is only valid for Classic Engine orgs. 
+ in: query + schema: + type: boolean + default: true + x-codegen-request-body-name: policy + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateOrUpdatePolicy' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/CreateOrUpdatePolicy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: >- + #/components/examples/mfa-enroll-policy-with-grace-period-response + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' + access-policy: + $ref: '#/components/examples/create-access-policy-response' + device-signal-collection-policy: + $ref: >- + #/components/examples/device-signal-collection-policy-response + okta-sign-on-policy: + $ref: '#/components/examples/create-okta-sign-on-policy-response' + passwordWithBreachedProtection: + $ref: >- + #/components/examples/password-policy-with-breached-protection-response + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/policies/simulate: + post: + summary: Create a policy simulation + description: >- + Creates a policy or policy rule simulation. The access simulation + evaluates policy and policy rules based on the existing policy rule + configuration. + + The evaluation result simulates what the real-world authentication flow + is and what policy rules have been applied or matched to the + authentication flow. 
+ operationId: createPolicySimulation + x-codegen-request-body-name: simulatePolicy + requestBody: + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SimulatePolicyBody' + examples: + SimulatePolicy: + $ref: '#/components/examples/SimulatePolicyBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SimulatePolicyResponse' + examples: + SimulatePolicy: + $ref: '#/components/examples/SimulatePolicyResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/simulateParameter' + /api/v1/policies/{policyId}: + get: + summary: Retrieve a policy + description: Retrieves a policy + operationId: getPolicy + parameters: + - name: expand + in: query + schema: + type: string + default: '' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: >- + #/components/examples/mfa-enroll-policy-with-grace-period-response + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' + access-policy: + $ref: '#/components/examples/create-access-policy-response' + device-signal-collection-policy: + $ref: >- + #/components/examples/device-signal-collection-policy-response + okta-sign-on-policy: + $ref: '#/components/examples/create-okta-sign-on-policy-response' + entity-risk-policy: + $ref: 
'#/components/examples/get-entity-risk-policy-response' + post-auth-session-policy: + $ref: '#/components/examples/get-post-auth-session-policy-response' + passwordWithBreachedProtection: + $ref: >- + #/components/examples/password-policy-with-breached-protection-response + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a policy + description: Replaces the properties of a policy identified by `policyId` + operationId: replacePolicy + x-codegen-request-body-name: policy + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateOrUpdatePolicy' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: >- + #/components/examples/mfa-enroll-policy-with-grace-period-response + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' + access-policy: + $ref: '#/components/examples/create-access-policy-response' + device-signal-collection-policy: + $ref: >- + #/components/examples/device-signal-collection-policy-response + okta-sign-on-policy: + $ref: '#/components/examples/create-okta-sign-on-policy-response' + passwordWithBreachedProtection: + $ref: >- + #/components/examples/password-policy-with-breached-protection-response + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + 
$ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a policy + description: Deletes a policy + operationId: deletePolicy + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPolicyId' + /api/v1/policies/{policyId}/app: + get: + deprecated: true + summary: List all apps mapped to a policy + description: >- + Lists all applications mapped to a policy identified by `policyId` + + + > **Note:** Use [List all resources mapped to a + Policy](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyMappings) + to list all applications mapped to a policy. 
+ operationId: listPolicyApps + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Application' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPolicyId' + /api/v1/policies/{policyId}/clone: + post: + summary: Clone an existing policy + description: Clones an existing policy + operationId: clonePolicy + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Policy' + examples: + password: + $ref: '#/components/examples/password-policy-response' + mfa-enroll: + $ref: >- + #/components/examples/mfa-enroll-policy-with-grace-period-response + idp-discovery: + $ref: '#/components/examples/idp-discovery-policy-response' + profile-enrollment: + $ref: '#/components/examples/profile-enrollment-policy-response' + access-policy: + $ref: '#/components/examples/create-access-policy-response' + okta-sign-on-policy: + $ref: '#/components/examples/create-okta-sign-on-policy-response' + passwordWithBreachedProtection: + $ref: >- + #/components/examples/password-policy-with-breached-protection-response + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: 
'#/components/parameters/pathPolicyId' + /api/v1/policies/{policyId}/lifecycle/activate: + post: + summary: Activate a policy + description: Activates a policy + operationId: activatePolicy + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPolicyId' + /api/v1/policies/{policyId}/lifecycle/deactivate: + post: + summary: Deactivate a policy + description: Deactivates a policy + operationId: deactivatePolicy + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPolicyId' + /api/v1/policies/{policyId}/mappings: + get: + summary: List all resources mapped to a policy + description: Lists all resources mapped to a policy identified by `policyId` + operationId: listPolicyMappings + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-list-response' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - 
okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Map a resource to a policy + description: Maps a resource to a policy identified by `policyId` + operationId: mapResourceToPolicy + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyMappingRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-response' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPolicyId' + /api/v1/policies/{policyId}/mappings/{mappingId}: + get: + summary: Retrieve a policy resource mapping + description: >- + Retrieves a resource mapping for a policy identified by `policyId` and + `mappingId` + operationId: getPolicyMapping + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyMapping' + examples: + policy-mapping-response: + $ref: '#/components/examples/policy-mapping-response' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a policy resource mapping + description: >- + Deletes the resource mapping 
for a policy identified by `policyId` and + `mappingId` + operationId: deletePolicyResourceMapping + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathPolicyMappingId' + /api/v1/policies/{policyId}/rules: + get: + summary: List all policy rules + description: Lists all policy rules + operationId: listPolicyRules + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/PolicyRule' + examples: + okta-sign-on: + $ref: '#/components/examples/list-all-sign-on-policy-rule-response' + access: + $ref: '#/components/examples/list-all-access-policy-rule-response' + device-signal-collection: + $ref: >- + #/components/examples/list-all-device-signal-collection-rule-response + entity-risk: + $ref: >- + #/components/examples/list-all-entity-risk-policy-rule-response + post-auth-session: + $ref: >- + #/components/examples/list-all-post-auth-session-policy-rule-response + password: + $ref: '#/components/examples/list-all-password-policy-rule-response' + idp-discovery: + $ref: >- + #/components/examples/list-all-idp-discovery-policy-rule-response + mfa-enroll: + $ref: >- + #/components/examples/list-all-mfa-enroll-policy-rule-response + profile-enrollment: + $ref: >- + #/components/examples/list-all-profile-enrollment-policy-rule-response + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - 
apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a policy rule + description: >- + Creates a policy rule + + + > **Note:** You can't create additional rules for the + `PROFILE_ENROLLMENT` or `POST_AUTH_SESSION` policies. + operationId: createPolicyRule + parameters: + - name: activate + description: Set this parameter to `false` to create an `INACTIVE` rule. + in: query + schema: + type: boolean + default: true + x-codegen-request-body-name: policyRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyRule' + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up' + EnableSsprOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP' + Enable2FAPreciseAuth: + $ref: >- + #/components/examples/twofa-enabled-disallow-password-allow-phishing + DeviceSignalCollectionRule: + $ref: '#/components/examples/create-device-signal-collection-rule' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' + CreateAuthPolicyRuleDevicePlatformCondition: + $ref: '#/components/examples/create-auth-policy-rule-condition' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule' + RadiusRule: + $ref: '#/components/examples/radius-rule' + CloudRule: + $ref: '#/components/examples/cloud-rule' + DenyRule: + $ref: '#/components/examples/deny-rule' + CreateAuthPolicyRule2FAEnablePostAuthKmsi: + $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-enabled' + CreateAuthPolicyRule2FADisablePostAuthKmsi: 
+ $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-disabled' + CreateAuthPolicyRuleAmc2Chains: + $ref: '#/components/examples/amc-two-chain' + EnableSsprWithConstraints: + $ref: >- + #/components/examples/sspr-enabled-sso-step-up-with-constraints + EnableIdProofingForOamp: + $ref: '#/components/examples/oamp-id-proofing-policy-rule' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyRule' + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-response' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-response' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-response' + EnableSsprWithOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP-response' + Enable2FAPreciseAuth: + $ref: >- + #/components/examples/twofa-enabled-disallow-password-allow-phishing-response + EnableSpecificRoutingRule: + $ref: >- + #/components/examples/idp-discovery-specific-routing-rule-response + EnableDynamicRoutingRule: + $ref: >- + #/components/examples/idp-discovery-dynamic-routing-rule-response + DeviceSignalCollectionRule: + $ref: '#/components/examples/device-signal-collection-rule-response' + CreateAuthPolicyRuleDevicePlatformCondition: + $ref: >- + #/components/examples/create-auth-policy-rule-condition-response + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: >- + #/components/examples/skip-factor-challenge-on-prem-rule-response + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' + CreateAuthPolicyRule2FAEnablePostAuthKmsi: + $ref: >- + #/components/examples/twofa-enabled-post-auth-kmsi-enabled-response + CreateAuthPolicyRule2FADisablePostAuthKmsi: + $ref: >- + 
#/components/examples/twofa-enabled-post-auth-kmsi-disabled-response + CreateAuthPolicyRuleAmc2Chains: + $ref: '#/components/examples/amc-two-chain' + EnableSsprWithConstraints: + $ref: >- + #/components/examples/sspr-enabled-sso-step-up-with-constraints-response + EnableIdProofingForOamp: + $ref: '#/components/examples/oamp-id-proofing-policy-rule-response' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/limitParameter' + /api/v1/policies/{policyId}/rules/{ruleId}: + get: + summary: Retrieve a policy rule + description: Retrieves a policy rule + operationId: getPolicyRule + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyRule' + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-update' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-update' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-update' + EnableSsprWithOAMP: + $ref: '#/components/examples/sspr-enabled-OAMP-update' + EnableSpecificRoutingRule: + $ref: >- + #/components/examples/idp-discovery-specific-routing-rule-response + EnableDynamicRoutingRule: + $ref: >- + #/components/examples/idp-discovery-dynamic-routing-rule-response + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: >- + #/components/examples/skip-factor-challenge-on-prem-rule-response + RadiusRule: + $ref: 
'#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' + DeviceSignalCollectionRule: + $ref: '#/components/examples/device-signal-collection-rule-response' + AuthenticationPolicyRuleWithPlatformDeviceConstraints: + $ref: >- + #/components/examples/update-auth-policy-rule-condition-response + AuthPolicyRule2FAEnablePostAuthKmsi: + $ref: >- + #/components/examples/twofa-enabled-post-auth-kmsi-enabled-response + AuthPolicyRule2FADisablePostAuthKmsi: + $ref: >- + #/components/examples/twofa-enabled-post-auth-kmsi-disabled-response + EnableSsprWithConstraints: + $ref: >- + #/components/examples/sspr-enabled-sso-step-up-with-constraints-update + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.read + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a policy rule + description: >- + Replaces the properties for a policy rule identified by `policyId` and + `ruleId` + operationId: replacePolicyRule + x-codegen-request-body-name: policyRule + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyRule' + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-update' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-update' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-update' + UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints: + $ref: '#/components/examples/update-auth-policy-rule-condition' + UpdateAllowedIdentifiersInUserProfilePolicy: + $ref: >- + #/components/examples/update-identifiers-in-user-profile-policy + 
UpdateAuthPolicyRule2FAEnablePostAuthKmsi: + $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-enabled' + UpdateAuthPolicyRule2FADisablePostAuthKmsi: + $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-disabled' + UpdateDeviceSignalCollectionRule: + $ref: '#/components/examples/update-device-signal-collection-rule' + EnableSpecificRoutingRule: + $ref: '#/components/examples/idp-discovery-specific-routing-rule' + EnableDynamicRoutingRule: + $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule' + SkipFactorChallengeOnPremRule: + $ref: '#/components/examples/skip-factor-challenge-on-prem-rule' + RadiusRule: + $ref: '#/components/examples/radius-rule' + CloudRule: + $ref: '#/components/examples/cloud-rule' + DenyRule: + $ref: '#/components/examples/deny-rule' + EnableSsprWithConstraints: + $ref: >- + #/components/examples/sspr-enabled-sso-step-up-with-constraints-update + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyRule' + examples: + EnableSsprSecurityQuestionStepUp: + $ref: '#/components/examples/sspr-enabled-sq-step-up-response' + EnableSsprSSOStepUp: + $ref: '#/components/examples/sspr-enabled-sso-step-up-response' + EnableSsprNoStepUp: + $ref: '#/components/examples/sspr-enabled-no-step-up-response' + UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints: + $ref: >- + #/components/examples/update-auth-policy-rule-condition-response + UpdateAllowedIdentifiersInUserProfilePolicy: + $ref: >- + #/components/examples/update-identifiers-in-user-profile-policy-response + UpdateAuthPolicyRule2FAEnablePostAuthKmsi: + $ref: >- + #/components/examples/twofa-enabled-post-auth-kmsi-enabled-response + UpdateAuthPolicyRule2FADisablePostAuthKmsi: + $ref: >- + #/components/examples/twofa-enabled-post-auth-kmsi-disabled-response + UpdateDeviceSignalCollectionRule: + $ref: >- + 
#/components/examples/update-device-signal-collection-rule-response + EnableSpecificRoutingRule: + $ref: >- + #/components/examples/idp-discovery-specific-routing-rule-response + EnableDynamicRoutingRule: + $ref: >- + #/components/examples/idp-discovery-dynamic-routing-rule-response + SignOnPolicy: + $ref: '#/components/examples/sign-on-policy-rule-response' + SkipFactorChallengeOnPremRule: + $ref: >- + #/components/examples/skip-factor-challenge-on-prem-rule-response + RadiusRule: + $ref: '#/components/examples/radius-rule-response' + CloudRule: + $ref: '#/components/examples/cloud-rule-response' + DenyRule: + $ref: '#/components/examples/deny-rule-response' + EnableSsprWithConstraints: + $ref: >- + #/components/examples/sspr-enabled-sso-step-up-with-constraints-response + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a policy rule + description: Deletes a policy rule identified by `policyId` and `ruleId` + operationId: deletePolicyRule + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' + /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate: + post: + summary: Activate a policy rule + description: Activates a 
policy rule identified by `policyId` and `ruleId` + operationId: activatePolicyRule + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' + /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: + post: + summary: Deactivate a policy rule + description: Deactivates a policy rule identified by `policyId` and `ruleId` + operationId: deactivatePolicyRule + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.policies.manage + tags: + - Policy + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathPolicyId' + - $ref: '#/components/parameters/pathRuleId' +components: + schemas: + Policy: + type: object + properties: + created: + description: Timestamp when the policy was created + type: string + format: date-time + readOnly: true + default: Assigned + description: + description: Description of the policy + type: string + default: null + id: + description: Identifier of the policy + type: string + readOnly: true + default: Assigned + lastUpdated: + description: Timestamp when the policy was last modified + type: string + format: date-time + readOnly: true + default: Assigned + name: + description: Name of the policy + type: string + priority: + description: >- + Specifies the order in which this policy is evaluated in 
relation to + the other policies + type: integer + default: Last / Lowest Priority, for example `1` + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: >- + Whether or not the policy is active. Use the `activate` query + parameter to set the status of a policy. + system: + description: Specifies whether Okta created the policy + type: boolean + default: false + type: + $ref: '#/components/schemas/PolicyType' + _embedded: + type: object + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/PolicyLinks' + required: + - name + - type + discriminator: + propertyName: type + mapping: + ACCESS_POLICY: '#/components/schemas/AccessPolicy' + IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicy' + MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicy' + OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' + PASSWORD: '#/components/schemas/PasswordPolicy' + PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy' + POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicy' + ENTITY_RISK: '#/components/schemas/EntityRiskPolicy' + DEVICE_SIGNAL_COLLECTION: '#/components/schemas/DeviceSignalCollectionPolicy' + CreateOrUpdatePolicy: + type: object + properties: + created: + description: Timestamp when the policy was created + type: string + format: date-time + readOnly: true + default: Assigned + description: + description: Description of the policy + type: string + default: null + id: + description: Identifier of the policy + type: string + readOnly: true + default: Assigned + lastUpdated: + description: Timestamp when the policy was last modified + type: string + format: date-time + readOnly: true + default: Assigned + name: + description: Name of the policy + type: string + priority: + description: >- + Specifies the order in which this policy is evaluated in relation to + the other policies + type: integer + default: Last / Lowest Priority, for example `1` 
+ status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: >- + Whether or not the policy is active. Use the `activate` query + parameter to set the status of a policy. + system: + description: Specifies whether Okta created the policy + type: boolean + default: false + type: + $ref: '#/components/schemas/PolicyType' + _embedded: + type: object + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/PolicyLinks' + required: + - name + - type + discriminator: + propertyName: type + mapping: + ACCESS_POLICY: '#/components/schemas/AccessPolicy' + MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicy' + OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' + PASSWORD: '#/components/schemas/PasswordPolicy' + PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy' + DEVICE_SIGNAL_COLLECTION: '#/components/schemas/DeviceSignalCollectionPolicy' + SimulatePolicyBody: + description: The request body required for a simulate policy operation + type: object + properties: + appInstance: + type: string + description: The application instance ID for a simulate operation + policyContext: + $ref: '#/components/schemas/PolicyContext' + policyTypes: + type: array + description: >- + Supported policy types for a simulate operation. The default value, + `null`, returns all types. + items: + $ref: '#/components/schemas/PolicyTypeSimulation' + required: + - appInstance + SimulatePolicyResponse: + description: >- + The response body returned for a simulate policy operation. An array of + `evaluations`. 
+ items: + $ref: '#/components/schemas/SimulatePolicyEvaluations' + type: array + Application: + type: object + properties: + accessibility: + $ref: '#/components/schemas/ApplicationAccessibility' + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the application object was created + features: + type: array + description: > + Enabled app features + + > **Note:** See [Application + Features](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationFeatures/) + for app provisioning features. + readOnly: true + items: + type: string + enum: + - GROUP_PUSH + - IMPORT_NEW_USERS + - IMPORT_PROFILE_UPDATES + - IMPORT_USER_SCHEMA + - PROFILE_MASTERING + - PUSH_NEW_USERS + - PUSH_PASSWORD_UPDATES + - PUSH_PROFILE_UPDATES + - PUSH_USER_DEACTIVATION + - REACTIVATE_USERS + - OUTBOUND_DEL_AUTH + - DESKTOP_SSO + - FEDERATED_PROFILE + - SUPPRESS_ACTIVATION_EMAIL + - PUSH_PENDING_USERS + - MFA + - UPDATE_EXISTING_USERNAME + - EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH + - EXCHANGE_ACTIVE_SYNC + - IMPORT_SYNC + - IMPORT_SYNC_CONTACTS + - DEVICE_COMPLIANCE + - VPN_CONFIG + - IMPORT_SCHEMA_ENUM_VALUES + - SCIM_PROVISIONING + - DEVICE_FILTER_IN_SIGN_ON_RULES + - PROFILE_TEMPLATE_UPGRADE + - DEFAULT_PUSH_STATUS_TO_PUSH + - REAL_TIME_SYNC + - SSO + - AUTHN_CONTEXT + - JIT_PROVISIONING + - GROUP_SYNC + - OPP_SCIM_INCREMENTAL_IMPORTS + - IN_MEMORY_APP_USER + - LOG_STREAMING + - OAUTH_INTEGRATION + - IDP + - PUSH_NEW_USERS_WITHOUT_PASSWORD + - SKYHOOK_SERVICE + - ENTITLEMENT_MANAGEMENT + - PUSH_NEW_USERS_WITH_HASHED_PASSWORD + x-enumDescriptions: + GROUP_PUSH: >- + Creates or links a group in the app when a mapping is defined + for a group in Okta. Okta is the source for group memberships + and all group members in Okta who are also assigned to the app + are synced as group members to the app. 
+ IMPORT_NEW_USERS: Creates or links a user in Okta to a user from the app + IMPORT_PROFILE_UPDATES: >- + Updates a linked user's app profile during manual or scheduled + imports + IMPORT_USER_SCHEMA: >- + Discovers the profile schema for a user from the app + automatically + PROFILE_MASTERING: >- + Designates the app as the identity lifecycle and profile + attribute authority for linked users. The user's profile in Okta + is read-only. + PUSH_NEW_USERS: >- + Creates or links a user account in the app when assigning the + app to a user in Okta + PUSH_PASSWORD_UPDATES: >- + Updates the user's app password when their password changes in + Okta + PUSH_PROFILE_UPDATES: >- + Updates a user's profile in the app when the user's profile + changes in Okta (the profile source) + PUSH_USER_DEACTIVATION: >- + Deactivates a user's account in the app when unassigned from the + app in Okta or deactivated + REACTIVATE_USERS: >- + Reactivates an existing inactive user when provisioning a user + to the app + OUTBOUND_DEL_AUTH: >- + Okta user authentication requests are delegated to a third-party + app + DESKTOP_SSO: >- + Okta user authentication requests are handled by desktop SSO + negotiation (if possible) + FEDERATED_PROFILE: >- + App user profiles are synchronized at sign-in and profile-view + instances instead of during bulk imports + SUPPRESS_ACTIVATION_EMAIL: >- + Activation emails aren't sent to users sourced by AD and orgs + with DelAuth enabled + PUSH_PENDING_USERS: >- + Users are in PENDING state in Okta and are created but not + active in the sourced app user + MFA: App can verify credentials as a second factor + UPDATE_EXISTING_USERNAME: App can update the user name for existing users + EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH: Exclude username update during profile push + EXCHANGE_ACTIVE_SYNC: App supports synchronizing credentials with OMM enrolled devices + IMPORT_SYNC: Synchronize import events + IMPORT_SYNC_CONTACTS: Synchronize contacts + DEVICE_COMPLIANCE: Apps 
support device compliance rules + VPN_CONFIG: App supports pushing VPN configuration to OMM enrolled devices + IMPORT_SCHEMA_ENUM_VALUES: >- + App supports downloading schema enum values. You can download + custom objects and integrating them with UD without being tied + to the type metadata system. + SCIM_PROVISIONING: >- + App supports generic SCIM client provisioning and can leverage + SCIM standard for provisioning and push custom attributes to a + third-party app + DEVICE_FILTER_IN_SIGN_ON_RULES: App supports filtering by client type in app sign-on rules + PROFILE_TEMPLATE_UPGRADE: >- + App supports profile template upgrades. This is primarily to + help roll out the profile template upgrade feature for + individual apps + DEFAULT_PUSH_STATUS_TO_PUSH: >- + App defaults Push status to `PUSH`. This feature is for apps, + such as SharePoint, that want to receive App User profile + updates even though they didn't implement traditional + PUSH_PROFILE_UPDATES in the client API. + REAL_TIME_SYNC: Apps support real-time synchronization + SSO: Apps support establishing a subject based on claims from an IdP + AUTHN_CONTEXT: >- + Apps support establishing an authentication context based on + claims from an IdP + JIT_PROVISIONING: Apps support provisioning a user based on claims from an IdP + GROUP_SYNC: >- + Apps support syncing group information based on claims from an + IdP + OPP_SCIM_INCREMENTAL_IMPORTS: Apps support incremental imports. Used for SCIM app instances + IN_MEMORY_APP_USER: >- + Apps support in-memory app users. This feature is used as an + alternative to Implicit App Assignment for a non-persisted app + user. 
+ LOG_STREAMING: Apps support log streaming + OAUTH_INTEGRATION: App is an OAuth 2.0 integration + IDP: Apps support IdP functionalities + PUSH_NEW_USERS_WITHOUT_PASSWORD: Don't send generated password for new users + SKYHOOK_SERVICE: Use the Skyhook microservice for LCM operations + ENTITLEMENT_MANAGEMENT: Marker to showcase which OIN apps are entitlement enabled + PUSH_NEW_USERS_WITH_HASHED_PASSWORD: >- + Send hashed password for new users. This feature is only used + for CIS to CIC migration. + id: + type: string + readOnly: true + description: Unique ID for the app instance + label: + $ref: '#/components/schemas/ApplicationLabel' + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the application object was last updated + licensing: + $ref: '#/components/schemas/ApplicationLicensing' + orn: + type: string + readOnly: true + description: The Okta resource name (ORN) for the current app instance + profile: + type: object + description: >- + Contains any valid JSON schema for specifying properties that can be + referenced from a request (only available to OAuth 2.0 client apps). + + For example, add an app manager contact email address or define an + allowlist of groups that you can then reference using the Okta + Expression Language `getFilteredGroups` function. + + + > **Notes:** + + > * `profile` isn't encrypted, so don't store sensitive data in it. + + > * `profile` doesn't limit the level of nesting in the JSON schema + you created, but there is a practical size limit. Okta recommends a + JSON schema size of 1 MB or less for best performance. 
+ additionalProperties: true + signOnMode: + $ref: '#/components/schemas/ApplicationSignOnMode' + status: + $ref: '#/components/schemas/ApplicationLifecycleStatus' + universalLogout: + $ref: '#/components/schemas/ApplicationUniversalLogout' + visibility: + $ref: '#/components/schemas/ApplicationVisibility' + _embedded: + type: object + description: >- + Embedded resources related to the app using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. If the `expand=user/{userId}` query parameter is + specified, then the assigned [Application + User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) is + embedded. + properties: + user: + type: object + description: >- + The specified [Application + User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) + assigned to the app + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/ApplicationLinks' + required: + - signOnMode + - label + discriminator: + propertyName: signOnMode + mapping: + AUTO_LOGIN: '#/components/schemas/AutoLoginApplication' + BASIC_AUTH: '#/components/schemas/BasicAuthApplication' + BOOKMARK: '#/components/schemas/BookmarkApplication' + BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication' + OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication' + SAML_1_1: '#/components/schemas/Saml11Application' + SAML_2_0: '#/components/schemas/SamlApplication' + SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication' + WS_FEDERATION: '#/components/schemas/WsFederationApplication' + PolicyMapping: + type: object + properties: + id: + type: string + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + application: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the mapped application + policy: + allOf: + 
- $ref: '#/components/schemas/HrefObject' + - description: Link to the mapped policy + type: object + PolicyMappingRequest: + type: object + properties: + resourceId: + type: string + description: Unique identifier of the resource to map + resourceType: + $ref: '#/components/schemas/PolicyMappingResourceType' + PolicyRule: + type: object + properties: + created: + type: string + description: Timestamp when the rule was created + format: date-time + readOnly: true + nullable: true + id: + type: string + description: Identifier for the rule + readOnly: true + lastUpdated: + type: string + description: Timestamp when the rule was last modified + format: date-time + readOnly: true + nullable: true + name: + type: string + description: Name of the rule + priority: + type: integer + description: Priority of the rule + nullable: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: >- + Whether or not the rule is active. Use the `activate` query + parameter to set the status of a rule. + system: + type: boolean + description: >- + Specifies whether Okta created the policy rule (`system=true`). You + can't delete policy rules that have `system` set to `true`. 
+ default: false + type: + $ref: '#/components/schemas/PolicyRuleType' + _links: + $ref: '#/components/schemas/PolicyLinks' + discriminator: + propertyName: type + mapping: + ACCESS_POLICY: '#/components/schemas/AccessPolicyRule' + PASSWORD: '#/components/schemas/PasswordPolicyRule' + PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicyRule' + SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule' + IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicyRule' + POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicyRule' + ENTITY_RISK: '#/components/schemas/EntityRiskPolicyRule' + MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicyRule' + DEVICE_SIGNAL_COLLECTION: '#/components/schemas/DeviceSignalCollectionPolicyRule' + LifecycleStatus: + type: string + enum: + - ACTIVE + - INACTIVE + PolicyType: + description: >- + All Okta orgs contain only one IdP discovery policy with an immutable + default rule routing to your org's sign-in page, one entity risk policy, + and one session protection policy. + + Creating or replacing a policy with the `IDP_DISCOVERY` type, the + `ENTITY_RISK` type, or the `POST_AUTH_SESSION` type isn't supported. + + The following policy types are available with Identity Engine: + `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, <x-lifecycle + class="ea"></x-lifecycle> `DEVICE_SIGNAL_COLLECTION`, and `ENTITY_RISK`. 
+ type: string + enum: + - <x-lifecycle class="ea"></x-lifecycle> DEVICE_SIGNAL_COLLECTION + - ACCESS_POLICY + - ENTITY_RISK + - IDP_DISCOVERY + - MFA_ENROLL + - OKTA_SIGN_ON + - PASSWORD + - POST_AUTH_SESSION + - PROFILE_ENROLLMENT + PolicyLinks: + type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + mappings: + $ref: '#/components/schemas/HrefObjectMappingsLink' + rules: + $ref: '#/components/schemas/HrefObjectRulesLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + PolicyContext: + type: object + properties: + device: + type: object + properties: + platform: + type: string + description: The platform of the device, for example, IOS. + registered: + type: boolean + description: If the device is registered + managed: + type: boolean + description: If the device is managed + assuranceId: + type: string + description: The device assurance policy ID for the simulation + groups: + type: object + description: >- + An array of Group IDs for the simulate operation. Only user IDs or + Group IDs are allowed, not both. 
+ properties: + ids: + type: array + items: + type: string + uniqueItems: true + required: + - ids + ip: + type: string + description: The network rule condition, zone, or IP address + risk: + type: object + description: The risk rule condition level + properties: + level: + type: string + enum: + - LOW + - MEDIUM + - HIGH + user: + type: object + description: >- + The user ID for the simulate operation. Only user IDs or Group IDs + are allowed, not both. + properties: + id: + type: string + description: The unique ID number for the user. + required: + - id + zones: + type: object + description: The zone ID under the network rule condition. + properties: + ids: + type: array + items: + type: string + required: + - user + - groups + PolicyTypeSimulation: + type: string + enum: + - ACCESS_POLICY + - MFA_ENROLL + - OKTA_SIGN_ON + - PROFILE_ENROLLMENT + SimulatePolicyEvaluations: + type: object + properties: + evaluated: + type: object + description: A list of evaluated but not matched policies and rules + properties: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + policyType: + type: array + description: The policy type of the simulate operation + items: + $ref: '#/components/schemas/PolicyTypeSimulation' + result: + $ref: '#/components/schemas/SimulatePolicyResult' + status: + $ref: '#/components/schemas/SimulateResultStatus' + undefined: + type: object + description: A list of undefined but not matched policies and rules + properties: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + ApplicationAccessibility: + description: Specifies access settings for the app + type: object + properties: + errorRedirectUrl: + type: string + description: Custom error page URL for the app + loginRedirectUrl: + type: string + description: >- + Custom login page URL for the app + + > **Note:** The `loginRedirectUrl` property is deprecated in + Identity Engine. This property is used with the custom app login + feature. 
Orgs that actively use this feature can continue to do so. + See [Okta-hosted sign-in (redirect + authentication)](https://developer.okta.com/docs/guides/redirect-authentication/) + or [configure IdP routing + rules](https://help.okta.com/okta_help.htm?type=oie&id=ext-cfg-routing-rules) + to redirect users to the appropriate sign-in app for orgs that don't + use the custom app login feature. + selfService: + type: boolean + description: Represents whether the app can be self-assignable by users + ApplicationLabel: + description: User-defined display name for app + type: string + ApplicationLicensing: + description: Licenses for the app + type: object + properties: + seatCount: + type: integer + description: Number of licenses purchased for the app + ApplicationSignOnMode: + description: > + Authentication mode for the app + + + | signOnMode | Description | + + | ---------- | ----------- | + + | AUTO_LOGIN | Secure Web Authentication (SWA) | + + | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin | + + | BOOKMARK | Just a bookmark (no-authentication) | + + | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser + Plugin | + + | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) | + + | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not + supported for custom apps) | + + | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO | + + | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST + (plugin not required) | + + | WS_FEDERATION | Federated Authentication with WS-Federation Passive + Requestor Profile | + + + Select the `signOnMode` for your custom app: + type: string + enum: + - AUTO_LOGIN + - BASIC_AUTH + - BOOKMARK + - BROWSER_PLUGIN + - OPENID_CONNECT + - SAML_1_1 + - SAML_2_0 + - SECURE_PASSWORD_STORE + - WS_FEDERATION + ApplicationLifecycleStatus: + description: App instance status + type: string + enum: + - ACTIVE + - DELETED + - INACTIVE + readOnly: true + ApplicationUniversalLogout: + 
description: >- + <div class="x-lifecycle-container"><x-lifecycle + class="oie"></x-lifecycle></div> + + Universal Logout properties for the app. These properties are only + returned and can't be updated. + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + example: ACTIVE + type: object + properties: + identityStack: + type: string + description: >- + Indicates whether the app uses a shared identity stack that may + cause the user to sign out of other apps by the same company + enum: + - SHARED + - NOT_SHARED + example: SHARED + protocol: + type: string + description: The protocol used for Universal Logout + enum: + - PROPRIETARY + - GLOBAL_TOKEN_REVOCATION + x-enumDescriptions: + PROPRIETARY: Universal Logout is implemented with a proprietary method. + GLOBAL_TOKEN_REVOCATION: >- + Universal Logout is implemented with the [Global Token + Revocation](https://datatracker.ietf.org/doc/draft-parecki-oauth-global-token-revocation/) + protocol. See the [Global Token Revocation + API](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/GlobalTokenRevocation/). + example: PROPRIETARY + status: + type: string + description: Universal Logout status for the app instance + enum: + - ENABLED + - DISABLED + - UNSUPPORTED + example: ENABLED + x-enumDescriptions: + ENABLED: >- + Universal Logout is enabled. Users are signed out of the app + instance when the Okta system or an admin initiates logout. + DISABLED: Universal Logout is disabled + UNSUPPORTED: The app doesn't support Universal Logout + supportType: + type: string + description: >- + Indicates whether the app supports full or partial Universal Logout + (UL). + enum: + - FULL + - PARTIAL + x-enumDescriptions: + FULL: >- + Full UL support (users are signed out of an app when the Okta + system or an admin initiates logout) + PARTIAL: >- + This app's sign-out behavior can be different from other supported + UL apps. 
+ example: FULL + readOnly: true + ApplicationVisibility: + description: Specifies visibility settings for the app + type: object + properties: + appLinks: + type: object + description: >- + Links or icons that appear on the End-User Dashboard if they're set + to `true`. + additionalProperties: + type: boolean + autoLaunch: + type: boolean + description: Automatically signs in to the app when user signs into Okta + autoSubmitToolbar: + type: boolean + description: Automatically sign in when user lands on the sign-in page + hide: + $ref: '#/components/schemas/ApplicationVisibilityHide' + ApplicationLinks: + description: Discoverable resources related to the app + properties: + accessPolicy: + $ref: '#/components/schemas/AccessPolicyLink' + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + appLinks: + type: array + description: List of app link resources + items: + $ref: '#/components/schemas/HrefObject' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + groups: + $ref: '#/components/schemas/GroupsLink' + help: + $ref: '#/components/schemas/HelpLink' + logo: + type: array + description: List of app logo resources + items: + $ref: '#/components/schemas/HrefObject' + metadata: + $ref: '#/components/schemas/MetadataLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + users: + $ref: '#/components/schemas/UsersLink' + readOnly: true + type: object + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + PolicyMappingResourceType: + description: >- + Specifies the type of resource to map. You can either map an app onto a + policy, or map a device signal collection policy onto an authentication + policy. + type: string + enum: + - ACCESS_POLICY + - APP + PolicyRuleType: + description: Rule type + type: string + enum: + - ACCESS_POLICY + - DEVICE_SIGNAL_COLLECTION + - ENTITY_RISK + - IDP_DISCOVERY + - MFA_ENROLL + - PASSWORD + - POST_AUTH_SESSION + - PROFILE_ENROLLMENT + - SIGN_ON + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + HrefObjectMappingsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the mappings resource + HrefObjectRulesLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the rules resource + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + ErrorCause: + type: object + properties: + errorSummary: + type: string + SimulateResultPolicies: + items: + $ref: '#/components/schemas/SimulateResultPoliciesItems' + type: array + SimulatePolicyResult: + 
description: The result of the policy evaluation + type: object + properties: + policies: + $ref: '#/components/schemas/SimulateResultPolicies' + SimulateResultStatus: + description: The result of this entity evaluation + type: string + enum: + - MATCH + - NOT_MATCH + - UNDEFINED + ApplicationVisibilityHide: + description: Hides the app for specific end-user apps + type: object + properties: + iOS: + type: boolean + description: Okta Mobile for iOS or Android (pre-dates Android) + default: false + example: false + web: + type: boolean + description: Okta End-User Dashboard on a web browser + default: false + example: true + AccessPolicyLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app access policy resource + GroupsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [Application + Groups](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationGroups/#tag/ApplicationGroups/operation/listApplicationGroupAssignments) + resource + HelpLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the app help resource + MetadataLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [SAML + metadata](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationSSO/#tag/ApplicationSSO/operation/previewSAMLmetadataForApplication) + for SSO + UsersLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: >- + Link to the [Application + Users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers) + resource + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + SimulateResultPoliciesItems: + type: object + properties: + conditions: + type: array + 
description: List of all conditions involved for this policy evaluation + items: + $ref: '#/components/schemas/SimulateResultConditions' + id: + type: string + description: ID of the specified policy type + name: + type: string + description: Policy name + rules: + type: array + items: + $ref: '#/components/schemas/SimulateResultRules' + status: + $ref: '#/components/schemas/SimulateResultStatus' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + SimulateResultConditions: + type: object + properties: + status: + $ref: '#/components/schemas/SimulateResultStatus' + type: + type: string + description: The type of condition + SimulateResultRules: + type: object + properties: + conditions: + type: array + description: List of all conditions involved for this rule evaluation + items: + $ref: '#/components/schemas/SimulateResultConditions' + id: + type: string + description: The unique ID number of the policy rule + name: + type: string + description: The name of the policy rule + status: + $ref: '#/components/schemas/SimulateResultStatus' + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + simulateParameter: + 
name: expand + description: >- + Use `expand=EVALUATED` to include a list of evaluated but not matched + policies and policy rules. Use `expand=RULE` to include details about + why a rule condition wasn't matched. + in: query + schema: + type: string + example: EVALUATED + pathPolicyId: + name: policyId + description: '`id` of the Policy' + in: path + required: true + schema: + type: string + example: 00plrilJ7jZ66Gn0X0g3 + pathPolicyMappingId: + name: mappingId + description: '`id` of the policy resource Mapping' + in: path + required: true + schema: + type: string + example: maplr2rLjZ6NsGn1P0g3 + limitParameter: + name: limit + in: query + schema: + type: string + description: >- + Defines the number of policy rules returned. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + pathRuleId: + name: ruleId + description: '`id` of the policy rule' + in: path + required: true + schema: + type: string + example: ruld3hJ7jZh4fn0st0g3 + examples: + password-policy-response: + summary: PASSWORD + value: + type: PASSWORD + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: + people: + groups: + include: + - groupId + authProvider: + provider: provider + settings: + password: + complexity: + minLength: 8 + minLowerCase: 1 + minUpperCase: 1 + minNumber: null + minSymbol: 0 + excludeUsername: true + dictionary: + common: + exclude: false + excludeAttributes: [] + age: + maxAgeDays: 0 + expireWarnDays: 0 + minAgeMinutes: 0 + historyCount: 4 + lockout: + maxAttempts: 0 + autoUnlockMinutes: 0 + userLockoutNotificationChannels: [] + showLockoutFailures: false + recovery: + factors: + recovery_question: + status: ACTIVE + properties: + complexity: + complexity: 4 + type: object + okta_email: + status: ACTIVE + properties: + recoveryToken: + tokenLifetimeMinutes: 10080 + type: object + okta_sms: + status: INACTIVE + okta_call: + status: 
INACTIVE + delegation: + options: + skipUnlock: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + mfa-enroll-policy-with-grace-period-response: + summary: MFA_ENROLL + value: + type: MFA_ENROLL + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: + people: + groups: + include: + - groupId + settings: + type: AUTHENTICATORS + authenticators: + - key: okta_email + enroll: + self: NOT_ALLOWED + - key: okta_verify + enroll: + self: OPTIONAL + - key: okta_password + enroll: + self: REQUIRED + - key: phone_number + enroll: + self: REQUIRED + gracePeriod: + type: BY_DATE_TIME + expiry: '2025-01-01T18:30:45.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + mappings: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings + hints: + allow: + - GET + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/lifecycle/deactivate + hints: + allow: + - POST + idp-discovery-policy-response: + summary: IDP_DISCOVERY + value: + type: IDP_DISCOVERY + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + profile-enrollment-policy-response: + summary: PROFILE_ENROLLMENT + value: + type: PROFILE_ENROLLMENT + id: policyId + 
status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + list-access-policy-response: + summary: ACCESS_POLICY + value: + - type: ACCESS_POLICY + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + conditions: null + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - GET + - POST + list-device-signal-collection-policy-response: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: DEVICE_SIGNAL_COLLECTION + value: + - type: DEVICE_SIGNAL_COLLECTION + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: false + conditions: null + created: '2025-04-25T17:35:02.000Z' + lastUpdated: '2025-04-25T17:35:02.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - GET + - POST + list-okta-sign-on-policy-response: + summary: OKTA_SIGN_ON + value: + - type: OKTA_SIGN_ON + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + conditions: + people: + groups: + include: + - groupId + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: 
+ allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - GET + - POST + list-entity-risk-policy-response: + summary: ENTITY_RISK + value: + - type: ENTITY_RISK + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + conditions: null + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - GET + - POST + list-post-auth-session-policy-response: + summary: POST_AUTH_SESSION + value: + - type: POST_AUTH_SESSION + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + conditions: null + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - GET + - POST + password-policy-with-breached-protection-response: + summary: PASSWORD_WITH_BREACHED_PROTECTION + value: + type: PASSWORD + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + created: createdDate + lastUpdated: lastUpdated + conditions: + people: + groups: + include: + - groupId + authProvider: + provider: provider + settings: + password: + complexity: + minLength: 8 + minLowerCase: 1 + minUpperCase: 1 + minNumber: null + minSymbol: 0 + excludeUsername: true + dictionary: + common: + exclude: false + excludeAttributes: [] + age: + maxAgeDays: 0 + expireWarnDays: 0 + minAgeMinutes: 0 + historyCount: 4 + lockout: + maxAttempts: 0 + autoUnlockMinutes: 0 + userLockoutNotificationChannels: [] + showLockoutFailures: false + 
breachedProtection: + expireAfterDays: 1 + logoutEnabled: true + deletegatedWorkflowId: workflowId + recovery: + factors: + recovery_question: + status: ACTIVE + properties: + complexity: + complexity: 4 + type: object + okta_email: + status: ACTIVE + properties: + recoveryToken: + tokenLifetimeMinutes: 10080 + type: object + okta_sms: + status: INACTIVE + okta_call: + status: INACTIVE + delegation: + options: + skipUnlock: false + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - POST + - GET + create-access-policy-response: + summary: ACCESS_POLICY + value: + type: ACCESS_POLICY + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: false + conditions: null + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + _links: + mappings: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings + hints: + allow: + - GET + - POST + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - GET + - POST + deviceSignalCollectionPolicy: + href: >- + https://{yourOktaDomain}/api/v1/policies/{deviceSignalCollectionPolicyId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/lifecycle/deactivate + hints: + allow: + - POST + device-signal-collection-policy-response: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: DEVICE_SIGNAL_COLLECTION + value: + type: DEVICE_SIGNAL_COLLECTION + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: false + conditions: null + created: '2024-04-25T17:35:02.000Z' + lastUpdated: 
'2024-04-25T17:35:02.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - GET + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/lifecycle/deactivate + hints: + allow: + - POST + create-okta-sign-on-policy-response: + summary: OKTA_SIGN_ON + value: + type: OKTA_SIGN_ON + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: false + conditions: + people: + groups: + include: + - groupId + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + _links: + mappings: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings + hints: + allow: + - GET + - POST + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - GET + - POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/lifecycle/deactivate + hints: + allow: + - POST + SimulatePolicyBody: + summary: Simulate policy request body + value: + policyType: + - OKTA_SIGN_ON + - MFA_ENROLL + appInstance: 0oa4eroj3nYCIJIW70g7 + policyContext: + groups: + ids: + - 00g4eralvekR5RLuS0g7 + - 00g4eralvekR5RLuS0g8 + risk: + level: LOW + zones: + ids: + - nzo4eralxcRnbIHYJ0g7 + device: + platform: IOS + registered: true + managed: true + SimulatePolicyResponse: + summary: Simulate policy response body + value: + evaluation: + - status: null + policyType: OKTA_SIGN_ON + result: + policies: + - id: 00p4eromwukk6qUku0g7 + name: test policy + status: MATCH + conditions: [] + rules: + - id: 0pr4erof85nGcyC7Y0g7 + name: test rule + status: MATCH + conditions: + - type: people.groups.include + status: MATCH + undefined: + policies: [] + evaluated: + policies: [] + 
- status: null + policyType: MFA_ENROLL + result: + policies: + - id: 00p4eram2kw1aLcrx0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: 0pr4eram2lMQT5FZF0g7 + name: null + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: ACCESS_POLICY + result: + policies: + - id: rst4eram06ZKZewEe0g7 + name: Any two factors + status: MATCH + conditions: [] + rules: + - id: rul4eram07VsWgybo0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + - status: null + policyType: PROFILE_ENROLLMENT + result: + policies: + - id: rst4eram08ZSjPTOl0g7 + name: Default Policy + status: MATCH + conditions: [] + rules: + - id: rul4eram094PrQ2BX0g7 + name: Catch-all rule + status: MATCH + conditions: [] + undefined: + policies: [] + evaluated: + policies: [] + get-entity-risk-policy-response: + summary: ENTITY_RISK + value: + type: ENTITY_RISK + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + conditions: null + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - GET + - POST + get-post-auth-session-policy-response: + summary: POST_AUTH_SESSION + value: + type: POST_AUTH_SESSION + id: policyId + status: ACTIVE + name: Policy name + description: Policy description + priority: 1 + system: true + conditions: null + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + rules: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules + hints: + allow: + - GET + - POST + policy-mapping-list-response: + 
summary: List all mappings for a policy + value: + - id: policyId + _links: + application: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + hints: + allow: + - GET + - PUT + - DELETE + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId} + hints: + allow: + - GET + - PUT + - DELETE + policy: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + policy-mapping-response: + summary: Policy mapping for a policy + value: + id: policyId + _links: + application: + href: https://{yourOktaDomain}/api/v1/apps/{appId} + hints: + allow: + - GET + - PUT + - DELETE + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId} + hints: + allow: + - GET + - PUT + - DELETE + policy: + href: https://{yourOktaDomain}/api/v1/policies/{policyId} + hints: + allow: + - GET + - PUT + - DELETE + list-all-sign-on-policy-rule-response: + summary: OKTA_SIGN_ON + value: + - id: 0prh1sd28q5sXGW08697 + status: ACTIVE + name: Test rule + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + primaryFactor: PASSWORD_IDP_ANY_FACTOR + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - POST + type: SIGN_ON + list-all-access-policy-rule-response: + summary: ACCESS_POLICY + value: + - id: ruleId + status: ACTIVE + name: Catch-all rule + priority: 99 + 
created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: true + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 1FA + type: ASSURANCE + reauthenticateIn: PT12H + constraints: [] + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: ACCESS_POLICY + list-all-device-signal-collection-rule-response: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: DEVICE_SIGNAL_COLLECTION + value: + - id: ruleId + status: ACTIVE + name: Device signal collection rule + priority: 0 + created: '2024-11-20T18:22:15.000Z' + lastUpdated: '2025-01-03T23:04:33.000Z' + system: false + conditions: + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + platform: + include: + - type: MOBILE + os: + type: ANDROID + actions: + deviceSignalCollection: + deviceContextProviders: + - key: OKTA_VERIFY + userIdentification: IGNORE + - key: CHROME_DEVICE_TRUST + - key: DEVICE_POSTURE_IDP + id: 0oa159mE9aOSpCwmr0g4 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: DEVICE_SIGNAL_COLLECTION + list-all-entity-risk-policy-rule-response: + summary: ENTITY_RISK + value: + - id: ruleId + status: ACTIVE + name: Catch-all rule + priority: 99 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: true + conditions: null + actions: + entityRisk: + actions: [] + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: ENTITY_RISK + list-all-post-auth-session-policy-rule-response: + summary: POST_AUTH_SESSION + value: + - id: ruleId + status: ACTIVE + name: Post auth rule + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + 
users: + exclude: [] + actions: + postAuthSession: + failureActions: [] + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + type: POST_AUTH_SESSION + - id: ruleId2 + status: ACTIVE + name: Catch-all rule + priority: 99 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: true + conditions: null + actions: + postAuthSession: + failureActions: [] + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId2} + hints: + allow: + - GET + - PUT + type: POST_AUTH_SESSION + list-all-password-policy-rule-response: + summary: PASSWORD + value: + - id: 0prgu3baytQGHuVEv1d7 + status: ACTIVE + name: Test Rule + priority: 1 + created: '2024-08-27T19:51:11.000Z' + lastUpdated: '2024-08-27T19:51:17.000Z' + system: true + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - email + stepUp: + required: false + selfServiceUnlock: + access: DENY + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: PASSWORD + list-all-idp-discovery-policy-rule-response: + summary: IDP_DISCOVERY + value: + - id: 0prgu3bb10hce267M1d7 + status: ACTIVE + name: Test rule + priority: 1 + created: '2024-08-27T19:51:15.000Z' + lastUpdated: '2024-08-27T19:51:15.000Z' + system: true + conditions: + network: + connection: ANYWHERE + platform: + include: [] + exclude: [] + userIdentifier: + patterns: [] + app: + include: [] + exclude: [] + actions: + idp: + providers: + - type: OKTA + idpSelectionType: SPECIFIC + _links: + self: + href: >- + 
https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: IDP_DISCOVERY + list-all-mfa-enroll-policy-rule-response: + summary: MFA_ENROLL + value: + - id: 0prgu3g4mon9ARm9F1d7 + status: ACTIVE + name: Test Rule + priority: 1 + created: '2024-08-27T19:51:39.000Z' + lastUpdated: '2024-08-27T19:51:39.000Z' + system: true + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + enroll: + self: CHALLENGE + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: MFA_ENROLL + list-all-profile-enrollment-policy-rule-response: + summary: PROFILE_ENROLLMENT + value: + - id: rulgu3bb4oWR7qbMi1d7 + status: ACTIVE + name: Test Rule + priority: 99 + created: '2024-08-27T19:51:18.000Z' + lastUpdated: '2024-08-27T19:51:22.000Z' + system: true + conditions: null + actions: + profileEnrollment: + access: ALLOW + preRegistrationInlineHooks: null + profileAttributes: + - name: email + label: Email + required: true + - name: firstName + label: First name + required: true + - name: lastName + label: Last name + required: true + targetGroupIds: null + unknownUserAction: DENY + activationRequirements: + emailVerification: true + uiSchemaId: uisgu3bb4zTbvwD8S1d7 + progressiveProfilingAction: DISABLED + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + type: PROFILE_ENROLLMENT + sspr-enabled-sq-step-up: + summary: >- + Password policy - Self-service password change, reset, or unlock with + security question as step up + value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - 
security_question + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up: + summary: >- + Password policy - Self-service password change, reset, or unlock with + any SSO authenticator as step up + value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-no-step-up: + summary: >- + Password policy - Self-service password change, reset, or unlock with no + step up + value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-OAMP: + summary: >- + Password policy - Self-service password change, reset, or unlock + requirements defined by Okta account management policy + value: + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + twofa-enabled-disallow-password-allow-phishing: + summary: Authentication policy - 2FA with granular authentication + value: + name: Passwordless 2FA + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + 
excludedAuthenticationMethods: + key: okta_password + possession: + deviceBound: REQUIRED + phishingREsistant: REQUIRED + type: ACCESS_POLICY + create-device-signal-collection-rule: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Device signal collection policy - collect context for Okta Verify + devices + value: + name: Device signal collection rule + actions: + deviceSignalCollection: + deviceContextProviders: + - key: OKTA_VERIFY + userIdentification: ALLOW + - key: DEVICE_POSTURE_IDP + id: 0oa159mE9aOSpCwmr0g4 + type: DEVICE_SIGNAL_COLLECTION + idp-discovery-specific-routing-rule: + summary: IdP discovery policy - Routing rule with specific IdP + value: + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + idp-discovery-dynamic-routing-rule: + summary: IdP discovery policy - Routing rule with dynamic IdP + value: + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + create-auth-policy-rule-condition: + summary: Authentication policy - Create rule with conditions + value: + system: false + type: ACCESS_POLICY + name: Rule with conditions + conditions: + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + network: + connection: ZONE + exclude: + - 00u7yq5goxNFTiMjW1d7 + riskScore: + level: ANY + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + include: [] + groups: + include: + - 00g9i12jictsYdZdi1d7 + exclude: [] + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + 
elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + reauthenticateIn: PT2H + constraints: + - knowledge: + reauthenticateIn: PT2H + types: + - password + type: ASSURANCE + sign-on-policy-rule: + summary: Sign-on policy - Rule with factor mode always + value: + type: SIGN_ON + name: Test Sign On + conditions: + network: + connection: ANYWHERE + riskScore: + level: ANY + identityProvider: + provider: ANY + authContext: + authType: ANY + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + factorLifetime: 15 + access: ALLOW + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR + skip-factor-challenge-on-prem-rule: + summary: Global session policy - Skip factor challenge for on-prem sign-in use + value: + type: SIGN_ON + status: ACTIVE + name: Skip Factor Challenge when On-Prem + conditions: + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + actions: + signon: + access: ALLOW + requireFactor: false + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + radius-rule: + summary: Global session policy - Challenge VPN users with Radius + value: + type: SIGN_ON + status: ACTIVE + name: Challenge VPN users + conditions: + network: + connection: ANYWHERE + authContext: + authType: RADIUS + people: + users: + exclude: [] + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: true + primaryFactor: PASSWORD_IDP_ANY_FACTOR + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + cloud-rule: + summary: Global session policy - Challenge cloud users + value: + type: SIGN_ON + name: 
Challenge Cloud Users + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: [] + exclude: [] + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + actions: + signon: + access: ALLOW + requireFactor: true + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + deny-rule: + summary: Global session policy - Deny users + value: + type: SIGN_ON + name: Deny users + conditions: + network: + connection: ANYWHERE + authContext: + authType: ANY + actions: + signon: + access: DENY + requireFactor: false + twofa-enabled-post-auth-kmsi-enabled: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + summary: >- + Authentication policy - 2FA with granular authentication with Keep Me + Signed In (KMSI) enabled + value: + name: 2FA with Post Auth KMSI prompt enabled + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + keepMeSignedIn: + postAuth: ALLOWED + postAuthPromptFrequency: P30D + twofa-enabled-post-auth-kmsi-disabled: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + summary: >- + Authentication policy - 2FA with granular authentication with Keep Me + Signed In (KMSI) disabled + value: + name: 2FA with Post Auth KMSI prompt disabled + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + keepMeSignedIn: + postAuth: NOT_ALLOWED + type: ACCESS_POLICY + amc-two-chain: + summary: Authentication policy - Allow two authentication method chains + value: + name: Allow two authentication method 
chains + actions: + appSignOn: + access: ALLOW + verificationMethod: + type: AUTH_METHOD_CHAIN + chains: + - authenticationMethods: + - key: okta_password + method: password + next: + - authenticationMethods: + - key: phone_number + method: sms + - authenticationMethods: + - key: okta_verify + method: signed_nonce + userVerification: REQUIRED + type: ACCESS_POLICY + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + sspr-enabled-sso-step-up-with-constraints: + summary: >- + Password policy - Enable self-service password change, reset, or unlock + with OTP enabled and Google Authenticator constraint + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + oamp-id-proofing-policy-rule: + summary: >- + Account Management Policy - Account management policy rule with ID + proofing enabled + value: + id: ruleId + name: Account Management Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + appSignOn: + access: ALLOW + verificationMethod: + id: entity_id + type: ID_PROOFING + sspr-enabled-sq-step-up-response: + summary: >- + Password policy - Self-service password change, reset, or unlock with + security question as step up + value: + id: ruleId + _links: + self: + href: 
https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - security_question + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-response: + summary: Password policy - SSPR with any SSO authenticator as step up + value: + id: ruleId + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-no-step-up-response: + summary: >- + Password policy - Self-service password change, reset, or unlock with no + step up + value: + id: ruleId + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: 
ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-OAMP-response: + summary: >- + Password policy - Self-service password change, reset, or unlock + requirements defined by Okta account management policy + value: + id: ruleId + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + twofa-enabled-disallow-password-allow-phishing-response: + summary: Authentication policy - 2FA with granular authentication + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: Passwordless 2FA + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: false + possession: + deviceBound: REQUIRED + phishingREsistant: REQUIRED + required: true + type: ACCESS_POLICY + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + idp-discovery-specific-routing-rule-response: + summary: 
IdP discovery policy - Routing rule with specific IdP + value: + id: ruleId + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Specific routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: + - type: GOOGLE + id: 0oa5ks3WmHLRh8Ivr0g4 + idpSelectionType: SPECIFIC + system: false + type: IDP_DISCOVERY + idp-discovery-dynamic-routing-rule-response: + summary: IdP discovery policy - Routing rule with dynamic IdP + value: + id: ruleId + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Dynamic routing rule + priority: 1 + status: ACTIVE + conditions: + network: + connection: ANYWHERE + actions: + idp: + providers: [] + idpSelectionType: DYNAMIC + matchCriteria: + - providerExpression: login.identifier.substringAfter('@') + propertyName: name + system: false + type: IDP_DISCOVERY + device-signal-collection-rule-response: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Device signal collection policy - collect context for Okta Verify + devices + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: Device signal collection rule + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + deviceSignalCollection: + deviceContextProviders: + - key: OKTA_VERIFY + userIdentification: IGNORE + - key: DEVICE_POSTURE_IDP + id: 0oa159mE9aOSpCwmr0g4 + type: DEVICE_SIGNAL_COLLECTION + _links: + self: + href: >- + 
https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + create-auth-policy-rule-condition-response: + summary: Authentication policy - Policy rule with conditions + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + name: Rule with conditions + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + groups: + include: + - 00g9i12jictsYdZdi1d7 + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + exclude: [] + riskScore: + level: ANY + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + required: true + types: + - password + reauthenticateIn: PT2H + type: ACCESS_POLICY + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + sign-on-policy-rule-response: + summary: Sign-on policy - Rule with factor mode always + value: + type: SIGN_ON + name: Test Sign On + id: 0prh1sd28q5sXGW08697 + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + status: ACTIVE + conditions: + network: + connection: ANYWHERE + riskScore: + level: ANY + identityProvider: + provider: ANY + authContext: + authType: ANY + people: + users: + exclude: [] + actions: + signon: + requireFactor: false + factorPromptMode: ALWAYS + 
factorLifetime: 15 + access: ALLOW + session: + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + usePersistentCookie: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + skip-factor-challenge-on-prem-rule-response: + summary: Global session policy - Skip factor challenge for on-prem sign-in use + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + name: Skip Factor Challenge when On-Prem + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + people: + users: + exclude: [] + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: false + primaryFactor: PASSWORD_IDP_ANY_FACTOR + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + type: SIGN_ON + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + radius-rule-response: + summary: Global session policy - Challenge VPN users with Radius + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + type: SIGN_ON + name: Challenge VPN users + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + network: + connection: ANYWHERE + authContext: + authType: RADIUS + actions: + signon: + access: ALLOW + requireFactor: true + factorPromptMode: ALWAYS 
+ rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + cloud-rule-response: + summary: Global session policy - Challenge cloud users + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + type: SIGN_ON + name: Challenge Cloud Users + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + include: [] + exclude: [] + groups: + include: [] + exclude: [] + network: + connection: ZONE + include: + - 00u7yq5goxNFTiMjW1d7 + authContext: + authType: ANY + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: ALLOW + requireFactor: true + primaryFactor: PASSWORD_IDP_ANY_FACTOR + factorPromptMode: ALWAYS + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 720 + maxSessionLifetimeMinutes: 0 + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deny-rule-response: + summary: Global session policy - Deny users + value: + id: rule8jjozjGMGbHyC1d6 + status: ACTIVE + type: SIGN_ON + name: Deny + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + authContext: + authType: ANY + risk: + behaviors: [] + riskScore: + level: ANY + identityProvider: + provider: ANY + actions: + signon: + access: 
DENY + requireFactor: false + primaryFactor: PASSWORD_IDP + rememberDeviceByDefault: false + session: + usePersistentCookie: false + maxSessionIdleMinutes: 120 + maxSessionLifetimeMinutes: 0 + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + twofa-enabled-post-auth-kmsi-enabled-response: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + summary: >- + Authentication policy - 2FA with granular authentication with Keep Me + Signed In (KMSI) enabled + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: 2FA with Post Auth KMSI prompt enabled + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: true + keepMeSignedIn: + postAuth: ALLOWED + postAuthPromptFrequency: PT720H + type: ACCESS_POLICY + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + twofa-enabled-post-auth-kmsi-disabled-response: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + summary: >- + Authentication policy - 2FA with granular authentication with Keep Me + Signed In (KMSI) disabled + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: 2FA with Post Auth KMSI prompt disabled + priority: 0 + created: '2023-05-01T21:13:15.000Z' + 
lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT0S + constraints: + knowledge: + excludedAuthenticationMethods: + key: okta_password + required: true + keepMeSignedIn: + postAuth: NOT_ALLOWED + type: ACCESS_POLICY + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + sspr-enabled-sso-step-up-with-constraints-response: + summary: >- + Password policy - Enable self-service password change, reset, or unlock + with OTP enabled and Google Authenticator constraint + value: + id: ruleId + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + oamp-id-proofing-policy-rule-response: + summary: >- + Account Management Policy - Account management policy rule with ID + proofing enabled + value: + id: ruleId + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + 
https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate + hints: + allow: + - POST + name: Account Management Policy Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + appSignOn: + access: ALLOW + verificationMethod: + id: entity_id + type: ID_PROOFING + sspr-enabled-sq-step-up-update: + summary: >- + Password policy - Self-service password change, reset, or unlock with + security question as step up + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + methods: + - security_question + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-sso-step-up-update: + summary: >- + Password policy - Self-service password change, reset, or unlock with + any SSO authenticator as step up + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + sspr-enabled-no-step-up-update: + summary: >- + Password policy - Self-service password change, reset, or unlock with no + step up + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + 
type: PASSWORD + sspr-enabled-OAMP-update: + summary: >- + Password policy - Self-service password change, reset, or unlock + requirements defined by Okta account management policy + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + accessControl: AUTH_POLICY + primary: + methods: + - sms + - email + stepUp: + required: false + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + update-auth-policy-rule-condition-response: + summary: Authentication policy - Rule with conditions + value: + id: rulezuo73ySrHndLb1d7 + status: ACTIVE + name: Rule with conditions - exclude a group + priority: 0 + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + system: false + conditions: + people: + users: + exclude: [] + groups: + exclude: + - 00u7yq5goxNFTiMjW1d7 + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + exclude: [] + riskScore: + level: ANY + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + elCondition: + condition: security.risk.level == 'HIGH' + actions: + appSignOn: + access: ALLOW + verificationMethod: + factorMode: 2FA + type: ASSURANCE + reauthenticateIn: PT2H + constraints: + knowledge: + required: true + types: + - password + reauthenticateIn: PT2H + type: ACCESS_POLICY + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + - DELETE + sspr-enabled-sso-step-up-with-constraints-update: + summary: >- 
+ Password policy - Enable self-service password change, reset, or unlock + with OTP enabled and Google Authenticator constraint + value: + id: ruleId + name: SSPR Rule + priority: 1 + status: ACTIVE + conditions: + people: + users: + exclude: [] + network: + connection: ANYWHERE + actions: + passwordChange: + access: ALLOW + selfServicePasswordReset: + access: ALLOW + requirement: + primary: + methods: + - push + - sms + - otp + methodConstraints: + - method: otp + allowedAuthenticators: + - key: google_otp + stepUp: + required: true + selfServiceUnlock: + access: ALLOW + system: false + type: PASSWORD + update-auth-policy-rule-condition: + summary: Authentication policy - Rule with conditions + value: + type: ACCESS_POLICY + name: Rule with conditions - exclude a group + description: Updated policy rule + conditions: + userType: + include: [] + exclude: + - otyezu4m0xN6w5JEa1d7 + network: + connection: ZONE + exclude: + - nzo9o4rctwQCJNE6y1d7 + riskScore: + level: ANY + people: + users: + exclude: + - 00u7yq5goxNFTiMjW1d7 + include: [] + groups: + include: [] + exclude: + - 00g8vta8qzkxPEfKC1d7 + platform: + include: + - type: MOBILE + os: + type: IOS + - type: MOBILE + os: + type: ANDROID + - type: DESKTOP + os: + type: MACOS + elCondition: + condition: security.risk.level == 'HIGH' + update-identifiers-in-user-profile-policy: + summary: User profile policy - Configure multiple identifiers + value: + type: PROFILE_ENROLLMENT, + id: rulgu3bb4oWR7qbMi1d7, + status: ACTIVE, + name: Test Rule, + priority: 99, + system: true, + conditions: null, + actions: + profileEnrollment: + access: ALLOW + preRegistrationInlineHooks: null + profileAttributes: + - name: email + label: Email + required: true + - name: firstName + label: First name + required: true + - name: lastName + label: Last name + required: true + targetGroupIds: null + unknownUserAction: DENY + activationRequirements: + emailVerification: true + uiSchemaId: uisgu3bb4zTbvwD8S1d7 + progressiveProfilingAction: 
DISABLED + allowedIdentifiers: + - login + - customAttribute + update-device-signal-collection-rule: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Device signal collection policy - disallow Okta Verify from identifying + users + value: + name: Device signal collection rule + actions: + deviceSignalCollection: + deviceContextProviders: + - key: OKTA_VERIFY + userIdentification: IGNORE + - key: DEVICE_POSTURE_IDP + id: 0oa159mE9aOSpCwmr0g4 + type: DEVICE_SIGNAL_COLLECTION + update-identifiers-in-user-profile-policy-response: + summary: User profile policy - Configure multiple identifiers + value: + type: PROFILE_ENROLLMENT, + id: rulgu3bb4oWR7qbMi1d7, + status: ACTIVE, + name: Test Rule, + priority: 99, + system: true, + conditions: null, + _links: + self: + href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} + hints: + allow: + - GET + - PUT + actions: + profileEnrollment: + access: ALLOW + preRegistrationInlineHooks: null + profileAttributes: + - name: email + label: Email + required: true + - name: firstName + label: First name + required: true + - name: lastName + label: Last name + required: true + targetGroupIds: null + unknownUserAction: DENY + activationRequirements: + emailVerification: true + uiSchemaId: uisgu3bb4zTbvwD8S1d7 + progressiveProfilingAction: DISABLED + allowedIdentifiers: + - login + - customAttribute + update-device-signal-collection-rule-response: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + summary: >- + Device signal collection policy - collect context for Okta Verify + devices + value: + id: rul7yut96gmsOzKAA1d6 + status: ACTIVE + name: Device signal collection rule + priority: 0 + created: '2023-05-01T21:13:15.000Z' + lastUpdated: '2023-05-01T21:13:15.000Z' + system: false + conditions: null + actions: + deviceSignalCollection: + deviceContextProviders: + - key: OKTA_VERIFY + userIdentification: IGNORE + - key: DEVICE_POSTURE_IDP + id: 
0oa159mE9aOSpCwmr0g4 + type: DEVICE_SIGNAL_COLLECTION + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 + hints: + allow: + - GET + - PUT + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + policies: + id: okta.policies.policies + name: policies + title: Policies + methods: + list_policies: + operation: + $ref: '#/paths/~1api~1v1~1policies/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_policy: + operation: + $ref: '#/paths/~1api~1v1~1policies/post' + response: + mediaType: application/json + openAPIDocKey: '200' + create_policy_simulation: + operation: + $ref: '#/paths/~1api~1v1~1policies~1simulate/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_policy: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_policy: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_policy: + operation: + $ref: 
'#/paths/~1api~1v1~1policies~1{policyId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + clone_policy: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1clone/post' + response: + mediaType: application/json + openAPIDocKey: '200' + activate_policy: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1lifecycle~1activate/post' + response: + mediaType: '' + openAPIDocKey: '204' + deactivate_policy: + operation: + $ref: >- + #/paths/~1api~1v1~1policies~1{policyId}~1lifecycle~1deactivate/post + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/policies/methods/list_policies' + - $ref: '#/components/x-stackQL-resources/policies/methods/get_policy' + insert: + - $ref: '#/components/x-stackQL-resources/policies/methods/create_policy' + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/policies/methods/delete_policy' + replace: + - $ref: '#/components/x-stackQL-resources/policies/methods/replace_policy' + policy_apps: + id: okta.policies.policy_apps + name: policy_apps + title: Policy Apps + methods: + list_policy_apps: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1app/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/policy_apps/methods/list_policy_apps + insert: [] + update: [] + delete: [] + replace: [] + policy_mappings: + id: okta.policies.policy_mappings + name: policy_mappings + title: Policy Mappings + methods: + list_policy_mappings: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1mappings/get' + response: + mediaType: application/json + openAPIDocKey: '200' + map_resource_to_policy: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1mappings/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_policy_mapping: + operation: + $ref: 
'#/paths/~1api~1v1~1policies~1{policyId}~1mappings~1{mappingId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_policy_resource_mapping: + operation: + $ref: >- + #/paths/~1api~1v1~1policies~1{policyId}~1mappings~1{mappingId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/policy_mappings/methods/list_policy_mappings + - $ref: >- + #/components/x-stackQL-resources/policy_mappings/methods/get_policy_mapping + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/policy_mappings/methods/delete_policy_resource_mapping + replace: [] + policy_rules: + id: okta.policies.policy_rules + name: policy_rules + title: Policy Rules + methods: + list_policy_rules: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_policy_rule: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_policy_rule: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_policy_rule: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_policy_rule: + operation: + $ref: '#/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_policy_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}~1lifecycle~1activate/post + response: + mediaType: '' + openAPIDocKey: '204' + deactivate_policy_rule: + operation: + $ref: >- + #/paths/~1api~1v1~1policies~1{policyId}~1rules~1{ruleId}~1lifecycle~1deactivate/post + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - 
$ref: >- + #/components/x-stackQL-resources/policy_rules/methods/list_policy_rules + - $ref: >- + #/components/x-stackQL-resources/policy_rules/methods/get_policy_rule + insert: + - $ref: >- + #/components/x-stackQL-resources/policy_rules/methods/create_policy_rule + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/policy_rules/methods/delete_policy_rule + replace: + - $ref: >- + #/components/x-stackQL-resources/policy_rules/methods/replace_policy_rule +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/principal_rate_limits.yaml b/providers/src/okta/v00.00.00000/services/principal_rate_limits.yaml new file mode 100644 index 00000000..41663890 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/principal_rate_limits.yaml 
@@ -0,0 +1,515 @@ +openapi: 3.0.3 +info: + title: principal_rate_limits API + description: okta principal_rate_limits API + version: 5.1.0 +paths: + /api/v1/principal-rate-limits: + get: + summary: List all principal rate limits + description: >- + Lists all Principal Rate Limit entities considering the provided + parameters + operationId: listPrincipalRateLimitEntities + parameters: + - name: filter + in: query + description: >- + Filters the list of principal rate limit entities by the provided + principal type (`principalType`). For example, + + `filter=principalType eq "SSWS_TOKEN"` or `filter=principalType eq + "OAUTH_CLIENT"`. + schema: + type: string + required: true + - name: after + in: query + description: >- + The cursor to use for pagination. It's an opaque string that + specifies your current location in the list and is obtained from the + `Link` response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: string + - name: limit + in: query + description: Specifies the number of items to return in a single response page. 
+ schema: + type: integer + format: int32 + default: 20 + maximum: 50 + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSListAll: + $ref: '#/components/examples/PrincipalRateLimitsSSWSListAllExample' + OAuthClientListAll: + $ref: >- + #/components/examples/PrincipalRateLimitsOAuthClientListAllExample + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.principalRateLimits.read + tags: + - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a principal rate limit + description: >- + Creates a new principal rate limit entity. Okta only allows one + principal rate limit entity per org and principal. + operationId: createPrincipalRateLimitEntity + x-codegen-request-body-name: entity + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSToken: + $ref: '#/components/examples/PrincipalRateLimitEntityRequestSSWSToken' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSToken: + $ref: >- + #/components/examples/PrincipalRateLimitEntityResponseSSWSToken + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.principalRateLimits.manage + tags: + - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + 
/api/v1/principal-rate-limits/{principalRateLimitId}: + get: + summary: Retrieve a principal rate limit + description: Retrieves a principal rate limit entity by `principalRateLimitId` + operationId: getPrincipalRateLimitEntity + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSToken: + $ref: >- + #/components/examples/PrincipalRateLimitEntityResponseSSWSToken + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.principalRateLimits.read + tags: + - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a principal rate limit + description: Replaces a principal rate limit entity by `principalRateLimitId` + operationId: replacePrincipalRateLimitEntity + x-codegen-request-body-name: entity + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSToken: + $ref: >- + #/components/examples/PrincipalRateLimitEntityReplaceRequestSSWSToken + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PrincipalRateLimitEntity' + examples: + SSWSToken: + $ref: >- + #/components/examples/PrincipalRateLimitEntityReplaceResponseSSWSToken + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.principalRateLimits.manage + tags: + - PrincipalRateLimit + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: 
'#/components/parameters/pathPrincipalRateLimitId' +components: + schemas: + PrincipalRateLimitEntity: + title: PrincipalRateLimitEntity + description: '' + type: object + properties: + createdBy: + description: >- + The Okta user ID of the user who created the principle rate limit + entity + type: string + readOnly: true + createdDate: + description: The date and time the principle rate limit entity was created + type: string + format: date-time + readOnly: true + defaultConcurrencyPercentage: + description: >- + The default percentage of a given concurrency limit threshold that + the owning principal can consume + type: integer + defaultPercentage: + description: >- + The default percentage of a given rate limit threshold that the + owning principal can consume + type: integer + id: + description: The unique identifier of the principle rate limit entity + type: string + readOnly: true + lastUpdate: + description: The date and time the principle rate limit entity was last updated + type: string + format: date-time + readOnly: true + lastUpdatedBy: + description: >- + The Okta user ID of the user who last updated the principle rate + limit entity + type: string + readOnly: true + orgId: + description: The unique identifier of the Okta org + type: string + readOnly: true + principalId: + description: >- + The unique identifier of the principal. This is the ID of the API + token or OAuth 2.0 app. + type: string + principalType: + $ref: '#/components/schemas/PrincipalType' + required: + - principalId + - principalType + PrincipalType: + description: The type of principal, either an API token or an OAuth 2.0 app + type: string + enum: + - OAUTH_CLIENT + - SSWS_TOKEN + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. 
This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathPrincipalRateLimitId: + name: principalRateLimitId + in: path + schema: + type: string + example: 0oacamvryxiyMqgiY1d7 + required: true + description: ID of the principal rate limit + examples: + PrincipalRateLimitsSSWSListAllExample: + summary: List all SSWS API token principal rate limits + value: + - id: prlh5hd7qct3aHDry1f6 + orgId: 00o7xut90ucsjAQ7S1e6 + principalId: 00T14q3ns31qMEJUU1d7 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 50 + lastUpdate: '2024-09-12T17:28:56.000Z' + lastUpdatedBy: 00uid52637YwIXkJq1d4 + createdDate: '2024-09-12T17:28:56.000Z' + createdBy: 00u7xut94qEWYx5ss1d4 + - id: prlid6w9ilOWlVbpG1f6 + orgId: 
00o7xut90ucsjAQ7S1e6 + principalId: 00T16ewcxyIrMV6Lb1d7 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 50 + lastUpdate: '2024-11-13T17:07:14.000Z' + lastUpdatedBy: 00uid52637YwIXkJq1d4 + createdDate: '2024-11-13T17:07:14.000Z' + createdBy: 00uid52637YwIXkJq1d4 + PrincipalRateLimitsOAuthClientListAllExample: + summary: List all OAuth 2.0 client principal rate limits + value: + - id: prl7yh347wuzN5P1C1e7 + orgId: 00o7xut90ucsjAQ7S1e6 + principalId: 0oa7yh346zIE1y84p1e7 + principalType: OAUTH_CLIENT + defaultPercentage: 40 + defaultConcurrencyPercentage: 40 + lastUpdate: '2024-11-29T14:56:06.000Z' + lastUpdatedBy: 00uid52637YwIXkJq1d4 + createdDate: '2023-05-02T20:37:38.000Z' + createdBy: 00uid52637YwIXkJq1d4 + - id: prlbqdob5bhM6nff61e7 + orgId: 00o7xut90ucsjAQ7S1e6 + principalId: 0oabqdob4da0JGuMf1e7 + principalType: OAUTH_CLIENT + defaultPercentage: 50 + defaultConcurrencyPercentage: 50 + lastUpdate: '2023-12-07T21:58:02.000Z' + lastUpdatedBy: 00uid52637YwIXkJq1d4 + createdDate: '2023-12-07T21:58:02.000Z' + createdBy: 00uid52637YwIXkJq1d4 + - id: prlcamvrzvkglWHqR1e7 + orgId: 00o7xut90ucsjAQ7S1d7 + principalId: 0oacamvryxiyMqgiY1e7 + principalType: OAUTH_CLIENT + defaultPercentage: 50 + defaultConcurrencyPercentage: 50 + lastUpdate: '2024-01-12T20:59:18.000Z' + lastUpdatedBy: 00uid52637YwIXkJq1d4 + createdDate: '2024-01-12T20:59:18.000Z' + createdBy: 00uid52637YwIXkJq1d4 + PrincipalRateLimitEntityRequestSSWSToken: + summary: Create a principal rate limit entity request example + value: + principalId: prlh5hd6act3aHDrr1f5 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 75 + PrincipalRateLimitEntityResponseSSWSToken: + summary: Create a principal rate limit entity response example + value: + id: 0oacamvryxiyMqgiY1e5 + orgId: org1234 + principalId: prlh5hd6act3aHDrr1f5 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 75 + createdDate: '2022-05-19T20:05:32.720Z' 
+ createdBy: 00u7xut94qEWYx5ss1d4 + lastUpdate: '2022-05-20T21:13:07.410Z' + lastUpdatedBy: 00u7xut94qEWYx5ss1d4 + PrincipalRateLimitEntityReplaceRequestSSWSToken: + summary: Replace a principal rate limit entity request + value: + principalId: prlh5hd6act3aHDrr1f5 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 75 + PrincipalRateLimitEntityReplaceResponseSSWSToken: + summary: Replace a principal rate limit entity response example + value: + id: 0oacamvryxiyMqgiY1e5 + orgId: org1234 + principalId: prlh5hd6act3aHDrr1f5 + principalType: SSWS_TOKEN + defaultPercentage: 50 + defaultConcurrencyPercentage: 75 + createdDate: '2022-05-19T20:05:32.720Z' + createdBy: 00u7xut94qEWYx5ss1d4 + lastUpdate: '2022-05-20T21:13:07.410Z' + lastUpdatedBy: 00u7xut94qEWYx5ss1d4 + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + principal_rate_limit_entities: + id: okta.principal_rate_limits.principal_rate_limit_entities + name: principal_rate_limit_entities + title: Principal Rate Limit Entities + methods: + list_principal_rate_limit_entities: + operation: + $ref: '#/paths/~1api~1v1~1principal-rate-limits/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_principal_rate_limit_entity: + operation: + $ref: '#/paths/~1api~1v1~1principal-rate-limits/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_principal_rate_limit_entity: + operation: + $ref: >- + #/paths/~1api~1v1~1principal-rate-limits~1{principalRateLimitId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_principal_rate_limit_entity: + operation: + $ref: >- + #/paths/~1api~1v1~1principal-rate-limits~1{principalRateLimitId}/put + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/principal_rate_limit_entities/methods/list_principal_rate_limit_entities + - $ref: >- + #/components/x-stackQL-resources/principal_rate_limit_entities/methods/get_principal_rate_limit_entity + insert: + - $ref: >- + #/components/x-stackQL-resources/principal_rate_limit_entities/methods/create_principal_rate_limit_entity + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/principal_rate_limit_entities/methods/replace_principal_rate_limit_entity +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. 
This can be a provided subdomain of
+ an official okta domain (okta.com, oktapreview.com, etc) or one of
+ your configured custom domains.
diff --git a/providers/src/okta/v00.00.00000/services/privileged_access.yaml b/providers/src/okta/v00.00.00000/services/privileged_access.yaml
new file mode 100644
index 00000000..83c14cd3
--- /dev/null
+++ b/providers/src/okta/v00.00.00000/services/privileged_access.yaml
@@ -0,0 +1,605 @@ +openapi: 3.0.3 +info: + title: privileged_access API + description: okta privileged_access API + version: 5.1.0 +paths: + /privileged-access/api/v1/service-accounts: + get: + summary: List all app service accounts + description: Lists all app service accounts + operationId: listAppServiceAccounts + parameters: + - $ref: '#/components/parameters/queryLimit' + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/matchQueryFilter' + responses: + '200': + description: Success + content: + application/json: + examples: + ListAppServiceAccounts: + $ref: '#/components/examples/ListAppServiceAccounts' + schema: + type: array + items: + $ref: '#/components/schemas/AppServiceAccount' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.serviceAccounts.read + tags: + - ServiceAccount + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + post: + summary: Create an app service account + description: Creates a new app service account for managing an app account + operationId: createAppServiceAccount + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AppServiceAccount' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AppServiceAccount' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.serviceAccounts.manage + tags: + - ServiceAccount + 
x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + /privileged-access/api/v1/service-accounts/{id}: + get: + summary: Retrieve an app service account + description: Retrieves an app service account specified by ID + operationId: getAppServiceAccount + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AppServiceAccount' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.serviceAccounts.read + tags: + - ServiceAccount + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + patch: + summary: Update an existing app service account + description: Updates an existing app service account specified by ID + operationId: updateAppServiceAccount + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AppServiceAccountForUpdate' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AppServiceAccount' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.serviceAccounts.manage + tags: + - ServiceAccount + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + delete: + summary: Delete an app service account + description: Deletes an app service account specified by ID + operationId: deleteAppServiceAccount + responses: + '204': + description: No Content + '400': + $ref: 
'#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.serviceAccounts.manage + tags: + - ServiceAccount + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/serviceAccountId' +components: + schemas: + AppServiceAccount: + type: object + properties: + containerGlobalName: + description: The key name of the app in the Okta Integration Network (OIN) + readOnly: true + type: string + example: salesforce + containerInstanceName: + description: The app instance label + readOnly: true + type: string + example: salesforce Prod 5 + containerOrn: + description: >- + The + [ORN](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#okta-resource-name-orn) + of the relevant resource. + + + Use the specific app ORN format + (`orn:{partition}:idp:{yourOrgId}:apps:{appType}:{appId}`) to + identify an Okta app instance in your org. 
+ type: string + example: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 + created: + type: string + format: date-time + description: Timestamp when the app service account was created + readOnly: true + description: + description: The description of the app service account + format: regex + maxLength: 255 + minLength: 0 + type: string + example: This is for accessing salesforce Prod-5 + id: + description: The UUID of the app service account + format: regex + pattern: >- + (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ + readOnly: true + type: string + example: a747a818-a4c4-4446-8a87-704216495a08 + lastUpdated: + type: string + format: date-time + description: Timestamp when the app service account was last updated + readOnly: true + name: + description: The user-defined name for the app service account + format: regex + maxLength: 50 + minLength: 1 + pattern: ^[\w\-_. ]+$ + type: string + example: salesforce Prod-5 account + ownerGroupIds: + description: A list of IDs of the Okta groups who own the app service account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + description: A list of IDs of the Okta users who own the app service account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00u11s48P9zGW8yqm0g5 + password: + type: string + writeOnly: true + description: >- + The app service account password. Required for apps that don't have + provisioning enabled or don't support password synchronization. + format: password + status: + $ref: '#/components/schemas/ServiceAccountStatus' + statusDetail: + $ref: '#/components/schemas/ServiceAccountStatusDetail' + username: + type: string + description: >- + The username that serves as the direct link to your managed app + account. Ensure that this value precisely matches the identifier of + the target app account. 
+ minLength: 1 + maxLength: 100 + example: testuser-salesforce-5@example.com + required: + - name + - containerOrn + - username + AppServiceAccountForUpdate: + type: object + properties: + description: + description: The description of the app service account + format: regex + maxLength: 255 + minLength: 0 + type: string + example: This is for accessing salesforce Prod-5 + name: + description: The user-defined name for the app service account + format: regex + maxLength: 50 + minLength: 1 + pattern: ^[\w\-_. ]+$ + type: string + example: salesforce Prod-5 account + ownerGroupIds: + description: A list of IDs of the Okta groups who own the app service account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + description: A list of IDs of the Okta users who own the app service account + type: array + items: + type: string + minItems: 0 + maxItems: 10 + example: + - 00u11s48P9zGW8yqm0g5 + ServiceAccountStatus: + description: Describes the current status of an app service account + example: UNSECURED + type: string + enum: + - ALERT + - ERROR + - INFO + - NO_ISSUES + - UNSECURED + x-enumDescriptions: + NO_ISSUES: The account is ready for use in Okta Privileged Access + UNSECURED: >- + The account needs to be assigned to a resource group and a project in + Okta Privileged Access + INFO: >- + An action involving the account is in progress in Okta Privileged + Access + ALERT: The account requires attention from an admin + ERROR: An error is preventing Okta Privileged Access from using the account + readOnly: true + ServiceAccountStatusDetail: + description: Describes the detailed status of an app service account + example: STAGED + type: string + enum: + - CREATION_FAILED + - MISSING_PASSWORD + - PENDING + - ROTATED + - ROTATING + - ROTATION_FAILED + - STAGED + - VAULTED + x-enumDescriptions: + PENDING: The account is being created + CREATION_FAILED: The account can't be created + STAGED: The account 
is in the Okta Privileged Access resource assignment area + ROTATING: >- + The account is assigned to a project in Okta Privileged Access. + Credentials are currently being synced using Okta Lifecycle + Management. + ROTATED: >- + The account is assigned to a project in Okta Privileged Access. + Password rotations are fulfilled by Okta Lifecycle Management. + ROTATION_FAILED: >- + The account is assigned to a project in Okta Privileged Access. An + error occurred while using Okta Lifecycle Management to rotate the + password. + VAULTED: >- + The account is assigned to a project in Okta Privileged Access. A + manually managed password is assigned to the account. + MISSING_PASSWORD: >- + The account is assigned to a project in Okta Privileged Access. A + password isn't assigned to the account. + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + parameters: + queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). 
+ matchQueryFilter: + name: match + description: >- + Searches for app service accounts where the account name (`name`), + username (`username`), app instance label (`containerInstanceName`), or + OIN app key name (`containerGlobalName`) contains the given value + in: query + required: false + schema: + type: string + minLength: 3 + maxLength: 255 + example: salesforce + serviceAccountId: + name: id + in: path + description: ID of an existing service account + required: true + schema: + type: string + examples: + ListAppServiceAccounts: + value: + - id: a747a818-a4c4-4446-8a87-704216495a08 + name: salesforce Prod-1 account + description: This is for accessing salesforce Prod-1 + username: testuser-salesforce-1@example.com + containerOrn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 + containerInstanceName: salesforce-1 + containerGlobalName: salesforce + ownerGroupIds: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + - 00u11s48P9zGW8yqm0g5 + status: NO_ISSUES + statusDetail: ROTATED + created: '2024-04-04T15:56:05.000Z' + lastUpdated: '2024-04-05T18:15:44.000Z' + - id: a747a818-a4c4-4446-8a87-704216495a09 + name: salesforce Prod-5 account + description: This is for accessing salesforce Prod-5 + username: testuser-salesforce-5@example.com + containerOrn: >- + orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 + containerInstanceName: salesforce-5 + containerGlobalName: salesforce + ownerGroupIds: + - 00g57qp78yZT2XBA40g7 + ownerUserIds: + - 00u11s48P9zGW8yqm0g5 + status: NO_ISSUES + statusDetail: ROTATED + created: '2024-04-04T15:56:05.000Z' + lastUpdated: '2024-04-05T18:15:44.000Z' + summary: List app service accounts + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: 
You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + x-stackQL-resources: + service_accounts: + id: okta.privileged_access.service_accounts + name: service_accounts + title: Service Accounts + methods: + list_app_service_accounts: + operation: + $ref: '#/paths/~1privileged-access~1api~1v1~1service-accounts/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_app_service_account: + operation: + $ref: '#/paths/~1privileged-access~1api~1v1~1service-accounts/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_app_service_account: + operation: + $ref: '#/paths/~1privileged-access~1api~1v1~1service-accounts~1{id}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_app_service_account: + operation: + $ref: '#/paths/~1privileged-access~1api~1v1~1service-accounts~1{id}/patch' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_app_service_account: + operation: + $ref: >- + #/paths/~1privileged-access~1api~1v1~1service-accounts~1{id}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/service_accounts/methods/list_app_service_accounts + - $ref: >- + #/components/x-stackQL-resources/service_accounts/methods/get_app_service_account + insert: + - $ref: >- + #/components/x-stackQL-resources/service_accounts/methods/create_app_service_account + update: + - $ref: >- + 
#/components/x-stackQL-resources/service_accounts/methods/update_app_service_account
+ delete:
+ - $ref: >-
+ #/components/x-stackQL-resources/service_accounts/methods/delete_app_service_account
+ replace: []
+servers:
+ - url: https://{subdomain}.okta.com/
+ variables:
+ subdomain:
+ default: my-org
+ description: >-
+ The domain of your organization. This can be a provided subdomain of
+ an official okta domain (okta.com, oktapreview.com, etc) or one of
+ your configured custom domains.
diff --git a/providers/src/okta/v00.00.00000/services/push_providers.yaml b/providers/src/okta/v00.00.00000/services/push_providers.yaml
new file mode 100644
index 00000000..2c6400ab
--- /dev/null
+++ b/providers/src/okta/v00.00.00000/services/push_providers.yaml
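Review bot: Every operation in the new `privileged_access.yaml` names `apiToken` and `oauth2` under `security:`, but the file's `components` block holds only `schemas`, `responses`, `parameters`, `examples` and `x-stackQL-resources`, with no `securitySchemes`. OpenAPI 3.0 requires each security requirement name to match a declared scheme, so strict validators flag these references and a reader of this file alone cannot tell how the credential is sent or where the `okta.serviceAccounts.read` / `okta.serviceAccounts.manage` split is defined, which matters for the create call whose request body carries a write-only `password`. Either declare both schemes under `components.securitySchemes` (listing those two scopes on the OAuth 2.0 scheme), or, if authentication is configured once at the provider level (presumably in `provider.yaml`, not visible here), drop the per-operation `security` entries so the document does not describe enforcement it cannot resolve. The visible part of the preceding rate-limit service file follows the same pattern.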
@@ -0,0 +1,582 @@ +openapi: 3.0.3 +info: + title: push_providers API + description: okta push_providers API + version: 5.1.0 +paths: + /api/v1/push-providers: + get: + summary: List all push providers + description: Lists all push providers + operationId: listPushProviders + parameters: + - name: type + in: query + description: Filters push providers by `providerType` + schema: + $ref: '#/components/schemas/ProviderType' + responses: + '200': + description: OK + content: + application/json: + example: + value: + - id: ppchvbeucdTgqeiGxR0g4 + providerType: APNS + name: Example Push Provider 1 + lastUpdatedDate: '2022-01-00T00:00:00.000Z' + configuration: + keyId: ABC123DEFG + teamId: DEF123GHIJ + fileName: fileName.p8 + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} + hints: + allow: + - DELETE + - GET + - PUT + - id: ppctekcmngGaqeiBxB0g4 + providerType: FCM + name: Example Push Provider 2 + lastUpdatedDate: '2022-01-00T00:00:00.000Z' + configuration: + projectId: PROJECT_ID + fileName: fileName.json + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} + hints: + allow: + - DELETE + - GET + - PUT + schema: + type: array + items: + $ref: '#/components/schemas/PushProvider' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.pushProviders.read + tags: + - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a push provider + description: >- + Creates a new push provider. Each Push Provider must have a unique + `name`. 
+ operationId: createPushProvider + x-codegen-request-body-name: pushProvider + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PushProvider' + examples: + APNs: + $ref: '#/components/examples/PushProviderAPNsRequest' + FCM: + $ref: '#/components/examples/PushProviderFCMRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PushProvider' + examples: + APNs: + $ref: '#/components/examples/PushProviderAPNsResponse' + FCM: + $ref: '#/components/examples/PushProviderFCMResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.pushProviders.manage + tags: + - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/push-providers/{pushProviderId}: + get: + summary: Retrieve a push provider + description: Retrieves a push provider by `pushProviderId` + operationId: getPushProvider + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PushProvider' + examples: + APNs: + $ref: '#/components/examples/PushProviderAPNsResponse' + FCM: + $ref: '#/components/examples/PushProviderFCMResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.pushProviders.read + tags: + - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a push provider + description: Replaces a push provider by `pushProviderId` + operationId: replacePushProvider + 
x-codegen-request-body-name: pushProvider + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PushProvider' + examples: + APNs: + $ref: '#/components/examples/PushProviderAPNsRequest' + FCM: + $ref: '#/components/examples/PushProviderFCMRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PushProvider' + examples: + APNs: + $ref: '#/components/examples/PushProviderAPNsResponse' + FCM: + $ref: '#/components/examples/PushProviderFCMResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.pushProviders.manage + tags: + - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a push provider + description: >- + Deletes a push provider by `pushProviderId`. If the push provider is + currently being used in the org by a custom authenticator, the delete + will not be allowed. 
+ operationId: deletePushProvider + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '409': + description: Conflict + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Cannot remove push provider in use by a custom app authenticator: + $ref: >- + #/components/examples/ErrorPushProviderUsedByCustomAppAuthenticator + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.pushProviders.manage + tags: + - PushProvider + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathPushProviderId' +components: + schemas: + ProviderType: + type: string + enum: + - APNS + - FCM + PushProvider: + title: PushProvider + type: object + properties: + id: + type: string + readOnly: true + description: Unique key for the Push Provider + lastUpdatedDate: + type: string + readOnly: true + description: Timestamp when the Push Provider was last modified + name: + type: string + description: Display name of the push provider + providerType: + $ref: '#/components/schemas/ProviderType' + _links: + $ref: '#/components/schemas/LinksSelf' + discriminator: + propertyName: providerType + mapping: + APNS: '#/components/schemas/APNSPushProvider' + FCM: '#/components/schemas/FCMPushProvider' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. 
+ errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathPushProviderId: + in: path + name: pushProviderId + required: true + description: Id of the push provider + schema: + type: string + examples: + PushProviderAPNsRequest: + value: + name: APNs Example + providerType: APNS + configuration: + keyId: KEY_ID + teamId: TEAM_ID + tokenSigningKey: >- + -----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE + KEY-----\n + fileName: fileName.p8 + PushProviderFCMRequest: + value: + name: FCM Example + providerType: FCM + configuration: + serviceAccountJson: + type: service_account + project_id: PROJECT_ID + private_key_id: KEY_ID + private_key: >- + -----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE + KEY-----\n + client_email: SERVICE_ACCOUNT_EMAIL + client_id: CLIENT_ID + auth_uri: https://accounts.google.com/o/oauth2/auth + token_uri: 
https://accounts.google.com/o/oauth2/token + auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs + client_x509_cert_url: >- + https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL + fileName: fileName.json + PushProviderAPNsResponse: + value: + id: ppctekcmngGaqeiBxB0g4 + name: APNs Example + providerType: APNS + lastUpdatedDate: '2022-01-01T00:00:00.000Z' + configuration: + keyId: KEY_ID + teamId: TEAM_ID + fileName: fileName.p8 + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 + hints: + allow: + - DELETE + - GET + - PUT + PushProviderFCMResponse: + value: + id: ppctekcmngGaqeiBxB0g4 + name: FCM Example + providerType: FCM + lastUpdatedDate: '2022-01-01T00:00:00.000Z' + configuration: + projectId: PROJECT_ID + fileName: fileName.p8 + _links: + self: + href: >- + https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 + hints: + allow: + - DELETE + - GET + - PUT + ErrorPushProviderUsedByCustomAppAuthenticator: + value: + errorCode: E0000187 + errorSummary: >- + Cannot delete push provider because it is being used by a custom app + authenticator. + errorLink: E0000187 + errorId: oaenwA1ra80S9W-pvbh4m6haA + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + push_providers: + id: okta.push_providers.push_providers + name: push_providers + title: Push Providers + methods: + list_push_providers: + operation: + $ref: '#/paths/~1api~1v1~1push-providers/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_push_provider: + operation: + $ref: '#/paths/~1api~1v1~1push-providers/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_push_provider: + operation: + $ref: '#/paths/~1api~1v1~1push-providers~1{pushProviderId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_push_provider: + operation: + $ref: '#/paths/~1api~1v1~1push-providers~1{pushProviderId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_push_provider: + operation: + $ref: '#/paths/~1api~1v1~1push-providers~1{pushProviderId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/push_providers/methods/list_push_providers + - $ref: >- + #/components/x-stackQL-resources/push_providers/methods/get_push_provider + insert: + - $ref: >- + #/components/x-stackQL-resources/push_providers/methods/create_push_provider + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/push_providers/methods/delete_push_provider + replace: + - $ref: >- + #/components/x-stackQL-resources/push_providers/methods/replace_push_provider +servers: + - url: https://{subdomain}.okta.com/ + 
variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/rate_limit_settings.yaml b/providers/src/okta/v00.00.00000/services/rate_limit_settings.yaml new file mode 100644 index 00000000..f160f835 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/rate_limit_settings.yaml 
@@ -0,0 +1,509 @@ +openapi: 3.0.3 +info: + title: rate_limit_settings API + description: okta rate_limit_settings API + version: 5.1.0 +paths: + /api/v1/rate-limit-settings/admin-notifications: + get: + summary: Retrieve the rate limit admin notification settings + description: >- + Retrieves the currently configured Rate Limit Admin Notification + Settings + operationId: getRateLimitSettingsAdminNotifications + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitAdminNotifications' + examples: + Enabled: + $ref: '#/components/examples/RateLimitAdminNotificationsEnabled' + Disabled: + $ref: '#/components/examples/RateLimitAdminNotificationsDisabled' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.read + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the rate limit admin notification settings + description: >- + Replaces the Rate Limit Admin Notification Settings and returns the + configured properties + operationId: replaceRateLimitSettingsAdminNotifications + x-codegen-request-body-name: RateLimitAdminNotifications + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitAdminNotifications' + examples: + Enabled: + $ref: '#/components/examples/RateLimitAdminNotificationsEnabled' + Disabled: + $ref: '#/components/examples/RateLimitAdminNotificationsDisabled' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitAdminNotifications' + examples: + Enabled: + $ref: '#/components/examples/RateLimitAdminNotificationsEnabled' + Disabled: + $ref: '#/components/examples/RateLimitAdminNotificationsDisabled' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' 
+ '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.manage + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/rate-limit-settings/per-client: + get: + summary: Retrieve the per-client rate limit settings + description: Retrieves the currently configured Per-Client Rate Limit Settings + operationId: getRateLimitSettingsPerClient + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PerClientRateLimitSettings' + examples: + EnforceDefault: + $ref: >- + #/components/examples/PerClientRateLimitSettingsEnforceDefault + EnforceDefaultWithOverrides: + $ref: >- + #/components/examples/PerClientRateLimitSettingsEnforceDefaultWithOverrides + PreviewDefaultWithOverrides: + $ref: >- + #/components/examples/PerClientRateLimitSettingsPreviewDefaultWithOverrides + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.read + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the per-client rate limit settings + description: >- + Replaces the Per-Client Rate Limit Settings and returns the configured + properties + operationId: replaceRateLimitSettingsPerClient + x-codegen-request-body-name: perClientRateLimitSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PerClientRateLimitSettings' + examples: + EnforceDefault: + $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefault' + EnforceDefaultWithOverrides: + $ref: >- + #/components/examples/PerClientRateLimitSettingsEnforceDefaultWithOverrides + PreviewDefaultWithOverrides: + $ref: >- + 
#/components/examples/PerClientRateLimitSettingsPreviewDefaultWithOverrides + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/PerClientRateLimitSettings' + examples: + EnforceDefault: + $ref: >- + #/components/examples/PerClientRateLimitSettingsEnforceDefault + EnforceDefaultWithOverrides: + $ref: >- + #/components/examples/PerClientRateLimitSettingsEnforceDefaultWithOverrides + PreviewDefaultWithOverrides: + $ref: >- + #/components/examples/PerClientRateLimitSettingsPreviewDefaultWithOverrides + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.manage + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/rate-limit-settings/warning-threshold: + get: + summary: Retrieve the rate limit warning threshold percentage + description: >- + Retrieves the currently configured threshold for warning notifications + when the API's rate limit is exceeded + operationId: getRateLimitSettingsWarningThreshold + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitWarningThresholdResponse' + examples: + ExampleThreshold: + $ref: '#/components/examples/RateLimitWarningThresholdValidExample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.read + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the rate limit warning threshold percentage + description: >- + Replaces the Rate Limit Warning Threshold Percentage and returns the + configured property + operationId: 
replaceRateLimitSettingsWarningThreshold + x-codegen-request-body-name: RateLimitWarningThreshold + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitWarningThresholdRequest' + examples: + ExampleThreshold: + $ref: '#/components/examples/RateLimitWarningThresholdValidExample' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitWarningThresholdResponse' + examples: + ExampleThreshold: + $ref: '#/components/examples/RateLimitWarningThresholdValidExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.rateLimits.manage + tags: + - RateLimitSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true +components: + schemas: + RateLimitAdminNotifications: + title: RateLimitAdminNotifications + description: '' + type: object + properties: + notificationsEnabled: + type: boolean + required: + - notificationsEnabled + PerClientRateLimitSettings: + title: PerClientRateLimitSettings + description: '' + type: object + properties: + defaultMode: + $ref: '#/components/schemas/PerClientRateLimitMode' + description: >- + The default PerClientRateLimitMode that applies to any use case in + the absence of a more specific override + useCaseModeOverrides: + description: >- + A map of Per-Client Rate Limit Use Case to the applicable + PerClientRateLimitMode. Overrides the `defaultMode` property for the + specified use cases. 
+ type: object + properties: + LOGIN_PAGE: + $ref: '#/components/schemas/PerClientRateLimitMode' + OAUTH2_AUTHORIZE: + $ref: '#/components/schemas/PerClientRateLimitMode' + OIE_APP_INTENT: + $ref: '#/components/schemas/PerClientRateLimitMode' + required: + - defaultMode + RateLimitWarningThresholdResponse: + title: RateLimitWarningThreshold + description: '' + type: object + properties: + warningThreshold: + description: >- + The threshold value (percentage) of a rate limit that, when + exceeded, triggers a warning notification. By default, this value is + 90 for Workforce orgs and 60 for CIAM orgs. + type: integer + minimum: 30 + maximum: 90 + RateLimitWarningThresholdRequest: + title: RateLimitWarningThreshold + description: '' + type: object + properties: + warningThreshold: + description: >- + The threshold value (percentage) of a rate limit that, when + exceeded, triggers a warning notification. By default, this value is + 90 for Workforce orgs and 60 for CIAM orgs. + type: integer + minimum: 30 + maximum: 90 + required: + - warningThreshold + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ PerClientRateLimitMode: + type: string + enum: + - DISABLE + - ENFORCE + - PREVIEW + ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + examples: + RateLimitAdminNotificationsEnabled: + value: + notificationsEnabled: true + RateLimitAdminNotificationsDisabled: + value: + notificationsEnabled: false + PerClientRateLimitSettingsEnforceDefault: + value: + defaultMode: ENFORCE + PerClientRateLimitSettingsEnforceDefaultWithOverrides: + value: + defaultMode: ENFORCE + useCaseModeOverrides: + OAUTH2_AUTHORIZE: PREVIEW + OIE_APP_INTENT: DISABLE + PerClientRateLimitSettingsPreviewDefaultWithOverrides: + value: + defaultMode: PREVIEW + useCaseModeOverrides: + LOGIN_PAGE: ENFORCE + RateLimitWarningThresholdValidExample: + value: + warningThreshold: 66 + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + x-stackQL-resources: + admin_notifications: + id: okta.rate_limit_settings.admin_notifications + name: admin_notifications + title: Admin Notifications + methods: + get_rate_limit_settings_admin_notifications: + operation: + $ref: '#/paths/~1api~1v1~1rate-limit-settings~1admin-notifications/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_rate_limit_settings_admin_notifications: + operation: + $ref: '#/paths/~1api~1v1~1rate-limit-settings~1admin-notifications/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/admin_notifications/methods/get_rate_limit_settings_admin_notifications + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/admin_notifications/methods/replace_rate_limit_settings_admin_notifications + rate_limit_settings_per_client: + id: okta.rate_limit_settings.rate_limit_settings_per_client + name: rate_limit_settings_per_client + title: Rate Limit Settings Per Client + methods: + get_rate_limit_settings_per_client: + operation: + $ref: '#/paths/~1api~1v1~1rate-limit-settings~1per-client/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_rate_limit_settings_per_client: + operation: + $ref: '#/paths/~1api~1v1~1rate-limit-settings~1per-client/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/rate_limit_settings_per_client/methods/get_rate_limit_settings_per_client + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + 
#/components/x-stackQL-resources/rate_limit_settings_per_client/methods/replace_rate_limit_settings_per_client + warning_thresholds: + id: okta.rate_limit_settings.warning_thresholds + name: warning_thresholds + title: Warning Thresholds + methods: + get_rate_limit_settings_warning_threshold: + operation: + $ref: '#/paths/~1api~1v1~1rate-limit-settings~1warning-threshold/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_rate_limit_settings_warning_threshold: + operation: + $ref: '#/paths/~1api~1v1~1rate-limit-settings~1warning-threshold/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/warning_thresholds/methods/get_rate_limit_settings_warning_threshold + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/warning_thresholds/methods/replace_rate_limit_settings_warning_threshold +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/realm_assignments.yaml b/providers/src/okta/v00.00.00000/services/realm_assignments.yaml new file mode 100644 index 00000000..d2890f2c --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/realm_assignments.yaml 
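Review bot: The `put` on `/api/v1/rate-limit-settings/warning-threshold` declares its `requestBody` without `required: true`, unlike the `put` operations on `admin-notifications` and `per-client` in the same file. The document therefore describes a replace with no body as valid, even though `RateLimitWarningThresholdRequest` lists `warningThreshold` as required. Clients or validators built from this spec would let an empty request through and leave rejection to the server's 400 path. I would add `required: true` under that `requestBody`, after its `content` block. If this file is generated from an upstream Okta spec, the fix probably belongs in the generator input rather than in this file.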
@@ -0,0 +1,1000 @@ +openapi: 3.0.3 +info: + title: realm_assignments API + description: okta realm_assignments API + version: 5.1.0 +paths: + /api/v1/realm-assignments: + get: + x-okta-lifecycle: + lifecycle: GA + summary: List all realm assignments + description: Lists all realm assignments + operationId: listRealmAssignments + parameters: + - $ref: '#/components/parameters/queryLimit' + - name: after + in: query + description: >- + The cursor used for pagination. It represents the priority of the + last realm assignment returned in the previous fetch operation. + schema: + type: string + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/RealmAssignment' + examples: + AssignmentLists: + $ref: '#/components/examples/ListRealmAssignmentsResponse' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.read + tags: + - RealmAssignment + post: + x-okta-lifecycle: + lifecycle: GA + summary: Create a realm assignment + description: Creates a new realm assignment + operationId: createRealmAssignment + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateRealmAssignmentRequest' + examples: + Create Realm Assignments: + $ref: '#/components/examples/CreateRealmAssignmentRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/RealmAssignment' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + 
/api/v1/realm-assignments/operations: + get: + x-okta-lifecycle: + lifecycle: GA + summary: List all realm assignment operations + description: >- + Lists all realm assignment operations. The upper limit is 200 and + operations are sorted in descending order from most recent to oldest by + ID. + operationId: listRealmAssignmentOperations + parameters: + - $ref: '#/components/parameters/queryLimit' + - $ref: '#/components/parameters/queryAfter' + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OperationResponse' + examples: + Executions: + value: + - id: rre4mje4ez6B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + realmId: 00g1b7rvh0xPLKXFf0g5 + realmName: Realm Name + assignmentOperation: + configuration: + id: 0pr1b7rxZj2ibQzfP0g5 + name: Realm Assignment 1 + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + numUserMoved: 50 + _links: + self: + rel: self + href: >- + http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7 + method: GET + - id: rre4mje4ez7B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + assignmentOperation: + configuration: + id: ALL + name: All Assignments + numUserMoved: 50 + _links: + self: + rel: self + href: >- + http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7 + method: GET + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.read + tags: + - RealmAssignment + post: + x-okta-lifecycle: + lifecycle: 
GA + summary: Execute a realm assignment + description: Executes a realm assignment + operationId: executeRealmAssignment + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OperationRequest' + examples: + ExecuteSpecificAssignment: + value: + assignmentId: 0pr1b7rxZj2ibQzfP0g5 + ExecuteAllAssignments: + value: + assignmentId: ALL + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/OperationResponse' + examples: + Execution: + $ref: '#/components/examples/OperationResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + /api/v1/realm-assignments/{assignmentId}: + get: + x-okta-lifecycle: + lifecycle: GA + summary: Retrieve a realm assignment + description: Retrieves a realm assignment + operationId: getRealmAssignment + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RealmAssignment' + examples: + RealmAssignment: + $ref: '#/components/examples/GetRealmAssignmentResponse' + CatchAllRealmAssignment: + $ref: '#/components/examples/DefaultRealmAssignment' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.read + tags: + - RealmAssignment + put: + x-okta-lifecycle: + lifecycle: GA + summary: Replace a realm assignment + description: Replaces a realm assignment + operationId: replaceRealmAssignment + x-codegen-request-body-name: 
body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateRealmAssignmentRequest' + examples: + Replace Realm Assignment: + $ref: '#/components/examples/CreateRealmAssignmentRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RealmAssignment' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + delete: + x-okta-lifecycle: + lifecycle: GA + summary: Delete a realm assignment + description: Deletes a realm assignment + operationId: deleteRealmAssignment + responses: + '204': + description: No Content + content: {} + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + parameters: + - $ref: '#/components/parameters/assignmentId' + /api/v1/realm-assignments/{assignmentId}/lifecycle/activate: + post: + x-okta-lifecycle: + lifecycle: GA + summary: Activate a realm assignment + description: Activates a realm assignment + operationId: activateRealmAssignment + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: 
'#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + parameters: + - $ref: '#/components/parameters/assignmentId' + /api/v1/realm-assignments/{assignmentId}/lifecycle/deactivate: + post: + x-okta-lifecycle: + lifecycle: GA + summary: Deactivate a realm assignment + description: Deactivates a realm assignment + operationId: deactivateRealmAssignment + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realmAssignments.manage + tags: + - RealmAssignment + parameters: + - $ref: '#/components/parameters/assignmentId' +components: + schemas: + RealmAssignment: + type: object + properties: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + created: + description: Timestamp when the realm assignment was created + type: string + format: date-time + readOnly: true + domains: + type: array + description: >- + Array of allowed domains. No user in this realm can be created or + updated unless they have a username and email from one of these + domains. + + + The following characters aren't allowed in the domain name: + `!$%^&()=*+,:;<>'[]|/?\` + id: + description: Unique ID of the realm assignment + type: string + readOnly: true + isDefault: + description: >- + Indicates the default realm. Existing users will start out in the + default realm and can be moved individually to other realms. 
+ type: boolean + readOnly: true + lastUpdated: + description: Timestamp of when the realm assignment was updated + type: string + format: date-time + readOnly: true + name: + description: Name of the realm + type: string + priority: + type: integer + description: >- + The priority of the realm assignment. The lower the number, the + higher the priority. This helps resolve conflicts between realm + assignments. + + > **Note:** When you create realm assignments in bulk, realm + assignment priorities must be unique. + status: + $ref: '#/components/schemas/LifecycleStatus' + _links: + $ref: '#/components/schemas/LinksSelf' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + CreateRealmAssignmentRequest: + type: object + properties: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + name: + type: string + description: Name of the realm + priority: + type: integer + description: >- + The priority of the realm assignment. The lower the number, the + higher the priority. This helps resolve conflicts between realm + assignments. + + > **Note:** When you create realm assignments in bulk, realm + assignment priorities must be unique. 
+ OperationResponse: + type: object + properties: + assignmentOperation: + type: object + description: Definition of the realm assignment operation + properties: + configuration: + description: Configuration defintion of the realm + type: object + properties: + actions: + type: object + description: Realm assignment action + properties: + assignUserToRealm: + type: object + description: Action that assigns a user to a realm + properties: + realmId: + description: ID of the realm + type: string + conditions: + $ref: '#/components/schemas/Conditions' + id: + type: string + description: ID of the realm assignment operation + name: + type: string + description: Name of the realm assignment operation + completed: + description: Timestamp when the realm assignment operation completed + type: string + format: date-time + readOnly: true + created: + description: Timestamp when the realm assignment operation was created + type: string + format: date-time + readOnly: true + id: + description: ID of the realm + type: string + readOnly: true + numUserMoved: + description: Number of users moved + type: number + readOnly: true + realmId: + description: ID of the realm + type: string + readOnly: true + realmName: + description: Name of the realm + type: string + readOnly: true + started: + description: Timestamp when the realm assignment operation started + type: string + format: date-time + readOnly: true + status: + description: Current status of the operation + type: string + readOnly: true + enum: + - COMPLETED + - SCHEDULED + - IN_PROGRESS + - FAILED + type: + description: Realm type + type: string + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' + OperationRequest: + type: object + properties: + assignmentId: + type: string + description: ID of the realm + UpdateRealmAssignmentRequest: + type: object + properties: + actions: + $ref: '#/components/schemas/Actions' + conditions: + $ref: '#/components/schemas/Conditions' + name: + type: string + priority: + 
type: integer + description: >- + The priority of the realm assignment. The lower the number, the + higher the priority. This helps resolve conflicts between realm + assignments. + + > **Note:** When you create realm assignments in bulk, realm + assignment priorities must be unique. + Actions: + description: Action to apply to a user + type: object + properties: + assignUserToRealm: + $ref: '#/components/schemas/AssignUserToRealm' + Conditions: + description: Conditions of applying realm assignment + type: object + properties: + expression: + $ref: '#/components/schemas/Expression' + profileSourceId: + description: ID of the profile source + type: string + LifecycleStatus: + type: string + enum: + - ACTIVE + - INACTIVE + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + AssignUserToRealm: + description: Action that assigns a user to a realm + type: object + properties: + realmId: + description: ID of the realm + type: string + Expression: + description: Conditional expression + type: object + properties: + value: + description: Value of the condition expression + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). 
+ assignmentId: + name: assignmentId + description: ID of the realm assignment + in: path + required: true + schema: + type: string + example: rul2jy7jLUlnO3ng00g4 + examples: + ListRealmAssignmentsResponse: + value: + - id: rul2jy7jLUlnO3ng00g4 + status: ACTIVE + name: Realm Assignment 1 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + domains: + - atko.com + - user.com + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: user.profile.role ==\"Manager\" + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + priority: 0 + _links: + self: + rel: self + href: >- + http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4 + method: GET + - id: rul2jy7jLUlnO5ng00g4 + status: ACTIVE + name: Catch-all + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + domains: + - atko.com + - user.com + conditions: + profileSourceId: 0oa4enoRyjwSCy6hx0g4, + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf2g5 + priority: 499 + _links: + self: + rel: self + href: >- + http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4 + method: GET + CreateRealmAssignmentRequest: + value: + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: user.profile.role ==\"Manager\" + name: Realm Assignment 1 + priority: 0 + OperationResponse: + value: + id: rre4mje4ez6B2a7B60g7 + type: realm:assignment + status: COMPLETED + created: '2023-10-25T21:02:54.000Z' + started: '2023-10-25T21:02:54.000Z' + completed: '2023-10-25T21:02:54.000Z' + realmId: 00g1b7rvh0xPLKXFf0g5 + realmName: Realm Name + assignmentOperation: + configuration: + id: 0pr1b7rxZj2ibQzfP0g5 + name: Realm Assignment 1 + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 
00g1b7rvh0xPLKXFf0g5 + numUserMoved: 50 + _links: + self: + rel: self + href: >- + http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7 + method: GET + GetRealmAssignmentResponse: + value: + id: rul2jy7jLUlnO3ng00g4 + status: ACTIVE + name: Realm Assignment 1 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + domains: + - atko.com + - user.com + conditions: + profileSourceId: 0oa4enoRyjwSCy5hx0g4 + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf0g5 + priority: 0 + _links: + self: + rel: self + href: >- + http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4 + method: GET + DefaultRealmAssignment: + value: + id: rul2jy7jLUlnO5ng00g4 + status: ACTIVE + name: Catch-all + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + conditions: + profileSourceId: 0oa4enoRyjwSCy6hx0g4, + expression: + value: string + actions: + assignUserToRealm: + realmId: 00g1b7rvh0xPLKXFf2g5 + priority: 499 + _links: + self: + rel: self + href: >- + http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4 + method: GET + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + realm_assignments: + id: okta.realm_assignments.realm_assignments + name: realm_assignments + title: Realm Assignments + methods: + list_realm_assignments: + operation: + $ref: '#/paths/~1api~1v1~1realm-assignments/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_realm_assignment: + operation: + $ref: '#/paths/~1api~1v1~1realm-assignments/post' + response: + mediaType: application/json + openAPIDocKey: '201' + execute_realm_assignment: + operation: + $ref: '#/paths/~1api~1v1~1realm-assignments~1operations/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_realm_assignment: + operation: + $ref: '#/paths/~1api~1v1~1realm-assignments~1{assignmentId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_realm_assignment: + operation: + $ref: '#/paths/~1api~1v1~1realm-assignments~1{assignmentId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_realm_assignment: + operation: + $ref: '#/paths/~1api~1v1~1realm-assignments~1{assignmentId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_realm_assignment: + operation: + $ref: >- + #/paths/~1api~1v1~1realm-assignments~1{assignmentId}~1lifecycle~1activate/post + 
response: + mediaType: '' + openAPIDocKey: '204' + deactivate_realm_assignment: + operation: + $ref: >- + #/paths/~1api~1v1~1realm-assignments~1{assignmentId}~1lifecycle~1deactivate/post + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/realm_assignments/methods/list_realm_assignments + - $ref: >- + #/components/x-stackQL-resources/realm_assignments/methods/get_realm_assignment + insert: + - $ref: >- + #/components/x-stackQL-resources/realm_assignments/methods/create_realm_assignment + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/realm_assignments/methods/delete_realm_assignment + replace: + - $ref: >- + #/components/x-stackQL-resources/realm_assignments/methods/replace_realm_assignment + realm_assignment_operations: + id: okta.realm_assignments.realm_assignment_operations + name: realm_assignment_operations + title: Realm Assignment Operations + methods: + list_realm_assignment_operations: + operation: + $ref: '#/paths/~1api~1v1~1realm-assignments~1operations/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/realm_assignment_operations/methods/list_realm_assignment_operations + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/realms.yaml b/providers/src/okta/v00.00.00000/services/realms.yaml new file mode 100644 index 00000000..6d8edde4 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/realms.yaml 
@@ -0,0 +1,588 @@ +openapi: 3.0.3 +info: + title: realms API + description: okta realms API + version: 5.1.0 +paths: + /api/v1/realms: + get: + x-okta-lifecycle: + lifecycle: GA + summary: List all realms + description: Lists all Realms + operationId: listRealms + parameters: + - name: limit + in: query + description: >- + Specifies the number of results returned. Defaults to 10 if `search` + is provided. + schema: + type: integer + format: int32 + default: 200 + - $ref: '#/components/parameters/queryAfter' + - name: search + in: query + description: >- + Searches for realms with a supported filtering expression for most + properties. + + + Searches for realms can be filtered by the contains (`co`) operator. + You can only use `co` with the `profile.name` property. See + [Operators](https://developer.okta.com/docs/api/#operators). + schema: + type: string + - name: sortBy + in: query + description: >- + Specifies the field to sort by and can be any single property (for + search queries only) + schema: + type: string + example: profile.name + - name: sortOrder + in: query + description: >- + Specifies the sort order: `asc` or `desc` (for search queries only). + This parameter is ignored if `sortBy` isn't present. 
+ schema: + type: string + default: asc + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Realm' + examples: + Realm Lists: + $ref: '#/components/examples/ListRealmsResponse' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.read + tags: + - Realm + post: + x-okta-lifecycle: + lifecycle: GA + summary: Create a realm + description: Creates a new realm + operationId: createRealm + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateRealmRequest' + examples: + Create a realm: + $ref: '#/components/examples/CreateRealmRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Realm' + examples: + Realm Lists: + $ref: '#/components/examples/ListRealmsResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.manage + tags: + - Realm + /api/v1/realms/{realmId}: + get: + x-okta-lifecycle: + lifecycle: GA + summary: Retrieve a realm + description: Retrieves a realm + operationId: getRealm + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Realm' + examples: + DefaultRealm: + $ref: '#/components/examples/DefaultRealmResponse' + NonDefaultRealm: + $ref: '#/components/examples/RealmResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + 
'429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.read + tags: + - Realm + put: + x-okta-lifecycle: + lifecycle: GA + summary: Replace the realm profile + description: Replaces the realm profile + operationId: replaceRealm + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateRealmRequest' + examples: + Replace a realm: + $ref: '#/components/examples/CreateRealmRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Realm' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.manage + tags: + - Realm + delete: + x-okta-lifecycle: + lifecycle: GA + summary: Delete a realm + description: >- + Deletes a realm permanently. This operation can only be performed after + disassociating other entities like users and identity providers from a + realm. 
+ operationId: deleteRealm + responses: + '204': + description: No Content + content: {} + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.realms.manage + tags: + - Realm + parameters: + - $ref: '#/components/parameters/pathRealmId' +components: + schemas: + Realm: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the realm was created + readOnly: true + id: + type: string + description: Unique ID for the realm + readOnly: true + isDefault: + type: boolean + description: >- + Indicates the default realm. Existing users will start out in the + default realm and can be moved to other realms individually or + through realm assignments. See [Realms Assignments + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RealmAssignment/). + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the realm was updated + readOnly: true + profile: + $ref: '#/components/schemas/RealmProfile' + _links: + $ref: '#/components/schemas/LinksSelf' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. 
+ errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + CreateRealmRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/RealmProfile' + UpdateRealmRequest: + type: object + properties: + profile: + $ref: '#/components/schemas/RealmProfile' + RealmProfile: + type: object + properties: + domains: + type: array + description: >- + Array of allowed domains. No user in this realm can be created or + updated unless they have a username and email from one of these + domains. + + + The following characters aren't allowed in the domain name: + `!$%^&()=*+,:;<>'[]|/?\` + name: + type: string + description: Name of a realm + realmType: + type: string + description: >- + Used to store partner users. This property must be set to `PARTNER` + to access Okta's external partner portal. + enum: + - PARTNER + - DEFAULT + x-enumDescriptions: + PARTNER: Realm with external partner portal + DEFAULT: Default + required: + - name + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: 
'#/components/examples/ErrorResourceNotFound' + parameters: + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + pathRealmId: + name: realmId + description: ID of the realm + in: path + required: true + schema: + type: string + example: vvrcFogtKCrK9aYq3fgV + examples: + ListRealmsResponse: + value: + - id: guox9jQ16k9V8IFEL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + profile: + name: Car Co + realmType: PARTNER + domains: + - atko.com + - user.com + _links: + self: + rel: self + href: >- + http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 + method: GET + CreateRealmRequest: + value: + profile: + name: Car Co + realmType: PARTNER + domains: + - atko.com + - user.com + DefaultRealmResponse: + value: + id: guox9jQ16k9V8IQWL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: true + profile: + name: Default realm + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IQWL0g3 + method: GET + RealmResponse: + value: + id: guox9jQ16k9V8IFEL0g3 + created: '2022-04-04T15:56:05.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + isDefault: false + profile: + name: Car Co + domains: + - atko.com + - user.com + _links: + self: + rel: self + href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 + method: GET + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + realms: + id: okta.realms.realms + name: realms + title: Realms + methods: + list_realms: + operation: + $ref: '#/paths/~1api~1v1~1realms/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_realm: + operation: + $ref: '#/paths/~1api~1v1~1realms/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_realm: + operation: + $ref: '#/paths/~1api~1v1~1realms~1{realmId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_realm: + operation: + $ref: '#/paths/~1api~1v1~1realms~1{realmId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_realm: + operation: + $ref: '#/paths/~1api~1v1~1realms~1{realmId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/realms/methods/list_realms' + - $ref: '#/components/x-stackQL-resources/realms/methods/get_realm' + insert: + - $ref: '#/components/x-stackQL-resources/realms/methods/create_realm' + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/realms/methods/delete_realm' + replace: + - $ref: '#/components/x-stackQL-resources/realms/methods/replace_realm' +servers: + - url: https://{subdomain}.okta.com/ + variables: + 
subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/risk.yaml b/providers/src/okta/v00.00.00000/services/risk.yaml new file mode 100644 index 00000000..0d889ec5 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/risk.yaml 
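Review bot: Every operation in the new realms.yaml declares `security` with `apiToken: []` and an `oauth2` entry scoped to `okta.realms.read` or `okta.realms.manage`, but its `components` block (schemas, responses, parameters, examples, x-stackQL-resources) defines no `securitySchemes`, so neither scheme name resolves inside this document. A validator or generated client therefore cannot tell how the token is presented or which flow issues the scopes. If StackQL supplies authentication from provider.yaml this may be intentional, but the spec then fails standalone validation, so I would add the schemes under `components` as sketched below, listing only the two scopes this file uses. The `components` block of the realm-assignments spec earlier in this diff appears to have the same gap. Separately, the example `href` values use `http://your-subdomain.okta.com/...` while `servers` declares `https://{subdomain}.okta.com/`; switching the examples to `https://` keeps copied samples from sending a token in clear text.

```yaml
components:
  # … unchanged: schemas, responses, parameters, examples, x-stackQL-resources …
  securitySchemes:
    apiToken:
      type: apiKey
      in: header
      name: Authorization
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          # confirm both endpoints against the org authorization server in use
          authorizationUrl: /oauth2/v1/authorize
          tokenUrl: /oauth2/v1/token
          scopes:
            okta.realms.read: 'Read realms'
            okta.realms.manage: 'Create, replace and delete realms'
```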
@@ -0,0 +1,678 @@ +openapi: 3.0.3 +info: + title: risk API + description: okta risk API + version: 5.1.0 +paths: + /api/v1/risk/events/ip: + post: + deprecated: true + summary: Send multiple risk events + description: >- + Sends multiple IP risk events to Okta. + + This request is used by a third-party risk provider to send IP risk + events to Okta. The third-party risk provider needs to be registered + with Okta before they can send events to Okta. See [Risk + Providers](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RiskProvider/). + + This API has a rate limit of 30 requests per minute. You can include + multiple risk events (up to a maximum of 20 events) in a single payload + to reduce the number of API calls. Prioritize sending high risk signals + if you have a burst of signals to send that would exceed the maximum + request limits. + operationId: sendRiskEvents + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/RiskEvent' + examples: + RiskEventsRequestExample: + $ref: '#/components/examples/RiskEventsRequestExample' + required: true + responses: + '202': + description: Accepted + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskEvents.manage + tags: + - RiskEvent + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/risk/providers: + get: + deprecated: true + summary: List all risk providers + description: Lists all risk provider objects + operationId: listRiskProviders + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: 
'#/components/schemas/RiskProvider' + examples: + RiskProviderList: + $ref: '#/components/examples/ListRiskProviderResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskProviders.read + tags: + - RiskProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + deprecated: true + summary: Create a risk provider + description: >- + Creates a risk provider object. You can create a maximum of three risk + provider objects. + operationId: createRiskProvider + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderRequestExample: + $ref: '#/components/examples/RiskProviderRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderPostResponseExample: + $ref: '#/components/examples/RiskProviderResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskProviders.manage + tags: + - RiskProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/risk/providers/{riskProviderId}: + get: + deprecated: true + summary: Retrieve a risk provider + description: Retrieves a risk provider object by ID + operationId: getRiskProvider + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderGetResponseExample: + $ref: 
'#/components/examples/RiskProviderResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskProviders.read + tags: + - RiskProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + deprecated: true + summary: Replace a risk provider + description: Replaces the properties for a given risk provider object ID + operationId: replaceRiskProvider + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderPutRequestExample: + $ref: '#/components/examples/RiskProviderPutRequest' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/RiskProvider' + examples: + RiskProviderPutResponseExample: + $ref: '#/components/examples/RiskProviderPutResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskProviders.manage + tags: + - RiskProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + deprecated: true + summary: Delete a risk provider + description: Deletes a risk provider object by its ID + operationId: deleteRiskProvider + responses: + '204': + description: No Content + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.riskProviders.manage + tags: + - RiskProvider + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathRiskProviderId' +components: + schemas: + RiskEvent: + type: object + properties: + expiresAt: + type: string + format: date-time + description: >- + Timestamp at which the event expires (expressed as a UTC time zone + using ISO 8601 format: yyyy-MM-dd`T`HH:mm:ss.SSS`Z`). If this + optional field isn't included, Okta automatically expires the event + 24 hours after the event is consumed. + subjects: + type: array + description: List of risk event subjects + items: + $ref: '#/components/schemas/RiskEventSubject' + timestamp: + type: string + format: date-time + description: >- + Timestamp of when the event is produced (expressed as a UTC time + zone using ISO 8601 format: yyyy-MM-dd`T`HH:mm:ss.SSS`Z`) + required: + - subjects + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ RiskProvider: + type: object + properties: + action: + $ref: '#/components/schemas/RiskProviderAction' + clientId: + type: string + description: >- + The ID of the [OAuth 2.0 service + app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#create-a-service-app-and-grant-scopes) + that's used to send risk events to Okta + example: 00cjkjjkkgjkdkjdkkljjsd + created: + type: string + format: date-time + description: Timestamp when the risk provider object was created + readOnly: true + example: '2021-01-05 22:18:30' + id: + type: string + description: The ID of the risk provider object + readOnly: true + example: 00rp12r4skkjkjgsn + lastUpdated: + type: string + format: date-time + description: Timestamp when the risk provider object was last updated + readOnly: true + example: '2021-01-05 22:18:30' + name: + type: string + description: Name of the risk provider + maxLength: 50 + example: Risk-Partner-X + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - name + - clientId + - action + - id + - _links + RiskEventSubject: + type: object + properties: + ip: + type: string + description: The risk event subject IP address (either an IPv4 or IPv6 address) + message: + type: string + description: Additional reasons for the risk level of the IP + maxLength: 512 + pattern: ^[a-zA-Z0-9 .\-_]*$ + riskLevel: + $ref: '#/components/schemas/RiskEventSubjectRiskLevel' + required: + - ip + - riskLevel + ErrorCause: + type: object + properties: + errorSummary: + type: string + RiskProviderAction: + description: >- + Action taken by Okta during authentication attempts based on the risk + events sent by this provider + default: log_only + type: string + enum: + - enforce_and_log + - log_only + - none + x-enumDescriptions: + log_only: Include risk event information in the System Log + none: No action + enforce_and_log: >- + Use risk event information to evaluate risks during authentication + attempts and include risk event information in the 
System Log + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + RiskEventSubjectRiskLevel: + description: The risk level associated with the IP + type: string + enum: + - HIGH + - LOW + - MEDIUM + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathRiskProviderId: + name: riskProviderId + in: path + schema: + type: string + example: 00rp12r4skkjkjgsn + required: true + description: '`id` of the risk provider object' + examples: + RiskEventsRequestExample: + summary: Risk events payload example + value: + - timestamp: '2021-01-20T00:00:00.001Z' + subjects: + - ip: 6.7.6.7 + riskLevel: MEDIUM + - ip: 1.1.1.1 + riskLevel: HIGH + message: Detected Attack tooling and suspicious activity + - timestamp: '2021-01-20T01:00:00.001Z' + subjects: + - ip: 6.7.6.7 + riskLevel: LOW + - ip: 2.2.2.2 + riskLevel: HIGH + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + 
ListRiskProviderResponse: + summary: List risk provider response example + value: + - id: 00rp12r4skkjkjgsn + action: log_only + name: Risk-Partner-X + clientId: 00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 22:18:30' + lastUpdated: '2021-01-05 22:18:30' + _links: + self: + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn + hints: + allow: + - GET + - PUT + RiskProviderRequest: + summary: Risk provider payload example + value: + name: Risk-Partner-X + action: log_only + clientId: 00ckjsfgjkdkjdkkljjsd + RiskProviderResponse: + summary: Risk provider response example + value: + id: 00rp12r4skkjkjgsn + action: log_only + name: Risk-Partner-X + clientId: 00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 22:18:30' + lastUpdated: '2021-01-05 22:18:30' + _links: + self: + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn + hints: + allow: + - GET + - PUT + RiskProviderPutRequest: + summary: Replace risk provider request example + value: + name: Risk-Partner-Y + action: enforce_and_log + clientId: 00ckjsfgjkdkjdkkljjsd + RiskProviderPutResponse: + summary: Replace risk provider response example + value: + id: 00rp12r4skkjkjgsn + action: enforce_and_log + name: Risk-Partner-Y + clientId: 00ckjsfgjkdkjdkkljjsd + created: '2021-01-05 22:18:30' + lastUpdated: '2021-01-05 23:18:30' + _links: + self: + href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn + hints: + allow: + - GET + - PUT + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + risk_events: + id: okta.risk.risk_events + name: risk_events + title: Risk Events + methods: + send_risk_events: + operation: + $ref: '#/paths/~1api~1v1~1risk~1events~1ip/post' + response: + mediaType: '' + openAPIDocKey: '202' + sqlVerbs: + select: [] + insert: [] + update: [] + delete: [] + replace: [] + risk_providers: + id: okta.risk.risk_providers + name: risk_providers + title: Risk Providers + methods: + list_risk_providers: + operation: + $ref: '#/paths/~1api~1v1~1risk~1providers/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_risk_provider: + operation: + $ref: '#/paths/~1api~1v1~1risk~1providers/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_risk_provider: + operation: + $ref: '#/paths/~1api~1v1~1risk~1providers~1{riskProviderId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_risk_provider: + operation: + $ref: '#/paths/~1api~1v1~1risk~1providers~1{riskProviderId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_risk_provider: + operation: + $ref: '#/paths/~1api~1v1~1risk~1providers~1{riskProviderId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/risk_providers/methods/list_risk_providers + - $ref: >- + #/components/x-stackQL-resources/risk_providers/methods/get_risk_provider + insert: + - $ref: >- + #/components/x-stackQL-resources/risk_providers/methods/create_risk_provider + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/risk_providers/methods/delete_risk_provider + replace: + - $ref: >- + 
#/components/x-stackQL-resources/risk_providers/methods/replace_risk_provider +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/roles.yaml b/providers/src/okta/v00.00.00000/services/roles.yaml new file mode 100644 index 00000000..a445bc07 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/roles.yaml 
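Review bot: Every operation in the new risk.yaml names `apiToken` and `oauth2` in its `security` block, but the file's `components` section declares only `schemas`, `responses`, `parameters`, `examples` and `x-stackQL-resources`, with no `securitySchemes`. OpenAPI 3.0 expects each security requirement name to match a declared scheme, so a strict validator will flag the document, and a reader cannot tell from this file how the `okta.riskEvents.manage` and `okta.riskProviders.read`/`.manage` scopes are presented. If authentication is configured at provider level (presumably in provider.yaml, not shown in this hunk), either drop the per-operation `security` blocks or add a `components.securitySchemes` entry defining both names. roles.yaml further down has the same gap.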
@@ -0,0 +1,409 @@ +openapi: 3.0.3 +info: + title: roles API + description: okta roles API + version: 5.1.0 +paths: + /api/v1/roles/{roleRef}/subscriptions: + get: + summary: List all subscriptions for a role + description: Lists all subscriptions available to a specified Role + operationId: listSubscriptionsRole + responses: + '200': + description: Success + content: + application/json: + schema: + items: + $ref: '#/components/schemas/Subscription' + type: array + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathRoleRef' + /api/v1/roles/{roleRef}/subscriptions/{notificationType}: + get: + summary: Retrieve a subscription for a role + description: Retrieves a subscription by `notificationType` for a specified Role + operationId: getSubscriptionsNotificationTypeRole + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Subscription' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathRoleRef' + - $ref: '#/components/parameters/pathNotificationType' + /api/v1/roles/{roleRef}/subscriptions/{notificationType}/subscribe: + post: + summary: Subscribe a role to a specific notification type + description: >- + Subscribes a Role to a specified notification type. Changes to Role + subscriptions override the subscription status of any individual users + with the Role. 
+ operationId: subscribeByNotificationTypeRole + responses: + '200': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathRoleRef' + - $ref: '#/components/parameters/pathNotificationType' + /api/v1/roles/{roleRef}/subscriptions/{notificationType}/unsubscribe: + post: + summary: Unsubscribe a role from a specific notification type + description: >- + Unsubscribes a Role from a specified notification type. Changes to Role + subscriptions override the subscription status of any individual users + with the Role. + operationId: unsubscribeByNotificationTypeRole + responses: + '200': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathRoleRef' + - $ref: '#/components/parameters/pathNotificationType' +components: + schemas: + Subscription: + type: object + properties: + channels: + description: |- + An array of sources send notifications to users. + > **Note**: Currently, Okta only allows `email` channels. 
+ items: + type: string + type: array + notificationType: + $ref: '#/components/schemas/NotificationType' + status: + $ref: '#/components/schemas/SubscriptionStatus' + _links: + type: object + description: Discoverable resources related to the subscription + properties: + self: + $ref: '#/components/schemas/HrefObject' + readOnly: true + RoleType: + description: Standard role type + type: string + enum: + - ACCESS_CERTIFICATIONS_ADMIN + - ACCESS_REQUESTS_ADMIN + - API_ACCESS_MANAGEMENT_ADMIN + - API_ADMIN + - APP_ADMIN + - CUSTOM + - GROUP_MEMBERSHIP_ADMIN + - HELP_DESK_ADMIN + - MOBILE_ADMIN + - ORG_ADMIN + - READ_ONLY_ADMIN + - REPORT_ADMIN + - SUPER_ADMIN + - USER_ADMIN + - WORKFLOWS_ADMIN + x-enumDescriptions: + API_ACCESS_MANAGEMENT_ADMIN: Access Management Administrator + API_ADMIN: Access Management Administrator + APP_ADMIN: Application Administrator + CUSTOM: Custom label specified by the client + GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator + HELP_DESK_ADMIN: Help Desk Administrator + MOBILE_ADMIN: Mobile Administrator + ORG_ADMIN: Organizational Administrator + READ_ONLY_ADMIN: Read-Only Administrator + REPORT_ADMIN: Report Administrator + SUPER_ADMIN: Super Administrator + USER_ADMIN: Group Administrator + WORKFLOWS_ADMIN: Workflows Administrator + ACCESS_CERTIFICATIONS_ADMIN: Access Certifications Administrator (predefined resource sets) + ACCESS_REQUESTS_ADMIN: Access Requests Administrator (predefined resource sets) + NotificationType: + description: The type of notification + type: string + enum: + - AD_AGENT + - AGENT_AUTO_UPDATE_NOTIFICATION + - AGENT_AUTO_UPDATE_NOTIFICATION_LDAP + - APP_IMPORT + - CONNECTOR_AGENT + - IWA_AGENT + - LDAP_AGENT + - OKTA_ANNOUNCEMENT + - OKTA_UPDATE + - RATELIMIT_NOTIFICATION + - REPORT_SUSPICIOUS_ACTIVITY + - USER_DEPROVISION + - USER_LOCKED_OUT + x-enumDescriptions: + AD_AGENT: System notification sent when an AD agent disconnects or reconnects + AGENT_AUTO_UPDATE_NOTIFICATION: System notification sent 
when an agent automatically updates + APP_IMPORT: System notification sent with the status of an app user import + CONNECTOR_AGENT: >- + System notification sent when an on-premises provisioning or Okta + on-prem MFA agent disconnects or reconnects + IWA_AGENT: System notification sent when an IGA agent disconnects or reconnects + LDAP_AGENT: System notification sent when an LDAP agent disconnects or reconnects + OKTA_ANNOUNCEMENT: Okta communication sent for announcements and release notes + OKTA_UPDATE: Okta communication sent for scheduled system updates + RATELIMIT_NOTIFICATION: >- + System notification sent when an org reaches rate limit warning or + violation thresholds + REPORT_SUSPICIOUS_ACTIVITY: System notification sent when a user reports suspicious activity + USER_DEPROVISION: System notification sent when a user is deprovisioned from apps + USER_LOCKED_OUT: >- + System notification sent when a user is locked out from logging in to + Okta + SubscriptionStatus: + description: The status of the subscription + type: string + enum: + - subscribed + - unsubscribed + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. 
This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + ErrorCause: + type: object + properties: + errorSummary: + type: string + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + parameters: + pathRoleRef: + name: roleRef + in: path + description: >- + A reference to an existing role. Standard roles require a `roleType`, + while Custom Roles require a `roleId`. See [Standard + Roles](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles). 
+ required: true + schema: + oneOf: + - title: roleType + type: string + $ref: '#/components/schemas/RoleType' + - title: roleId + type: string + pathNotificationType: + name: notificationType + in: path + required: true + schema: + $ref: '#/components/schemas/NotificationType' + examples: + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + x-stackQL-resources: + subscriptions: + id: okta.roles.subscriptions + name: subscriptions + title: Subscriptions + methods: + list_subscriptions_role: + operation: + $ref: '#/paths/~1api~1v1~1roles~1{roleRef}~1subscriptions/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_subscriptions_notification_type_role: + operation: + $ref: >- + #/paths/~1api~1v1~1roles~1{roleRef}~1subscriptions~1{notificationType}/get + response: + mediaType: application/json + openAPIDocKey: '200' + subscribe_by_notification_type_role: + operation: + $ref: >- + #/paths/~1api~1v1~1roles~1{roleRef}~1subscriptions~1{notificationType}~1subscribe/post + response: + mediaType: '' + openAPIDocKey: '200' + unsubscribe_by_notification_type_role: + operation: + $ref: >- + #/paths/~1api~1v1~1roles~1{roleRef}~1subscriptions~1{notificationType}~1unsubscribe/post + response: + mediaType: '' + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/subscriptions/methods/list_subscriptions_role + - $ref: >- + #/components/x-stackQL-resources/subscriptions/methods/get_subscriptions_notification_type_role + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + 
variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/security.yaml b/providers/src/okta/v00.00.00000/services/security.yaml new file mode 100644 index 00000000..46376196 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/security.yaml 
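Review bot: In `pathRoleRef` the parameter schema is a `oneOf` whose first branch puts `title` and `type` next to `$ref: '#/components/schemas/RoleType'` and whose second branch is a plain `type: string`. Under OpenAPI 3.0.3 the siblings of `$ref` are ignored, and every `RoleType` enum value is also a string, so a standard role such as `SUPER_ADMIN` matches both branches and fails `oneOf` in a strict validator. Using `anyOf` with the same two branches keeps the documentation intent and validates, and the first branch can then be just `- $ref: '#/components/schemas/RoleType'`. Separately, the subscribe and unsubscribe operations declare `'200'` with `description: No Content`; confirm the real status code against the API, since `openAPIDocKey: '200'` depends on it.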
@@ -0,0 +1,107 @@ +openapi: 3.0.3 +info: + title: security API + description: okta security API + version: 5.1.0 +paths: + /security/api/v1/security-events: + post: + summary: Publish a security event token + description: >- + Publishes a Security Event Token (SET) sent by a Security Events + Provider. After the token is verified, Okta ingests the event and + performs any appropriate action. + operationId: publishSecurityEventTokens + x-codegen-request-body-name: Security Event Token + requestBody: + required: true + description: > + The request body is a signed + [SET](https://datatracker.ietf.org/doc/html/rfc8417), which is a type + of JSON Web Token (JWT). + + + For SET JWT header and body descriptions, see [SET JWT + header](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFSecurityEventToken/#tag/SSFSecurityEventToken/schema/SecurityEventTokenRequestJwtHeader) + and [SET JWT body + payload](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFSecurityEventToken/#tag/SSFSecurityEventToken/schema/SecurityEventTokenRequestJwtBody). + content: + application/secevent+jwt: + schema: + type: string + examples: + SET: + value: eyJraWQiOiJzYW1wbGVfa2lkIiwidHlwIjoic2ZXZlbnQra ... mrtmw + responses: + '202': + description: Accepted + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventTokenError' + security: [] + tags: + - SSFSecurityEventToken + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine +components: + schemas: + SecurityEventTokenError: + title: Security Event Token Error + description: Error object thrown when parsing the Security Event Token + type: object + properties: + description: + type: string + description: > + Describes the error + + > **Note:** SET claim fields with underscores (snake case) are + presented in camelcase. For example, `previous_status` appears as + `previousStatus`. 
+ example: >- + Failed claim validation in security event token. + 'events.mediationDeviceComplianceChangeEvent.previousStatus': The + field cannot be left blank + err: + type: string + description: A code that describes the category of the error + example: invalid_request + enum: + - authentication_failed + - invalid_audience + - invalid_issuer + - invalid_key + - invalid_request + x-stackQL-resources: + ssf_security_event_tokens: + id: okta.security.ssf_security_event_tokens + name: ssf_security_event_tokens + title: Ssf Security Event Tokens + methods: + publish_security_event_tokens: + operation: + $ref: '#/paths/~1security~1api~1v1~1security-events/post' + response: + mediaType: '' + openAPIDocKey: '202' + sqlVerbs: + select: [] + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/security_events_providers.yaml b/providers/src/okta/v00.00.00000/services/security_events_providers.yaml new file mode 100644 index 00000000..1899a033 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/security_events_providers.yaml 
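Review bot: `security: []` on `publishSecurityEventTokens` removes every credential requirement from this operation, and nothing next to it says why. Per the description the request is authenticated by the signed SET itself, so I would record that in place, e.g. `# no Okta credential: the signed SET (RFC 8417) is the authenticator; Okta verifies it before ingesting`, so that nobody later normalises it to `apiToken`/`oauth2` or reads it as an open endpoint. The only error response declared is `'400'`; a `'429'` entry like the other services carry would be consistent if this endpoint is rate limited (not visible here). If this file is regenerated from the upstream spec, the comment belongs in the generator's overlay rather than in the output.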
@@ -0,0 +1,837 @@ +openapi: 3.0.3 +info: + title: security_events_providers API + description: okta security_events_providers API + version: 5.1.0 +paths: + /api/v1/security-events-providers: + get: + summary: List all security events providers + description: Lists all Security Events Provider instances + operationId: listSecurityEventsProviderInstances + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + list: + $ref: '#/components/examples/ListOfSecurityEventsProviderInstances' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.read + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create a security events provider + description: Creates a Security Events Provider instance + operationId: createSecurityEventsProviderInstance + x-codegen-request-body-name: instance + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderRequest' + examples: + well-known-URL-provided: + $ref: >- + #/components/examples/SecurityEventsProviderRequestWellKnownUrl + issuer-and-JWKS-URL-provided: + $ref: >- + #/components/examples/SecurityEventsProviderRequestIssuerAndJwksUrl + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + well-known-URL-provided: + $ref: >- + #/components/examples/SecurityEventsProviderResponseWellKnownUrl + issuer-and-JWKS-URL-provided: + $ref: >- + #/components/examples/SecurityEventsProviderResponseIssuerAndJwksUrl + '400': + $ref: 
'#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/security-events-providers/{securityEventProviderId}: + get: + summary: Retrieve the security events provider + description: Retrieves the Security Events Provider instance specified by `id` + operationId: getSecurityEventsProviderInstance + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + get: + $ref: >- + #/components/examples/SecurityEventsProviderResponseWellKnownUrl + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.read + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace a security events provider + description: Replaces a Security Events Provider instance specified by `id` + operationId: replaceSecurityEventsProviderInstance + x-codegen-request-body-name: instance + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderRequest' + examples: + well-known-URL-provided: + $ref: >- + #/components/examples/SecurityEventsProviderRequestWellKnownUrl + issuer-and-JWKS-URL-provided: + $ref: >- + 
#/components/examples/SecurityEventsProviderRequestIssuerAndJwksUrl + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + well-known-URL-provided: + $ref: >- + #/components/examples/SecurityEventsProviderResponseWellKnownUrl + issuer-and-JWKS-URL-provided: + $ref: >- + #/components/examples/SecurityEventsProviderResponseIssuerAndJwksUrl + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete a security events provider + description: Deletes a Security Events Provider instance specified by `id` + operationId: deleteSecurityEventsProviderInstance + responses: + '204': + description: No Content + content: {} + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathSecurityEventProviderId' + /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/activate: + post: + summary: Activate a security events provider + description: >- + Activates a Security Events Provider instance by setting its 
status to + `ACTIVE`. + + This operation resumes the flow of events from the Security Events + Provider to Okta. + operationId: activateSecurityEventsProviderInstance + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + activatedInstance: + $ref: >- + #/components/examples/SecurityEventsProviderResponseWellKnownUrl + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathSecurityEventProviderId' + /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/deactivate: + post: + summary: Deactivate a security events provider + description: >- + Deactivates a Security Events Provider instance by setting its status to + `INACTIVE`. + + This operation stops the flow of events from the Security Events + Provider to Okta. 
+ operationId: deactivateSecurityEventsProviderInstance + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/SecurityEventsProviderResponse' + examples: + deactivatedInstance: + $ref: >- + #/components/examples/DeactivatedSecurityEventsProviderResponse + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.securityEventsProviders.manage + tags: + - SSFReceiver + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathSecurityEventProviderId' +components: + schemas: + SecurityEventsProviderResponse: + title: Security Events Provider Response + description: The Security Events Provider response + type: object + properties: + id: + description: The unique identifier of this instance + type: string + readOnly: true + example: sse1qg25RpusjUP6m0g5 + name: + description: The name of the Security Events Provider instance + type: string + maxLength: 100 + example: Target SSF Provider + settings: + description: Information about the Security Events Provider for signal ingestion + $ref: '#/components/schemas/SecurityEventsProviderSettingsResponse' + status: + description: Indicates whether the Security Events Provider is active or not + type: string + enum: + - ACTIVE + - INACTIVE + readOnly: true + type: + description: The application type of the Security Events Provider + maxLength: 255 + type: string + example: okta + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + SecurityEventsProviderRequest: + title: Security Events Provider Request + description: >- + The request schema for creating or updating a Security Events Provider. 
+ The `settings` must match one of the schemas. + type: object + properties: + name: + description: The name of the Security Events Provider instance + type: string + maxLength: 100 + example: Target SSF Provider + settings: + type: object + description: Information about the Security Events Provider for signal ingestion + oneOf: + - $ref: '#/components/schemas/SecurityEventsProviderSettingsSSFCompliant' + - $ref: >- + #/components/schemas/SecurityEventsProviderSettingsNonSSFCompliant + type: + description: The application type of the Security Events Provider + maxLength: 255 + type: string + example: okta + required: + - name + - settings + - type + SecurityEventsProviderSettingsResponse: + title: Security Events Provider settings + description: Security Events Provider settings + type: object + properties: + issuer: + type: string + description: Issuer URL + maxLength: 700 + example: example.okta.com + jwks_url: + type: string + format: url + description: The public URL where the JWKS public key is uploaded + maxLength: 1000 + example: https://example.okta.com/oauth2/v1/keys + well_known_url: + type: string + format: url + description: >- + The well-known URL of the Security Events Provider (the SSF + transmitter) + nullable: true + maxLength: 1000 + example: https://example.okta.com/.well-known/ssf-configuration + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. 
+ errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + SecurityEventsProviderSettingsSSFCompliant: + title: Provider with well-known URL setting + description: Security Events Provider with well-known URL setting + type: object + properties: + well_known_url: + type: string + format: url + description: >- + The published well-known URL of the Security Events Provider (the + SSF transmitter) + maxLength: 1000 + example: https://example.okta.com/.well-known/ssf-configuration + required: + - well_known_url + SecurityEventsProviderSettingsNonSSFCompliant: + title: Provider with issuer and JWKS settings + description: >- + Security Events Provider with issuer and JWKS settings for signal + ingestion + type: object + properties: + issuer: + type: string + description: Issuer URL + maxLength: 700 + example: example.okta.com + jwks_url: + type: string + format: url + description: The public URL where the JWKS public key is uploaded + maxLength: 1000 + example: https://example.okta.com/oauth2/v1/keys + required: + - jwks_url + - issuer + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorInvalidToken401: + description: Unauthorized + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidTokenProvided: + $ref: '#/components/examples/ErrorInvalidTokenProvided' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathSecurityEventProviderId: + name: securityEventProviderId + in: path + schema: + type: string + example: sse1qg25RpusjUP6m0g5 + required: true + description: '`id` of the Security Events Provider instance' + examples: + ListOfSecurityEventsProviderInstances: + summary: List of security events providers + value: + - id: sse1qg25RpusjUP6m0g5 + name: Security Events Provider with well-known URL + type: okta + status: ACTIVE + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + 
self: + href: >- + https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate + hints: + allow: + - POST + - id: sse1qu4fUtsoD12iF0g5 + name: Security Events Provider with an issuer and a JWKS URL + type: okta + status: ACTIVE + settings: + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: >- + https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate + hints: + allow: + - POST + SecurityEventsProviderRequestWellKnownUrl: + summary: Provider with well-known URL + value: + name: Security Events Provider with well-known URL + type: okta + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + SecurityEventsProviderRequestIssuerAndJwksUrl: + summary: Provider with issuer and JWKS + value: + name: Security Events Provider with an issuer and a JWKS URL + type: okta + settings: + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + SecurityEventsProviderResponseWellKnownUrl: + summary: Provider with well-known URL + value: + id: sse1qg25RpusjUP6m0g5 + name: Security Events Provider with well-known URL + type: okta + status: ACTIVE + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: >- + https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate + hints: + allow: + - POST + 
SecurityEventsProviderResponseIssuerAndJwksUrl: + summary: Provider with issuer and JWKS + value: + id: sse1qu4fUtsoD12iF0g5 + name: Security Events Provider with an issuer and a JWKS URL + type: okta + status: ACTIVE + settings: + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: >- + https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate + hints: + allow: + - POST + DeactivatedSecurityEventsProviderResponse: + summary: Inactive security events provider + value: + id: sse1qg25RpusjUP6m0g5 + name: Security Events Provider with well-known URL + type: okta + status: INACTIVE + settings: + well_known_url: https://example.okta.com/.well-known/ssf-configuration + issuer: Issuer + jwks_url: https://example.okta.com/jwks/path + _links: + self: + href: >- + https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 + hints: + allow: + - GET + - PUT + - DELETE + activate: + href: >- + https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/activate + hints: + allow: + - POST + ErrorInvalidTokenProvided: + summary: Invalid Token Provided + value: + errorCode: E0000011 + errorSummary: Invalid token provided + errorLink: E0000011 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + ssf_receivers: + id: okta.security_events_providers.ssf_receivers + name: ssf_receivers + title: Ssf Receivers + methods: + list_security_events_provider_instances: + operation: + $ref: '#/paths/~1api~1v1~1security-events-providers/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_security_events_provider_instance: + operation: + $ref: '#/paths/~1api~1v1~1security-events-providers/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_security_events_provider_instance: + operation: + $ref: >- + #/paths/~1api~1v1~1security-events-providers~1{securityEventProviderId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + replace_security_events_provider_instance: + operation: + $ref: >- + #/paths/~1api~1v1~1security-events-providers~1{securityEventProviderId}/put + response: + mediaType: application/json + openAPIDocKey: '200' + delete_security_events_provider_instance: + operation: + $ref: >- + #/paths/~1api~1v1~1security-events-providers~1{securityEventProviderId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + activate_security_events_provider_instance: + operation: + $ref: >- + #/paths/~1api~1v1~1security-events-providers~1{securityEventProviderId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_security_events_provider_instance: + operation: + $ref: >- + 
#/paths/~1api~1v1~1security-events-providers~1{securityEventProviderId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/ssf_receivers/methods/list_security_events_provider_instances + - $ref: >- + #/components/x-stackQL-resources/ssf_receivers/methods/get_security_events_provider_instance + insert: + - $ref: >- + #/components/x-stackQL-resources/ssf_receivers/methods/create_security_events_provider_instance + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/ssf_receivers/methods/delete_security_events_provider_instance + replace: + - $ref: >- + #/components/x-stackQL-resources/ssf_receivers/methods/replace_security_events_provider_instance +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/sessions.yaml b/providers/src/okta/v00.00.00000/services/sessions.yaml new file mode 100644 index 00000000..848e3362 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/sessions.yaml 
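Review bot: `issuer` is described as `Issuer URL` in both `SecurityEventsProviderSettingsResponse` and `SecurityEventsProviderSettingsNonSSFCompliant`, but its schema example is `example.okta.com` with no scheme, and every entry under `components/examples` uses the placeholder `issuer: Issuer`. Going by the descriptions in this file, `issuer` and `jwks_url` are the settings Okta uses to accept signals from the provider, so an example copied as written would presumably register a provider whose tokens fail issuer validation. I would align the examples with the description, e.g. `example: https://example.okta.com` on the schema and `issuer: https://example.okta.com` in the example values.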
@@ -0,0 +1,756 @@ +openapi: 3.0.3 +info: + title: sessions API + description: okta sessions API + version: 5.1.0 +paths: + /api/v1/sessions: + post: + summary: Create a session with session token + description: >- + Creates a new Session for a user with a valid session token. Use this + API if, for example, you want to set the session cookie yourself instead + of allowing Okta to set it, or want to hold the session ID to delete a + session through the API instead of visiting the logout URL. + operationId: createSession + x-codegen-request-body-name: createSessionRequest + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateSessionRequest' + examples: + SessionsCreate: + $ref: '#/components/examples/CreateSessionBody' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + SessionsCreate: + summary: Create a new session with a valid session token + $ref: '#/components/examples/CreateSessionResponse' + '400': + description: Bad Request + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + tags: + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/me: + get: + summary: Retrieve the current session + description: >- + Retrieves Session information for the current user. Use this method in a + browser-based application to determine if the user is signed in. + + + > **Note:** This operation requires a session cookie for the user. An + API token isn't allowed for this operation. 
+ operationId: getCurrentSession + parameters: + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + CurrentSessionsRetrieve: + summary: Retrieve current session information + $ref: '#/components/examples/RetrieveCurrentSessionResponse' + '404': + description: Not Found + security: [] + tags: + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Close the current session + description: >- + Closes the Session for the user who is currently signed in. Use this + method in a browser-based application to sign out a user. + + + > **Note:** This operation requires a session cookie for the user. An + API token isn't allowed for this operation. + operationId: closeCurrentSession + parameters: + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 + responses: + '204': + description: No Content + content: {} + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + security: [] + tags: + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/me/lifecycle/refresh: + post: + summary: Refresh the current session + description: >- + Refreshes the Session for the current user + + + > **Note:** This operation requires a session cookie for the user. An + API token isn't allowed for this operation. 
+ operationId: refreshCurrentSession + parameters: + - in: header + name: Cookie + schema: + description: Session ID (`sid`) or Identity Engine (`idx`) cookie + type: string + example: sid=abcde-123 or idx=abcde-123 + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + CurrentSessionsRefresh: + summary: Refersh current session + $ref: '#/components/examples/RefreshCurrentSessionResponse' + '404': + description: Not Found + security: [] + tags: + - Session + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/sessions/{sessionId}: + get: + summary: Retrieve a session + description: >- + Retrieves information about the Session specified by the given session + ID + operationId: getSession + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + SessionsRetrieve: + summary: Retrieve session information for a single session ID + $ref: '#/components/examples/RetrieveSessionResponse' + '400': + description: Bad Request + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.sessions.read + tags: + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke a session + description: Revokes the specified Session + operationId: revokeSession + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.sessions.manage + tags: + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: 
'#/components/parameters/pathSessionId' + /api/v1/sessions/{sessionId}/lifecycle/refresh: + post: + summary: Refresh a session + description: >- + Refreshes an existing Session using the `id` for that Session. A + successful response contains the refreshed Session with an updated + `expiresAt` timestamp. + operationId: refreshSession + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Session' + examples: + SessionsRefresh: + summary: Refresh an existing session using the session ID + $ref: '#/components/examples/RefreshSessionResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.sessions.manage + tags: + - Session + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathSessionId' +components: + schemas: + CreateSessionRequest: + type: object + properties: + sessionToken: + type: string + description: The session token obtained during authentication + Session: + type: object + properties: + amr: + type: array + readOnly: true + description: Authentication method reference + items: + $ref: '#/components/schemas/SessionAuthenticationMethod' + createdAt: + type: string + format: date-time + readOnly: true + expiresAt: + type: string + format: date-time + readOnly: true + description: A timestamp when the Session expires + id: + type: string + readOnly: true + description: A unique key for the Session + idp: + $ref: '#/components/schemas/SessionIdentityProvider' + lastFactorVerification: + type: string + format: date-time + readOnly: true + description: A timestamp when the user last performed multifactor authentication + lastPasswordVerification: + type: string + format: date-time + readOnly: true + description: >- + A timestamp when the user last performed the primary or 
step-up + authentication with a password + login: + type: string + readOnly: true + description: A unique identifier for the user (username) + status: + $ref: '#/components/schemas/SessionStatus' + description: Current Session status + userId: + type: string + readOnly: true + description: A unique key for the user + _links: + $ref: '#/components/schemas/LinksSelf' + SessionAuthenticationMethod: + type: string + enum: + - fpt + - geo + - hwk + - kba + - mca + - mfa + - otp + - pwd + - sc + - sms + - swk + - tel + x-enumDescriptions: + pwd: >- + Password authentication. **Inline hook value:** `PASSWORD` + **Example:** Standard password-based sign-in + swk: >- + Proof-of-possession (PoP) of a software key. **Inline hook value:** + `POP_SOFTWARE_KEY` **Example:** Okta Verify with Push + hwk: >- + Proof-of-possession (PoP) of a hardware key. **Inline hook value:** + `POP_HARDWARE_KEY` **Example:** Yubikey factor + opt: >- + One-time password. **Inline hook value:** `ONE_TIME_PASSWORD`. + **Example:** Okta Verify, Google Authenticator + sms: >- + SMS text message to the user at a registered number. **Inline hook + value:** `SMS_MESSAGE`. **Example:** SMS factor + tel: >- + Telephone call to the user at a registered number. **Inline hook + value:** `TELEPHONE_CALL`. **Example:** Phone call factor + geo: >- + Use of geo-location information. **Inline hook value:** `GEOLOCATION`. + **Example:** IP Trust and Network Zone policy conditions + fpt: >- + Fingerprint biometric authentication. **Inline hook value:** + `BIO_FINGERPRINT`. **Example:** Okta Verify with Touch ID + kba: >- + Knowledge-based authentication. **Inline hook value:** + `KNOWLEDGE_BASED_AUTHENTICATION`. **Example:** Security Question + factor + mfa: >- + Multifactor authentication. **Inline hook value:** + `MULTIFACTOR_AUTHENTICATION`. **Example:** This value is present + whenever any MFA factor verification is performed. + mca: >- + Multiple-channel authentication. 
**Inline hook value:** + `MULTIPLE_CHANNEL_AUTHENTICATION`. **Example:** Authentication + requires communication over more than one channel, such as Internet + and mobile network + sc: >- + Smart card authentication. **Inline hook value:** `SMART_CARD. + **Example:** User authenticated using a smart card, such as a Personal + Identity Verification (PIV) card or Common Access Card (CAC) + SessionIdentityProvider: + type: object + properties: + id: + type: string + readOnly: true + description: >- + Identity Provider ID. If the `type` is `OKTA`, then the `id` is the + org ID. + type: + $ref: '#/components/schemas/SessionIdentityProviderType' + SessionStatus: + type: string + enum: + - ACTIVE + - MFA_ENROLL + - MFA_REQUIRED + x-enumDescriptions: + ACTIVE: The Session is established and fully validated. + MFA_REQUIRED: The Session is established, but requires second factor verification. + MFA_ENROLL: >- + The Session is established, but the user needs to enroll a second + factor. + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. 
Sometimes this + contains dynamically-generated information about your specific + error. + SessionIdentityProviderType: + type: string + enum: + - ACTIVE_DIRECTORY + - FEDERATION + - LDAP + - OKTA + - SOCIAL + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathSessionId: + name: sessionId + description: '`id` of the Session' + in: path + required: true + 
schema: + type: string + example: l7FbDVqS8zHSy65uJD85 + examples: + CreateSessionBody: + summary: Create a new session with a valid session token + value: + sessionToken: 00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow + CreateSessionResponse: + summary: Create a new session with a valid session token + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + RetrieveCurrentSessionResponse: + summary: Retrieve current session + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - GET + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/me + refresh: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh + user: + hints: + allow: + - GET + href: https://{yourOktaDomain}/api/v1/users/me + name: User Name + RefreshCurrentSessionResponse: + summary: Refresh current session + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - GET + - DELETE + 
href: https://{yourOktaDomain}/api/v1/sessions/me + refresh: + hints: + allow: + - POST + href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh + user: + hints: + allow: + - GET + href: https://{yourOktaDomain}/api/v1/users/me + name: User Name + RetrieveSessionResponse: + summary: Retrieve session information for a single session ID + value: + amr: + - pwd + createdAt: '2019-08-24T14:15:22Z' + expiresAt: '2019-08-24T14:15:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + RefreshSessionResponse: + summary: Refresh an existing session using the session ID + value: + amr: + - pwd + createdAt: '2019-08-25T14:17:22Z' + expiresAt: '2019-08-25T14:17:22Z' + id: l7FbDVqS8zHSy65uJD85 + idp: + id: 01a2bcdef3GHIJKLMNOP + type: ACTIVE_DIRECTORY + lastFactorVerification: '2019-08-24T14:15:22Z' + lastPasswordVerification: '2019-08-24T14:15:22Z' + login: user@example.com + status: ACTIVE + userId: 00u0abcdefGHIJKLMNOP + _links: + self: + hints: + allow: + - DELETE + href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + sessions: + id: okta.sessions.sessions + name: sessions + title: Sessions + methods: + create_session: + operation: + $ref: '#/paths/~1api~1v1~1sessions/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_current_session: + operation: + $ref: '#/paths/~1api~1v1~1sessions~1me/get' + response: + mediaType: application/json + openAPIDocKey: '200' + close_current_session: + operation: + $ref: '#/paths/~1api~1v1~1sessions~1me/delete' + response: + mediaType: '' + openAPIDocKey: '204' + refresh_current_session: + operation: + $ref: '#/paths/~1api~1v1~1sessions~1me~1lifecycle~1refresh/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_session: + operation: + $ref: '#/paths/~1api~1v1~1sessions~1{sessionId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_session: + operation: + $ref: '#/paths/~1api~1v1~1sessions~1{sessionId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + refresh_session: + operation: + $ref: '#/paths/~1api~1v1~1sessions~1{sessionId}~1lifecycle~1refresh/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/sessions/methods/get_current_session + - $ref: '#/components/x-stackQL-resources/sessions/methods/get_session' + insert: + - $ref: '#/components/x-stackQL-resources/sessions/methods/create_session' + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/sessions/methods/close_current_session + - $ref: '#/components/x-stackQL-resources/sessions/methods/revoke_session' + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: 
my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/ssf.yaml b/providers/src/okta/v00.00.00000/services/ssf.yaml new file mode 100644 index 00000000..29c05a01 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/ssf.yaml 
@@ -0,0 +1,825 @@ +openapi: 3.0.3 +info: + title: ssf API + description: okta ssf API + version: 5.1.0 +paths: + /api/v1/ssf/stream: + get: + summary: Retrieve the SSF stream configuration(s) + description: >- + Retrieves either a list of all known SSF Stream configurations or the + individual configuration if specified by ID. + + + As Stream configurations are tied to a Client ID, only the Stream + associated with the Client ID of the request OAuth 2.0 access token can + be viewed. + operationId: getSsfStreams + parameters: + - in: query + name: stream_id + schema: + type: string + example: esc1k235GIIztAuGK0g5 + description: The ID of the specified SSF Stream configuration + responses: + '200': + description: OK + content: + application/json: + schema: + oneOf: + - type: array + title: List of Stream Configurations + items: + $ref: '#/components/schemas/StreamConfiguration' + - $ref: '#/components/schemas/StreamConfiguration' + examples: + listResponse: + $ref: '#/components/examples/listStreamConfigurationExample' + individualStreamResponse: + $ref: '#/components/examples/streamConfigurationExample' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.read + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + post: + summary: Create an SSF stream + description: >- + Creates an SSF Stream for an event receiver to start receiving security + events in the form of Security Event Tokens (SETs) from Okta. + + + An SSF Stream is associated with the Client ID of the OAuth 2.0 access + token used to create the stream. 
The Client ID is provided by Okta for + an [OAuth 2.0 app + integration](https://help.okta.com/okta_help.htm?id=ext_Apps_App_Integration_Wizard-oidc). + One SSF Stream is allowed for each Client ID, hence, one SSF Stream is + allowed for each app integration in Okta. + + + A maximum of 10 SSF Stream configurations can be created for one org. + operationId: createSsfStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfigurationCreateRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '409': + $ref: '#/components/responses/ErrorApiValidationConflict409' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Replace an SSF stream + description: >- + Replaces all properties for an existing SSF Stream configuration. + + + If the `stream_id` isn't provided in the request body, the associated + stream with the Client ID (through the request OAuth 2.0 access token) + is replaced. 
+ operationId: replaceSsfStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + patch: + summary: Update an SSF stream + description: >- + Updates properties for an existing SSF Stream configuration. + + + If the `stream_id` isn't provided in the request body, the associated + stream with the Client ID (through the request OAuth 2.0 access token) + is updated. 
+ operationId: updateSsfStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/StreamConfiguration' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete an SSF stream + description: >- + Deletes the specified SSF Stream. + + + If the `stream_id` is not provided in the query string, the associated + stream with the Client ID (through the request OAuth 2.0 access token) + is deleted. Otherwise, the SSF Stream with the `stream_id` is deleted, + if found. 
+ operationId: deleteSsfStream + parameters: + - in: query + name: stream_id + schema: + type: string + example: esc1k235GIIztAuGK0g5 + description: The ID of the specified SSF Stream configuration + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /api/v1/ssf/stream/status: + get: + summary: Retrieve the SSF Stream status + description: >- + Retrieves the status of an SSF Stream. The status indicates whether the + transmitter is able to transmit events over the stream. + operationId: getSsfStreamStatus + parameters: + - in: query + name: stream_id + schema: + type: string + example: esc1k235GIIztAuGK0g5 + description: The ID of the specified SSF Stream configuration + required: true + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/StreamStatus' + examples: + streamStatusEnabledExample: + $ref: '#/components/examples/streamStatusEnabledExample' + streamStatusDisabledExample: + $ref: '#/components/examples/streamStatusDisabledExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.read + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: 
+ - Okta Identity Engine + /api/v1/ssf/stream/verification: + post: + summary: Verify an SSF stream + description: >- + Verifies an SSF Stream by publishing a Verification Event requested by a + Security Events Provider. + + + > **Note:** A successful response doesn't indicate that the Verification + Event + was transmitted successfully, only that Okta has transmitted the event or will + at some point in the future. The SSF Receiver is responsible for validating and acknowledging + successful transmission of the request by responding with HTTP Response Status Code 202. + operationId: verifySsfStream + x-codegen-request-body-name: instance + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/StreamVerificationRequest' + required: true + responses: + '204': + description: No Content + content: {} + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - ssf.manage + tags: + - SSFTransmitter + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine +components: + schemas: + StreamConfiguration: + title: Stream Configuration + type: object + properties: + aud: + oneOf: + - type: string + format: uri + example: https://example.com + - type: array + items: + type: string + format: uri + example: https://example.com + description: >- + The audience used in the SET. This value is set as `aud` in the + claim. + + + A read-only parameter that is set by the transmitter. If this + parameter is included in the request, the value must match the + expected value from the transmitter. 
+ example: https://example.com + delivery: + $ref: '#/components/schemas/StreamConfigurationDelivery' + events_delivered: + type: array + items: + type: string + format: uri + description: >- + The events (mapped by the array of event type URIs) that the + transmitter actually delivers to the SSF Stream. + + + A read-only parameter that is set by the transmitter. If this + parameter is included in the request, the value must match the + expected value from the transmitter. + example: + - >- + https://schemas.openid.net/secevent/caep/event-type/session-revoked + - >- + https://schemas.openid.net/secevent/caep/event-type/credential-change + events_requested: + type: array + maxItems: 50 + items: + type: string + format: uri + maxLength: 256 + description: >- + The events (mapped by the array of event type URIs) that the + receiver wants to receive + example: + - >- + https://schemas.openid.net/secevent/caep/event-type/session-revoked + - >- + https://schemas.openid.net/secevent/caep/event-type/credential-change + events_supported: + type: array + items: + type: string + format: uri + description: >- + An array of event type URIs that the transmitter supports. + + + A read-only parameter that is set by the transmitter. If this + parameter is included in the request, the value must match the + expected value from the transmitter. + example: + - >- + https://schemas.openid.net/secevent/caep/event-type/session-revoked + - >- + https://schemas.openid.net/secevent/caep/event-type/credential-change + format: + type: string + description: The Subject Identifier format expected for any SET transmitted. + enum: + - iss_sub + iss: + type: string + description: >- + The issuer used in Security Event Tokens (SETs). This value is set + as `iss` in the claim. + + + A read-only parameter that is set by the transmitter. If this + parameter is included in the request, the value must match the + expected value from the transmitter. 
+ example: https://{yourOktaDomain} + min_verification_interval: + type: integer + nullable: true + example: 60 + description: >- + The minimum amount of time, in seconds, between two verification + requests. + + + A read-only parameter that is set by the transmitter. If this + parameter is included in the request, the value must match the + expected value from the transmitter. + stream_id: + type: string + description: The ID of the SSF Stream configuration + example: esc1k235GIIztAuGK0g5 + required: + - events_requested + - delivery + StreamConfigurationCreateRequest: + title: Stream Configuration Create Request + type: object + properties: + delivery: + $ref: '#/components/schemas/StreamConfigurationDelivery' + events_requested: + type: array + maxItems: 50 + items: + type: string + format: uri + maxLength: 256 + description: >- + The events (mapped by the array of event type URIs) that the + receiver wants to receive + example: + - >- + https://schemas.openid.net/secevent/caep/event-type/session-revoked + - >- + https://schemas.openid.net/secevent/caep/event-type/credential-change + format: + type: string + description: The Subject Identifier format expected for any SET transmitted. + enum: + - iss_sub + required: + - events_requested + - delivery + StreamStatus: + title: Stream Status + description: Status corresponding to the `stream_id` of the SSF Stream + type: object + properties: + status: + type: string + description: The status of the SSF Stream configuration + enum: + - enabled + - disabled + x-enumDescriptions: + enabled: >- + The transmitter MUST transmit events over the stream according to + the stream’s configured delivery method. + disabled: >- + The transmitter MUST NOT transmit events over the stream and + doesn't hold any events for later transmission. + stream_id: + type: string + description: >- + The ID of the SSF Stream configuration. This corresponds to the + value in the query parameter of the request. 
+ example: esc1k235GIIztAuGK0g5 + StreamVerificationRequest: + title: Stream Verification Request + type: object + properties: + state: + type: string + description: >- + An arbitrary string that Okta as a transmitter must echo back to the + Event Receiver in the Verification Event's payload + example: VGhpcyBpcyBhbiBleGFtcGxlIHN0YXRlIHZhbHVlLgo= + stream_id: + type: string + description: The ID of the SSF Stream Configuration + example: esc1k235GIIztAuGK0g5 + required: + - stream_id + StreamConfigurationDelivery: + title: Stream Configuration Delivery + description: >- + Contains information about the intended SET delivery method by the + receiver + type: object + properties: + authorization_header: + type: string + description: >- + The HTTP Authorization header that is included for each HTTP POST + request + example: '{authorizationHeaderValue}' + nullable: true + maxLength: 8192 + endpoint_url: + type: string + format: uri + description: >- + The target endpoint URL where the transmitter delivers the SET using + HTTP POST requests + example: https://example.com/ + maxLength: 2048 + method: + type: string + description: The delivery method that the transmitter uses for delivering a SET + enum: + - https://schemas.openid.net/secevent/risc/delivery-method/push + - urn:ietf:rfc:8935 + required: + - method + - endpoint_url + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorInvalidToken401: + description: Unauthorized + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + InvalidTokenProvided: + $ref: '#/components/examples/ErrorInvalidTokenProvided' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorApiValidationConflict409: + description: Conflict + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorApiValidationConflict' + examples: + listStreamConfigurationExample: + summary: List of SSF stream configurations example + value: + - aud: https://example.com + delivery: + method: urn:ietf:rfc:8935 + endpoint_url: https://example.com + events_delivered: + - >- + https://schemas.openid.net/secevent/caep/event-type/session-revoked + - >- + https://schemas.openid.net/secevent/caep/event-type/credential-change + events_requested: + - >- + https://schemas.openid.net/secevent/caep/event-type/session-revoked + - >- + https://schemas.openid.net/secevent/caep/event-type/credential-change + events_supported: + - >- + 
https://schemas.openid.net/secevent/caep/event-type/session-revoked + - >- + https://schemas.openid.net/secevent/caep/event-type/credential-change + format: iss_sub + iss: https://{yourOktaDomain} + min_verification_interval: 0 + stream_id: esc1k235GIIztAuGK0g5 + streamConfigurationExample: + summary: SSF stream configuration example + value: + aud: https://example.com + delivery: + method: urn:ietf:rfc:8935 + endpoint_url: https://example.com + events_delivered: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - >- + https://schemas.openid.net/secevent/caep/event-type/credential-change + events_requested: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - >- + https://schemas.openid.net/secevent/caep/event-type/credential-change + events_supported: + - https://schemas.openid.net/secevent/caep/event-type/session-revoked + - >- + https://schemas.openid.net/secevent/caep/event-type/credential-change + format: iss_sub + iss: https://{yourOktaDomain} + min_verification_interval: 0 + stream_id: esc1k235GIIztAuGK0g5 + streamStatusEnabledExample: + summary: SSF Stream enabled status example + value: + stream_id: esc1k235GIIztAuGK0g5 + status: enabled + streamStatusDisabledExample: + summary: SSF Stream disabled status example + value: + stream_id: esc1k235GIIztAuGK0g5 + status: disabled + ErrorInvalidTokenProvided: + summary: Invalid Token Provided + value: + errorCode: E0000011 + errorSummary: Invalid token provided + errorLink: E0000011 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + 
ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorApiValidationConflict: + summary: Conflict + value: + errorCode: E0000195 + errorSummary: 'Api validation failed due to conflict: {0}' + errorLink: E0000195 + errorId: sampleMlLvGUj_YD5v15vkYWX + errorCauses: [] + x-stackQL-resources: + ssf_streams: + id: okta.ssf.ssf_streams + name: ssf_streams + title: Ssf Streams + methods: + get_ssf_streams: + operation: + $ref: '#/paths/~1api~1v1~1ssf~1stream/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_ssf_stream: + operation: + $ref: '#/paths/~1api~1v1~1ssf~1stream/post' + response: + mediaType: application/json + openAPIDocKey: '201' + replace_ssf_stream: + operation: + $ref: '#/paths/~1api~1v1~1ssf~1stream/put' + response: + mediaType: application/json + openAPIDocKey: '200' + update_ssf_stream: + operation: + $ref: '#/paths/~1api~1v1~1ssf~1stream/patch' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_ssf_stream: + operation: + $ref: '#/paths/~1api~1v1~1ssf~1stream/delete' + response: + mediaType: '' + openAPIDocKey: '204' + verify_ssf_stream: + operation: + $ref: '#/paths/~1api~1v1~1ssf~1stream~1verification/post' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/ssf_streams/methods/get_ssf_streams + insert: + - $ref: >- + #/components/x-stackQL-resources/ssf_streams/methods/create_ssf_stream + update: + - $ref: >- + #/components/x-stackQL-resources/ssf_streams/methods/update_ssf_stream + delete: + - $ref: >- + 
#/components/x-stackQL-resources/ssf_streams/methods/delete_ssf_stream + replace: + - $ref: >- + #/components/x-stackQL-resources/ssf_streams/methods/replace_ssf_stream + ssf_stream_status: + id: okta.ssf.ssf_stream_status + name: ssf_stream_status + title: Ssf Stream Status + methods: + get_ssf_stream_status: + operation: + $ref: '#/paths/~1api~1v1~1ssf~1stream~1status/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/ssf_stream_status/methods/get_ssf_stream_status + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/templates.yaml b/providers/src/okta/v00.00.00000/services/templates.yaml new file mode 100644 index 00000000..4e188007 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/templates.yaml 
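Review bot: `delivery.authorization_header` in `StreamConfigurationDelivery` holds the credential Okta presents to the receiver, but it is declared as an ordinary string inside `StreamConfiguration`, which is also the 200/201 response schema behind the `select` verb on `ssf_streams`. If the API echoes the value back (this file does not show whether it does), a plain `SELECT` would pull the receiver's secret into query output and logs. Consider adding `writeOnly: true` under `authorization_header`, or at least a description line such as `Treat as a secret; do not log or export.`. Separately, every operation in this file requires `oauth2` with `ssf.read` or `ssf.manage`, yet `components` has no `securitySchemes` entry, so the requirement names an undefined scheme. It is worth confirming that the provider-level auth can actually obtain those scopes.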
@@ -0,0 +1,506 @@ +openapi: 3.0.3 +info: + title: templates API + description: okta templates API + version: 5.1.0 +paths: + /api/v1/templates/sms: + get: + summary: List all SMS templates + description: >- + Lists all custom SMS templates. A subset of templates can be returned + that match a template type. + operationId: listSmsTemplates + parameters: + - name: templateType + in: query + schema: + $ref: '#/components/schemas/SmsTemplateType' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/SmsTemplate' + examples: + SMS Template List response: + $ref: '#/components/examples/SMSTemplateListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.read + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create an SMS template + description: Creates a new custom SMS template + operationId: createSmsTemplate + x-codegen-request-body-name: smsTemplate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Create an SMS Template request: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Create an SMS Template response: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + 
/api/v1/templates/sms/{templateId}: + get: + summary: Retrieve an SMS template + description: Retrieves a specific template by `id` + operationId: getSmsTemplate + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Get an SMS template response: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.read + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update an SMS template + description: | + Updates only some of the SMS Template properties: + * All properties within the custom SMS Template that have values are updated. + * Any translation that doesn't exist is added. + * Any translation with a null or empty value is removed. + * Any translation with non-empty/null value is updated. 
+ operationId: updateSmsTemplate + x-codegen-request-body-name: smsTemplate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Update an SMS Template request: + $ref: '#/components/examples/UpdateSMSTemplateRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Update an SMS Template response: + $ref: '#/components/examples/UpdateSMSTemplateResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace an SMS template + description: | + Replaces the SMS Template + > **Notes:** You can't update the default SMS Template. 
+ operationId: replaceSmsTemplate + x-codegen-request-body-name: smsTemplate + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Replace an SMS Template request: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/SmsTemplate' + examples: + Replace an SMS Template response: + $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete an SMS template + description: Deletes an SMS template + operationId: deleteSmsTemplate + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.templates.manage + tags: + - Template + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathTemplateId' +components: + schemas: + SmsTemplateType: + description: Type of the Template + maxLength: 50 + minLength: 1 + type: string + enum: + - SMS_VERIFY_CODE + SmsTemplate: + type: object + properties: + created: + type: string + format: date-time + readOnly: true + id: + type: string + readOnly: true + lastUpdated: + type: string + format: date-time + readOnly: true + name: + type: string + description: Human-readable name of the Template 
+ maxLength: 50 + minLength: 1 + template: + type: string + description: >- + Text of the Template, including any + [macros](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/) + maxLength: 161 + minLength: 1 + translations: + $ref: '#/components/schemas/SmsTemplateTranslations' + type: + $ref: '#/components/schemas/SmsTemplateType' + SmsTemplateTranslations: + description: > + - Template translations are optionally provided when you want to + localize the SMS messages. Translations are provided as an object that + contains `key:value` pairs: the language and the translated Template + text. The key portion is a two-letter country code that conforms to [ISO + 639-1](https://www.loc.gov/standards/iso639-2/php/code_list.php). The + value is the translated SMS Template. + + - Just like with regular SMS Templates, the length of the SMS message + can't exceed 160 characters. + type: object + x-okta-extensible: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. 
+ ErrorCause: + type: object + properties: + errorSummary: + type: string + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathTemplateId: + name: templateId + description: '`id` of the Template' + in: path + required: true + schema: + type: string + example: 6NQUJ5yR3bpgEiYmq8IC + examples: + SMSTemplateListResponse: + value: + - id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + CreateOrReplaceSMSTemplateRequest: + value: + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + CreateOrReplaceSMSTemplateResponse: + value: + id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom 
+ type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + UpdateSMSTemplateRequest: + value: + translations: + de: '${org.name}: ihre bestätigungscode ist ${code}.' + UpdateSMSTemplateResponse: + value: + id: 6NQUJ5yR3bpgEiYmq8IC + name: Custom + type: SMS_VERIFY_CODE + template: '${org.name}: your verification code is ${code}' + translations: + es: '${org.name}: el código de verificación es ${code}' + fr: '${org.name}: votre code de vérification est ${code}' + it: '${org.name}: il codice di verifica è ${code}' + de: '${org.name}: ihre bestätigungscode ist ${code}.' + created: '2024-04-25T17:35:02.000Z' + lastUpdated: '2024-04-25T17:35:02.000Z' + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + sms_templates: + id: okta.templates.sms_templates + name: sms_templates + title: Sms Templates + methods: + list_sms_templates: + operation: + $ref: '#/paths/~1api~1v1~1templates~1sms/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_sms_template: + operation: + $ref: '#/paths/~1api~1v1~1templates~1sms/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_sms_template: + operation: + $ref: '#/paths/~1api~1v1~1templates~1sms~1{templateId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_sms_template: + operation: + $ref: '#/paths/~1api~1v1~1templates~1sms~1{templateId}/post' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_sms_template: + operation: + $ref: '#/paths/~1api~1v1~1templates~1sms~1{templateId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_sms_template: + operation: + $ref: '#/paths/~1api~1v1~1templates~1sms~1{templateId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/sms_templates/methods/list_sms_templates + - $ref: >- + #/components/x-stackQL-resources/sms_templates/methods/get_sms_template + insert: + - $ref: >- + #/components/x-stackQL-resources/sms_templates/methods/create_sms_template + update: + - $ref: >- + #/components/x-stackQL-resources/sms_templates/methods/update_sms_template + delete: + - $ref: >- + 
#/components/x-stackQL-resources/sms_templates/methods/delete_sms_template + replace: + - $ref: >- + #/components/x-stackQL-resources/sms_templates/methods/replace_sms_template +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/threats.yaml b/providers/src/okta/v00.00.00000/services/threats.yaml new file mode 100644 index 00000000..bde27d49 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/threats.yaml 
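Review bot: Every operation in the new `templates.yaml` lists `apiToken` and `oauth2` (scopes `okta.templates.read` / `okta.templates.manage`) under `security`, but its `components` block holds only `schemas`, `responses`, `parameters`, `examples` and `x-stackQL-resources`; there is no `components.securitySchemes`. OpenAPI 3.0 requires each security requirement name to match a declared scheme, so strict validators will flag the document, and a reader cannot tell from the file how the token is sent or what the two scopes grant. The new `threats.yaml` in this commit has the same gap for `okta.threatInsights.read` / `okta.threatInsights.manage`. Either declare the schemes as sketched below, or, if authentication is meant to come only from the provider-level configuration (not visible here), drop the per-operation `security` entries so the file does not reference something it never defines. If these service files are generated, the fix belongs in the generator rather than in this commit.

```yaml
components:
  # … unchanged: schemas, responses, parameters, examples, x-stackQL-resources …
  securitySchemes:
    apiToken:
      type: apiKey
      in: header
      name: Authorization
      description: 'Okta API token, sent as `Authorization: SSWS {token}`'
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: 'https://{subdomain}.okta.com/oauth2/v1/authorize'
          tokenUrl: 'https://{subdomain}.okta.com/oauth2/v1/token'
          scopes:
            okta.templates.read: Read SMS templates
            okta.templates.manage: Create, change and delete SMS templates
```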
@@ -0,0 +1,343 @@ +openapi: 3.0.3 +info: + title: threats API + description: okta threats API + version: 5.1.0 +paths: + /api/v1/threats/configuration: + get: + summary: Retrieve the ThreatInsight configuration + description: Retrieves the ThreatInsight configuration for the org + operationId: getCurrentConfiguration + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ThreatInsightConfiguration' + examples: + ThreatInsightResponseEx: + $ref: '#/components/examples/ThreatInsightResponseExample' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.threatInsights.read + tags: + - ThreatInsight + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update the ThreatInsight configuration + description: Updates the ThreatInsight configuration for the org + operationId: updateConfiguration + x-codegen-request-body-name: threatInsightConfiguration + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ThreatInsightConfiguration' + examples: + ThreatInsightUpdateEx: + $ref: '#/components/examples/ThreatInsightUpdateRequestExample' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ThreatInsightConfiguration' + examples: + ThreatInsightUpdateEx: + $ref: '#/components/examples/ThreatInsightUpdateResponseExample' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.threatInsights.manage + tags: + - ThreatInsight + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true +components: + schemas: + ThreatInsightConfiguration: + type: object + properties: + 
action: + type: string + description: >- + Specifies how Okta responds to authentication requests from + suspicious IP addresses + enum: + - none + - audit + - block + x-enumDescriptions: + none: Indicates that ThreatInsight is disabled + audit: Indicates that Okta logs suspicious requests to the System Log + block: >- + Indicates that Okta logs suspicious requests to the System Log and + blocks the requests + example: none + created: + type: string + format: date-time + description: Timestamp when the ThreatInsight Configuration object was created + example: '2020-08-05T22:18:30.629Z' + readOnly: true + excludeZones: + type: array + description: >- + Accepts a list of [Network + Zone](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/NetworkZone/) IDs. + + IPs in the excluded network zones aren't logged or blocked. + + This ensures that traffic from known, trusted IPs isn't accidentally + logged or blocked. + items: + type: string + example: [] + lastUpdated: + type: string + format: date-time + description: >- + Timestamp when the ThreatInsight Configuration object was last + updated + readOnly: true + example: '2020-09-08T20:53:20.882Z' + _links: + $ref: '#/components/schemas/LinksSelf' + required: + - action + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + examples: + ThreatInsightResponseExample: + summary: ThreatInsight response + value: + action: none + excludeZones: [] + created: '2020-08-05T22:18:30.629Z' + lastUpdated: '2020-08-05T22:18:30.629Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/threats/configuration + hints: + allow: + - GET + - POST + ThreatInsightUpdateRequestExample: + summary: ThreatInsight update request + value: + action: audit + excludeZones: + - nzo1q7jEOsoCnoKcj0g4 + - nzouagptWUz5DlLfM0g3 + ThreatInsightUpdateResponseExample: + summary: ThreatInsight update response + value: + action: audit + excludeZones: + - nzo1q7jEOsoCnoKcj0g4 + - nzouagptWUz5DlLfM0g3 + created: '2020-08-05T22:18:30.629Z' + lastUpdated: '2020-10-13T21:23:10.178Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/threats/configuration + hints: + allow: + - GET + - POST + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: 
sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + x-stackQL-resources: + current_configuration: + id: okta.threats.current_configuration + name: current_configuration + title: Current Configuration + methods: + get_current_configuration: + operation: + $ref: '#/paths/~1api~1v1~1threats~1configuration/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_configuration: + operation: + $ref: '#/paths/~1api~1v1~1threats~1configuration/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/current_configuration/methods/get_current_configuration + insert: [] + update: + - $ref: >- + #/components/x-stackQL-resources/current_configuration/methods/update_configuration + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/trustedorigins.yaml b/providers/src/okta/v00.00.00000/services/trustedorigins.yaml new file mode 100644 index 00000000..ac1f1812 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/trustedorigins.yaml 
@@ -0,0 +1,946 @@ +openapi: 3.0.3 +info: + title: trustedorigins API + description: okta trustedorigins API + version: 5.1.0 +paths: + /api/v1/trustedOrigins: + get: + summary: List all trusted origins + description: Lists all trusted origins + operationId: listTrustedOrigins + parameters: + - name: q + description: A search string that prefix matches against the `name` and `origin` + in: query + schema: + type: string + - name: filter + description: > + [Filter](https://developer.okta.com/docs/api/#filter) trusted + origins with a supported expression for a subset of properties. You + can filter on the following properties: `name`, `origin`, `status`, + and `type` (type of scopes). + in: query + schema: + type: string + examples: + By name: + value: name eq "Example trusted origin" + - name: after + description: After cursor provided by a prior request + in: query + schema: + type: string + - name: limit + description: Specifies the number of results + in: query + schema: + type: integer + format: int32 + default: 20 + maximum: 200 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginsResponse: + $ref: '#/components/examples/TrustedOriginsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.read + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a trusted origin + description: Creates a trusted origin + operationId: createTrustedOrigin + x-codegen-request-body-name: trustedOrigin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOriginWrite' + examples: + TrustedOriginBody: + $ref: '#/components/examples/TrustedOriginBody' + TrustedOriginBodyWithIframeEmbedding: + $ref: 
'#/components/examples/TrustedOriginBodyWithIframeEmbedding' + TrustedOriginBodyWithIframeEmbeddingSignIn: + $ref: >- + #/components/examples/TrustedOriginBodyWithIframeEmbeddingSignIn + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginResponse: + $ref: '#/components/examples/TrustedOriginResponse' + TrustedOriginResponseWithIframeEmbedding: + $ref: >- + #/components/examples/TrustedOriginResponseWithIframeEmbedding + TrustedOriginResponseWithIframeEmbeddingSignIn: + $ref: >- + #/components/examples/TrustedOriginResponseWithIframeEmbeddingSignIn + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.manage + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/trustedOrigins/{trustedOriginId}: + get: + summary: Retrieve a trusted origin + description: Retrieves a trusted origin + operationId: getTrustedOrigin + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginResponse: + $ref: '#/components/examples/TrustedOriginResponse' + TrustedOriginResponseWithIframeEmbedding: + $ref: >- + #/components/examples/TrustedOriginResponseWithIframeEmbedding + TrustedOriginResponseWithIframeEmbeddingSignIn: + $ref: >- + #/components/examples/TrustedOriginResponseWithIframeEmbeddingSignIn + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.read + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: 
GA + isGenerallyAvailable: true + put: + summary: Replace a trusted origin + description: Replaces a trusted origin + operationId: replaceTrustedOrigin + x-codegen-request-body-name: trustedOrigin + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginPutBody: + $ref: '#/components/examples/TrustedOriginPutBody' + TrustedOriginPutBodyWithIframeEmbedding: + $ref: '#/components/examples/TrustedOriginPutBodyWithIframeEmbedding' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginPutResponse: + $ref: '#/components/examples/TrustedOriginPutResponse' + TrustedOriginPutResponseWithIFrameEmbedding: + $ref: >- + #/components/examples/TrustedOriginPutResponseWithIframeEmbedding + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.manage + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a trusted origin + description: Deletes a trusted origin + operationId: deleteTrustedOrigin + responses: + '204': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.manage + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathTrustedOriginId' + /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/activate: + post: + summary: 
Activate a trusted origin + description: Activates a trusted origin. Sets the `status` to `ACTIVE`. + operationId: activateTrustedOrigin + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginResponse: + $ref: '#/components/examples/TrustedOriginResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.manage + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathTrustedOriginId' + /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/deactivate: + post: + summary: Deactivate a trusted origin + description: Deactivates a trusted origin. Sets the `status` to `INACTIVE`. + operationId: deactivateTrustedOrigin + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/TrustedOrigin' + examples: + TrustedOriginInactiveResponse: + $ref: '#/components/examples/TrustedOriginInactiveResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.trustedOrigins.manage + tags: + - TrustedOrigin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathTrustedOriginId' +components: + schemas: + TrustedOrigin: + type: object + properties: + created: + description: Timestamp when the trusted origin was created + type: string + format: date-time + readOnly: true + createdBy: + description: The ID of the user who created the trusted origin + type: string + id: + description: Unique 
identifier for the trusted origin + type: string + readOnly: true + lastUpdated: + description: Timestamp when the trusted origin was last updated + type: string + format: date-time + readOnly: true + lastUpdatedBy: + description: The ID of the user who last updated the trusted origin + type: string + name: + $ref: '#/components/schemas/TrustedOriginName' + origin: + $ref: '#/components/schemas/TrustedOriginOrigin' + scopes: + $ref: '#/components/schemas/TrustedOriginScopes' + status: + $ref: '#/components/schemas/LifecycleStatus' + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + TrustedOriginWrite: + type: object + properties: + name: + $ref: '#/components/schemas/TrustedOriginName' + origin: + $ref: '#/components/schemas/TrustedOriginOrigin' + scopes: + $ref: '#/components/schemas/TrustedOriginScopes' + TrustedOriginName: + maximum: 255 + description: Unique name for the trusted origin + type: string + TrustedOriginOrigin: + maximum: 255 + description: >- + Unique origin URL for the trusted origin. The supported schemes for this + attribute are HTTP, HTTPS, FTP, Ionic 2, and Capacitor. + type: string + TrustedOriginScopes: + maximum: 3 + description: Array of scope types that this trusted origin is used for + items: + $ref: '#/components/schemas/TrustedOriginScope' + type: array + LifecycleStatus: + type: string + enum: + - ACTIVE + - INACTIVE + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. 
+ errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + TrustedOriginScope: + type: object + properties: + allowedOktaApps: + type: array + description: The allowed Okta apps for the trusted origin scope + items: + $ref: '#/components/schemas/IframeEmbedScopeAllowedApps' + type: + $ref: '#/components/schemas/TrustedOriginScopeType' + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + ErrorCause: + type: object + properties: + errorSummary: + type: string + IframeEmbedScopeAllowedApps: + type: string + enum: + - OKTA_ENDUSER + TrustedOriginScopeType: + description: > + The scope type. Supported values: When you use `IFRAME_EMBED` as the + scope type, leave the `allowedOktaApps` property empty to allow iFrame + embedding of only Okta sign-in pages. Include `OKTA_ENDUSER` as a value + for the `allowedOktaApps` property to allow iFrame embedding of both + Okta sign-in pages and the Okta End-User Dashboard. 
+ type: string + enum: + - CORS + - IFRAME_EMBED + - REDIRECT + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/ErrorApiValidationFailed' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + parameters: + pathTrustedOriginId: + name: trustedOriginId + description: '`id` of the trusted origin' + in: 
path + required: true + schema: + type: string + example: 7j2PkU1nyNIDe26ZNufR + examples: + TrustedOriginsResponse: + summary: Trusted origins response + value: + - id: tos10hu7rkbtrFt1M0g4 + name: New trusted origin + origin: http://example.com + status: ACTIVE + scopes: + - type: CORS + - type: REDIRECT + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginBody: + summary: Trusted origin request body + value: + name: New trusted origin + origin: http://example.com + scopes: + - type: CORS + - type: REDIRECT + TrustedOriginBodyWithIframeEmbedding: + summary: >- + Trusted origin request body with iFrame embedding (Okta End-User + Dashboard and Okta sign-in page) + description: > + Creates a new trusted origin for iFrame embedding of an Okta resource + within that origin. In this example, the type of Okta resource is both + the Okta End-User Dashboard and the Okta sign-in page. + value: + name: New trusted origin + origin: http://example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + TrustedOriginBodyWithIframeEmbeddingSignIn: + summary: Trusted origin request body with iFrame embedding (Okta sign-in page) + description: > + Creates a new trusted origin for iFrame embedding of an Okta resource + within that origin. In this example, the Okta resource is the Okta + sign-in page. 
+ value: + name: New trusted origin + origin: http://example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: [] + TrustedOriginResponse: + summary: Trusted origin response + value: + id: tos10hu7rkbtrFt1M0g4 + name: New trusted origin + origin: http://example.com + status: ACTIVE + scopes: + - type: CORS + - type: REDIRECT + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginResponseWithIframeEmbedding: + summary: >- + Trusted origin response with iFrame embedding (End-User Dashboard and + Okta sign-in page) + value: + id: tos10hu7rkbtrFt1M0g4 + name: New trusted origin + origin: http://example.com + status: ACTIVE + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginResponseWithIframeEmbeddingSignIn: + summary: Trusted origin response with iFrame embedding (Okta sign-in page) + value: + id: tos10hu7rkbtrFt1M0g4 + name: New trusted origin + origin: http://example.com + status: ACTIVE + scopes: + - type: IFRAME_EMBED + allowedOktaApps: [] + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + 
_links: + self: + href: >- + https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutBody: + summary: Trusted origin request body + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example trusted origin + origin: http://updated.example.com + scopes: + - type: CORS + - type: REDIRECT + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: >- + https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutBodyWithIframeEmbedding: + summary: Trusted origin request body with iFrame embedding + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated trusted origin example + origin: http://updated.example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: >- + https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutResponse: + summary: Trusted origin response body + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated Example trusted origin + origin: http://updated.example.com + scopes: + - type: CORS + - type: REDIRECT + status: ACTIVE + created: 
'2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: >- + https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginPutResponseWithIframeEmbedding: + summary: Trusted origin response body with iFrame embedding + value: + value: + id: tosue7JvguwJ7U6kz0g3 + name: Updated trusted origin example + origin: http://updated.example.com + scopes: + - type: IFRAME_EMBED + allowedOktaApps: + - OKTA_ENDUSER + status: ACTIVE + created: '2017-12-16T05:01:12.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastUpdated: '2017-12-16T05:01:12.000Z' + lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + self: + href: >- + https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate + hints: + allow: + - POST + TrustedOriginInactiveResponse: + summary: Trusted origin response + value: + id: tos10hu7rkbtrFt1M0g4 + name: New trusted origin + origin: http://example.com + status: INACTIVE + scopes: + - type: CORS + - type: REDIRECT + created: '2018-01-13T01:11:44.000Z' + createdBy: 00ut5t92p6IEOi4bu0g3 + lastedUpdated: '2018-01-13T01:11:44.000Z' + lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 + hints: + allow: + - GET + - PUT + - DELETE + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested 
action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + x-stackQL-resources: + trusted_origins: + id: okta.trustedorigins.trusted_origins + name: trusted_origins + title: Trusted Origins + methods: + list_trusted_origins: + operation: + $ref: '#/paths/~1api~1v1~1trustedOrigins/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_trusted_origin: + operation: + $ref: '#/paths/~1api~1v1~1trustedOrigins/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_trusted_origin: + operation: + $ref: '#/paths/~1api~1v1~1trustedOrigins~1{trustedOriginId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_trusted_origin: + operation: + $ref: '#/paths/~1api~1v1~1trustedOrigins~1{trustedOriginId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_trusted_origin: + operation: + $ref: '#/paths/~1api~1v1~1trustedOrigins~1{trustedOriginId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_trusted_origin: + operation: + $ref: >- + #/paths/~1api~1v1~1trustedOrigins~1{trustedOriginId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_trusted_origin: + operation: + $ref: >- + 
#/paths/~1api~1v1~1trustedOrigins~1{trustedOriginId}~1lifecycle~1deactivate/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/trusted_origins/methods/list_trusted_origins + - $ref: >- + #/components/x-stackQL-resources/trusted_origins/methods/get_trusted_origin + insert: + - $ref: >- + #/components/x-stackQL-resources/trusted_origins/methods/create_trusted_origin + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/trusted_origins/methods/delete_trusted_origin + replace: + - $ref: >- + #/components/x-stackQL-resources/trusted_origins/methods/replace_trusted_origin +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains.
diff --git a/providers/src/okta/v00.00.00000/services/users.yaml b/providers/src/okta/v00.00.00000/services/users.yaml
new file mode 100644
index 00000000..3750f1bd
--- /dev/null
+++ b/providers/src/okta/v00.00.00000/services/users.yaml
@@ -0,0 +1,13389 @@ +openapi: 3.0.3 +info: + title: users API + description: okta users API + version: 5.1.0 +paths: + /api/v1/users: + get: + summary: List all users + description: >- + Lists users in your org, with pagination in most cases. + + + A subset of users can be returned that match a supported filter + expression or search criteria. Different results are returned depending + on specified queries in the request. + + + > **Note:** This operation omits users that have a status of + `DEPROVISIONED` in the response. To return all users, use a filter or + search query instead. + operationId: listUsers + parameters: + - $ref: '#/components/parameters/OktaResponse' + - name: search + in: query + description: >- + Searches for users with a supported filtering expression for most + properties. Okta recommends using this parameter for optimal search + performance. + + + > **Note:** Using an overly complex or long search query can result + in an error. + + + This operation supports + [pagination](https://developer.okta.com/docs/api/#pagination). Use + an ID lookup for records that you update to ensure your results + contain the latest data. Returned users include those with the + `DEPROVISIONED` status. + + + Property names in the search parameter are case sensitive, whereas + operators (`eq`, `sw`, and so on) and string values are case + insensitive. Unlike with user logins, diacritical marks are + significant in search string values: a search for `isaac.brock` + finds `Isaac.Brock`, but doesn't find a property whose value is + `isáàc.bröck`. + + + This operation requires [URL + encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). + For example, `search=profile.department eq "Engineering"` is encoded + as `search=profile.department%20eq%20%22Engineering%22`. If you use + the special character `"` within a quoted string, it must also be + escaped `\` and encoded. 
For example, `search=profile.lastName eq + "bob"smith"` is encoded as + `search=profile.lastName%20eq%20%22bob%5C%22smith%22`. See [Special + Characters](https://developer.okta.com/docs/api/#special-characters). + + + This operation searches many properties: + * Any user profile attribute, including custom-defined attributes + * The top-level properties: `id`, `status`, `created`, `activated`, `statusChanged`, and `lastUpdated` + * The [user type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType/operation/updateUserType) accessed as `type.id` + + > **Note:** <x-lifecycle class="ea"></x-lifecycle> The ability to + search by user classification is available as an [Early + Access](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) + feature. The `classification.type` property cannot be used in + conjunction with other search terms. You can search using + `classification.type eq "LITE"` or `classification.type eq + "STANDARD"`. + + + You can also use `sortBy` and `sortOrder` parameters. The `ne` (not + equal) operator isn't supported, but you can obtain the same result + by using `lt ... or ... gt`. For example, to see all users except + those that have a status of `STAGED`, use `(status lt "STAGED" or + status gt "STAGED")`. + + + You can search properties that are arrays. If any element matches + the search term, the entire array (object) is returned. Okta follows + the [SCIM Protocol + Specification](https://tools.ietf.org/html/rfc7644#section-3.4.2.2) + for searching arrays. You can search multiple arrays, multiple + values in an array, as well as using the standard logical and + filtering operators. See + [Filter](https://developer.okta.com/docs/reference/core-okta-api/#filter). + + + Searches for users can be filtered by the following operators: `sw`, + `eq`, and `co`. 
You can only use `co` with these select user profile + attributes: `profile.firstName`, `profile.lastName`, + `profile.email`, and `profile.login`. See + [Operators](https://developer.okta.com/docs/api/#operators). + schema: + type: string + examples: + searchByStatus: + value: status%20eq%20%22STAGED%22 + summary: Search for a specific status + description: Search for users that have a status of STAGED + searchByLastUpdatedAfterDate: + value: lastUpdated%20gt%20%222014-01-01T00%3A00%3A00.000Z%22 + summary: Search after a specific time + description: >- + Search for users that were last updated after a specific + timestamp + searchById: + value: id%20eq%20%2200u1ero7vZFVEIYLWPBN%22 + summary: Search for a specific ID + description: Search for users with the specified ID (00gak46y5hydV6NdM0g4) + searchByProfileDepartmentCreatedAndStatus: + value: >- + profile.department%20eq%20%22Engineering%22%20and%20%28created%20lt%20%222014-01-01T00%3A00%3A00.000Z%22%20or%20status%20eq%20%22ACTIVE%22%29 + summary: Search with multiple criteria + description: >- + Search for users in the department of Engineering who were + created before 01/01/2014 or have a status of ACTIVE + searchArrayAttributes: + value: profile.arrayAttr%20eq%20%22arrayAttrVal1%22 + summary: Search for property arrays + description: >- + Searches for properties that are arrays. In this example, if a + user has a custom user profile attribute "arrayAttr" that + contains values ["arrayAttrVal1", "arrayAttrVal2"...], then this + user is returned. + searchArrayAttributesLiteUser: + value: classification.type eq "LITE" + summary: Search by classification + description: >- + Searches for users with the classification type LITE. Supported + values: STANDARD or LITE. + - name: filter + in: query + description: >- + Filters users with a supported expression for a subset of + properties. + + + > **Note:** Returned users include those with the `DEPROVISIONED` + status. 
+ + + This requires [URL + encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). + For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is + encoded as + `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. + Filtering is case-sensitive for property names and query values, + while operators are case-insensitive. + + + Filtering supports the following limited number of properties: + `status`, `lastUpdated`, `id`, `profile.login`, `profile.email`, + `profile.firstName`, and `profile.lastName`. + + + Additionally, filtering supports only the equal `eq` operator from + the standard Okta API filtering semantics, except in the case of the + `lastUpdated` property. This property can also use the inequality + operators (`gt`, `ge`, `lt`, and `le`). For logical operators, only + the logical operators `and` and `or` are supported. The `not` + operator isn't supported. See + [Filter](https://developer.okta.com/docs/api/#filter) and + [Operators](https://developer.okta.com/docs/api/#operators). 
+ schema: + type: string + examples: + filterByStatus: + value: status%20eq%20%22LOCKED_OUT%22 + summary: Filter by status + description: Filter users with a status of LOCKED_OUT + filterByLogin: + value: profile.login%20eq%20%22login%40example.com%22 + summary: Filter by login + description: Filter users with a specified login + filterByDateRange: + value: >- + lastUpdated%20gt%20%222013-06-01T00%3A00%3A00.000Z%22%20and%20lastUpdated%20lt%20%222014-01-01T00%3A00%3A00.000Z%22 + summary: Filter by date range + description: Filter users updated after 06/01/2013 but before 01/01/2014 + filterByTypeAndProfileLastUpdatedAfterDate: + value: >- + lastUpdated%20gt%20%222013-06-01T00%3A00%3A00.000Z%22%20and%20%28status%20eq%20%22LOCKED_OUT%22%20or%20status%20eq%20%22RECOVERY%22%29 + summary: Filter by multiple criteria + description: >- + Filter users updated after 06/01/2013 but with a status of + LOCKED_OUT or RECOVERY + - name: q + in: query + description: >- + Finds users who match the specified query. This doesn't support + pagination. + + + > **Note:** For optimal performance, use the `search` parameter + instead. + + + Use the `q` parameter for simple queries, such as a lookup of users + by name when creating a people picker. + + + The value of `q` is matched against `firstName`, `lastName`, or + `email`. This performs a `startsWith` match, but this is an + implementation detail and can change without notice. You don't need + to specify `firstName`, `lastName`, or `email`. + + + > **Note:** Using the `q` parameter in a request omits users that + have a status of `DEPROVISIONED`. To return all users, use a filter + or search query instead. + schema: + type: string + - $ref: '#/components/parameters/queryAfter' + - name: limit + in: query + description: >- + Specifies the number of results returned. Defaults to 10 if `q` is + provided. 
+ schema: + type: integer + format: int32 + default: 200 + - name: sortBy + in: query + description: >- + Specifies field to sort by (for search queries only). This can be + any single property, for example `sortBy=profile.lastName`. Users + with the same value for the `sortBy` property will be ordered by + `id`. + schema: + type: string + - name: sortOrder + in: query + description: >- + Specifies the sort order: `asc` or `desc` (for search queries only). + Sorting is done in ASCII sort order (that is, by ASCII character + value), but isn't case sensitive. `sortOrder` is ignored if `sortBy` + isn't present. + schema: + type: string + - name: expand + in: query + description: >- + <x-lifecycle-container><x-lifecycle + class="ea"></x-lifecycle></x-lifecycle-container>A parameter to + include metadata in the `_embedded` property. Supported value: + `classification`. + required: false + schema: + type: string + example: classification + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/User' + examples: + UserList: + $ref: '#/components/examples/ListRealmAwareUsersResponse' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a user + description: >- + Creates a new user in your Okta org with or without credentials.<br> + + > **Legal Disclaimer** + + > + + > After a user is added to the Okta directory, they receive an + activation email. As part of signing up for this service, + + > you agreed not to use Okta's service/product to spam and/or send + unsolicited messages. 
+ + > Please refrain from adding unrelated accounts to the directory as Okta + is not responsible for, and disclaims any and all + + > liability associated with, the activation email's content. You, and + you alone, bear responsibility for the emails sent to any recipients. + + + All responses return the created user. Activation of a user is an + asynchronous operation. The system performs group reconciliation during + activation and assigns the user to all apps via direct or indirect + relationships (group memberships). + + * The user's `transitioningToStatus` property is `ACTIVE` during + activation to indicate that the user hasn't completed the asynchronous + operation. + + * The user's `status` is `ACTIVE` when the activation process is + complete. + + + The user is emailed a one-time activation token if activated without a + password. + + + > **Note:** If the user is assigned to an app that is configured for + provisioning, the activation process triggers downstream provisioning to + the app. It is possible for a user to sign in before these apps have + been successfully provisioned for the user. + + + > **Important:** Do not generate or send a one-time activation token + when activating users with an assigned password. Users should sign in + with their assigned password. + + + For more information about the various scenarios of creating a user + listed in the examples, see the [User creation + scenarios](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#user-creation-scenarios) + section. 
+ operationId: createUser + parameters: + - name: activate + in: query + description: >- + Executes an [activation + lifecycle](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) + operation when creating the user + schema: + type: boolean + default: true + - name: provider + in: query + description: >- + Indicates whether to create a user with a specified authentication + provider + schema: + type: boolean + default: false + - name: nextLogin + in: query + description: >- + With `activate=true`, if `nextLogin=changePassword`, a user is + created, activated, and the password is set to `EXPIRED`. The user + must change it the next time they sign in. + schema: + $ref: '#/components/schemas/UserNextLogin' + x-okta-added-version: 0.14.0 + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateUserRequest' + examples: + Create user without credentials: + $ref: '#/components/examples/create-user-without-credentials-request' + Create user with recovery question: + $ref: >- + #/components/examples/create-user-with-recovery-question-request + Create user with password: + $ref: '#/components/examples/create-user-with-password-request' + Create user with imported hashed password: + $ref: >- + #/components/examples/create-user-with-imported-hashed-password-request + Create user with password import inline hook: + $ref: >- + #/components/examples/create-user-with-password-import-inline-hook-request + Create user with password and recovery question: + $ref: >- + #/components/examples/create-user-with-password-and-recovery-question-request + Create user with authentication provider: + $ref: >- + #/components/examples/create-user-with-authentication-provider-request + Create user in group: + $ref: '#/components/examples/create-user-in-group-request' + Create user with non-default user type: + 
$ref: >- + #/components/examples/create-user-with-non-default-user-type-request + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + Create user without credentials: + $ref: >- + #/components/examples/create-user-without-credentials-response + Create user with recovery question: + $ref: >- + #/components/examples/create-user-with-recovery-question-response + Create user with password: + $ref: '#/components/examples/create-user-with-password-response' + Create user with imported hashed password: + $ref: >- + #/components/examples/create-user-with-imported-hashed-password-response + Create user with password import inline hook: + $ref: >- + #/components/examples/create-user-with-password-import-inline-hook-response + Create user with password and recovery question: + $ref: >- + #/components/examples/create-user-with-password-and-recovery-question-response + Create user with authentication provider: + $ref: >- + #/components/examples/create-user-with-authentication-provider-response + Create user in group: + $ref: '#/components/examples/create-user-in-group-response' + Create user with non-default user type: + $ref: >- + #/components/examples/create-user-with-non-default-user-type-response + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Create user with too many groups specified: + $ref: >- + #/components/examples/ErrorCreateUserWithTooManyManyGroupsResponse + Create user with expired password and activate set to `false`: + $ref: >- + #/components/examples/ErrorCreateUserWithExpiredPasswordWithoutActivation + Create user with expired password and `null` password: + $ref: >- + #/components/examples/ErrorCreateUserWithExpiredPasswordWithNullPassword + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: 
'#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/me/lifecycle/delete_sessions: + post: + summary: End a current user session + description: >- + Ends Okta sessions for the currently signed in user. By default, the + current session remains active. Use this method in a browser-based app. + + > **Note:** This operation requires a session cookie for the user. The + API token isn't allowed for this operation. + operationId: endUserSessions + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/KeepCurrent' + responses: + '200': + description: OK + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: [] + tags: + - UserSessions + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + /api/v1/users/{id}: + get: + summary: Retrieve a user + description: >- + Retrieves a user from your Okta org. + + + You can substitute `me` for the `id` to fetch the current user linked to + an API token or session cookie. + * The request returns the user linked to the API token that is specified in the Authorization header, not the user linked to the active session. Details of the admin user who granted the API token is returned. + * When the end user has an active Okta session, it is typically a CORS request from the browser. Therefore, it's possible to retrieve the current user without the Authorization header. + + When fetching a user by `login` or `login shortname`, [URL + encode](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) + the request parameter to ensure that special characters are escaped + properly. 
Logins with a `/` character can only be fetched by `id` due to + URL issues with escaping the `/` character. If you don't know a user's + ID, you can use the [List all + users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) + endpoint to find it. + + + > **Note:** Some browsers block third-party cookies by default, which + disrupts Okta functionality in certain flows. See [Mitigate the impact + of third-party cookie + deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies). + operationId: getUser + parameters: + - $ref: '#/components/parameters/OktaResponse' + - $ref: '#/components/parameters/queryUserExpand' + responses: + '200': + description: Success + headers: + Etag: + description: >- + An HTTP entity tag (`ETag`) is an identifier for a specific + version of a resource. See [Conditional Requests and Entity + Tags]https://developer.okta.com/docs/api#conditional-requests-and-entity-tags. + schema: + type: string + example: W/"1234567890abcdef" + content: + application/json: + schema: + $ref: '#/components/schemas/UserGetSingleton' + examples: + GetUserExample: + $ref: '#/components/examples/user-example' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Update a user + description: >- + Updates a user's profile or credentials with partial update semantics. + + + > **Important:** Use the `POST` method for partial updates. Unspecified + properties are set to null with `PUT`. 
+ + + `profile` and `credentials` can be updated independently or together + with a single request. + + > **Note**: Currently, the user type of a user can only be changed via a + full replacement PUT operation. If the request parameters of a partial + update include the type element from the user object, + + the value must match the existing type of the user. Only admins are + permitted to change the user type of a user; end users are not allowed + to change their own user type. + + + > **Note**: To update a current user's profile with partial semantics, + the `/api/v1/users/me` endpoint can be invoked. + + > + + > A user can only update profile properties for which the user has write + access. Within the profile, if the user tries to update the primary or + the secondary email IDs, verification emails are sent to those email + IDs, and the fields are updated only upon verification. + + + If you are using this endpoint to set a password, it sets a password + without validating existing user credentials. This is an administrative + operation. For operations that validate credentials, refer to the [Reset + password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword), + [Start forgot password + flow](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword), + and [Update + password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) + endpoints. + operationId: updateUser + parameters: + - name: strict + in: query + schema: + type: boolean + description: If true, validates against minimum age and history password policy + - name: If-Match + in: header + required: false + description: >- + The ETag value of the user's expected current state. 
This becomes a + conditional request used for concurrency control. See [Conditional + Requests and Entity Tags]https://developer.okta.com/docs/api#conditional-requests-and-entity-tags. + schema: + type: string + example: W/"1234567890abcdef" + x-codegen-request-body-name: user + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateUserRequest' + examples: + Update user Profile: + $ref: '#/components/examples/update-user-profile-request' + Update user password: + $ref: '#/components/examples/update-user-set-password-request' + Set recovery question and answer: + $ref: >- + #/components/examples/update-user-set-recovery-question-and-answer + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + Update user Response: + $ref: '#/components/examples/user-example' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a user + description: >- + Replaces a user's profile, credentials, or both using strict-update + semantics. + + + All profile properties must be specified when updating a user's profile + with a `PUT` method. Any property not specified in the request is + deleted. + + > **Important:** Don't use a `PUT` method for partial updates. 
+ operationId: replaceUser + parameters: + - name: strict + in: query + description: If `true`, validates against minimum age and history password policy + schema: + type: boolean + x-okta-added-version: 1.10.0 + - name: If-Match + in: header + required: false + description: >- + The ETag value of the user's expected current state. This becomes a + conditional request used for concurrency control. See [Conditional + Requests and Entity Tags]https://developer.okta.com/docs/api#conditional-requests-and-entity-tags. + schema: + type: string + example: W/"1234567890abcdef" + x-codegen-request-body-name: user + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateUserRequest' + examples: + Replace user Request: + $ref: '#/components/examples/replace-user-request' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + Replace user Response: + $ref: '#/components/examples/user-example' + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a user + description: >- + Deletes a user permanently. This operation can only be performed on + users that have a `DEPROVISIONED` status. + + + > **Warning:** This action can't be recovered! + + + This operation on a user that hasn't been deactivated causes that user + to be deactivated. A second delete operation is required to delete the + user. 
+ + + > **Note:** You can also perform user deletion asynchronously. To invoke + asynchronous user deletion, pass an HTTP header `Prefer: respond-async` + with the request. + + + This header is also supported by user deactivation, which is performed + if the delete endpoint is invoked on a user that hasn't been + deactivated. + operationId: deleteUser + parameters: + - name: sendEmail + in: query + description: Sends a deactivation email to the admin if `true` + schema: + type: boolean + default: false + x-okta-added-version: 1.5.0 + - name: Prefer + in: header + required: false + schema: + type: string + enum: + - respond-async + responses: + '204': + description: No Content + content: {} + '400': + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '404': + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/appLinks: + get: + summary: List all assigned app links + description: >- + Lists all app links for all direct or indirect (through group + membership) assigned apps. + + + > **Note:** To list all apps in an org, use the [List all applications + endpoint in the Applications + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications). 
+ operationId: listAppLinks + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/AssignedAppLink' + examples: + List App Links: + $ref: '#/components/examples/ListAppLinks' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserResources + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/blocks: + get: + summary: List all user blocks + description: >- + Lists information about how the user is blocked from accessing their + account + operationId: listUserBlocks + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserBlock' + examples: + BlocksUnknownDevices: + $ref: '#/components/examples/ListUserBlocksUnknownDevicesResponse' + BlocksAnyDevices: + $ref: '#/components/examples/ListUserBlocksAnyDevicesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - User + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/groups: + get: + summary: List all groups + description: >- + Lists all groups of which the user is a member. + + > **Note:** To list all groups in your org, use the [List all groups + endpoints in the Groups + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups). 
+ operationId: listUserGroups + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Group' + examples: + List user groups: + $ref: '#/components/examples/ListUserGroups' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserResources + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/idps: + get: + summary: List all IdPs for user + description: Lists the identity providers (IdPs) associated with the user + operationId: listUserIdentityProviders + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/IdentityProvider' + examples: + MultipleIdPsResponse: + $ref: '#/components/examples/MultipleIdPsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - IdentityProviderUsers + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/lifecycle/activate: + post: + summary: Activate a user + description: >- + Activates a user. + + + Perform this operation only on users with a `STAGED` or `DEPROVISIONED` + status. Activation of a user is an asynchronous operation. + + * The user has the `transitioningToStatus` property with an `ACTIVE` + value during activation. This indicates that the user hasn't completed + the asynchronous operation. 
+ + * The user has an `ACTIVE` status when the activation process completes. + + + Users who don't have a password must complete the welcome flow by + visiting the activation link to complete the transition to `ACTIVE` + status. + + + > **Note:** If you want to send a branded user activation email, change + the subdomain of your request to the custom domain that's associated + with the brand. + + > For example, change `subdomain.okta.com` to `custom.domain.one`. See + [Multibrand and custom + domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains). + + + > **Note:** If you have optional password enabled, visiting the + activation link is optional for users who aren't required to enroll a + password. + + > See [Create user with optional + password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-optional-password). + + + > **Legal disclaimer** + + > After a user is added to the Okta directory, they receive an + activation email. As part of signing up for this service, + + > you agreed not to use Okta's service/product to spam and/or send + unsolicited messages. + + > Please refrain from adding unrelated accounts to the directory as Okta + is not responsible for, and disclaims any and all + + > liability associated with, the activation email's content. You, and + you alone, bear responsibility for the emails sent to any recipients. 
+ operationId: activateUser + parameters: + - name: sendEmail + in: query + description: Sends an activation email to the user if `true` + required: false + schema: + type: boolean + default: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserActivationToken' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/lifecycle/deactivate: + post: + summary: Deactivate a user + description: >- + Deactivates a user. + + + Perform this operation only on users that do not have a `DEPROVISIONED` + status. + + * The user's `transitioningToStatus` property is `DEPROVISIONED` during + deactivation to indicate that the user hasn't completed the asynchronous + operation. + + * The user's status is `DEPROVISIONED` when the deactivation process is + complete. + + + > **Important:** Deactivating a user is a **destructive** operation. The + user is deprovisioned from all assigned apps, which might destroy their + data such as email or files. + + **This action cannot be recovered!** + + + You can also perform user deactivation asynchronously. To invoke + asynchronous user deactivation, pass an HTTP header `Prefer: + respond-async` with the request. 
+ operationId: deactivateUser + parameters: + - name: sendEmail + in: query + description: Sends a deactivation email to the admin if `true` + schema: + type: boolean + default: false + x-okta-added-version: 1.5.0 + - name: Prefer + in: header + required: false + schema: + type: string + enum: + - respond-async + description: Request asynchronous processing + responses: + '200': + description: OK + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/lifecycle/expire_password: + post: + summary: Expire the password + description: >- + Expires the password. This operation transitions the user status to + `PASSWORD_EXPIRED` so that the user must change their password the next + time that they sign in. + + <br> + + If you have integrated Okta with your on-premises Active Directory (AD), + then setting a user's password as expired in Okta also expires the + password in AD. + + When the user tries to sign in to Okta, delegated authentication finds + the password-expired status in AD, + + and the user is presented with the password-expired page where they can + change their password. + + + > **Note:** The Okta account management policy doesn't support the + `/users/{id}/lifecycle/expire_password` endpoint. See [Configure an Okta + account management + policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). 
+ operationId: expirePassword + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + Expire password response: + $ref: '#/components/examples/ExpirePwdResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/lifecycle/expire_password_with_temp_password: + post: + summary: Expire the password with a temporary password + description: >- + Expires the password and resets the user's password to a temporary + password. This operation transitions the user status to + `PASSWORD_EXPIRED` so that the user must change their password the next + time that they sign in. + + The user's password is reset to a temporary password that's returned, + and then the user's password is expired. + + If `revokeSessions` is included in the request with a value of `true`, + the user's current outstanding sessions are revoked and require + re-authentication. + + <br> + + If you have integrated Okta with your on-premises Active Directory (AD), + then setting a user's password as expired in Okta also expires the + password in AD. + + When the user tries to sign in to Okta, delegated authentication finds + the password-expired status in AD, + + and the user is presented with the password-expired page where they can + change their password. 
+ operationId: expirePasswordWithTempPassword + parameters: + - name: revokeSessions + in: query + description: Revokes the user's existing sessions if `true` + required: false + schema: + type: boolean + default: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + Expire password with temp password response: + $ref: '#/components/examples/ExpirePwdWithTempPwdResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/lifecycle/reactivate: + post: + summary: Reactivate a user + description: >- + Reactivates a user. + + + Perform this operation only on users with a `PROVISIONED` or `RECOVERY` + [status](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=status&t=response). + + This operation restarts the activation workflow if for some reason the + user activation wasn't completed when using the `activationToken` from + [Activate + User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser). + + + Users that don't have a password must complete the flow by completing + the [Reset + password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) + flow and MFA enrollment steps to transition the user to `ACTIVE` status. + + + If `sendEmail` is `false`, returns an activation link for the user to + set up their account. 
The activation token can be used to create a + custom activation link. + operationId: reactivateUser + parameters: + - name: sendEmail + in: query + description: Sends an activation email to the user if `true` + schema: + type: boolean + default: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserActivationToken' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/lifecycle/reset_factors: + post: + summary: Reset the factors + description: >- + Resets all factors for the specified user. All MFA factor enrollments + return to the unenrolled state. The user's status remains `ACTIVE`. This + link is present only if the user is currently enrolled in one or more + MFA factors. + operationId: resetFactors + responses: + '200': + description: OK + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/lifecycle/reset_password: + post: + summary: Reset a password + description: >- + Resets a password. Generates a one-time token (OTT) that you can use to + reset a user's password. You can automatically email the OTT link to the + user or return the OTT to the API caller and distribute using a custom + flow. 
+ + + This operation transitions the user to the `RECOVERY` status. The user + is then not able to sign in or initiate a forgot password flow until + they complete the reset flow. + + + This operation provides an option to delete all the user's sessions. + However, if the request is made in the context of a session owned by the + specified user, that session isn't cleared. + + > **Note:** You can also use this API to convert a user with the Okta + credential provider to use a federated provider. After this conversion, + the user can't directly sign in with a password. + + > To convert a federated user back to an Okta user, use the default API + call. + + + If an email address is associated with multiple users, keep in mind the + following to ensure a successful password recovery lookup: + * Okta no longer includes deactivated users in the lookup. + * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses. + If `sendEmail` is `false`, returns a link for the user to reset their password. 
+ operationId: resetPassword + parameters: + - name: sendEmail + in: query + required: true + schema: + type: boolean + - name: revokeSessions + description: >- + Revokes all user sessions, except for the current session, if set to + `true` + in: query + required: false + schema: + type: boolean + default: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResetPasswordToken' + examples: + Reset password without sending email response: + $ref: '#/components/examples/ResetPwdWithoutSendingEmailResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/lifecycle/suspend: + post: + summary: Suspend a user + description: >- + Suspends a user. Perform this operation only on users with an `ACTIVE` + status. The user has a `SUSPENDED` status when the process completes. + + + Suspended users can't sign in to Okta. They can only be unsuspended or + deactivated. Their group and app assignments are retained. 
+ operationId: suspendUser + responses: + '200': + description: OK + content: {} + '400': + $ref: '#/components/responses/ErrorMissingRequiredParameter400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/lifecycle/unlock: + post: + summary: Unlock a user + description: >- + Unlocks a user with a `LOCKED_OUT` status or unlocks a user with an + `ACTIVE` status that's blocked from unknown devices. Unlocked users have + an `ACTIVE` status and can sign in with their current password. + + > **Note:** This operation works with Okta-sourced users. It doesn't + support directory-sourced accounts such as Active Directory. + operationId: unlockUser + responses: + '200': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{id}/lifecycle/unsuspend: + post: + summary: Unsuspend a user + description: >- + Unsuspends a user and returns them to the `ACTIVE` state. This operation + can only be performed on users that have a `SUSPENDED` status. 
+ operationId: unsuspendUser + responses: + '200': + description: Success + content: {} + '400': + $ref: '#/components/responses/ErrorMissingRequiredParameter400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLifecycle + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathId' + /api/v1/users/{userIdOrLogin}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: + put: + summary: Assign a linked object value for primary + description: >- + Assigns the first user as the `associated` and the second user as the + `primary` for the specified relationship. + + + If the first user is already associated with a different `primary` for + this relationship, the previous link is removed. A linked object + relationship can specify only one primary user for an associated user. 
+ operationId: assignLinkedObjectValueForPrimary + responses: + '204': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - oauth2: + - okta.users.manage + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserIdOrLogin' + - $ref: '#/components/parameters/pathPrimaryRelationshipName' + - $ref: '#/components/parameters/pathPrimaryUserId' + /api/v1/users/{userIdOrLogin}/linkedObjects/{relationshipName}: + get: + summary: List the primary or all of the associated linked object values + description: >- + Lists either the `self` link for the primary user or all associated + users in the relationship specified by `relationshipName`. If the + specified user isn't associated in any relationship, an empty array is + returned. + + + Use `me` instead of `id` to specify the current session user. 
+ operationId: listLinkedObjectsForUser + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/ResponseLinks' + examples: + GetPrimaryLinkedObjectResponse: + $ref: '#/components/examples/GetPrimaryLinkedObjectResponse' + GetAssociatedLinkedObjectResponse: + $ref: '#/components/examples/GetAssociatedLinkedObjectsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a linked object value + description: >- + Deletes any existing relationship between the `associated` and `primary` + user. For the `associated` user, this is specified by the ID. The + `primary` name specifies the relationship. + + + The operation is successful if the relationship is deleted. The + operation is also successful if the specified user isn't in the + `associated` relationship for any instance of the specified `primary` + and thus, no relationship is found. 
+ operationId: deleteLinkedObjectForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserLinkedObject + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserIdOrLogin' + - $ref: '#/components/parameters/pathRelationshipName' + /api/v1/users/{userId}/authenticator-enrollments: + get: + summary: List all authenticator enrollments + description: Lists all authenticator enrollments of the specified user + operationId: listAuthenticatorEnrollments + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorEnrollment' + examples: + AuthenticatorEnrollmentsListAllEx: + $ref: '#/components/examples/AuthenticatorEnrollmentResponseListAll' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserAuthenticatorEnrollments + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/authenticator-enrollments/phone: + post: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + summary: Create an auto-activated Phone authenticator enrollment + description: Creates a Phone authenticator enrollment that's automatically activated + operationId: createAuthenticatorEnrollment + parameters: + - $ref: '#/components/parameters/pathUserId' + 
x-codegen-request-body-name: authenticator + requestBody: + $ref: '#/components/requestBodies/PhoneAuthenticatorEnrollmentRequestBody' + responses: + '200': + $ref: '#/components/responses/PhoneAuthenticatorCreateEnrollmentResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserAuthenticatorEnrollments + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/authenticator-enrollments/tac: + post: + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + x-okta-iam-permissions: + - okta.users.credentials.manageTemporaryAccessCode + summary: Create an auto-activated TAC authenticator enrollment + description: >- + Creates an auto-activated Temporary access code (TAC) authenticator + enrollment + operationId: createTacAuthenticatorEnrollment + parameters: + - $ref: '#/components/parameters/pathUserId' + x-codegen-request-body-name: authenticator + requestBody: + $ref: '#/components/requestBodies/TacAuthenticatorEnrollmentRequestBody' + responses: + '200': + $ref: '#/components/responses/TacAuthenticatorCreateEnrollmentResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserAuthenticatorEnrollments + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/authenticator-enrollments/{enrollmentId}: + get: + summary: Retrieve an authenticator enrollment + description: Retrieves a user's authenticator enrollment by `enrollmentId` + operationId: getAuthenticatorEnrollment + responses: + '200': + $ref: 
'#/components/responses/AuthenticatorEnrollmentResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserAuthenticatorEnrollments + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + delete: + summary: Delete an authenticator enrollment + description: >- + Deletes an existing enrollment for the specified user. The user can + enroll the authenticator again. + operationId: deleteAuthenticatorEnrollment + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserAuthenticatorEnrollments + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathEnrollmentId' + /api/v1/users/{userId}/classification: + get: + summary: Retrieve a user's classification + description: Retrieves a user's classification + operationId: getUserClassification + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserClassification' + examples: + Get classification of user: + $ref: '#/components/examples/Get-User-Classification-Example' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserClassification + x-okta-lifecycle: + 
isCorsEnabled: true + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + put: + summary: Replace the user's classification + description: Replaces the user's classification + operationId: replaceUserClassification + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ReplaceUserClassification' + examples: + Set user to LITE: + $ref: '#/components/examples/Set-User-Classification-Example' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserClassification' + examples: + Get classification of user: + $ref: '#/components/examples/Get-User-Classification-Example' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserClassification + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: EA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/clients: + get: + summary: List all clients + description: >- + Lists all client resources for which the specified user has grants or + tokens. + + + > **Note:** To list all client resources for which a specified + authorization server has tokens, use the [List all client resources for + an authorization server in the Authorization Servers + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServerClients/#tag/AuthorizationServerClients/operation/listOAuth2ClientsForAuthorizationServer). 
+ operationId: listUserClients + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2Client' + examples: + List user clients: + $ref: '#/components/examples/ListUserClients' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserResources + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/clients/{clientId}/grants: + get: + summary: List all grants for a client + description: Lists all grants for a specified user and client + operationId: listGrantsForUserAndClient + parameters: + - name: expand + in: query + description: >- + Valid value: `scope`. If specified, scope details are included in + the `_embedded` attribute. + schema: + type: string + - name: after + in: query + description: >- + The cursor to use for pagination. It is an opaque string that + specifies your current location in the list and is obtained from the + `Link` response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). 
+ schema: + type: string + - name: limit + in: query + description: Specifies the number of tokens to return + schema: + type: integer + format: int32 + minimum: 1 + maximum: 200 + default: 20 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke all grants for a client + description: Revokes all grants for the specified user and client + operationId: revokeGrantsForUserAndClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathClientId' + /api/v1/users/{userId}/clients/{clientId}/tokens: + get: + summary: List all refresh tokens for a client + description: Lists all refresh tokens issued for the specified user and client + operationId: listRefreshTokensForUserAndClient + parameters: + - name: expand + in: query + description: >- + Valid value: `scope`. If specified, scope details are included in + the `_embedded` attribute. + schema: + type: string + example: scope + - name: after + in: query + description: >- + The cursor to use for pagination. 
It is an opaque string that + specifies your current location in the list and is obtained from the + `Link` response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + schema: + type: string + - name: limit + in: query + description: Specifies the number of tokens to return + schema: + type: integer + format: int32 + minimum: 1 + maximum: 200 + default: 20 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2RefreshToken' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke all refresh tokens for a client + description: Revokes all refresh tokens issued for the specified user and client + operationId: revokeTokensForUserAndClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathClientId' + /api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}: + get: + summary: Retrieve a refresh token for a client + description: Retrieves a refresh token issued for the specified user and client + operationId: getRefreshTokenForUserAndClient + parameters: + - name: expand + in: query + description: >- + Valid value: `scope`. 
If specified, scope details are included in + the `_embedded` attribute. + schema: + type: string + example: scope + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2RefreshToken' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke a token for a client + description: Revokes the specified refresh and access tokens + operationId: revokeTokenForUserAndClient + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserOAuth + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathClientId' + - $ref: '#/components/parameters/pathTokenId' + /api/v1/users/{userId}/credentials/change_password: + post: + summary: Update password + description: >- + Updates a user's password by validating the user's current password. + + + This operation provides an option to delete all the sessions of the + specified user. However, if the request is made in the context of a + session owned by the specified user, that session isn't cleared. 
+ + + You can only perform this operation on users in `STAGED`, `ACTIVE`, + `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid [password + credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). + + + The user transitions to `ACTIVE` status when successfully invoked in + `RECOVERY` status. + + + > **Note:** The Okta account management policy doesn't support the + `/users/{userId}/credentials/change_password` endpoint. See [Configure + an Okta account management + policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). + operationId: changePassword + parameters: + - name: strict + in: query + description: If true, validates against the password minimum age policy + schema: + type: boolean + default: false + x-okta-added-version: 1.10.0 + x-codegen-request-body-name: changePasswordRequest + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ChangePasswordRequest' + examples: + Change password request: + $ref: '#/components/examples/ChangePwdRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserCredentials' + examples: + Change password response: + $ref: '#/components/examples/ChangePwdResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/credentials/change_recovery_question: + post: + summary: Update 
recovery question + description: >- + Updates a user's recovery question and answer credential by validating + the user's current password. + + You can only perform this operation on users in `STAGED`, `ACTIVE`, or + `RECOVERY` status that have a valid [password + credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). + operationId: changeRecoveryQuestion + x-codegen-request-body-name: userCredentials + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserCredentials' + examples: + Update recovery question request: + $ref: '#/components/examples/UpdateRecQuestionRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserCredentials' + examples: + Update recovery question response: + $ref: '#/components/examples/UpdateRecQuestionResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/credentials/forgot_password: + post: + summary: Start forgot password flow + description: >- + Starts the forgot password flow. + + + Generates a one-time token (OTT) that you can use to reset a user's + password. + + + The user must validate their security question's answer when visiting + the reset link. 
Perform this operation only on users with an `ACTIVE` + status and + + a valid [recovery question + credential](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/recovery_question&t=request). + + + > **Note:** If you have migrated to Identity Engine, you can allow users + to recover passwords with any enrolled MFA authenticator. See + [Self-service account + recovery](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-sspr.htm?cshid=ext-config-sspr). + + + If an email address is associated with multiple users, keep in mind the + following to ensure a successful password recovery lookup: + * Okta no longer includes deactivated users in the lookup. + * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses. + + If `sendEmail` is `false`, returns a link for the user to reset their + password. This operation doesn't affect the status of the user. 
+ operationId: forgotPassword + parameters: + - name: sendEmail + in: query + description: Sends a forgot password email to the user if `true` + required: false + schema: + type: boolean + default: true + responses: + '200': + description: Reset URL + content: + application/json: + schema: + $ref: '#/components/schemas/ForgotPasswordResponse' + examples: + Forgot password response: + $ref: '#/components/examples/ForgotPwdResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/credentials/forgot_password_recovery_question: + post: + summary: Reset password with recovery question + description: >- + Resets the user's password to the specified password if the provided + answer to the recovery question is correct. + + You must include the recovery question answer with the submission. 
+ operationId: forgotPasswordSetNewPassword + parameters: + - name: sendEmail + in: query + required: false + schema: + type: boolean + default: true + x-codegen-request-body-name: userCredentials + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserCredentials' + examples: + Forgot password recovery question request: + $ref: '#/components/examples/ForgotPwdRecoveryQuestionRequest' + required: true + responses: + '200': + description: Credentials + content: + application/json: + schema: + $ref: '#/components/schemas/UserCredentials' + examples: + Forgot password recovery question response: + $ref: '#/components/examples/ForgotPwdRecoveryQuestionResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserCred + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/devices: + get: + summary: List all devices + description: >- + Lists all devices enrolled by a user. + + + > **Note:** To list all devices registered to an org, use the [List all + devices endpoint in the Devices + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Device/#tag/Device/operation/listDevices). 
+ operationId: listUserDevices + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserDevice' + examples: + APIUsersListDevicesResponseExample: + summary: List all devices for a specific user + $ref: '#/components/examples/APIUserListDevicesResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserResources + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/factors: + get: + summary: List all enrolled factors + description: >- + Lists all enrolled factors for the specified user that are included in + the highest priority [authenticator enrollment + policy](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) + that applies to the user. + + + Only enrolled factors that are `REQUIRED` or `OPTIONAL` in the highest + priority authenticator enrollment policy can be returned. + + + > **Note:** When admins use this endpoint for other users, the + authenticator enrollment policy that's evaluated can vary depending on + how client-specific conditions are configured in the rules of an + authenticator enrollment policy. The client-specific conditions of the + admin's client are used during policy evaluation instead of the + client-specific conditions of the user. This can affect which + authenticator enrollment policy is evaluated and which factors are + returned. + + > + + > For example, an admin in Europe lists all enrolled factors for a user + in North America. 
The network zone of the admin's client (in Europe) is + used during policy evaluation instead of the network zone of the user + (in North America). + operationId: listFactors + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserFactor' + examples: + ListFactorsResponse: + $ref: '#/components/examples/ListFactorsResults' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Enroll a factor + description: >- + Enrolls a supported factor for the specified user + + + > **Notes:** + + > * All responses return the enrolled factor with a status of either + `PENDING_ACTIVATION` or `ACTIVE`. + + > * You can't use the Factors API to enroll Okta Fastpass + (`signed_nonce`) for a user. See [Configure Okta + Fastpass](https://help.okta.com/okta_help.htm?type=oie&id=ext-fp-configure). + + + #### Additional SMS/Call factor information + + + * **Rate limits**: Okta may return a `429 Too Many Requests` status code + if you attempt to resend an SMS or a voice call challenge (OTP) within + the same time window. The current [rate + limit](https://developer.okta.com/docs/reference/rate-limits/) is one + SMS/CALL challenge per phone number every 30 seconds. + + + * **Existing phone numbers**: Okta may return a `400 Bad Request` status + code if a user attempts to enroll with a different phone number when the + user has an existing mobile phone or has an existing phone with voice + call capability. A user can enroll only one mobile phone for `sms` and + enroll only one voice call capable phone for `call` factor. 
+ + + #### Additional WebAuthn factor information + + + * For detailed information on the WebAuthn standard, including an + up-to-date list of supported browsers, see + [webauthn.me](https://a0.to/webauthnme-okta-docs). + + + * When you enroll a WebAuthn factor, the `activation` object in + `_embedded` contains properties used to help the client to create a new + WebAuthn credential for use with Okta. See the [WebAuthn spec for + PublicKeyCredentialCreationOptions](https://www.w3.org/TR/webauthn/#dictionary-makecredentialoptions). + + + #### Additional Custom TOTP factor information + + + * The enrollment process involves passing both the `factorProfileId` and + `sharedSecret` properties for a token. + + + * A factor profile represents a particular configuration of the Custom + TOTP factor. It includes certain properties that match the hardware + token that end users possess, such as the HMAC algorithm, passcode + length, and time interval. There can be multiple Custom TOTP factor + profiles per org, but users can only enroll in one Custom TOTP factor. + Admins can [create Custom TOTP factor + profiles](https://help.okta.com/okta_help.htm?id=ext-mfa-totp) in the + Admin Console. Then, copy the `factorProfileId` from the Admin Console + into the API request. + + + * <x-lifecycle class="oie"></x-lifecycle> + + For Custom TOTP enrollment, Okta automaticaly enrolls a user with a + `token:software:totp` factor and the `push` factor if the user isn't + currently enrolled with these factors. + operationId: enrollFactor + parameters: + - name: updatePhone + description: >- + If `true`, indicates that you are replacing the currently registered + phone number for the specified user. This parameter is ignored if + the existing phone number is used by an activated factor. + in: query + schema: + type: boolean + default: false + - name: templateId + in: query + description: >- + ID of an existing custom SMS template. 
See the [SMS Templates + API]https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/. This parameter is only used by `sms` factors. If + the provided ID doesn't exist, the default template is used instead. + schema: + type: string + example: cstk2flOtuCMDJK4b0g3 + - name: tokenLifetimeSeconds + description: Defines how long the token remains valid + in: query + schema: + type: integer + format: int32 + minimum: 1 + maximum: 86400 + default: 300 + x-okta-added-version: 1.3.0 + - name: activate + description: >- + If `true`, the factor is immediately activated as part of the + enrollment. An activation process isn't required. Currently + auto-activation is supported by `sms`, `call`, `email` and + `token:hotp` (Custom TOTP) factors. + in: query + schema: + type: boolean + default: false + x-okta-added-version: 1.3.0 + - name: Accept-Language + description: >- + An ISO 639-1 two-letter language code that defines a localized + message to send. This parameter is only used by `sms` factors. If a + localized message doesn't exist or the `templateId` is incorrect, + the default template is used instead. 
+ in: header + schema: + type: string + example: fr + x-codegen-request-body-name: body + requestBody: + description: Factor + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactor' + examples: + question: + $ref: '#/components/examples/EnrollFactorQuestionRequest' + sms: + $ref: '#/components/examples/EnrollFactorSmsRequest' + call: + $ref: '#/components/examples/EnrollFactorCallRequest' + token:software:totp: + $ref: '#/components/examples/EnrollFactorOVTotpRequest' + push: + $ref: '#/components/examples/EnrollFactorOVPushRequest' + google: + $ref: '#/components/examples/EnrollFactorGoogleRequest' + rsa_securId: + $ref: '#/components/examples/EnrollFactorRsaSecurIdRequest' + symantec_vip: + $ref: '#/components/examples/EnrollFactorSymantecVipRequest' + yubikey: + $ref: '#/components/examples/EnrollFactorYubikeyRequest' + email: + $ref: '#/components/examples/EnrollFactorEmailRequest' + u2f: + $ref: '#/components/examples/EnrollFactorU2fRequest' + webAuthn: + $ref: '#/components/examples/EnrollFactorWebauthnRequest' + customTotp: + $ref: '#/components/examples/EnrollFactorCustomTotpRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactor' + examples: + question: + $ref: '#/components/examples/EnrollFactorQuestionResponse' + sms: + $ref: '#/components/examples/EnrollFactorSmsResponse' + call: + $ref: '#/components/examples/EnrollFactorCallResponse' + token:software:totp: + $ref: '#/components/examples/EnrollFactorOVTotpResponse' + push: + $ref: '#/components/examples/EnrollFactorOVPushResponse' + google: + $ref: '#/components/examples/EnrollFactorGoogleResponse' + rsa_securId: + $ref: '#/components/examples/EnrollFactorRsaSecurIdResponse' + symantec_vip: + $ref: '#/components/examples/EnrollFactorSymantecVipResponse' + yubikey: + $ref: '#/components/examples/EnrollFactorYubikeyResponse' + email: + $ref: 
'#/components/examples/EnrollFactorEmailResponse' + u2f: + $ref: '#/components/examples/EnrollFactorU2fResponse' + webAuthn: + $ref: '#/components/examples/EnrollFactorWebauthnResponse' + customTotp: + $ref: '#/components/examples/EnrollFactorCustomTotpResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/factors/catalog: + get: + summary: List all supported factors + description: >- + Lists all the supported factors that can be enrolled for the specified + user that are included in the highest priority [authenticator enrollment + policy](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) + that applies to the user. + + + Only factors that are `REQUIRED` or `OPTIONAL` in the highest priority + authenticator enrollment policy can be returned. + + + > **Note:** When admins use this endpoint for other users, the + authenticator enrollment policy that's evaluated can vary depending on + how client-specific conditions are configured in the rules of an + authenticator enrollment policy. The client-specific conditions of the + admin's client are used during policy evaluation instead of the + client-specific conditions of the user. This can affect which + authenticator enrollment policy is evaluated and which factors are + returned. + + > + + > For example, an admin in Europe lists all supported factors for a user + in North America. 
The network zone of the admin's client (in Europe) is + used during policy evaluation instead of the network zone of the user + (in North America). + operationId: listSupportedFactors + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/UserFactorSupported' + examples: + List of supported factors: + $ref: '#/components/examples/SupportedFactorResults' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/factors/questions: + get: + x-okta-no-scope-required: true + summary: List all supported security questions + description: Lists all available security questions for the specified user + operationId: listSupportedSecurityQuestions + responses: + '200': + description: Success + content: + application/json: + example: + - question: disliked_food + questionText: What is the food you least liked as a child? + - question: name_of_first_plush_toy + questionText: What is the name of your first stuffed animal? + - question: first_award + questionText: What did you earn your first medal or award for? 
+ schema: + type: array + items: + $ref: '#/components/schemas/UserFactorSecurityQuestionProfile' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + tags: + - UserFactor + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/factors/{factorId}: + get: + summary: Retrieve a factor + description: Retrieves an existing factor for the specified user + operationId: getFactor + responses: + '200': + $ref: '#/components/responses/GetFactorResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unenroll a factor + description: >- + Unenrolls an existing factor for the specified user. You can't unenroll + a factor from a deactivated user. Unenrolling a factor allows the user + to enroll a new factor. + + + > **Note:** If you unenroll the `push` or the `signed_nonce` factors, + Okta also unenrolls any other `totp`, `signed_nonce`, or Okta Verify + `push` factors associated with the user. + operationId: unenrollFactor + parameters: + - name: removeRecoveryEnrollment + description: >- + If `true`, removes the phone number as both a recovery method and a + factor. This parameter is only used for the `sms` and `call` + factors. 
+ in: query + schema: + type: boolean + default: false + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + /api/v1/users/{userId}/factors/{factorId}/lifecycle/activate: + post: + summary: Activate a factor + description: >- + Activates a factor. Some factors (`call`, `email`, `push`, `sms`, + `token:software:totp`, `u2f`, and `webauthn`) require activation to + complete the enrollment process. + + + Okta enforces a rate limit of five activation attempts within five + minutes. After a user exceeds the rate limit, Okta returns an error + message. + + + > **Notes:** + + > * If the user exceeds their SMS, call, or email factor activation rate + limit, then an [OTP resend + request]https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/ isn't allowed + for the same factor. + + > * You can't use the Factors API to activate Okta Fastpass + (`signed_nonce`) for a user. See [Configure Okta + Fastpass](https://help.okta.com/okta_help.htm?type=oie&id=ext-fp-configure). 
+ operationId: activateFactor + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorActivateRequest' + examples: + token:software:totp: + $ref: '#/components/examples/FactorPasscodeRequest' + sms: + $ref: '#/components/examples/FactorPasscodeRequest' + call: + $ref: '#/components/examples/FactorPasscodeRequest' + email: + $ref: '#/components/examples/FactorPasscodeRequest' + u2f: + $ref: '#/components/examples/ActivateFactorU2fRequest' + webauthn: + $ref: '#/components/examples/ActivateFactorWebauthnRequest' + required: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorActivateResponse' + examples: + token:software:totp: + $ref: '#/components/examples/ActivateFactorTotpResponse' + sms: + $ref: '#/components/examples/ActivateFactorSmsResponse' + call: + $ref: '#/components/examples/ActivateFactorCallResponse' + push: + $ref: '#/components/examples/ActivateFactorPushResponse' + email: + $ref: '#/components/examples/ActivateFactorEmailResponse' + u2f: + $ref: '#/components/examples/ActivateFactorU2fResponse' + webauthn: + $ref: '#/components/examples/ActivateFactorWebauthnResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + /api/v1/users/{userId}/factors/{factorId}/resend: + post: + summary: Resend a factor enrollment + description: >- + Resends an `sms`, `call`, or `email` factor challenge as part of an + enrollment flow. 
+ + + For `call` and `sms` factors, Okta enforces a rate limit of one OTP + challenge per device every 30 seconds. You can configure your `sms` and + `call` factors to use a third-party telephony provider. See the + [Telephony inline hook + reference](https://developer.okta.com/docs/reference/telephony-hook/). + Okta alternates between SMS providers with every resend request to + ensure delivery of SMS and Call OTPs across different carriers. + + + > **Note:** Resend operations aren't allowed after a factor exceeds the + activation rate limit. See [Activate a + factor]https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/. + operationId: resendEnrollFactor + parameters: + - name: templateId + in: query + description: >- + ID of an existing custom SMS template. See the [SMS Templates + API]https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/. This parameter is only used by `sms` factors. + schema: + example: cstk2flOtuCMDJK4b0g3 + type: string + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/ResendUserFactor' + examples: + sms: + value: + factorType: sms + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/ResendUserFactor' + examples: + sms: + $ref: '#/components/examples/EnrollFactorSmsResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + 
/api/v1/users/{userId}/factors/{factorId}/transactions/{transactionId}: + get: + summary: Retrieve a factor transaction status + description: |- + Retrieves the status of a `push` factor verification transaction + + > **Note:** + > The response body for a number matching push challenge to an Okta Verify `push` factor enrollment is different from the response body of a standard push challenge. + > The number matching push challenge [response body](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/getFactorTransactionStatus!c=200&path=1/_embedded&t=response) contains the correct answer for the challenge. + > Use [Verify a factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor) to configure which challenge is sent. + operationId: getFactorTransactionStatus + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorPushTransaction' + examples: + WAITING (with number matching challenge): + $ref: >- + #/components/examples/UserFactorVerifyPushTransactionWaitingNMC + WAITING: + $ref: '#/components/examples/UserFactorVerifyPushTransactionWaiting' + SUCCESS: + $ref: >- + #/components/examples/UserFactorVerifyPushTransactionApproved + REJECTED: + $ref: >- + #/components/examples/UserFactorVerifyPushTransactionRejected + TIMEOUT: + $ref: '#/components/examples/UserFactorVerifyPushTransactionTimeout' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: 
'#/components/parameters/pathFactorId' + - $ref: '#/components/parameters/pathTransactionId' + /api/v1/users/{userId}/factors/{factorId}/verify: + post: + summary: Verify a factor + description: >- + Verifies an OTP for a factor. Some factors (`call`, `email`, `push`, + `sms`, `u2f`, and `webauthn`) must first issue a challenge before you + can verify the factor. Do this by making a request without a body. After + a challenge is issued, make another request to verify the factor. + + + > **Notes:** + + > - You can send standard push challenges or number matching push + challenges to Okta Verify `push` factor enrollments. Use a [request + body](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor!path=2/useNumberMatchingChallenge&t=request) + for number matching push challenges. + + > - To verify a `push` factor, use the **poll** link returned when you + issue the challenge. See [Retrieve a factor transaction + status](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/getFactorTransactionStatus). + operationId: verifyFactor + parameters: + - name: templateId + description: >- + ID of an existing custom SMS template. See the [SMS Templates + API]https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/. This parameter is only used by `sms` factors. + in: query + schema: + type: string + example: cstk2flOtuCMDJK4b0g3 + - name: tokenLifetimeSeconds + description: Defines how long the token remains valid + in: query + schema: + type: integer + format: int32 + minimum: 1 + maximum: 86400 + default: 300 + x-okta-added-version: 1.3.0 + - name: X-Forwarded-For + description: Public IP address for the user agent + in: header + schema: + type: string + x-okta-added-version: 1.11.0 + - name: User-Agent + description: >- + Type of user agent detected when the request is made. 
Required to + verify `push` factors. + in: header + schema: + type: string + x-okta-added-version: 1.11.0 + - name: Accept-Language + description: >- + An ISO 639-1 two-letter language code that defines a localized + message to send. This parameter is only used by `sms` factors. If a + localized message doesn't exist or the `templateId` is incorrect, + the default template is used instead. + in: header + schema: + type: string + example: fr + x-codegen-request-body-name: body + requestBody: + description: >- + Verifies an OTP for a factor. Some factors (`call`, `email`, `push`, + `sms`, `u2f`, and `webauthn`) must first issue a challenge before you + can verify the factor. Do this by making a request without a body. + After a challenge is issued, make another request to verify the + factor. + + + > **Note:** + + > Unlike standard push challenges that don't require a request body, a + number matching + [`push`](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor!path=2/useNumberMatchingChallenge&t=request) + challenge requires a request body. `useNumberMatchingChallenge` must + be set to `true`. + + > When a number matching challenge is issued for an Okta Verify `push` + factor enrollment, a `correctAnswer` challenge object is returned in + the + [`_embedded`](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor!c=200&path=_embedded&t=response) + object. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorVerifyRequest' + examples: + sms verify: + $ref: '#/components/examples/FactorPasscodeRequest' + call verify: + $ref: '#/components/examples/FactorPasscodeRequest' + push challenge with number matching: + $ref: '#/components/examples/NumberMatchingChallengeRequest' + email verify: + $ref: '#/components/examples/FactorPasscodeRequest' + u2f verify: + $ref: '#/components/examples/UserFactorVerifyU2fRequest' + webAuthn verify: + $ref: '#/components/examples/UserFactorVerifyWebauthnRequest' + security question verify: + $ref: '#/components/examples/UserFactorVerifySecurityQuestionRequest' + totp verify: + $ref: '#/components/examples/FactorPasscodeRequest' + token verify: + $ref: '#/components/examples/FactorPasscodeRequest' + yubikey verify: + $ref: '#/components/examples/FactorPasscodeRequest' + required: false + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorVerifyResponse' + examples: + sms challenge: + $ref: '#/components/examples/UserFactorChallengeSmsResponse' + sms verify: + $ref: '#/components/examples/UserFactorVerifySuccessSmsResponse' + call challenge: + $ref: '#/components/examples/UserFactorChallengeCallResponse' + call verify: + $ref: '#/components/examples/UserFactorVerifyCallSuccessResponse' + email challenge: + $ref: '#/components/examples/UserFactorChallengeEmailResponse' + email verify: + $ref: '#/components/examples/UserFactorVerifyEmailSuccessResponse' + u2f challenge: + $ref: '#/components/examples/UserFactorChallengeU2fResponse' + u2f verify: + $ref: '#/components/examples/UserFactorVerifyU2fResponse' + webAuthn challenge: + $ref: '#/components/examples/UserFactorChallengeWebauthnResponse' + webAuthn verify: + $ref: '#/components/examples/UserFactorVerifyWebauthnResponse' + security question verify: + $ref: '#/components/examples/UserFactorVerifySuccessSqResponse' + totp verify: + $ref: 
'#/components/examples/UserFactorVerifySuccessTotpResponse' + token verify: + $ref: '#/components/examples/UserFactorVerifySuccessTokenResponse' + yubikey verify: + $ref: '#/components/examples/UserFactorVerifySuccessYubikeyResponse' + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactorVerifyResponseWaiting' + examples: + push challenge with number matching: + $ref: >- + #/components/examples/UserFactorChallengePushResponseWithNumberMatchingChallenge + push challenge: + $ref: '#/components/examples/UserFactorChallengePushResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserFactor + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathFactorId' + /api/v1/users/{userId}/grants: + get: + summary: List all user grants + description: Lists all grants for the specified user + operationId: listUserGrants + parameters: + - name: scopeId + in: query + description: The scope ID to filter on + schema: + type: string + - name: expand + in: query + description: >- + Valid value: `scope`. If specified, scope details are included in + the `_embedded` attribute. + schema: + type: string + example: scope + - name: after + in: query + description: >- + The cursor to use for pagination. It is an opaque string that + specifies your current location in the list and is obtained from the + `Link` response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). 
+ schema: + type: string + - name: limit + in: query + description: Specifies the number of grants to return + schema: + type: integer + format: int32 + minimum: 1 + maximum: 200 + default: 20 + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke all user grants + description: Revokes all grants for a specified user + operationId: revokeUserGrants + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/grants/{grantId}: + get: + summary: Retrieve a user grant + description: Retrieves a grant for the specified user + operationId: getUserGrant + parameters: + - name: expand + in: query + description: >- + Valid value: `scope`. If specified, scope details are included in + the `_embedded` attribute. 
+ schema: + type: string + example: scope + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OAuth2ScopeConsentGrant' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Revoke a user grant + description: Revokes one grant for a specified user + operationId: revokeUserGrant + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserGrant + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathGrantId' + /api/v1/users/{userId}/risk: + get: + summary: Retrieve the user's risk + description: Retrieves the user risk object for a user ID + operationId: getUserRisk + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskGetResponse' + examples: + UserRiskResponseExample: + $ref: '#/components/examples/UserRiskResponse' + UserRiskNoneResponseExample: + $ref: '#/components/examples/UserRiskNoneResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userRisk.read + tags: + - UserRisk + x-okta-lifecycle: + lifecycle: 
LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + put: + summary: Upsert the user's risk + description: Upserts (creates or updates) the user risk object for a user ID + operationId: upsertUserRisk + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskRequest' + examples: + RiskProviderRequestExample: + $ref: '#/components/examples/UserRiskRequest' + required: true + responses: + '200': + description: Updated the user's risk + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskPutResponse' + examples: + UserRiskResponseExample: + $ref: '#/components/examples/UserRiskResponse' + '201': + description: Created the user's risk + content: + application/json: + schema: + $ref: '#/components/schemas/UserRiskPutResponse' + examples: + UserRiskResponseExample: + $ref: '#/components/examples/UserRiskResponse' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.userRisk.manage + tags: + - UserRisk + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/roles: + get: + summary: List all user role assignments + description: Lists all roles assigned to a user (identified by `userId`) + operationId: listAssignedRolesForUser + parameters: + - $ref: '#/components/parameters/pathQueryRoleExpand' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRolesListResponse' + Custom 
Roles: + $ref: '#/components/examples/StandardAndCustomRolesListResponse' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRolesListResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Assign a user role + description: >- + Assigns a [standard + role](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles) to a user. + + + You can also assign a custom role to a user, but the preferred method to + assign a custom role to a user is to create a binding between the custom + role, the resource set, and the user. See [Create a role resource set + binding](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). + + + > **Notes:** + + > * The request payload is different for standard and custom role + assignments. + + > * For IAM-based standard role assignments, use the request payload for + standard roles. However, the response payload for IAM-based role + assignments is similar to the custom role's assignment response. 
+ operationId: assignRoleToUser + parameters: + - name: disableNotifications + description: Setting this to `true` grants the user third-party admin status + in: query + schema: + type: boolean + default: false + x-codegen-request-body-name: assignRoleRequest + requestBody: + content: + application/json: + schema: + type: object + oneOf: + - $ref: '#/components/schemas/StandardRoleAssignmentSchema' + - $ref: '#/components/schemas/CustomRoleAssignmentSchema' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + type: object + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRoleResponseUser' + Custom Roles: + $ref: '#/components/examples/CustomRoleResponseUser' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRoleResponseUser' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/roles/{roleAssignmentId}: + get: + summary: Retrieve a user role assignment + description: >- + Retrieves a role assigned to a user (identified by `userId`). The + `roleAssignmentId` parameter is the unique identifier for either a + standard role assignment object or a custom role resource set binding + object. 
+ operationId: getUserAssignedRole + responses: + '200': + description: Success + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' + examples: + Standard Roles: + $ref: '#/components/examples/StandardRoleResponseUser' + Custom Roles: + $ref: '#/components/examples/CustomRoleResponseUser' + IAM-based Standard Roles: + $ref: '#/components/examples/IAMStandardRoleResponseUser' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign a user role + description: >- + Unassigns a role assignment (identified by `roleAssignmentId`) from a + user (identified by `userId`) + operationId: unassignRoleFromUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance: + get: + summary: Retrieve all user role governance sources + description: >- + Retrieves the governance sources of a role (identified by + `roleAssignmentId`) that's assigned to a user (identified by `userId`) + operationId: getUserAssignedRoleGovernance + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/RoleGovernance' + examples: + Example Response: + $ref: '#/components/examples/GetUseRoleGovernanceResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}: + get: + summary: Retrieve a user role governance source + description: >- + Retrieves a governance source (identified by `grantId`) for a role + (identified by `roleAssignmentId`) that's assigned to a user (identified + by `userId`) + operationId: getRoleAssignmentGovernanceGrant + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RoleGovernanceSource' + examples: + Example Response: + $ref: >- + #/components/examples/GetRoleAssignmentGovernanceGrantResponse + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGrantId' + /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}/resources: + get: + summary: Retrieve the user role governance source resources + description: >- + Retrieves the resources of a governance source (identified by `grantId`) + for a 
role (identified by `roleAssignmentId`) that's assigned to a user + (identified by `userId`) + operationId: getRoleAssignmentGovernanceGrantResources + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/RoleGovernanceResources' + examples: + Example Response: + $ref: >- + #/components/examples/GetRoleAssignmentGovernanceGrantResources + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleAssignmentAUser + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGrantId' + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps: + get: + summary: List all admin role app targets + description: >- + Lists all app targets for an `APP_ADMIN` role assigned to a user. The + response is a list that includes OIN-cataloged apps or app instances. + The response payload for an app instance contains the `id` property, but + an OIN-cataloged app payload doesn't. 
+ operationId: listApplicationTargetsForApplicationAdministratorRoleForUser + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Assign all apps as target to admin role + description: Assigns all apps as target to an `APP_ADMIN` role + operationId: assignAllAppsAsTargetToRoleForUser + responses: + '200': + description: Success + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: + put: + summary: Assign an admin role app target + description: > + Assigns an OIN app target for an `APP_ADMIN` role assignment to an admin + user. When you assign the first app target, you reduce the scope of the + role assignment. + + The role no longer applies to all app targets, but applies only to the + specified target. + + + Assigning an OIN app target overrides any existing app instance targets + of the OIN app. 
+ + For example, if a user was assigned to administer a specific Facebook + instance, a successful request to add an OIN app target with `facebook` + for `appName` makes that user the admin for all Facebook instances. + operationId: assignAppTargetToAdminRoleForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign an admin role app target + description: > + Unassigns an OIN app target from an `APP_ADMIN` role assignment to an + admin user. + + + > **Note:** You can't remove the last OIN app target from a role + assignment since this causes an exception. + + > If you need a role assignment that applies to all apps, delete the + `APP_ADMIN` role assignment to the user and recreate a new one. + operationId: unassignAppTargetFromAppAdminRoleForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: + put: + summary: Assign an admin role app instance target + description: > + Assigns an app instance target to an `APP_ADMIN` role assignment to an + admin user. 
When you assign the first OIN app or app instance target, + you reduce the scope of the role assignment. + + The role no longer applies to all app targets, but applies only to the + specified target. + + + > **Note:** You can target a mixture of both OIN app and app instance + targets, but can't assign permissions to manage all instances of an OIN + app and then assign a subset of permission to the same OIN app. + + > For example, you can't specify that an admin has access to manage all + instances of the Salesforce app and then also manage specific + configurations of the Salesforce app. + operationId: assignAppInstanceTargetToAppAdminRoleForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign an admin role app instance target + description: >- + Unassigns an app instance target from an `APP_ADMIN` role assignment to + an admin user. + + + > **Note:** You can't remove the last app instance target from a role + assignment since this causes an exception. + + > If you need a role assignment that applies to all apps, delete the + `APP_ADMIN` role assignment and recreate a new one. 
+ operationId: unassignAppInstanceTargetFromAdminRoleForUser + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathAppName' + - $ref: '#/components/parameters/pathAppId' + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups: + get: + summary: List all admin role group targets + description: > + Lists all group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or + `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. + + If the role isn't scoped to specific group targets, an empty array `[]` + is returned. 
+ operationId: listGroupTargetsForRole + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Group' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups/{groupId}: + put: + summary: Assign an admin role group target + description: > + Assigns a group target for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or + `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. + + When you assign the first group target, you reduce the scope of the role + assignment. The role no longer applies to all targets but applies only + to the specified target. + operationId: assignGroupTargetToUserRole + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Unassign an admin role group target + description: > + Unassigns a group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or + `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. + + + > **Note:** You can't remove the last group target from a role + assignment since this causes an exception. 
+ + > If you need a role assignment that applies to all groups, delete the + role assignment to the user and recreate a new one. + operationId: unassignGroupTargetFromUserAdminRole + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleAssignmentId' + - $ref: '#/components/parameters/pathGroupId' + /api/v1/users/{userId}/roles/{roleIdOrEncodedRoleId}/targets: + get: + summary: Retrieve a role target by assignment type + description: > + Retrieves all role targets for an `APP_ADMIN`, `USER_ADMIN`, + `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an + admin user by user or group assignment type. + + If the role isn't scoped to specific group targets or any app targets, + an empty array `[]` is returned. 
+ operationId: getRoleTargetsByUserIdAndRoleId + parameters: + - $ref: '#/components/parameters/assignmentType' + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/RoleTarget' + examples: + Group Target: + $ref: '#/components/examples/RoleTargetGroupResponse' + App Target: + $ref: '#/components/examples/RoleTargetAppResponse' + App Instance Target: + $ref: '#/components/examples/RoleTargetAppInstanceResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - RoleBTargetAdmin + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathRoleIdOrEncodedRoleId' + /api/v1/users/{userId}/sessions: + delete: + summary: Revoke all user sessions + description: >- + Revokes all active identity provider sessions of the user. This forces + the user to authenticate on the next operation. Optionally revokes + OpenID Connect and OAuth refresh and access tokens issued to the user. + + + You can also clear the user's remembered factors for all devices using + the `forgetDevices` parameter. See + [forgetDevices](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserSessions/#tag/UserSessions/operation/revokeUserSessions!in=query&path=forgetDevices&t=request). + + > **Note:** This operation doesn't clear the sessions created for web or + native apps. 
+ operationId: revokeUserSessions + parameters: + - name: oauthTokens + in: query + description: Revokes issued OpenID Connect and OAuth refresh and access tokens + schema: + type: boolean + default: false + - name: forgetDevices + in: query + description: |- + Clears the user's remembered factors for all devices. + > **Note:** This parameter defaults to false in Classic Engine. + schema: + type: boolean + default: true + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - UserSessions + x-okta-lifecycle: + isCorsEnabled: true + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/subscriptions: + get: + summary: List all subscriptions for a user + description: >- + Lists all subscriptions available to a specified user. Returns an + `AccessDeniedException` message if requests are made for another user. 
+ operationId: listSubscriptionsUser + parameters: + - in: path + name: userId + required: true + schema: + type: string + description: The unique ID of the user + responses: + '200': + description: Success + content: + application/json: + schema: + items: + $ref: '#/components/schemas/Subscription' + type: array + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + /api/v1/users/{userId}/subscriptions/{notificationType}: + get: + summary: Retrieve a subscription for a user + description: >- + Retrieves a subscription by `notificationType` for a specified user. + Returns an `AccessDeniedException` message if requests are made for + another user. + operationId: getSubscriptionsNotificationTypeUser + parameters: + - in: path + name: userId + required: true + schema: + type: string + description: The unique ID of the user + - $ref: '#/components/parameters/pathNotificationType' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/Subscription' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathNotificationType' + /api/v1/users/{userId}/subscriptions/{notificationType}/subscribe: + post: + summary: Subscribe a user to a specific notification type + description: >- + Subscribes the current user to a specified notification type. 
Returns an + `AccessDeniedException` message if requests are made for another user. + operationId: subscribeByNotificationTypeUser + parameters: + - in: path + name: userId + required: true + schema: + type: string + description: The unique ID of the user + - $ref: '#/components/parameters/pathNotificationType' + responses: + '200': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathNotificationType' + /api/v1/users/{userId}/subscriptions/{notificationType}/unsubscribe: + post: + summary: Unsubscribe a user from a specific notification type + description: >- + Unsubscribes the current user from a specified notification type. + Returns an `AccessDeniedException` message if requests are made for + another user. 
+ operationId: unsubscribeByNotificationTypeUser + parameters: + - in: path + name: userId + required: true + schema: + type: string + description: The unique ID of the user + - $ref: '#/components/parameters/pathNotificationType' + responses: + '200': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + description: Not Found + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - Subscription + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/pathNotificationType' +components: + schemas: + User: + type: object + properties: + activated: + type: string + description: The timestamp when the user status transitioned to `ACTIVE` + format: date-time + readOnly: true + nullable: true + created: + type: string + description: The timestamp when the user was created + format: date-time + readOnly: true + credentials: + $ref: '#/components/schemas/UserCredentials' + id: + type: string + description: The unique key for the user + readOnly: true + lastLogin: + type: string + description: The timestamp of the last login + format: date-time + readOnly: true + nullable: true + lastUpdated: + type: string + description: The timestamp when the user was last updated + format: date-time + readOnly: true + passwordChanged: + type: string + description: The timestamp when the user's password was last updated + format: date-time + readOnly: true + nullable: true + profile: + $ref: '#/components/schemas/UserProfile' + realmId: + type: string + description: >- + The ID of the realm in which the user is residing. See + [Realms](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/). 
+ example: guo1bfiNtSnZYILxO0g4 + readOnly: true + status: + $ref: '#/components/schemas/UserStatus' + statusChanged: + type: string + description: The timestamp when the status of the user last changed + format: date-time + readOnly: true + nullable: true + transitioningToStatus: + type: string + description: >- + The target status of an in-progress asynchronous status transition. + This property is only returned if the user's state is transitioning. + readOnly: true + nullable: true + enum: + - ACTIVE + - DEPROVISIONED + - PROVISIONED + type: + type: object + description: >- + The user type that determines the schema for the user's profile. The + `type` property is a map that identifies the [User + Types](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType). + + + Currently it contains a single element, `id`. It can be specified + when creating a new user, and ca be updated by an admin on a full + replace of an existing user (but not a partial update). + properties: + id: + type: string + description: The ID of the user type + _embedded: + type: object + description: >- + Embedded resources related to the user using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + description: >- + Specifies link relations (see [Web + Linking](https://datatracker.ietf.org/doc/html/rfc8288) available + for the current status of a user. + + The links object is used for dynamic discovery of related resources, + lifecycle operations, and credential operations. The links object is + read-only. + + + For an individual user result, the links object contains a full set + of link relations available for that user as determined by your + policies. + + For a collection of users, the links object contains only the `self` + link. 
Operations that return a collection of users include [List all + users](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) + and [List all group member + users](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroupUsers). + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + self: + description: URL to the individual user + allOf: + - $ref: '#/components/schemas/HrefObject' + activate: + description: URL to activate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + resetPassword: + description: URL to reset the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + resetFactors: + description: URL to reset the user's factors + allOf: + - $ref: '#/components/schemas/HrefObject' + expirePassword: + description: URL to expire the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + forgotPassword: + description: URL to initiate a forgot password operation + allOf: + - $ref: '#/components/schemas/HrefObject' + changeRecoveryQuestion: + description: URL to change the user's recovery question + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: URL to deactivate a user + allOf: + - $ref: '#/components/schemas/HrefObject' + reactivate: + description: URL to reactivate the user + allOf: + - $ref: '#/components/schemas/HrefObject' + changePassword: + description: URL to change the user's password + allOf: + - $ref: '#/components/schemas/HrefObject' + schema: + description: URL to the user's profile schema + allOf: + - $ref: '#/components/schemas/HrefObject' + suspend: + description: URL to suspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unsuspend: + description: URL to unsuspend the user + allOf: + - $ref: '#/components/schemas/HrefObject' + unlock: + 
description: URL to unlock the locked-out user + allOf: + - $ref: '#/components/schemas/HrefObject' + type: + description: URL to the user type + allOf: + - $ref: '#/components/schemas/HrefObject' + - readOnly: true + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + UserNextLogin: + type: string + enum: + - changePassword + CreateUserRequest: + type: object + properties: + credentials: + $ref: '#/components/schemas/UserCredentialsWritable' + groupIds: + type: array + description: >- + The list of group IDs of groups that the user is added to at the + time of creation + items: + type: string + profile: + $ref: '#/components/schemas/UserProfile' + realmId: + type: string + description: >- + The ID of the realm in which the user is residing. See + [Realms](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/). + example: guo1bfiNtSnZYILxO0g4 + type: + type: object + description: >- + The ID of the user type. Add this value if you want to create a user + with a non-default [User + Type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/). + + The user type determines which + [schema](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) + applies to that user. 
After a user has been created, the user can + + only be assigned a different user type by an administrator through a + full replacement (`PUT`) operation. + properties: + id: + type: string + description: The ID of the user type + required: + - profile + KeepCurrent: + type: object + properties: + keepCurrent: + description: Skip deleting the user's current session when set to `true` + type: boolean + default: true + UserGetSingleton: + allOf: + - $ref: '#/components/schemas/User' + - type: object + properties: + _embedded: + type: object + description: >- + The embedded resources related to the object if the `expand` + query parameter is specified + properties: + blocks: + type: array + description: A list of access block details for the user account + items: + $ref: '#/components/schemas/UserBlock' + UpdateUserRequest: + type: object + properties: + credentials: + $ref: '#/components/schemas/UserCredentials' + profile: + $ref: '#/components/schemas/UserProfile' + realmId: + type: string + description: >- + The ID of the realm in which the user is residing. See + [Realms](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Realm/). + example: guo1bfiNtSnZYILxO0g4 + AssignedAppLink: + type: object + properties: + appAssignmentId: + type: string + readOnly: true + appInstanceId: + type: string + readOnly: true + appName: + type: string + readOnly: true + credentialsSetup: + type: boolean + readOnly: true + hidden: + type: boolean + readOnly: true + id: + type: string + readOnly: true + label: + type: string + readOnly: true + linkUrl: + type: string + readOnly: true + logoUrl: + type: string + readOnly: true + sortOrder: + type: integer + readOnly: true + UserBlock: + description: >- + Describes how the account is blocked from access. If `appliesTo` is + `ANY_DEVICES`, then the account is blocked for all devices. If + `appliesTo` is `UNKNOWN_DEVICES`, then the account is only blocked for + unknown devices. 
+ type: object + properties: + appliesTo: + type: string + readOnly: true + description: The devices that the block applies to + enum: + - ANY_DEVICES + - UNKNOWN_DEVICES + x-enumDescriptions: + ANY_DEVICES: The account is blocked for all devices + UNKNOWN_DEVICES: The account is only blocked for unknown devices + type: + type: string + readOnly: true + description: Type of access block + enum: + - DEVICE_BASED + Group: + type: object + properties: + created: + type: string + format: date-time + readOnly: true + description: Timestamp when the group was created + id: + type: string + readOnly: true + example: 0gabcd1234 + description: Unique ID for the group + lastMembershipUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the groups memberships were last updated + lastUpdated: + type: string + format: date-time + readOnly: true + description: Timestamp when the group's profile was last updated + objectClass: + type: array + readOnly: true + description: Determines the group's `profile` + items: + type: string + profile: + $ref: '#/components/schemas/GroupProfile' + type: + $ref: '#/components/schemas/GroupType' + _embedded: + type: object + description: Embedded resources related to the group + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + description: >- + [Discoverable + resources](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links&t=response) + related to the group + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + apps: + $ref: '#/components/schemas/HrefObject' + logo: + type: array + items: + $ref: '#/components/schemas/HrefObject' + source: + $ref: '#/components/schemas/HrefObject' + users: + $ref: '#/components/schemas/HrefObject' + type: object + IdentityProvider: + type: object + properties: + created: + $ref: '#/components/schemas/Created' + id: + type: string + readOnly: true + 
description: Unique key for the IdP + example: 0oaWma58liwx40w6boYD + issuerMode: + $ref: '#/components/schemas/IdentityProviderIssuerMode' + lastUpdated: + $ref: '#/components/schemas/LastUpdated' + name: + type: string + maxLength: 100 + description: Unique name for the IdP + example: Sample IdP + policy: + $ref: '#/components/schemas/IdentityProviderPolicy' + properties: + $ref: '#/components/schemas/IdentityProviderProperties' + protocol: + description: >- + IdP-specific protocol settings for endpoints, bindings, and + algorithms used to connect with the IdP and validate messages + oneOf: + - $ref: '#/components/schemas/ProtocolSaml' + - $ref: '#/components/schemas/ProtocolOAuth' + - $ref: '#/components/schemas/ProtocolOidc' + - $ref: '#/components/schemas/ProtocolMtls' + - $ref: '#/components/schemas/ProtocolIdVerification' + status: + $ref: '#/components/schemas/LifecycleStatus' + type: + $ref: '#/components/schemas/IdentityProviderType' + _links: + type: object + additionalProperties: true + allOf: + - $ref: '#/components/schemas/LinksSelf' + - properties: + acs: + description: SAML 2.0 Assertion Consumer Service URL for the Okta SP + allOf: + - $ref: '#/components/schemas/HrefObject' + authorize: + description: >- + OAuth 2.0 authorization endpoint for the IdP OAuth 2.0 + Authorization Code flow + allOf: + - $ref: '#/components/schemas/HrefObject' + clientRedirectUri: + description: Redirect URI for the OAuth 2.0 Authorization Code flow + allOf: + - $ref: '#/components/schemas/HrefObject' + metadata: + description: >- + Federation metadata document for the IdP (for example: SAML + 2.0 Metadata) + allOf: + - $ref: '#/components/schemas/HrefObject' + users: + description: IdP users + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: Deactivate IdP + allOf: + - $ref: '#/components/schemas/HrefObject' + activate: + description: Activate IdP + allOf: + - $ref: '#/components/schemas/HrefObject' + keys: + description: IdP keys + 
allOf: + - $ref: '#/components/schemas/HrefObject' + type: object + UserActivationToken: + type: object + properties: + activationToken: + type: string + readOnly: true + example: XE6wE17zmphl3KqAPFxO + description: >- + Token received as part of an activation user request. If a password + was set before the user was activated, then user must sign in with + their password or the `activationToken` and not the activation link. + More information about using the `activationToken` + + to login can be found in the [Authentication + API](https://developer.okta.com/docs/reference/api/authn/#primary-authentication-with-activation-token). + activationUrl: + type: string + readOnly: true + example: https://{yourOktaDomain}/welcome/XE6wE17zmphl3KqAPFxO + description: >- + If `sendEmail` is `false`, returns an activation link for the user + to set up their account. The activation token can be used to create + a custom activation link. + ResetPasswordToken: + type: object + properties: + resetPasswordUrl: + type: string + readOnly: true + example: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO + ResponseLinks: + description: Link objects + type: object + properties: + _links: + $ref: '#/components/schemas/LinksSelf' + AuthenticatorEnrollment: + type: object + properties: + created: + type: string + description: Timestamp when the authenticator enrollment was created + format: date-time + id: + description: The unique identifier of the authenticator enrollment + type: string + key: + description: A human-readable string that identifies the authenticator + type: string + lastUpdated: + type: string + description: Timestamp when the authenticator enrollment was last updated + format: date-time + name: + description: The authenticator display name + type: string + profile: + $ref: '#/components/schemas/AuthenticatorProfile' + status: + type: string + description: Status of the enrollment + type: + $ref: '#/components/schemas/AuthenticatorType' + _links: + $ref: 
'#/components/schemas/AuthenticatorEnrollmentLinks' + UserClassification: + type: object + properties: + lastUpdated: + type: string + description: The timestamp when the user classification was last updated + format: date-time + readOnly: true + type: + $ref: '#/components/schemas/ClassificationType' + ReplaceUserClassification: + type: object + properties: + type: + $ref: '#/components/schemas/ClassificationType' + OAuth2Client: + type: object + properties: + client_id: + description: Unique key for the client application. The `client_id` is immutable. + type: string + readOnly: true + example: 0oabskvc6442nkvQO0h7 + client_name: + description: Human-readable string name of the client application + type: string + readOnly: true + example: My App + client_uri: + type: string + readOnly: true + example: https://www.example.com + logo_uri: + description: >- + URL string that references a logo for the client consent dialog (not + the sign-in dialog) + type: string + readOnly: true + example: https://www.example.com/logo.png + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + grants: + description: Link to the grant resources + allOf: + - $ref: '#/components/schemas/GrantResourcesHrefObject' + tokens: + description: Link to the token resources + allOf: + - $ref: '#/components/schemas/TokenResourcesHrefObject' + OAuth2ScopeConsentGrant: + description: Grant object that represents an app consent scope grant + type: object + properties: + clientId: + type: string + description: Client ID of the app integration + readOnly: true + example: oag3ih1zrm1cBFOiq0h6 + created: + $ref: '#/components/schemas/createdProperty' + createdBy: + $ref: '#/components/schemas/OAuth2Actor' + id: + type: string + description: ID of the Grant object + readOnly: true + example: oag3ih1zrm1cBFOiq0h6 + issuer: + type: string + description: >- + The issuer of your org authorization server. This is typically your + Okta domain. 
+ example: https://my_test_okta_org.oktapreview.com + lastUpdated: + $ref: '#/components/schemas/lastUpdatedProperty' + scopeId: + type: string + description: >- + The name of the [Okta + scope](https://developer.okta.com/docs/api/oauth2/#oauth-20-scopes) + for which consent is granted + example: okta.users.read + source: + $ref: '#/components/schemas/OAuth2ScopeConsentGrantSource' + status: + $ref: '#/components/schemas/GrantOrTokenStatus' + userId: + type: string + description: User ID that granted consent (if `source` is `END_USER`) + readOnly: true + example: 00u5t60iloOHN9pBi0h7 + _embedded: + type: object + description: Embedded resources related to the Grant + properties: + scope: + type: object + properties: + id: + type: string + description: The name of the Okta scope for which consent is granted + example: okta.users.read + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + description: Link to the app resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + client: + description: Link to the client resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + scope: + description: Link to the scope resource + allOf: + - $ref: '#/components/schemas/ScopeResourceHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/UserResourceHrefObject' + authorizationServer: + description: Link to the authorization server resource + allOf: + - $ref: >- + #/components/schemas/AuthorizationServerResourceHrefObject + - readOnly: true + required: + - issuer + - scopeId + OAuth2RefreshToken: + type: object + properties: + clientId: + type: string + description: Client ID + created: + $ref: '#/components/schemas/createdProperty' + expiresAt: + type: string + description: Expiration time of the OAuth 2.0 Token + format: date-time + readOnly: true + id: + type: string + description: ID of the Token object + readOnly: true + example: 
oar579Mcp7OUsNTlo0g3 + issuer: + type: string + description: The complete URL of the authorization server that issued the Token + example: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 + lastUpdated: + $ref: '#/components/schemas/lastUpdatedProperty' + scopes: + type: array + description: The scope names attached to the Token + items: + type: string + example: offline_access + status: + $ref: '#/components/schemas/GrantOrTokenStatus' + userId: + type: string + description: The ID of the user associated with the Token + example: 00u5t60iloOHN9pBi0h7 + _embedded: + type: object + description: >- + The embedded resources related to the object if the `expand` query + parameter is specified + properties: + scopes: + type: array + description: The scope objects attached to the Token + items: + $ref: '#/components/schemas/OAuth2RefreshTokenScope' + readOnly: true + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + app: + description: Link to the app resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + revoke: + description: Link to revoke the refresh Token + allOf: + - $ref: '#/components/schemas/RevokeRefreshTokenHrefObject' + - properties: + hints: + properties: + allow: + items: + enum: + - DELETE + default: DELETE + type: object + type: object + client: + description: Link to the client resource + allOf: + - $ref: '#/components/schemas/AppResourceHrefObject' + user: + description: Link to the user resource + allOf: + - $ref: '#/components/schemas/UserResourceHrefObject' + authorizationServer: + description: Link to the Token authorization server resource + allOf: + - $ref: >- + #/components/schemas/AuthorizationServerResourceHrefObject + ChangePasswordRequest: + type: object + properties: + newPassword: + $ref: '#/components/schemas/PasswordCredential' + oldPassword: + $ref: '#/components/schemas/PasswordCredential' + revokeSessions: + type: boolean + description: >- + When set to `true`, revokes 
all user sessions, except for the + current session + default: false + UserCredentials: + description: >- + Specifies primary authentication and recovery credentials for a user. + Credential types and requirements vary depending on the provider and + security policy of the org. + type: object + properties: + password: + $ref: '#/components/schemas/PasswordCredential' + provider: + $ref: '#/components/schemas/AuthenticationProvider' + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' + ForgotPasswordResponse: + type: object + properties: + resetPasswordUrl: + type: string + readOnly: true + UserDevice: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the device was created + readOnly: true + device: + type: object + $ref: '#/components/schemas/Device' + deviceUserId: + type: string + description: Unique key for the user device link + UserFactor: + type: object + properties: + created: + description: Timestamp when the factor was enrolled + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + factorType: + $ref: '#/components/schemas/UserFactorType' + id: + description: ID of the factor + type: string + example: caf8m6jbcvUH8mAep1d7 + readOnly: true + lastUpdated: + description: Timestamp when the factor was last updated + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + profile: + type: object + description: Specific attributes related to the factor + provider: + description: >- + Provider for the factor. Each provider can support a subset of + factor types. + type: string + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: >- + Name of the factor vendor. This is usually the same as the provider + except for On-Prem MFA, which depends on admin settings. 
+ type: string + example: OKTA + readOnly: true + _embedded: + type: object + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/UserFactorLinks' + discriminator: + propertyName: factorType + mapping: + call: '#/components/schemas/UserFactorCall' + email: '#/components/schemas/UserFactorEmail' + push: '#/components/schemas/UserFactorPush' + question: '#/components/schemas/UserFactorSecurityQuestion' + sms: '#/components/schemas/UserFactorSMS' + token: '#/components/schemas/UserFactorToken' + token:hardware: '#/components/schemas/UserFactorTokenHardware' + token:hotp: '#/components/schemas/UserFactorTokenHOTP' + token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP' + u2f: '#/components/schemas/UserFactorU2F' + web: '#/components/schemas/UserFactorWeb' + webauthn: '#/components/schemas/UserFactorWebAuthn' + UserFactorSupported: + type: object + properties: + enrollment: + type: string + description: Indicates if the factor is required for the specified user + example: OPTIONAL + enum: + - OPTIONAL + - REQUIRED + factorType: + $ref: '#/components/schemas/UserFactorType' + provider: + $ref: '#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: >- + Name of the factor vendor. This is usually the same as the provider + except for On-Prem MFA, which depends on admin settings. 
+ type: string + example: OKTA + readOnly: true + _embedded: + type: object + description: Embedded resources related to the factor + additionalProperties: + type: object + properties: {} + readOnly: true + _links: + $ref: '#/components/schemas/UserFactorLinks' + UserFactorSecurityQuestionProfile: + type: object + properties: + answer: + description: Answer to the question + minLength: 4 + type: string + writeOnly: true + question: + description: Unique key for the question + example: disliked_food + enum: + - disliked_food + - name_of_first_plush_toy + - first_award + - favorite_security_question + - favorite_toy + - first_computer_game + - favorite_movie_quote + - first_sports_team_mascot + - first_music_purchase + - favorite_art_piece + - grandmother_favorite_desert + - first_thing_cooked + - childhood_dream_job + - first_kiss_location + - place_where_significant_other_was_met + - favorite_vacation_location + - new_years_two_thousand + - favorite_speaker_actor + - favorite_book_movie_character + - favorite_sports_player + type: string + questionText: + description: Human-readable text that's displayed to the user + example: What is the food you least liked as a child? + type: string + readOnly: true + UserFactorActivateRequest: + oneOf: + - title: call + description: Attempts to activate a `call` factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: email + description: Attempts to activate an `email` factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: push + type: object + nullable: true + description: >- + Sends an asynchronous push notification to the device for approval + by the user. You must poll the transaction to determine the state of + the verification. See [Retrieve a factor transaction + status](./#tag/UserFactor/operation/getFactorTransactionStatus). 
+ + + Activations have a short lifetime of several minutes and return a + `TIMEOUT` if not completed before the timestamp specified in the + `expiresAt` param. Use the published activate link to restart the + activation process if the activation expires. + properties: + useNumberMatchingChallenge: + $ref: '#/components/schemas/useNumberMatchingChallenge' + - title: sms + description: Attempts to activate an `sms` factor with the specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: token:software:totp + description: >- + Attempts to activate a `token:software:totp` factor with the + specified passcode + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: u2f + description: >- + Activates a `u2f` factor with the specified client and registration + information from the U2F token + properties: + clientData: + type: string + description: Base64-encoded client data from the U2F token + example: >- + eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ + registrationData: + type: string + description: Base64-encoded registration data from the U2F token + example: >- + BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew + type: object + - title: 
webauthn + description: >- + Activates a `webauthn` factor with the specified attestation and + registration information from the WebAuthn authenticator + properties: + attestation: + type: string + description: Base64-encoded attestation from the WebAuthn authenticator + example: >- + o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ== + clientData: + type: string + description: Base64-encoded client data from the WebAuthn authenticator + example: >- + eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0 + type: object + type: object + UserFactorActivateResponse: + type: object + properties: + factorType: + description: Type of the factor + type: string + enum: + - call + - email + - sms + - push + - token:software:totp + - u2f + - webauthn + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUser' + - $ref: '#/components/schemas/LinksVerify' + discriminator: + propertyName: factorType + mapping: + call: '#/components/schemas/UserFactorCall' + email: '#/components/schemas/UserFactorEmail' + sms: '#/components/schemas/UserFactorSMS' + push: '#/components/schemas/UserFactorPush' + token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP' + u2f: '#/components/schemas/UserFactorU2F' + webauthn: '#/components/schemas/UserFactorWebAuthn' + ResendUserFactor: + type: object + properties: + factorType: + description: Type of the factor + type: string + enum: + - call + - email + - sms + discriminator: + propertyName: factorType + mapping: + call: 
'#/components/schemas/UserFactorCall' + email: '#/components/schemas/UserFactorEmail' + sms: '#/components/schemas/UserFactorSMS' + UserFactorPushTransaction: + type: object + properties: + factorResult: + description: Result of the verification transaction + type: string + enum: + - WAITING (with number matching challenge) + - WAITING + - SUCCESS + - REJECTED + - TIMEOUT + discriminator: + propertyName: factorResult + mapping: + WAITING: '#/components/schemas/UserFactorPushTransactionWaitingNoNMC' + WAITING (with number matching challenge): '#/components/schemas/UserFactorPushTransactionWaitingNMC' + SUCCESS: '#/components/schemas/UserFactorPushTransaction' + REJECTED: '#/components/schemas/UserFactorPushTransactionRejected' + TIMEOUT: '#/components/schemas/UserFactorPushTransactionTimeout' + UserFactorVerifyRequest: + oneOf: + - title: call + description: >- + Verifies an OTP sent by a `call` factor challenge. If you omit + `passCode` in the request, a new OTP is sent to the phone. + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: sms + description: >- + Verifies an OTP sent by an `sms` factor challenge. If you omit + `passCode` in the request, a new OTP is sent to the phone. + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: push + type: object + nullable: true + description: >- + Sends an asynchronous push notification to the device for approval + by the user. A successful request returns an HTTP 201 response, + unlike other factors. You must poll the transaction to determine the + state of the verification. See [Retrieve a factor transaction + status](./#tag/UserFactor/operation/getFactorTransactionStatus). + properties: + useNumberMatchingChallenge: + $ref: '#/components/schemas/useNumberMatchingChallenge' + - title: email + description: >- + Verifies an OTP sent by an `email` factor challenge. 
If you omit + `passCode` in the request, a new OTP is sent to the phone. + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: question + description: Verifies an answer to a `question` factor + properties: + answer: + description: Answer to the question + minLength: 4 + type: string + writeOnly: true + type: object + - title: token:software:totp + description: Verifies an OTP for a `token:software:totp` factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: token:hotp + description: Verifies an OTP for a `token:hotp` factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: token:hardware + description: Verifies an OTP for a `token:hardware` factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: token + description: Verifies an OTP for a `token` factor + properties: + passCode: + $ref: '#/components/schemas/UserFactorPassCode' + type: object + - title: u2f + description: >- + Verifies a `u2f` factor challenge by posting a signed assertion + using the challenge `nonce` + properties: + clientData: + type: string + description: Base64-encoded client data from the U2F token + example: >- + eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ + signatureData: + description: Base64-encoded signature data from the U2F token + type: object + - title: webauthn + description: >- + Verifies a `webauthn` factor challenge by posting a signed assertion + using the challenge `nonce` + properties: + authenticatorData: + description: >- + Base64-encoded authenticator data from the WebAuthn + authenticator + type: string + clientData: + type: string + description: Base64-encoded client data from the WebAuthn authenticator + example: >- + 
eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0 + signatureData: + type: string + description: Base64-encoded signature data from the WebAuthn authenticator + type: object + UserFactorVerifyResponse: + type: object + properties: + expiresAt: + description: Timestamp when the verification expires + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + factorMessage: + description: Optional display message for factor verification + type: string + readOnly: true + nullable: true + factorResult: + $ref: '#/components/schemas/UserFactorVerifyResult' + readOnly: true + profile: + type: object + additionalProperties: + type: object + properties: {} + readOnly: true + _embedded: + allOf: + - additionalProperties: + type: object + nullable: true + readOnly: true + _links: + $ref: '#/components/schemas/UserFactorLinks' + UserFactorVerifyResponseWaiting: + type: object + properties: + expiresAt: + description: Timestamp when the verification expires + type: string + format: date-time + example: '2022-08-25T00:31:00.000Z' + readOnly: true + factorMessage: + description: Optional display message for factor verification + type: string + readOnly: true + nullable: true + factorResult: + $ref: '#/components/schemas/UserFactorVerifyResultWaiting' + readOnly: true + profile: + type: object + additionalProperties: + type: object + properties: {} + readOnly: true + _embedded: + allOf: + - $ref: '#/components/schemas/NumberFactorChallengeEmbeddedLinks' + - additionalProperties: + type: object + nullable: true + readOnly: true + _links: + $ref: '#/components/schemas/UserFactorLinks' + UserRiskGetResponse: + type: object + properties: + riskLevel: + $ref: '#/components/schemas/UserRiskLevelAll' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUserRef' + discriminator: + propertyName: riskLevel + mapping: + HIGH: 
'#/components/schemas/UserRiskLevelExists' + MEDIUM: '#/components/schemas/UserRiskLevelExists' + LOW: '#/components/schemas/UserRiskLevelExists' + NONE: '#/components/schemas/UserRiskLevelNone' + UserRiskRequest: + type: object + properties: + riskLevel: + type: string + description: The risk level associated with the user + enum: + - HIGH + - LOW + UserRiskPutResponse: + type: object + properties: + reason: + $ref: '#/components/schemas/UserRiskReason' + riskLevel: + $ref: '#/components/schemas/UserRiskLevelPut' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUserRef' + StandardRole: + title: Standard Role Assignment + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: + type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Role assignment ID + readOnly: true + label: + type: string + description: Label for the role assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the role assignment + type: + $ref: '#/components/schemas/RoleType' + _embedded: + type: object + description: Optional embedded resources for the role assignment + properties: + targets: + type: object + description: Targets configured for the role assignment + properties: + groups: + type: array + description: Group targets + items: + $ref: '#/components/schemas/Group' + catalog: + description: App targets + properties: + apps: + type: array + items: + $ref: '#/components/schemas/CatalogApplication' + type: object + _links: + $ref: '#/components/schemas/LinksAssignee' + CustomRole: + title: Custom role assignment + type: object + properties: + assignmentType: + $ref: '#/components/schemas/RoleAssignmentType' + created: 
+ type: string + description: Timestamp when the object was created + format: date-time + readOnly: true + id: + type: string + description: Binding object ID + readOnly: true + label: + type: string + description: Label for the custom role assignment + readOnly: true + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + resource-set: + type: string + description: Resource set ID + readOnly: true + role: + type: string + description: Custom role ID + readOnly: true + status: + allOf: + - $ref: '#/components/schemas/LifecycleStatus' + - description: Status of the custom role assignment + type: + type: string + description: CUSTOM for a custom role + enum: + - CUSTOM + _links: + $ref: '#/components/schemas/LinksCustomRoleResponse' + StandardRoleAssignmentSchema: + title: Standard Role + type: object + properties: + type: + type: string + description: >- + Specify the standard or IAM-based role type. See [standard + roles](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles). + CustomRoleAssignmentSchema: + title: Custom Role + type: object + properties: + resource-set: + type: string + description: Resource set ID + role: + type: string + description: Custom role ID + type: + type: string + description: The type of role. Specify `CUSTOM` for a custom role. 
+ enum: + - CUSTOM + RoleGovernance: + description: List of all user role governance sources + type: object + properties: + grants: + type: array + items: + $ref: '#/components/schemas/RoleGovernanceSource' + _links: + $ref: '#/components/schemas/LinksGovernanceSources' + RoleGovernanceSource: + description: User role governance source + type: object + properties: + bundleId: + type: string + readOnly: true + description: '`id` of the entitlement bundle' + expirationDate: + type: string + format: date-time + readOnly: true + description: The expiration date of the entitlement bundle + grantId: + type: string + readOnly: true + description: '`id` of the grant' + type: + $ref: '#/components/schemas/GovernanceSourceType' + _links: + allOf: + - $ref: '#/components/schemas/LinksGovernanceResources' + - $ref: '#/components/schemas/LinksSelf' + required: + - type + - grantId + - resources + RoleGovernanceResources: + description: The resources of a grant + type: object + properties: + resources: + type: array + items: + $ref: '#/components/schemas/RoleGovernanceResource' + _links: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksNext' + CatalogApplication: + description: An app in the OIN catalog + type: object + properties: + category: + type: string + description: Category for the app in the OIN catalog + example: SOCIAL + readOnly: true + description: + type: string + description: Description of the app in the OIN catalog + readOnly: true + displayName: + type: string + description: OIN catalog app display name + readOnly: true + features: + type: array + readOnly: true + description: >- + Features supported by the app. See app + [features](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications!c=200&path=0/features&t=response). + items: + type: string + id: + type: string + readOnly: true + description: >- + ID of the app instance. 
Okta returns this property only for apps not + in the OIN catalog. + lastUpdated: + type: string + description: Timestamp when the object was last updated + format: date-time + readOnly: true + example: '2024-09-19T23:37:37.000Z' + name: + type: string + description: >- + App key name. For OIN catalog apps, this is a unique key for the app + definition. + signOnModes: + type: array + description: >- + Authentication mode for the app. See app + [signOnMode](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications!c=200&path=0/signOnMode&t=response). + items: + type: string + status: + $ref: '#/components/schemas/CatalogApplicationStatus' + verificationStatus: + type: string + description: OIN verification status of the catalog app + example: OKTA_VERIFIED + website: + type: string + description: Website of the OIN catalog app + _links: + type: object + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using + the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification + readOnly: true + properties: + logo: + type: array + description: List of app logo resources + items: + $ref: '#/components/schemas/HrefObjectLogoLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + RoleTarget: + type: object + properties: + assignmentType: + type: string + readOnly: true + example: GROUP + description: The assignment type of how the user receives this target + expiration: + type: string + format: date-time + example: '2023-08-25T12:00:00.000Z' + readOnly: true + description: >- + The expiry time stamp of the associated target. It's only included + in the response if the associated target will expire. 
+ orn: + type: string + readOnly: true + example: orn:okta:directory:00o5v1t2W4OSF9r4N0g4:groups:00g5vhi3rEJMOog1S0g4 + description: >- + The [Okta Resource Name + (ORN)](https://support.okta.com/help/s/article/understanding-okta-resource-name-orn) + of the app target or group target + _links: + $ref: '#/components/schemas/LinksSelf' + Subscription: + type: object + properties: + channels: + description: |- + An array of sources send notifications to users. + > **Note**: Currently, Okta only allows `email` channels. + items: + type: string + type: array + notificationType: + $ref: '#/components/schemas/NotificationType' + status: + $ref: '#/components/schemas/SubscriptionStatus' + _links: + type: object + description: Discoverable resources related to the subscription + properties: + self: + $ref: '#/components/schemas/HrefObject' + readOnly: true + UserProfile: + additionalProperties: true + description: >- + Specifies the default and custom profile properties for a user. + + + The default user profile is based on the [System for Cross-domain + Identity Management: Core + Schema](https://datatracker.ietf.org/doc/html/rfc7643). + + + The only permitted customizations of the default profile are to update + permissions, change whether the `firstName` and `lastName` properties + are nullable, and specify a + [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) + for `login`. You can use the Profile Editor in the Admin Console or the + [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) + to make schema modifications. + + + You can extend user profiles with custom properties. You must first add + the custom property to the user profile schema before you reference it. 
+ + You can use the Profile Editor in the Admin Console or the [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) + to manage schema extensions. + + + Custom attributes can contain HTML tags. It's the client's + responsibility to escape or encode this data before displaying it. Use + [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) + to prevent cross-site scripting. + type: object + properties: + city: + type: string + description: The city or locality of the user's address (`locality`) + maxLength: 128 + nullable: true + costCenter: + type: string + description: Name of the cost center assigned to a user + nullable: true + countryCode: + description: >- + The country name component of the user's address (`country`). For + validation, see [ISO 3166-1 alpha 2 "short" code + format](https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-22#ref-ISO3166). + type: string + maxLength: 2 + nullable: true + department: + type: string + description: Name of the user's department + displayName: + type: string + description: Name of the user suitable for display to end users + nullable: true + division: + type: string + description: Name of the user's division + nullable: true + email: + type: string + description: >- + The primary email address of the user. For validation, see [RFC 5322 + Section + 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
+ format: email + minLength: 5 + maxLength: 100 + employeeNumber: + description: The organization or company assigned unique identifier for the user + type: string + firstName: + type: string + description: Given name of the user (`givenName`) + minLength: 1 + maxLength: 50 + nullable: true + honorificPrefix: + type: string + description: Honorific prefix(es) of the user, or title in most Western languages + nullable: true + honorificSuffix: + type: string + description: Honorific suffix(es) of the user + nullable: true + lastName: + type: string + description: The family name of the user (`familyName`) + minLength: 1 + maxLength: 50 + nullable: true + locale: + type: string + description: >- + The user's default location for purposes of localizing items such as + currency, date time format, numerical representations, and so on. + + A locale value is a concatenation of the ISO 639-1 two-letter + language code, an underscore, and the ISO 3166-1 two-letter country + code. For example, en_US specifies the language English and country + US. This value is `en_US` by default. + login: + type: string + description: >- + The unique identifier for the user (`username`). For validation, see + [Login pattern + validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation). + + + Every user within your Okta org must have a unique identifier for a + login. This constraint applies to all users you import from other + systems or applications such as Active Directory. Your organization + is the top-level namespace to mix and match logins from all your + connected applications or directories. Careful consideration of + naming conventions for your login identifier will make it easier to + onboard new applications in the future. + + + Logins are not considered unique if they differ only in case and/or + diacritical marks. 
If one of your users has a login of + Isaac.Brock@example.com, there cannot be another user whose login is + isaac.brock@example.com, nor isáàc.bröck@example.com. + + + Okta has a default ambiguous name resolution policy for usernames + that include @-signs. (By default, usernames must be formatted as + email addresses and thus always include @-signs. You can remove that + restriction using either the Admin Console or the [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/). + Users can sign in with their non-qualified short name (for example: + isaac.brock with username isaac.brock@example.com) as long as the + short name is still unique within the organization. + + maxLength: 100 + minLength: 5 + manager: + type: string + description: The `displayName` of the user's manager + nullable: true + managerId: + type: string + description: The `id` of the user's manager + nullable: true + middleName: + type: string + description: The middle name of the user + nullable: true + mobilePhone: + type: string + description: The mobile phone number of the user + maxLength: 100 + minLength: 0 + nullable: true + nickName: + type: string + description: The casual way to address the user in real life + nullable: true + organization: + type: string + description: Name of the the user's organization + nullable: true + postalAddress: + type: string + description: Mailing address component of the user's address + maxLength: 4096 + nullable: true + preferredLanguage: + type: string + description: >- + The user's preferred written or spoken language. For validation, see + [RFC 7231 Section + 5.3.5](https://datatracker.ietf.org/doc/html/rfc7231#section-5.3.5). 
+ nullable: true + primaryPhone: + type: string + description: The primary phone number of the user such as a home number + maxLength: 100 + minLength: 0 + nullable: true + profileUrl: + type: string + description: >- + The URL of the user's online profile. For example, a web page. See + [URL](https://datatracker.ietf.org/doc/html/rfc1808). + nullable: true + secondEmail: + type: string + format: email + description: >- + The secondary email address of the user typically used for account + recovery. For validation, see [RFC 5322 Section + 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). + minLength: 5 + maxLength: 100 + nullable: true + state: + type: string + description: The state or region component of the user's address (`region`) + maxLength: 128 + nullable: true + streetAddress: + type: string + description: The full street address component of the user's address + maxLength: 1024 + nullable: true + timezone: + type: string + description: The user's time zone + nullable: true + title: + type: string + description: The user's title, such as Vice President + nullable: true + userType: + type: string + description: >- + The property used to describe the organization-to-user relationship, + such as employee or contractor + nullable: true + zipCode: + type: string + description: >- + The ZIP code or postal code component of the user's address + (`postalCode`) + maxLength: 50 + nullable: true + UserStatus: + description: >- + The current status of the user. + + + The status of a user changes in response to explicit events, such as + admin-driven lifecycle changes, user login, or self-service password + recovery. Okta doesn't asynchronously sweep through users and update + their password expiry state, for example. Instead, Okta evaluates + password policy at login time, notices the password has expired, and + moves the user to the expired state. 
When running reports, remember that + the data is valid as of the last login or lifecycle event for that user. + type: string + enum: + - ACTIVE + - DEPROVISIONED + - LOCKED_OUT + - PASSWORD_EXPIRED + - PROVISIONED + - RECOVERY + - STAGED + - SUSPENDED + readOnly: true + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. + type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. + readOnly: true + required: + - href + ErrorCause: + type: object + properties: + errorSummary: + type: string + UserCredentialsWritable: + description: >- + Specifies primary authentication and recovery credentials for a user. + Credential types and requirements vary depending on the provider and + security policy of the org. + type: object + properties: + password: + $ref: '#/components/schemas/PasswordCredential' + provider: + $ref: '#/components/schemas/AuthenticationProviderWritable' + recovery_question: + $ref: '#/components/schemas/RecoveryQuestionCredential' + GroupProfile: + description: >- + Specifies required and optional properties for a group. 
The + `objectClass` of a group determines which additional properties are + available. + + + You can extend group profiles with custom properties, but you must first + add the properties to the group profile schema before you can reference + them. Use the Profile Editor in the Admin Console or the [Schemas + API](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/)to + manage schema extensions. + + + Custom properties can contain HTML tags. It is the client's + responsibility to escape or encode this data before displaying it. Use + [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) + to prevent cross-site scripting. + anyOf: + - $ref: '#/components/schemas/OktaUserGroupProfile' + - $ref: '#/components/schemas/OktaActiveDirectoryGroupProfile' + GroupType: + description: Determines how a group's profile and memberships are managed + type: string + enum: + - APP_GROUP + - BUILT_IN + - OKTA_GROUP + x-enumDescriptions: + APP_GROUP: >- + Group profile and memberships are imported and must be managed within + the app (such as Active Directory or LDAP) that imported the group + BUILT_IN: >- + Group profile and memberships are managed by Okta and can't be + modified + OKTA_GROUP: >- + Group profile and memberships are directly managed in Okta via static + assignments or indirectly through group rules + Created: + format: date-time + description: Timestamp when the object was created + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + IdentityProviderIssuerMode: + description: >- + Indicates whether Okta uses the original Okta org domain URL or a custom + domain URL in the request to the social IdP + default: DYNAMIC + type: string + enum: + - CUSTOM_URL + - DYNAMIC + - ORG_URL + x-enumDescriptions: + ORG_URL: >- + In the authorize request to the social IdP, Okta uses the Okta org's + original domain URL 
(`https://${yourOktaDomain}`) as the domain in the + `redirect_uri`. + CUSTOM_URL: >- + In the authorize request to the social IdP, Okta uses the custom + domain URL as the domain in the `redirect_uri`. You can set + `issuerMode` to `CUSTOM_URL` only if you have a custom URL domain + configured. + DYNAMIC: >- + In the authorize request to the social IdP, Okta uses the custom + domain URL as the domain in the `redirect_uri` if the request was made + from the custom domain URL. Otherwise, Okta uses the Okta org's + original domain URL if the request was made from the Okta org domain. + LastUpdated: + format: date-time + description: Timestamp when the object was last updated + example: '2016-01-03T18:15:47.000Z' + type: string + readOnly: true + IdentityProviderPolicy: + description: >- + Policy settings for the IdP. + + The following provisioning and account linking actions are supported by + each IdP provider: + + | IdP type | + User provisioning actions | Group provisioning actions | + Account link actions | Account link filters | + + | ----------------------------------------------------------------- | + ------------------------- | ------------------------------------- | + -------------------- | -------------------- | + + | `SAML2` | + `AUTO` or `DISABLED` | `NONE`, `ASSIGN`, `APPEND`, or `SYNC` | + `AUTO`, `DISABLED` | `groups`, `users` | + + | `X509`, `IDV_PERSONA`, `IDV_INCODE`, and `IDV_CLEAR` | + `DISABLED` | No support for JIT provisioning + | | | + + | All other IdP types | + `AUTO`, `DISABLED` | `NONE` or `ASSIGN` | + `AUTO`, `DISABLED` | `groups`, `users` | + allOf: + - type: object + properties: + accountLink: + $ref: '#/components/schemas/PolicyAccountLink' + maxClockSkew: + type: integer + description: >- + Maximum allowable clock skew when processing messages from the + IdP + example: 120000 + provisioning: + $ref: '#/components/schemas/Provisioning' + subject: + $ref: '#/components/schemas/PolicySubject' + IdentityProviderProperties: + nullable: 
true + description: >- + The properties in the IdP `properties` object vary depending on the IdP + type + type: object + properties: + aalValue: + type: string + nullable: true + description: >- + The [authentication assurance + level](https://developers.login.gov/oidc/#aal-values) (AAL) value + for the Login.gov IdP. + + See [Add a Login.gov + IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). + Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. + additionalAmr: + type: array + description: >- + The additional Assurance Methods References (AMR) values for Smart + Card IdPs. Applies to `X509` IdP type. + nullable: true + items: + type: string + enum: + - sc + - hwk + - pin + - mfa + x-enumDescriptions: + sc: Smart card + hwk: Hardware-secured key + pin: Personal identification number + mfa: Multifactor authentication + ialValue: + type: string + nullable: true + description: >- + The [type of identity + verification](https://developers.login.gov/oidc/#ial-values) (IAL) + value for the Login.gov IdP. + + See [Add a Login.gov + IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). + Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. + inquiryTemplateId: + type: string + description: >- + The ID of the inquiry template from your Persona dashboard. The + inquiry template always starts with `itmpl`. Applies to the + `IDV_PERSONA` IdP type. 
+ example: itmpl_HSctx8fNvXoHtrQfz2hxUVH8RBjG + required: + - inquiryTemplateId + ProtocolSaml: + title: SAML 2.0 Protocol + description: >- + Protocol settings for the [SAML 2.0 Authentication Request + Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) + type: object + properties: + algorithms: + $ref: '#/components/schemas/SamlAlgorithms' + credentials: + $ref: '#/components/schemas/SamlCredentials' + endpoints: + $ref: '#/components/schemas/SamlEndpoints' + relayState: + $ref: '#/components/schemas/SamlRelayState' + settings: + $ref: '#/components/schemas/SamlSettings' + type: + type: string + description: SAML 2.0 protocol + enum: + - SAML2 + ProtocolOAuth: + title: OAuth 2.0 Protocol + description: >- + Protocol settings for authentication using the [OAuth 2.0 Authorization + Code flow](https://tools.ietf.org/html/rfc6749#section-4.1) + type: object + properties: + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + scopes: + $ref: '#/components/schemas/OAuthScopes' + type: + type: string + description: OAuth 2.0 Authorization Code flow + enum: + - OAUTH2 + ProtocolOidc: + title: OpenID Connect Protocol + description: >- + Protocol settings for authentication using the [OpenID Connect + Protocol](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) + type: object + properties: + algorithms: + $ref: '#/components/schemas/OidcAlgorithms' + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + oktaIdpOrgUrl: + type: string + description: URL of the IdP org + example: https://idp.example.com + scopes: + type: array + description: >- + OpenID Connect and IdP-defined permission bundles to request + delegated access from the user + + > **Note:** The [IdP + 
type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) + table lists the scopes that are supported for each IdP. + items: + type: string + example: openid + settings: + $ref: '#/components/schemas/OidcSettings' + type: + type: string + description: OpenID Connect Authorization Code flow + enum: + - OIDC + ProtocolMtls: + title: Mutual TLS Protocol + description: >- + Protocol settings for the [MTLS + Protocol](https://tools.ietf.org/html/rfc5246#section-7.4.4) + type: object + properties: + credentials: + $ref: '#/components/schemas/MtlsCredentials' + endpoints: + $ref: '#/components/schemas/MtlsEndpoints' + type: + type: string + description: Mutual TLS + enum: + - MTLS + ProtocolIdVerification: + title: ID Verification + description: Protocol settings for the IDV + type: object + properties: + credentials: + $ref: '#/components/schemas/IDVCredentials' + endpoints: + $ref: '#/components/schemas/IDVEndpoints' + scopes: + $ref: '#/components/schemas/OAuthScopes' + type: + type: string + description: ID verification protocol + enum: + - ID_PROOFING + LifecycleStatus: + type: string + enum: + - ACTIVE + - INACTIVE + IdentityProviderType: + description: >- + The IdP object's `type` property identifies the social or enterprise IdP + used for authentication. + + Each IdP uses a specific protocol, therefore the `protocol` object must + correspond with the IdP `type`. + + If the protocol is OAuth 2.0-based, the `protocol` object's `scopes` + property must also correspond with the scopes supported by the IdP + `type`. + + For policy actions supported by each IdP type, see [IdP type policy + actions](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy&t=request). 
+ + + | Type | + Description + | Corresponding protocol | Corresponding protocol + scopes | + + | ------------------ | + ----------------------------------------------------------------------------------------------------------------------------------------------------- + | ---------------------- | + -------------------------------------------------------------------- | + + | `AMAZON` | + [Amazon](https://developer.amazon.com/settings/console/registration?return_to=/) as + the IdP | OpenID Connect + | `profile`, `profile:user_id` + | + + | `APPLE` | + [Apple](https://developer.apple.com/sign-in-with-apple/) as the + IdP | + OpenID Connect | `names`, `email`, + `openid` | + + | `DISCORD` | [Discord](https://discord.com/login) as the + IdP + | OAuth 2.0 | `identify`, + `email` | + + | `FACEBOOK` | + [Facebook](https://developers.facebook.com) as the + IdP + | OAuth 2.0 | `public_profile`, + `email` | + + | `GITHUB` | [GitHub](https://github.com/join) as the + IdP + | OAuth 2.0 | + `user` | + + | `GITLAB` | + [GitLab](https://gitlab.com/users/sign_in) as the + IdP + | OpenID Connect | `openid`, `read_user`, `profile`, + `email` | + + | `GOOGLE` | + [Google](https://accounts.google.com/signup) as the + IdP + | OpenID Connect | `openid`, `email`, + `profile` | + + | `IDV_PERSONA` | + [Persona](https://app.withpersona.com/dashboard/login) as the IDV + IdP | ID + verification + | + | + + | `IDV_CLEAR` | [CLEAR + Verified](https://www.clearme.com/) as the IDV + IdP + | ID verification | `openid`, `profile`, + `identity_assurance` | + + | `IDV_INCODE` | [Incode](https://incode.com/) as the IDV + IdP + | ID verification | `openid`, `profile`, + `identity_assurance` | + + | `LINKEDIN` | + [LinkedIn](https://developer.linkedin.com/) as the + IdP + | OAuth 2.0 | `r_emailaddress`, + `r_liteprofile` | + + | `LOGINGOV` | + [Login.gov](https://developers.login.gov/) as the + IdP + | OpenID Connect | `email`, `profile`, + `profile:name` | + + | `LOGINGOV_SANDBOX` | [Login.gov's 
identity + sandbox](https://developers.login.gov/testing/) as the + IdP | OpenID + Connect | `email`, `profile`, + `profile:name` | + + | `MICROSOFT` | [Microsoft Enterprise + SSO](https://azure.microsoft.com/) as the + IdP | + OpenID Connect | `openid`, `email`, `profile`, + `https://graph.microsoft.com/User.Read` | + + | `OIDC` | IdP that supports [OpenID + Connect](https://openid.net/specs/openid-connect-core-1_0.html) + | OpenID Connect | `openid`, `email`, + `profile` | + + | `PAYPAL` | [Paypal](https://www.paypal.com/signin) as + the + IdP + | OpenID Connect | `openid`, `email`, + `profile` | + + | `PAYPAL_SANDBOX` | [Paypal + Sandbox](https://developer.paypal.com/tools/sandbox/) as the + IdP | OpenID + Connect | `openid`, `email`, + `profile` | + + | `SALESFORCE` | + [SalesForce](https://login.salesforce.com/) as the + IdP + | OAuth 2.0 | `id`, `email`, + `profile` | + + | `SAML2` | Enterprise IdP that supports the [SAML 2.0 Web + Browser SSO + Profile](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf)| + SAML 2.0 + | + | + + | `SPOTIFY` | [Spotify](https://developer.spotify.com/) as + the + IdP + | OpenID Connect | `user-read-email`, + `user-read-private` | + + | `X509` | [Smart Card + IdP](https://tools.ietf.org/html/rfc5280) + | Mutual TLS + | + | + + | `XERO` | + [Xero](https://www.xero.com/us/signup/api/) as the + IdP + | OpenID Connect | `openid`, `profile`, + `email` | + + | `YAHOO` | [Yahoo](https://login.yahoo.com/) as the + IdP + | OpenID Connect | `openid`, `profile`, + `email` | + + | `YAHOOJP` | [Yahoo + Japan](https://login.yahoo.co.jp/config/login) as the + IdP | + OpenID Connect | `openid`, `profile`, + `email` | + + | `OKTA_INTEGRATION` | IdP that supports the [OpenID + Connect](https://openid.net/specs/openid-connect-core-1_0.html) Org2Org + IdP | OpenID + Connect | `openid`, `email`, + `profile` | + type: string + enum: + - AMAZON + - APPLE + - DISCORD + - FACEBOOK + - GITHUB + - GITLAB + - GOOGLE + - IDV_CLEAR + - 
IDV_INCODE + - IDV_PERSONA + - LINKEDIN + - LOGINGOV + - LOGINGOV_SANDBOX + - MICROSOFT + - OIDC + - OKTA_INTEGRATION + - PAYPAL + - PAYPAL_SANDBOX + - SALESFORCE + - SAML2 + - SPOTIFY + - X509 + - XERO + - YAHOO + - YAHOOJP + AuthenticatorProfile: + description: Defines the authenticator specific parameters + type: object + properties: + phoneNumber: + type: string + description: The phone number for a `call` or `sms` authenticator enrollment. + required: + - phoneNumber + AuthenticatorType: + description: The type of authenticator + type: string + enum: + - app + - email + - federated + - password + - phone + - security_key + - security_question + - tac + AuthenticatorEnrollmentLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUser' + - $ref: '#/components/schemas/LinksAuthenticator' + readOnly: true + AuthenticatorEnrollmentCreateRequest: + type: object + properties: + authenticatorId: + type: string + description: Unique identifier of the `phone` authenticator + profile: + $ref: '#/components/schemas/AuthenticatorProfile' + required: + - authenticatorId + - profile + AuthenticatorEnrollmentCreateRequestTac: + type: object + properties: + authenticatorId: + type: string + description: Unique identifier of the TAC authenticator + profile: + $ref: '#/components/schemas/AuthenticatorProfileTacRequest' + required: + - authenticatorId + TacAuthenticatorEnrollment: + type: object + properties: + created: + type: string + description: Timestamp when the authenticator enrollment was created + format: date-time + id: + description: A unique identifier of the authenticator enrollment + type: string + key: + description: A human-readable string that identifies the authenticator + type: string + lastUpdated: + type: string + description: Timestamp when the authenticator enrollment was last updated + format: date-time + name: + description: The authenticator display name + type: string + nickname: + type: string + description: A 
user-friendly name for the authenticator enrollment + profile: + $ref: '#/components/schemas/AuthenticatorProfileTacResponsePost' + status: + type: string + description: Status of the enrollment + type: + $ref: '#/components/schemas/AuthenticatorType' + _links: + $ref: '#/components/schemas/AuthenticatorEnrollmentLinks' + ClassificationType: + description: The type of user classification + type: string + enum: + - LITE + - STANDARD + x-enumDescriptions: + LITE: Lite + STANDARD: Standard + GrantResourcesHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants + TokenResourcesHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens + createdProperty: + description: Timestamp when the object was created + format: date-time + example: '2017-03-28T01:11:10.000Z' + type: string + readOnly: true + OAuth2Actor: + description: User that created the object + type: object + properties: + id: + type: string + description: User ID + readOnly: true + example: 00u5t60iloOHN9pBi0h7 + type: + type: string + description: Type of user + example: User + readOnly: true + lastUpdatedProperty: + format: date-time + description: Timestamp when the object was last updated + type: string + readOnly: true + OAuth2ScopeConsentGrantSource: + description: User type source that granted consent + example: ADMIN + type: string + enum: + - ADMIN + - END_USER + readOnly: true + GrantOrTokenStatus: + description: Status + example: ACTIVE + type: string + enum: + - ACTIVE + - REVOKED + readOnly: true + AppResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 + title: + type: string + description: Link name + 
example: My App + ScopeResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scpCmCCV1DpxVkCaye2X + title: + type: string + description: Link name + example: My phone + UserResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + title: + type: string + description: Link name + example: SAML Jackson + AuthorizationServerResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 + title: + type: string + description: Link name + example: Example Authorization Server + OAuth2RefreshTokenScope: + type: object + properties: + description: + type: string + description: Description of the Scope + example: >- + Requests a refresh token by default, used to obtain more access + tokens without re-prompting the user for authentication + displayName: + type: string + description: Name of the end user displayed in a consent dialog + id: + type: string + description: Scope object ID + readOnly: true + example: scppb56cIl4GvGxy70g3 + name: + type: string + description: Scope name + example: offline_access + _links: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext + Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + scope: + description: Link to Scope resource + allOf: + - $ref: '#/components/schemas/OfflineAccessScopeResourceHrefObject' + RevokeRefreshTokenHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 + PasswordCredential: + description: >- + Specifies a password for a user. + + + When a user has a valid password, imported hashed password, or password + hook, and a response object contains + + a password credential, then the password object is a bare object without + the value property defined (for example, `password: {}`). This indicates + that a password value exists. You can modify password policy + requirements in the Admin Console by editing the Password + authenticator: **Security** > **Authenticators** > **Password** (or for + Okta Classic orgs, use **Security** > **Authentication** > + **Password**). + + + For information on defaults and configuring your password policies, see + [Configure the password + authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) + in the help documentation. + type: object + properties: + hash: + $ref: '#/components/schemas/PasswordCredentialHash' + hook: + $ref: '#/components/schemas/PasswordCredentialHook' + value: + type: string + writeOnly: true + description: >- + Specifies the password for a user. The password policy validates + this password. + format: password + example: pa$$word + AuthenticationProvider: + description: >- + Specifies the authentication provider that validates the user's password + credential. The user's current provider is managed by the **Delegated + Authentication** settings for your org. The provider object is + **read-only**. 
+ type: object + properties: + name: + type: string + description: The name of the authentication provider + readOnly: true + example: OKTA + type: + $ref: '#/components/schemas/AuthenticationProviderType' + readOnly: true + RecoveryQuestionCredential: + description: >- + Specifies a secret question and answer that's validated (case + insensitive) when a user forgets their + + password or unlocks their account. The answer property is write-only. + type: object + properties: + answer: + type: string + description: The answer to the recovery question + minimum: 1 + maximum: 100 + writeOnly: true + example: se7en + question: + type: string + description: The recovery question + minimum: 1 + maximum: 100 + example: what is your favourite movie? + Device: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the device was created + readOnly: true + id: + type: string + description: Unique key for the device + readOnly: true + lastUpdated: + type: string + format: date-time + description: >- + Timestamp when the device record was last updated. Updates occur + when Okta collects and saves device signals during authentication, + and when the lifecycle state of the device changes. 
+ readOnly: true + profile: + $ref: '#/components/schemas/DeviceProfile' + resourceAlternateId: + type: string + readOnly: true + resourceDisplayName: + $ref: '#/components/schemas/DeviceDisplayName' + resourceId: + type: string + description: Alternate key for the `id` + readOnly: true + resourceType: + type: string + default: UDDevice + readOnly: true + status: + $ref: '#/components/schemas/DeviceStatus' + _links: + $ref: '#/components/schemas/LinksSelfAndFullUsersLifecycle' + UserFactorType: + description: Type of factor + type: string + enum: + - call + - email + - push + - question + - signed_nonce + - sms + - token + - token:hardware + - token:hotp + - token:software:totp + - u2f + - web + - webauthn + UserFactorStatus: + example: ACTIVE + description: Status of the factor + type: string + enum: + - ACTIVE + - DISABLED + - ENROLLED + - EXPIRED + - INACTIVE + - NOT_SETUP + - PENDING_ACTIVATION + readOnly: true + UserFactorLinks: + allOf: + - $ref: '#/components/schemas/LinksActivate' + - $ref: '#/components/schemas/LinksCancel' + - $ref: '#/components/schemas/LinksDeactivate' + - $ref: '#/components/schemas/LinksEnroll' + - $ref: '#/components/schemas/LinksFactor' + - $ref: '#/components/schemas/LinksPoll' + - $ref: '#/components/schemas/LinksQrcode' + - $ref: '#/components/schemas/LinksQuestions' + - $ref: '#/components/schemas/LinksResend' + - $ref: '#/components/schemas/LinksSend' + - $ref: '#/components/schemas/LinksSelf' + - $ref: '#/components/schemas/LinksUser' + - $ref: '#/components/schemas/LinksVerify' + readOnly: true + UserFactorProvider: + type: string + enum: + - CUSTOM + - DUO + - FIDO + - GOOGLE + - OKTA + - RSA + - SYMANTEC + - YUBICO + UserFactorPassCode: + description: OTP for the current time window + example: 1234567890 + type: string + useNumberMatchingChallenge: + description: >- + Select whether to use a number matching challenge for a `push` factor. 
+ + + > **Note:** Sending a request with a body is required when you verify a + `push` factor with a number matching challenge. + example: true + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: boolean + LinksUser: + type: object + properties: + user: + allOf: + - description: Returns information on the specified user + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksVerify: + type: object + properties: + verify: + allOf: + - description: >- + Verifies the factor resource. See [Verify a + factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + UserFactorVerifyResult: + description: Result of a factor verification + type: string + enum: + - CHALLENGE + - ERROR + - EXPIRED + - FAILED + - PASSCODE_REPLAYED + - REJECTED + - SUCCESS + - TIMEOUT + - TIME_WINDOW_EXCEEDED + x-enumDescriptions: + CANCELED: User cancelled the verification + CHALLENGE: Okta issued a verification challenge + ERROR: Verification encountered an unexpected server error + EXPIRED: User didn't complete the verification within the allowed time window + FAILED: Verification failed + PASSCODE_REPLAYED: >- + User previously verified the factor within the same time window. + Another verification is required during another time window. + REJECTED: User rejected the verification + SUCCESS: User completed the verification + TIMEOUT: Okta didn't complete the verification within the allowed time window + TIME_WINDOW_EXCEEDED: >- + User completed the verification outside of the allowed time window. + Another verification is required. 
+ UserFactorVerifyResultWaiting: + description: Result of a factor verification + type: string + enum: + - WAITING + x-enumDescriptions: + WAITING: Verification is in progress + NumberFactorChallengeEmbeddedLinks: + description: >- + Contains the `challenge` and `correctAnswer` objects for `push` factors + that use a number matching challenge + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + type: object + properties: + challenge: + type: object + description: Number matching challenge for a `push` factor + properties: + correctAnswer: + description: >- + The correct answer for a `push` factor that uses a number + matching challenge + type: integer + example: 72 + nullable: true + UserRiskLevelAll: + description: The risk level associated with the user + type: string + enum: + - HIGH + - LOW + - MEDIUM + - NONE + LinksUserRef: + type: object + properties: + user: + $ref: '#/components/schemas/HrefObjectUserLink' + UserRiskReason: + description: Describes the risk level for the user + example: Admin override risk + type: string + UserRiskLevelPut: + description: The risk level associated with the user + type: string + enum: + - HIGH + - LOW + RoleAssignmentType: + description: Role assignment type + type: string + enum: + - CLIENT + - GROUP + - USER + x-enumDescriptions: + USER: The role is assigned to a user + GROUP: The role is assigned to a group + CLIENT: The role is assigned to a client app + RoleType: + description: Standard role type + type: string + enum: + - ACCESS_CERTIFICATIONS_ADMIN + - ACCESS_REQUESTS_ADMIN + - API_ACCESS_MANAGEMENT_ADMIN + - API_ADMIN + - APP_ADMIN + - CUSTOM + - GROUP_MEMBERSHIP_ADMIN + - HELP_DESK_ADMIN + - MOBILE_ADMIN + - ORG_ADMIN + - READ_ONLY_ADMIN + - REPORT_ADMIN + - SUPER_ADMIN + - USER_ADMIN + - WORKFLOWS_ADMIN + x-enumDescriptions: + API_ACCESS_MANAGEMENT_ADMIN: Access Management Administrator + API_ADMIN: Access Management Administrator + APP_ADMIN: Application Administrator + CUSTOM: Custom 
label specified by the client + GROUP_MEMBERSHIP_ADMIN: Group Membership Administrator + HELP_DESK_ADMIN: Help Desk Administrator + MOBILE_ADMIN: Mobile Administrator + ORG_ADMIN: Organizational Administrator + READ_ONLY_ADMIN: Read-Only Administrator + REPORT_ADMIN: Report Administrator + SUPER_ADMIN: Super Administrator + USER_ADMIN: Group Administrator + WORKFLOWS_ADMIN: Workflows Administrator + ACCESS_CERTIFICATIONS_ADMIN: Access Certifications Administrator (predefined resource sets) + ACCESS_REQUESTS_ADMIN: Access Requests Administrator (predefined resource sets) + LinksAssignee: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. + type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + LinksCustomRoleResponse: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources. + type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectAssigneeLink' + member: + $ref: '#/components/schemas/HrefObjectMemberLink' + permissions: + $ref: '#/components/schemas/HrefObjectPermissionsLink' + resource-set: + $ref: '#/components/schemas/HrefObjectResourceSetLink' + role: + $ref: '#/components/schemas/HrefObjectRoleLink' + LinksGovernanceSources: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + sources using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. 
+ type: object + properties: + assignee: + $ref: '#/components/schemas/HrefObjectUserLink' + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + GovernanceSourceType: + description: The grant type + type: string + enum: + - CUSTOM + - ENTITLEMENT-BUNDLE + LinksGovernanceResources: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + resources using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. + type: object + properties: + resources: + $ref: '#/components/schemas/HrefObjectGovernanceResourcesLink' + readOnly: true + RoleGovernanceResource: + description: The resource of a grant + type: object + properties: + label: + type: string + description: The resource name + resource: + type: string + description: The resources id + LinksNext: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the + current status of an application using the [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. Use the `LinksNext` object for dynamic discovery of + related resources and lifecycle operations. 
+ type: object + properties: + next: + $ref: '#/components/schemas/HrefObject' + readOnly: true + CatalogApplicationStatus: + description: App status + type: string + enum: + - ACTIVE + - INACTIVE + HrefObjectLogoLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the logo resource + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + NotificationType: + description: The type of notification + type: string + enum: + - AD_AGENT + - AGENT_AUTO_UPDATE_NOTIFICATION + - AGENT_AUTO_UPDATE_NOTIFICATION_LDAP + - APP_IMPORT + - CONNECTOR_AGENT + - IWA_AGENT + - LDAP_AGENT + - OKTA_ANNOUNCEMENT + - OKTA_UPDATE + - RATELIMIT_NOTIFICATION + - REPORT_SUSPICIOUS_ACTIVITY + - USER_DEPROVISION + - USER_LOCKED_OUT + x-enumDescriptions: + AD_AGENT: System notification sent when an AD agent disconnects or reconnects + AGENT_AUTO_UPDATE_NOTIFICATION: System notification sent when an agent automatically updates + APP_IMPORT: System notification sent with the status of an app user import + CONNECTOR_AGENT: >- + System notification sent when an on-premises provisioning or Okta + on-prem MFA agent disconnects or reconnects + IWA_AGENT: System notification sent when an IGA agent disconnects or reconnects + LDAP_AGENT: System notification sent when an LDAP agent disconnects or reconnects + OKTA_ANNOUNCEMENT: Okta communication sent for announcements and release notes + OKTA_UPDATE: Okta communication sent for scheduled system updates + RATELIMIT_NOTIFICATION: >- + System notification sent when an org reaches rate limit warning or + violation thresholds + REPORT_SUSPICIOUS_ACTIVITY: System notification sent when a user reports suspicious activity + USER_DEPROVISION: System notification sent when a user is deprovisioned from apps + USER_LOCKED_OUT: >- + System notification sent when a user is locked out from logging in to + Okta + SubscriptionStatus: + description: The status of the 
subscription + type: string + enum: + - subscribed + - unsubscribed + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + AuthenticationProviderWritable: + description: >- + Specifies the authentication provider that validates the user password + credential. The user's current provider is managed by the **Delegated + Authentication** settings in your org. See [Create user with + authentication + provider](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-authentication-provider). + type: object + properties: + name: + type: string + description: The name of the authentication provider + example: OKTA + type: + $ref: '#/components/schemas/AuthenticationProviderTypeWritable' + OktaUserGroupProfile: + description: >- + Profile for any group that is not imported from Active Directory. + Specifies the standard + + and custom profile properties for a group. + + + The `objectClass` for these groups is `okta:user_group`. + type: object + properties: + description: + type: string + example: All users West of The Rockies + description: Description of the group + name: + type: string + example: West Coast users + description: Name of the group + x-okta-extensible: true + OktaActiveDirectoryGroupProfile: + description: |- + Profile for a group that is imported from Active Directory. + + The `objectClass` for such groups is `okta:windows_security_principal`. 
+ type: object + properties: + description: + type: string + example: All users in the engineering department + description: Description of the Windows group + dn: + type: string + example: CN=West Coast users,OU=West Coast,DC=example,DC=com + description: The distinguished name of the Windows group + externalId: + type: string + example: VKzYZ1C+IkSZxIWlrW5ITg== + description: Base-64 encoded GUID (`objectGUID`) of the Windows group + name: + type: string + example: West Coast users + description: Name of the Windows group + samAccountName: + type: string + example: West Coast users + description: Pre-Windows 2000 name of the Windows group + windowsDomainQualifiedName: + type: string + example: EXAMPLE\\West Coast users + description: Fully qualified name of the Windows group + PolicyAccountLink: + description: Specifies the behavior for linking an IdP user to an existing Okta user + type: object + properties: + action: + $ref: '#/components/schemas/PolicyAccountLinkAction' + filter: + $ref: '#/components/schemas/PolicyAccountLinkFilter' + Provisioning: + description: >- + Specifies the behavior for just-in-time (JIT) provisioning of an IdP + user as a new Okta user and their group memberships + type: object + properties: + action: + $ref: '#/components/schemas/ProvisioningAction' + conditions: + $ref: '#/components/schemas/ProvisioningConditions' + groups: + $ref: '#/components/schemas/ProvisioningGroups' + profileMaster: + type: boolean + description: >- + Determines if the IdP should act as a source of truth for user + profile attributes + PolicySubject: + description: >- + Specifies the behavior for establishing, validating, and matching a + username for an IdP user + type: object + properties: + filter: + type: string + description: >- + Optional [regular expression + pattern](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions) + used to filter untrusted IdP usernames. 
+ + * As a best security practice, you should define a regular + expression pattern to filter untrusted IdP usernames. This is + especially important if multiple IdPs are connected to your org. The + filter prevents an IdP from issuing an assertion for any user, + including partners or directory users in your Okta org. + + * For example, the filter pattern `(\S+@example\.com)` allows only + Users that have an `@example.com` username suffix. It rejects + assertions that have any other suffix such as `@corp.example.com` or + `@partner.com`. + + * Only `SAML2` and `OIDC` IdP providers support the `filter` + property. + maxLength: 1024 + example: (\S+@example\.com) + matchAttribute: + type: string + description: >- + Okta user profile attribute for matching a transformed IdP username. + Only for matchType `CUSTOM_ATTRIBUTE`. + + The `matchAttribute` must be a valid Okta user profile attribute of + one of the following types: + + * String (with no format or 'email' format only) + + * Integer + + * Number + example: login + matchType: + $ref: '#/components/schemas/PolicySubjectMatchType' + userNameTemplate: + $ref: '#/components/schemas/PolicyUserNameTemplate' + SamlAlgorithms: + description: Settings for signing and verifying SAML messages + type: object + properties: + request: + $ref: '#/components/schemas/SamlRequestAlgorithm' + response: + $ref: '#/components/schemas/SamlResponseAlgorithm' + SamlCredentials: + description: >- + Federation Trust Credentials for verifying assertions from the IdP and + signing requests to the IdP + type: object + properties: + signing: + $ref: '#/components/schemas/SamlSigningCredentials' + trust: + $ref: '#/components/schemas/SamlTrustCredentials' + SamlEndpoints: + description: SAML 2.0 HTTP binding settings for IdP and SP (Okta) + type: object + properties: + acs: + $ref: '#/components/schemas/SamlAcsEndpoint' + slo: + $ref: '#/components/schemas/SamlSloEndpoint' + sso: + $ref: '#/components/schemas/SamlSsoEndpoint' + 
SamlRelayState: + description: Relay state settings for IdP + type: object + properties: + format: + $ref: '#/components/schemas/SamlRelayStateFormat' + SamlSettings: + description: Advanced settings for the SAML 2.0 protocol + type: object + properties: + honorPersistentNameId: + type: boolean + description: >- + Determines if the IdP should persist account linking when the + incoming assertion NameID format is + `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` + default: true + nameFormat: + $ref: '#/components/schemas/SamlNameIdFormat' + participateSlo: + type: boolean + description: >- + Set to `true` to have Okta send a logout request to the upstream IdP + when a user signs out of Okta or a downstream app. + sendApplicationContext: + type: boolean + description: >- + Determines if the IdP should send the application context as + `<OktaAppInstanceId>` and `<OktaAppName>` in the + `<saml2p:Extensions>` element of the `<AuthnRequest>` message + default: false + OAuthCredentials: + description: >- + Client authentication credentials for an [OAuth 2.0 Authorization + Server](https://tools.ietf.org/html/rfc6749#section-2.3) + type: object + properties: + client: + $ref: '#/components/schemas/OAuthCredentialsClient' + signing: + $ref: '#/components/schemas/AppleClientSigning' + OAuthEndpoints: + description: >- + The `OAUTH2` and `OIDC` protocols support the `authorization` and + `token` endpoints. Also, the `OIDC` protocol supports the `userInfo` and + `jwks` endpoints. + + + The IdP Authorization Server (AS) endpoints are currently defined as + part of the [IdP + provider]((https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request)) + and are read-only. 
+ type: object + properties: + authorization: + $ref: '#/components/schemas/OAuthAuthorizationEndpoint' + jwks: + $ref: '#/components/schemas/OidcJwksEndpoint' + slo: + $ref: '#/components/schemas/OidcSloEndpoint' + token: + $ref: '#/components/schemas/OAuthTokenEndpoint' + userInfo: + $ref: '#/components/schemas/OidcUserInfoEndpoint' + OAuthScopes: + description: >- + IdP-defined permission bundles to request delegated access from the + user. + + > **Note:** The [identity provider + type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) + table lists the scopes that are supported for each IdP. + items: + type: string + example: public_profile + type: array + OidcAlgorithms: + type: object + properties: + request: + $ref: '#/components/schemas/OidcRequestAlgorithm' + OidcSettings: + description: Advanced settings for the OpenID Connect protocol + type: object + properties: + participateSlo: + type: boolean + description: >- + Set to `true` to have Okta send a logout request to the upstream IdP + when a user signs out of Okta or a downstream app. 
+ sendApplicationContext: + type: boolean + description: >- + Determines if the IdP should send the application context as + `OktaAppInstanceId` and `OktaAppName` params in the request + default: false + MtlsCredentials: + description: >- + Certificate chain description for verifying assertions from the Smart + Card + type: object + properties: + trust: + $ref: '#/components/schemas/MtlsTrustCredentials' + MtlsEndpoints: + type: object + properties: + sso: + $ref: '#/components/schemas/MtlsSsoEndpoint' + IDVCredentials: + description: Credentials for verifying requests to the IDV + type: object + properties: + bearer: + type: object + description: Client credential for `IDV_PERSONA` IdP type + properties: + apiKey: + type: string + description: The API key that you generate in your Persona dashboard + required: + - apiKey + client: + type: object + description: >- + <x-lifecycle-container><x-lifecycle + class="oie"></x-lifecycle></x-lifecycle-container>Client credentials + for `IDV_CLEAR` and `IDV_INCODE` IdP types + properties: + client_id: + type: string + description: The client ID that you generate in your IDV + client_secret: + type: string + description: The client secret that you generate in your IDV + required: + - client_id + - client_secret + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: [] + IDVEndpoints: + description: Contains the endpoints for the IDV + type: object + properties: + authorization: + $ref: '#/components/schemas/IDVAuthorizationEndpoint' + par: + $ref: '#/components/schemas/IDVParEndpoint' + token: + $ref: '#/components/schemas/IDVTokenEndpoint' + readOnly: true + LinksAuthenticator: + type: object + properties: + authenticator: + allOf: + - description: >- + Returns information about a specific authenticator. See + [Retrieve an + authenticator](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Authenticator/#tag/Authenticator/operation/getAuthenticator). 
+ - $ref: '#/components/schemas/HrefObject' + readOnly: true + AuthenticatorProfileTacRequest: + description: Defines the authenticator specific parameters + type: object + properties: + multiUse: + type: boolean + description: >- + Determines whether the enrollment can be used more than once. To + enable multi-use, the org-level authenticator’s configuration must + allow multi-use. + writeOnly: true + ttl: + type: string + description: >- + Time-to-live (TTL) in minutes. + + + Specifies how long the TAC enrollment is valid after it's created + and activated. + + The configured value must be between 10 minutes (`10`) and 10 days + (`14400`), inclusive. + + The actual allowed range depends on the org-level authenticator + configuration. + writeOnly: true + AuthenticatorProfileTacResponsePost: + description: Defines the authenticator specific parameters + type: object + properties: + expiresAt: + type: string + description: The time when the TAC enrollment expires in the UTC timezone + format: date-time + multiUse: + type: boolean + description: Determines whether an enrollment can be used more than once + tac: + type: string + description: >- + A temporary access code used for authentication. It can be used one + or more times and is valid for a defined period specified by the + `ttl` property. + + The `tac` is returned in the response when the enrollment is + created. It is not returned when the enrollment is retrieved. + + Issuing a new TAC invalidates any existing TAC for this user. + OfflineAccessScopeResourceHrefObject: + type: object + properties: + href: + type: string + description: Link URI + example: >- + https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 + title: + type: string + description: Link name + example: offline_access + PasswordCredentialHash: + description: >- + Specifies a hashed password to import into Okta. 
This allows an existing + password to be imported into Okta directly + + from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, + SHA-1, MD5, and PBKDF2 hash functions for password import. + A hashed password may be specified in a password object when creating or updating a user, but not for other operations. + See the [Create user with imported hashed password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-imported-hashed-password) description. When you update a user with a hashed password, the user must be in the `STAGED` status. + type: object + properties: + algorithm: + $ref: '#/components/schemas/PasswordCredentialHashAlgorithm' + digestAlgorithm: + $ref: '#/components/schemas/DigestAlgorithm' + iterationCount: + type: integer + description: >- + The number of iterations used when hashing passwords using PBKDF2. + Must be >= 4096. Only required for PBKDF2 algorithm. + keySize: + type: integer + description: >- + Size of the derived key in bytes. Only required for PBKDF2 + algorithm. + salt: + description: >- + Only required for salted hashes. For BCRYPT, this specifies Radix-64 + as the encoded salt used to generate the hash, + + which must be 22 characters long. For other salted hashes, this + specifies the Base64-encoded salt used to + + generate the hash. + type: string + saltOrder: + type: string + description: >- + Specifies whether salt was pre- or postfixed to the password before + hashing. Only required for salted algorithms. + value: + description: >- + For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual + base64-encoded hash of the password (and salt, if used). + + This is the Base64-encoded `value` of the + SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either + pre-fixing or post-fixing + + the `salt` to the `password`, depending on the `saltOrder`. 
If a + `salt` was not used in the `source` system, then this should just be + + the Base64-encoded `value` of the password's + SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the + actual Radix-64 encoded hashed password. + type: string + workFactor: + type: integer + description: >- + Governs the strength of the hash and the time required to compute + it. Only required for BCRYPT algorithm. + minimum: 1 + maximum: 20 + PasswordCredentialHook: + description: >- + Specify a [password import inline + hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) + to trigger verification of the user's password the first time the user + signs in. This allows an existing password to be imported into Okta + directly from some other store. + type: object + properties: + type: + type: string + description: The type of password inline hook. Currently, must be set to default. + AuthenticationProviderType: + description: The type of authentication provider + type: string + enum: + - ACTIVE_DIRECTORY + - FEDERATION + - IMPORT + - LDAP + - OKTA + - SOCIAL + x-enumDescriptions: + ACTIVE_DIRECTORY: >- + Specifies the Microsoft Active Directory instance name as the `name` + property + FEDERATION: >- + Specifies a federated identity provider (such as an SAML IdP) that + validates the user's password credentials. Doesn't support a + `password` or `recovery question` credential. The user must + authenticate through a trusted identity provider. + IMPORT: Specifies a hashed password that was imported from an external source + LDAP: Specifies the LDAP directory instance name as the `name` property + OKTA: Specifies the Okta identity provider + SOCIAL: >- + Specifies an OIDC or third-party social identity provider. Doesn't + support a `password` or `recovery question` credential. The user must + authenticate through a trusted identity provider. 
+ readOnly: true + DeviceProfile: + type: object + properties: + diskEncryptionType: + $ref: '#/components/schemas/DiskEncryptionTypeDef' + displayName: + type: string + description: Display name of the device + minLength: 1 + maxLength: 255 + imei: + type: string + description: International Mobile Equipment Identity (IMEI) of the device + minLength: 14 + maxLength: 17 + integrityJailbreak: + type: boolean + description: >- + Indicates if the device is jailbroken or rooted. Only applicable to + `IOS` and `ANDROID` platforms + managed: + type: boolean + description: >- + Indicates if the device is managed by mobile device management (MDM) + software + manufacturer: + type: string + description: Name of the manufacturer of the device + maxLength: 127 + meid: + type: string + description: Mobile equipment identifier of the device + maxLength: 14 + model: + type: string + description: Model of the device + maxLength: 127 + osVersion: + type: string + description: Version of the device OS + maxLength: 127 + platform: + $ref: '#/components/schemas/DevicePlatform' + registered: + type: boolean + description: Indicates if the device is registered at Okta + secureHardwarePresent: + type: boolean + description: Indicates if the device contains a secure hardware functionality + serialNumber: + type: string + description: Serial number of the device + maxLength: 127 + sid: + type: string + description: Windows Security identifier of the device + maxLength: 256 + tpmPublicKeyHash: + type: string + description: Windows Trusted Platform Module hash value + udid: + type: string + description: macOS Unique device identifier of the device + maxLength: 47 + required: + - displayName + - platform + - registered + DeviceDisplayName: + description: Display name of the device + type: object + properties: + sensitive: + type: boolean + description: >- + Indicates whether the associated value is Personal Identifiable + Information (PII) and requires masking + default: false + value: + 
type: string + description: Display name of the device + DeviceStatus: + description: The state object of the device + type: string + enum: + - ACTIVE + - DEACTIVATED + - SUSPENDED + - UNSUSPENDED + x-enumDescriptions: + ACTIVE: Use activated devices to create and delete device user links + DEACTIVATED: >- + Deactivation causes a device to lose all device user links. Set the + device status to `DEACTIVATED` before deleting it. + SUSPENDED: >- + Use suspended devices to create and delete device user links. You can + only unsuspend or deactivate suspended devices. + UNSUSPENDED: Returns a suspended device to `ACTIVE`. + LinksSelfAndFullUsersLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelfAndLifecycle' + - type: object + properties: + suspend: + $ref: '#/components/schemas/HrefObjectSuspendLink' + unsuspend: + $ref: '#/components/schemas/HrefObjectUnsuspendLink' + users: + description: Link to device users + allOf: + - $ref: '#/components/schemas/HrefObject' + LinksActivate: + type: object + properties: + activate: + allOf: + - description: >- + Activates an enrolled factor. See [Activate a + factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/activateFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksCancel: + type: object + properties: + cancel: + allOf: + - description: Cancels a `push` factor challenge with a `WAITING` status + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksDeactivate: + type: object + properties: + deactivate: + allOf: + - description: >- + Deactivates the factor. See [Unenroll a + factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/unenrollFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksEnroll: + type: object + properties: + enroll: + allOf: + - description: >- + Enrolls a supported factor. 
See [Enroll a + factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/enrollFactor). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksFactor: + type: object + properties: + factor: + allOf: + - description: Link to the factor resource + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksPoll: + type: object + properties: + poll: + allOf: + - description: >- + Polls the factor resource for status information. Always use the + `poll` link instead of manually constructing your own URL. + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksQrcode: + type: object + properties: + qrcode: + allOf: + - description: >- + QR code that encodes the push activation code needed for + enrollment on the device + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksQuestions: + type: object + properties: + question: + allOf: + - description: >- + Lists all supported security questions. See [List all supported + security + questions](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/listSupportedSecurityQuestions). + - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksResend: + type: object + properties: + resend: + allOf: + - description: >- + Resends the factor enrollment challenge. See [Resend a factor + enrollment](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/resendEnrollFactor). 
+ - $ref: '#/components/schemas/HrefObject' + readOnly: true + LinksSend: + type: object + properties: + send: + allOf: + - description: >- + Sends an activation link through email or sms for users who + can't scan the QR code + - $ref: '#/components/schemas/HrefObject' + readOnly: true + HrefObjectUserLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the user resource + HrefObjectAssigneeLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the assignee resource + HrefObjectMemberLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the member resource + HrefObjectPermissionsLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the permissions resource + HrefObjectResourceSetLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource set resource + HrefObjectRoleLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the role resource + HrefObjectGovernanceResourcesLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resources + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + AuthenticationProviderTypeWritable: + description: The type of authentication provider + type: string + enum: + - ACTIVE_DIRECTORY + - FEDERATION + - IMPORT + - LDAP + - OKTA + - SOCIAL + x-enumDescriptions: + ACTIVE_DIRECTORY: >- + Specifies a Microsoft Active Directory instance name as the `name` + property + FEDERATION: >- + Specifies a federated identity provider (such as a SAML IdP) that + validates the user's password credentials. Doesn't support a + `password` or `recovery question` credential. The user must + authenticate through a trusted identity provider. 
+ IMPORT: Specifies a hashed password that was imported from an external source + LDAP: Specifies the LDAP directory instance name as the `name` property + OKTA: Specifies the Okta identity provider + SOCIAL: >- + Specifies an OIDC or third-party social identity provider. Doesn't + support a `password` or `recovery question` credential. The user must + authenticate through a trusted identity provider. + PolicyAccountLinkAction: + description: Specifies the account linking action for an IdP user + type: string + enum: + - AUTO + - DISABLED + x-enumDescriptions: + AUTO: >- + The IdP user is automatically linked to an Okta user when the + transformed IdP user matches an existing Okta user according to + [subject match + rules](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/subject&t=request). + DISABLED: >- + Okta never attempts to link the IdP user to an existing Okta user, but + may still attempt to provision a new Okta user according to the + [provisioning action + type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/provisioning/action&t=request). + PolicyAccountLinkFilter: + description: >- + Specifies filters on which users are available for account linking by an + IdP + type: object + properties: + groups: + $ref: '#/components/schemas/PolicyAccountLinkFilterGroups' + users: + $ref: '#/components/schemas/PolicyAccountLinkFilterUsers' + ProvisioningAction: + description: >- + Specifies the user provisioning action during authentication when an IdP + user isn't linked to an existing Okta user. + + * To successfully provision a new Okta user, you must enable + just-in-time (JIT) provisioning in your org security settings. 
+ + * If the target username isn't unique or the resulting Okta user profile + is missing a required profile attribute, JIT provisioning may fail. + + * New Okta users are provisioned with either a `FEDERATION` or `SOCIAL` + authentication provider depending on the IdP type. + type: string + enum: + - AUTO + - DISABLED + x-enumDescriptions: + AUTO: >- + The IdP user profile is transformed through defined universal + directory profile mappings to an Okta user profile and automatically + provisioned as an Okta user. + DISABLED: >- + Okta rejects the authentication request and skips provisioning of a + new Okta user if the IdP user isn't linked to an existing Okta user. + ProvisioningConditions: + description: Conditional behaviors for an IdP user during authentication + type: object + properties: + deprovisioned: + $ref: '#/components/schemas/ProvisioningDeprovisionedCondition' + suspended: + $ref: '#/components/schemas/ProvisioningSuspendedCondition' + ProvisioningGroups: + description: Provisioning settings for a user's group memberships + type: object + properties: + action: + $ref: '#/components/schemas/ProvisioningGroupsAction' + assignments: + type: array + description: >- + List of `OKTA_GROUP` group identifiers to add an IdP user as a + member with the `ASSIGN` action + items: + type: string + example: 00gak46y5hydV6NdM0g4 + filter: + type: array + description: >- + Allowlist of `OKTA_GROUP` group identifiers for the `APPEND` or + `SYNC` provisioning action + items: + type: string + example: 00gak46y5hydV6NdM0g4 + sourceAttributeName: + type: string + description: >- + IdP user profile attribute name (case-insensitive) for an array + value that contains group memberships + maxLength: 1024 + example: Groups + PolicySubjectMatchType: + description: >- + Determines the Okta user profile attribute match conditions for account + linking and authentication of the transformed IdP username + type: string + enum: + - CUSTOM_ATTRIBUTE + - EMAIL + - USERNAME + - 
USERNAME_OR_EMAIL + PolicyUserNameTemplate: + description: >- + [Okta Expression Language (EL) + expression](https://developer.okta.com/docs/reference/okta-expression-language/) + to generate or transform a unique username for the IdP user. + + * IdP user profile attributes can be referenced with the `idpuser` + prefix such as `idpuser.subjectNameId`. + + * You must define an IdP user profile attribute before it can be + referenced in an Okta EL expression. To define an IdP user attribute + policy, you may need to create a new IdP instance without a base profile + property. Then edit the IdP user profile to update the IdP instance with + an expression that references the IdP user profile attribute that you + just created. + type: object + properties: + template: + type: string + minLength: 9 + maxLength: 1024 + example: idpuser.subjectNameId + SamlRequestAlgorithm: + description: Algorithm settings used to secure an `<AuthnRequest>` message + type: object + properties: + signature: + $ref: '#/components/schemas/SamlRequestSignatureAlgorithm' + SamlResponseAlgorithm: + description: >- + Algorithm settings for verifying `<SAMLResponse>` messages and + `<Assertion>` elements from the IdP + type: object + properties: + signature: + $ref: '#/components/schemas/SamlResponseSignatureAlgorithm' + SamlSigningCredentials: + description: Key used for signing requests to the IdP + type: object + properties: + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + SamlTrustCredentials: + description: Federation Trust Credentials for verifying assertions from the IdP + type: object + properties: + additionalKids: + description: >- + Additional IdP key credential reference to the Okta X.509 signature + certificate + type: array + maxItems: 1 + items: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + audience: + type: string + description: >- + URI that identifies the target Okta IdP instance (SP) for an + `<Assertion>` + maxLength: 1024 + example: 
https://www.okta.com/saml2/service-provider/spgv32vOnpdyeGSaiUpL + issuer: + type: string + description: >- + URI that identifies the issuer (IdP) of a `<SAMLResponse>` message + `<Assertion>` element + maxLength: 1024 + example: urn:example:idp + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + SamlAcsEndpoint: + description: >- + Okta's `SPSSODescriptor` endpoint where the IdP sends a `<SAMLResponse>` + message + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + type: + $ref: '#/components/schemas/SamlEndpointType' + SamlSloEndpoint: + description: >- + IdP's `SingleLogoutService` endpoint where Okta sends a + `<LogoutRequest>` message + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: >- + URL of the binding-specific IdP endpoint where Okta sends a + `<LogoutRequest>` + maxLength: 1014 + example: https://idp.example.com/saml2/slo + SamlSsoEndpoint: + description: >- + IdP's `SingleSignOnService` endpoint where Okta sends an + `<AuthnRequest>` message + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + destination: + type: string + description: >- + URI reference that indicates the address to which the + `<AuthnRequest>` message is sent. + + The `destination` property is required if request signatures are + specified. See [SAML 2.0 Request Algorithm + object](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=protocol/0/algorithms/request&t=request). + maxLength: 512 + example: https://idp.example.com/saml2/sso + url: + type: string + description: >- + URL of the binding-specific endpoint to send an `<AuthnRequest>` + message to the IdP. 
+ + The value of `url` defaults to the same value as the `sso` endpoint + if omitted during creation of a new IdP instance. + + The `url` should be the same value as the `Location` attribute for a + published binding in the IdP's SAML Metadata `IDPSSODescriptor`. + maxLength: 1014 + example: https://idp.example.com/saml2/sso + SamlRelayStateFormat: + description: >- + The format used to generate the `relayState` in the SAML request. The + `FROM_URL` format is used if this value is null. + type: string + enum: + - FROM_URL + - OPAQUE + SamlNameIdFormat: + description: SAML 2.0 Name Identifier formats + default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + type: string + enum: + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + OAuthCredentialsClient: + description: >- + OAuth 2.0 and OpenID Connect Client object + + > **Note:** You must complete client registration with the IdP + Authorization Server for your Okta IdP instance to obtain client + credentials. 
+ type: object + properties: + client_id: + type: string + description: >- + The [Unique + identifier](https://tools.ietf.org/html/rfc6749#section-2.2) issued + by the AS for the Okta IdP instance + maxLength: 1024 + example: your-client-id + client_secret: + type: string + description: >- + The [Client + secret](https://tools.ietf.org/html/rfc6749#section-2.3.1) issued by + the AS for the Okta IdP instance + maxLength: 1024 + example: your-client-secret + pkce_required: + type: boolean + description: >- + Require Proof Key for Code Exchange (PKCE) for additional + verification + token_endpoint_auth_method: + type: string + description: Client authentication methods supported by the token endpoint + enum: + - private_key_jwt + AppleClientSigning: + description: >- + Information used to generate the secret JSON Web Token for the token + requests to Apple IdP + + > **Note:** The `privateKey` property is required for a CREATE request. + For an UPDATE request, it can be null and keeps the existing value if + it's null. The `privateKey` property isn't returned for LIST and GET + requests or UPDATE requests if it's null. 
+ type: object + properties: + kid: + type: string + description: >- + The key ID that you obtained from Apple when you created the private + key for the client + maxLength: 1024 + example: test key id + privateKey: + type: string + description: >- + The PKCS \#8 encoded private key that you created for the client and + downloaded from Apple + maxLength: 1024 + example: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ + teamId: + type: string + description: The Team ID associated with your Apple developer account + maxLength: 1024 + example: test team id + OAuthAuthorizationEndpoint: + description: >- + Endpoint for an [OAuth 2.0 Authorization Server + (AS)](https://tools.ietf.org/html/rfc6749#page-18) + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the IdP Authorization Server (AS) authorization endpoint + example: https://idp.example.com/authorize + OidcJwksEndpoint: + description: >- + Endpoint for the JSON Web Key Set (JWKS) document. This document + contains signing keys that are used to validate the signatures from the + provider. For more information on JWKS, see [JSON Web + Key](https://tools.ietf.org/html/rfc7517). 
+ type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the endpoint to the JWK Set + example: https://idp.example.com/keys + OidcSloEndpoint: + description: OIDC IdP logout endpoint + type: object + properties: + url: + type: string + description: IdP logout endpoint URL + maxLength: 1014 + example: https://idp.example.com/saml2/slo + OAuthTokenEndpoint: + description: >- + Endpoint for an [OAuth 2.0 Authorization Server + (AS)](https://tools.ietf.org/html/rfc6749#page-18) + type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the IdP Authorization Server (AS) token endpoint + example: https://idp.example.com/token + OidcUserInfoEndpoint: + description: >- + Endpoint for getting identity information about the user. For more + information on the `/userinfo` endpoint, see [OpenID + Connect](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). 
+ type: object + properties: + binding: + $ref: '#/components/schemas/ProtocolEndpointBinding' + url: + type: string + description: URL of the resource server's `/userinfo` endpoint + example: https://idp.example.com/userinfo + OidcRequestAlgorithm: + description: Algorithm settings used to sign an authorization request + type: object + properties: + signature: + $ref: '#/components/schemas/OidcRequestSignatureAlgorithm' + MtlsTrustCredentials: + type: object + properties: + audience: + type: string + description: Not used + example: null + issuer: + type: string + description: Description of the certificate issuer + maxLength: 1024 + example: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + kid: + $ref: '#/components/schemas/ProtocolCredentialsKeyId' + revocation: + $ref: '#/components/schemas/MtlsTrustCredentialsRevocation' + revocationCacheLifetime: + type: number + description: Time in minutes to cache the certificate revocation information + maximum: 4320 + example: 2880 + MtlsSsoEndpoint: + description: >- + The Single Sign-On (SSO) endpoint is the IdP's `SingleSignOnService` + endpoint + type: object + properties: + url: + type: string + maxLength: 1014 + example: https://{yourOktaDomain}.okta.com/login/cert + IDVAuthorizationEndpoint: + description: IDV authorization endpoint + type: object + properties: + binding: + type: string + enum: + - HTTP-REDIRECT + url: + type: string + description: URL of the IDV `authorization` endpoint + readOnly: true + IDVParEndpoint: + description: IDV [PAR](https://datatracker.ietf.org/doc/html/rfc9126) endpoint + type: object + properties: + binding: + type: string + enum: + - HTTP-POST + url: + type: string + description: URL of the IDV `par` endpoint + readOnly: true + IDVTokenEndpoint: + description: IDV token endpoint + type: object + properties: + binding: + type: string + enum: + - HTTP-POST + url: + type: string + description: URL of the IDV `token` endpoint + readOnly: true + PasswordCredentialHashAlgorithm: + 
description: >- + The algorithm used to generate the hash using the password (and salt, + when applicable). + type: string + enum: + - BCRYPT + - MD5 + - PBKDF2 + - SHA-1 + - SHA-256 + - SHA-512 + DigestAlgorithm: + description: >- + Algorithm used to generate the key. Only required for the PBKDF2 + algorithm. + type: string + enum: + - SHA256_HMAC + - SHA512_HMAC + DiskEncryptionTypeDef: + description: >- + Type of encryption used on the device + + > **Note:** The following values map to Disk Encryption ON: `FULL`, + `USER`, `ALL_INTERNAL_VOLUMES`. All other values map to Disk Encryption + OFF. + type: string + enum: + - ALL_INTERNAL_VOLUMES + - FULL + - NONE + - SYSTEM_VOLUME + - USER + x-enumDescriptions: + NONE: No encryption has been set. + FULL: >- + Disk is fully encrypted. Only applicable to `IOS` and `ANDROID` + platforms. + USER: >- + Encryption key is tied to the user or profile. Only applicable to + `ANDROID` platform. + ALL_INTERNAL_VOLUMES: >- + All internal disks are encrypted. Only applicable to `WINDOWS` and + `MACOS` platforms. + SYSTEM_VOLUME: >- + Only the system volume is encrypted. Only applicable to `WINDOWS` and + `MACOS` platforms. 
+ DevicePlatform: + description: OS platform of the device + type: string + enum: + - ANDROID + - IOS + - MACOS + - WINDOWS + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + HrefObjectSuspendLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to suspend the resource + HrefObjectUnsuspendLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to unsuspend the resource + PolicyAccountLinkFilterGroups: + description: Group memberships used to determine link candidates + type: object + properties: + include: + type: array + description: >- + Specifies the allowlist of Group identifiers to match against. Group + memberships are restricted to type `OKTA_GROUP`. + items: + type: string + example: 00gjg5lzfBpn62wuF0g3 + PolicyAccountLinkFilterUsers: + description: Filters on which users are available for account linking + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + type: object + properties: + exclude: + type: array + description: >- + Specifies the blocklist of user identifiers to exclude from account + linking + items: + type: string + example: 00u2c0nz7wj4UBs8V0g5 + excludeAdmins: + type: boolean + description: >- + Specifies whether admin users should be excluded from account + linking + default: false + ProvisioningDeprovisionedCondition: + description: >- + Behavior for a previously deprovisioned IdP user during authentication. + Not supported with OIDC IdPs. + type: object + properties: + action: + $ref: '#/components/schemas/ProvisioningDeprovisionedAction' + ProvisioningSuspendedCondition: + description: >- + Behavior for a previously suspended IdP user during authentication. Not + supported with OIDC IdPs. 
+ type: object + properties: + action: + $ref: '#/components/schemas/ProvisioningSuspendedAction' + ProvisioningGroupsAction: + description: >- + Provisioning action for the IdP user's group memberships + + + | Enum | + Description + | Existing OKTA_GROUP + Memberships + | Existing APP_GROUP Memberships | Existing BUILT_IN Memberships | + + | -------- | + ----------------------------------------------------------------------------------------------------------------------------------------------------------------- + | + ----------------------------------------------------------------------------------------------------- + | ------------------------------ | ----------------------------- | + + | `APPEND` | Adds a user to any group defined by the IdP as a value of + the `sourceAttributeName` array that matches the name of the allow + listed group defined in the `filter` | + Unchanged + | Unchanged | Unchanged | + + | `ASSIGN` | Assigns a user to groups defined in the `assignments` + array + | + Unchanged + | Unchanged | Unchanged | + + | `NONE` | Skips processing of group + memberships + | + Unchanged + | Unchanged | Unchanged | + + | `SYNC` | Group memberships are sourced by the IdP as a value of the + `sourceAttributeName` array that matches the name of the group defined + in the `filter` | Removed if not defined by the IdP in + `sourceAttributeName` and matching name of the group in `filter` | + Unchanged | Unchanged | + + + > **Note:** Group provisioning action is processed independently from + profile sourcing. You can sync group memberships through SAML with + profile sourcing disabled. + type: string + enum: + - APPEND + - ASSIGN + - NONE + - SYNC + SamlRequestSignatureAlgorithm: + description: >- + XML digital Signature Algorithm settings for signing `<AuthnRequest>` + messages sent to the IdP + + > **Note:** The `algorithm` property is ignored when you disable + request signatures (`scope` set as `NONE`). 
+ type: object + properties: + algorithm: + $ref: '#/components/schemas/SamlSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' + SamlResponseSignatureAlgorithm: + description: >- + XML digital Signature Algorithm settings for verifying `<SAMLResponse>` + messages and `<Assertion>` elements from the IdP + type: object + properties: + algorithm: + $ref: '#/components/schemas/SamlSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmResponseScope' + ProtocolCredentialsKeyId: + description: IdP key credential reference to the Okta X.509 signature certificate + example: your-key-id + type: string + ProtocolEndpointBinding: + type: string + enum: + - HTTP-POST + - HTTP-REDIRECT + SamlEndpointType: + description: >- + Determines whether to publish an instance-specific (trust) or + organization (shared) ACS endpoint in the SAML metadata + default: INSTANCE + type: string + enum: + - INSTANCE + - ORG + OidcRequestSignatureAlgorithm: + description: >- + Signature Algorithm settings for signing authorization requests sent to + the IdP + + > **Note:** The `algorithm` property is ignored when you disable + request signatures (`scope` set as `NONE`). 
+ type: object + properties: + algorithm: + $ref: '#/components/schemas/OidcSigningAlgorithm' + scope: + $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' + MtlsTrustCredentialsRevocation: + description: Mechanism to validate the certificate + example: CRL + type: string + enum: + - CRL + - DELTA_CRL + - OCSP + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + ProvisioningDeprovisionedAction: + description: >- + Specifies the action during authentication when an IdP user is linked to + a previously deprovisioned Okta user + type: string + enum: + - NONE + - REACTIVATE + x-enumDescriptions: + NONE: >- + Take no action. If an IdP user that matches a previously deprovisioned + Okta user attempts to authenticate, authentication fails. + REACTIVATE: >- + If an IdP user that matches a previously deprovisioned Okta user + attempts to authenticate, reactivate the matching user in Okta and + allow the authentication attempt to proceed. + ProvisioningSuspendedAction: + description: >- + Specifies the action during authentication when an IdP user is linked to + a previously suspended Okta user + type: string + enum: + - NONE + - UNSUSPEND + x-enumDescriptions: + NONE: >- + Take no action. If an IdP user that matches a previously suspended + Okta user attempts to authenticate, authentication fails. + UNSUSPEND: >- + If an IdP user that matches a previously suspended Okta user attempts + to authenticate, unsuspend the matching user in Okta and allow the + authentication attempt to proceed. 
+ SamlSigningAlgorithm: + example: SHA-256 + type: string + enum: + - SHA-1 + - SHA-256 + ProtocolAlgorithmRequestScope: + description: Specifies whether to digitally sign authorization requests to the IdP + example: REQUEST + type: string + enum: + - NONE + - REQUEST + ProtocolAlgorithmResponseScope: + description: Specifies whether to verify responses from the IdP + example: ANY + type: string + enum: + - ANY + - RESPONSE + - TOKEN + OidcSigningAlgorithm: + type: string + enum: + - HS256 + - HS384 + - HS512 + - RS256 + - RS384 + - RS512 + responses: + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorMissingRequiredParameter400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + MissingRequiredParameter: + $ref: '#/components/examples/ErrorMissingRequiredParameter' + PhoneAuthenticatorCreateEnrollmentResponse: + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorEnrollment' + examples: + PhoneSmsEx: + $ref: '#/components/examples/AuthenticatorEnrollmentResponsePhoneSms' + PhoneCallEx: + $ref: '#/components/examples/AuthenticatorEnrollmentResponsePhoneVoice' + ErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: 
'#/components/examples/ErrorApiValidationFailed' + TacAuthenticatorCreateEnrollmentResponse: + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/TacAuthenticatorEnrollment' + examples: + TacEx: + $ref: '#/components/examples/AuthenticatorEnrollmentResponseTac' + AuthenticatorEnrollmentResponse: + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorEnrollment' + examples: + PhoneSmsEx: + $ref: '#/components/examples/AuthenticatorEnrollmentResponsePhoneSms' + PhoneCallEx: + $ref: '#/components/examples/AuthenticatorEnrollmentResponsePhoneVoice' + GetFactorResponse: + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/UserFactor' + examples: + SMS: + $ref: '#/components/examples/FactorResponseSms' + Email: + $ref: '#/components/examples/FactorEmail' + parameters: + OktaResponse: + name: Content-Type + in: header + description: >- + Specifies the media type of the resource. Optional `okta-response` value + can be included for performance optimization. + + + Complex DelAuth configurations may degrade performance when fetching + specific parts of the response, and passing this parameter can omit + these parts, bypassing the bottleneck. + + + Enum values for `okta-response`: + * `omitCredentials`: Omits the credentials subobject from the response. + * `omitCredentialsLinks`: Omits the following HAL links from the response: Update password, Change recovery question, Start forgot password flow, Reset password, Reset factors, Unlock. + * `omitTransitioningToStatus`: Omits the `transitioningToStatus` field from the response. + required: false + schema: + type: string + examples: + Omit credentials subobject and credentials links: + value: application/json; okta-response=omitCredentials,omitCredentialsLinks + summary: >- + Omits the credentials subobject and credentials links from the + response. Doesn't apply performance optimization. 
+ Omit credentials, credentials links, and `transitioningToStatus` field: + value: >- + application/json; + okta-response="omitCredentials,omitCredentialsLinks, + omitTransitioningToStatus" + summary: >- + Omits the credentials, credentials links, and + `transitioningToStatus` field from the response. Applies performance + optimization. + queryAfter: + name: after + in: query + schema: + type: string + description: >- + The cursor to use for pagination. It is an opaque string that specifies + your current location in the list and is obtained from the `Link` + response header. See + [Pagination](https://developer.okta.com/docs/api/#pagination). + pathId: + name: id + description: >- + An ID, login, or login shortname (as long as the shortname is + unambiguous) of an existing Okta user + in: path + required: true + schema: + type: string + queryUserExpand: + name: expand + in: query + description: >- + An optional parameter to include metadata in the `_embedded` attribute. + Valid values: `blocks` or <x-lifecycle class="ea"></x-lifecycle> + `classification`. + required: false + schema: + type: string + example: blocks + pathUserIdOrLogin: + name: userIdOrLogin + description: >- + If for the `self` link, this is the ID of the user for whom you want to + get the primary user ID. If for the `associated` relation, this is the + user ID or login value of the user assigned the associated relationship. + + + This can be `me` to represent the current session user. 
+ in: path + required: true + schema: + type: string + examples: + manager: + value: 00u5zex6ztMbOZhF50h7 + summary: Example ID of `primary` + subordinate: + value: 00u5zex6ztMbOZhF50h7 + summary: Example ID of `associated` + pathPrimaryRelationshipName: + name: primaryRelationshipName + description: Name of the `primary` relationship being assigned + in: path + required: true + schema: + type: string + example: manager + pathPrimaryUserId: + name: primaryUserId + description: >- + User ID to be assigned to the `primary` relationship for the + `associated` user + in: path + required: true + schema: + type: string + pathRelationshipName: + name: relationshipName + description: Name of the `primary` or `associated` relationship being queried + in: path + required: true + schema: + type: string + examples: + manager: + value: manager + summary: Example of a `primary` name + subordinate: + value: subordinate + summary: Example of an `associated` name + pathUserId: + name: userId + description: ID of an existing Okta user + in: path + required: true + schema: + type: string + example: 00ub0oNGTSWTBKOLGLNR + pathEnrollmentId: + name: enrollmentId + description: Unique identifier of an enrollment + in: path + required: true + schema: + type: string + example: sms8lqwuzSpWT4kVs0g4 + pathClientId: + name: clientId + description: Client app ID + in: path + required: true + schema: + type: string + example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD + pathTokenId: + name: tokenId + description: '`id` of Token' + in: path + required: true + schema: + type: string + example: sHHSth53yJAyNSTQKDJZ + pathFactorId: + name: factorId + description: ID of an existing user factor + in: path + required: true + schema: + type: string + example: zAgrsaBe0wVGRugDYtdv + pathTransactionId: + name: transactionId + description: ID of an existing factor verification transaction + in: path + required: true + schema: + type: string + example: gPAQcN3NDjSGOCAeG2Jv + pathGrantId: + name: grantId + 
description: Grant ID + in: path + required: true + schema: + type: string + example: iJoqkwx50mrgX4T9LcaH + pathQueryRoleExpand: + name: expand + description: >- + An optional parameter used to return targets configured for the standard + role assignment in the `embedded` property. Supported values: + `targets/groups` or `targets/catalog/apps` + in: query + required: false + schema: + type: string + examples: + groupTarget: + value: targets/groups + summary: Return group targets + appTarget: + value: targets/catalog/apps + summary: Return app targets + pathRoleAssignmentId: + name: roleAssignmentId + description: The `id` of the role assignment + in: path + required: true + schema: + type: string + example: JBCUYUC7IRCVGS27IFCE2SKO + queryLimit: + name: limit + in: query + schema: + type: integer + minimum: 1 + maximum: 200 + default: 20 + description: A limit on the number of objects to return + pathAppName: + name: appName + description: Name of the app definition (the OIN catalog app key name) + in: path + required: true + schema: + type: string + example: google + pathAppId: + name: appId + description: Application ID + in: path + required: true + schema: + type: string + example: 0oafxqCAJWWGELFTYASJ + pathGroupId: + name: groupId + description: The `id` of the group + in: path + required: true + schema: + type: string + example: 00g1emaKYZTWRYYRRTSK + pathRoleIdOrEncodedRoleId: + name: roleIdOrEncodedRoleId + description: The `id` of the role or Base32 encoded `id` of the role name + in: path + required: true + schema: + type: string + example: JBCUYUC7IRCVGS27IFCE2SKO + assignmentType: + name: assignmentType + description: Specifies the assignment type of the user + in: query + required: false + schema: + type: string + enum: + - USER + - GROUP + example: GROUP + pathNotificationType: + name: notificationType + in: path + required: true + schema: + $ref: '#/components/schemas/NotificationType' + examples: + ListRealmAwareUsersResponse: + summary: List all 
users + value: + - id: 00u118oQYT4TBGuay0g4 + status: ACTIVE + created: '2022-04-04T15:56:05.000Z' + activated: null + statusChanged: null + lastLogin: '2022-05-04T19:50:52.000Z' + lastUpdated: '2022-05-05T18:15:44.000Z' + passwordChanged: '2022-04-04T16:00:22.000Z' + type: + id: oty1162QAr8hJjTaq0g4 + profile: + firstName: Alice + lastName: Smith + mobilePhone: null + secondEmail: null + login: alice.smith@example.com + email: alice.smith@example.com + realmId: guo1afiNtSnZYILxO0g4 + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + self: + href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 + create-user-without-credentials-request: + description: >- + See [Create user without + credentials](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-without-credentials) + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + create-user-with-recovery-question-request: + description: >- + See [Create user with recovery + question](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-recovery-question) + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + recovery_question: + question: Who is a major player in the cowboy scene? + answer: Annie Oakley + create-user-with-password-request: + description: >- + Set `activate` parameter to `true`. See [Create user with + password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-password). 
+ value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + value: tlpWENT2m + create-user-with-imported-hashed-password-request: + description: >- + Set `activate` parameter to `true`. See [Create user with imported + hashed + password](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-imported-hashed-password). + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + hash: + algorithm: BCRYPT + workFactor: 10 + salt: rwh3vH166HCH/NT9XV5FYu + value: qaMqvAPULkbiQzkTCWo5XDcvzpk8Tna + create-user-with-password-import-inline-hook-request: + description: >- + Set `activate` parameter to `true`. See [Create user with password + import inline + hook](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-password-import-inline-hook). + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + hook: + type: default + create-user-with-password-and-recovery-question-request: + description: >- + See [Create user with password and recovery + question](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-password-and-recovery-question) + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: + value: tlpWENT2m + recovery_question: + question: Who is a major player in the cowboy scene? 
+ answer: Annie Oakley + create-user-with-authentication-provider-request: + description: >- + Set `activate` parameter to `true`. See [Create user with authentication + provider](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-authentication-provider). + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: FEDERATION + name: FEDERATION + create-user-in-group-request: + description: >- + See [Create user in + group](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-in-group) + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + groupIds: + - 00g1emaKYZTWRYYRRTSK + - 00garwpuyxHaWOkdV0g4 + create-user-with-non-default-user-type-request: + description: >- + See [Create user with non-default user + type](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-non-default-user-type) + value: + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + type: + id: otyfnjfba4ye7pgjB0g4 + create-user-without-credentials-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA + _links: + activate: + href: >- + 
https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-recovery-question-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-password-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: OKTA + name: OKTA + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-imported-hashed-password-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + 
password: {} + provider: + type: IMPORT + name: IMPORT + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-password-import-inline-hook-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + provider: + type: IMPORT + name: IMPORT + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-password-and-recovery-question-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? 
+ provider: + type: OKTA + name: OKTA + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-authentication-provider-response: + value: + id: 00uijntSwJjSHtDY70g3 + status: ACTIVE + created: '2016-01-19T22:02:08.000Z' + activated: '2016-01-19T22:02:08.000Z' + statusChanged: '2016-01-19T22:02:08.000Z' + lastLogin: null + lastUpdated: '2016-01-19T22:02:08.000Z' + passwordChanged: null + profile: + login: isaac.brock@example.com + firstName: Isaac + lastName: Brock + mobilePhone: 555-415-1337 + email: isaac.brock@example.com + secondEmail: null + credentials: + provider: + type: FEDERATION + name: FEDERATION + _links: + resetPassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/reset_password + method: POST + changeRecoveryQuestion: + href: >- + https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/credentials/change_recovery_question + method: POST + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/deactivate + method: POST + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-in-group-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: '2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + create-user-with-non-default-user-type-response: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: STAGED + created: 
'2013-07-02T21:36:25.344Z' + activated: null + statusChanged: null + lastLogin: null + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: null + type: + id: otyfnjfba4ye7pgjB0g4 + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + provider: + type: OKTA + name: OKTA + _links: + schema: + href: >- + https://{yourOktaDomain}/api/v1/meta/schemas/user/oscfnjfba4ye7pgjB0g4 + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate + self: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + type: + href: >- + https://{yourOktaDomain}/api/v1/meta/types/user/otyfnjfba4ye7pgjB0g4 + ErrorCreateUserWithTooManyManyGroupsResponse: + value: + errorCode: E0000093 + errorSummary: Target count limit exceeded + errorLink: E0000093 + errorId: oaePVSLIYnIQsC0B-ptBIllVA + errorCauses: + - errorSummary: The number of group targets is too large + ErrorCreateUserWithExpiredPasswordWithoutActivation: + value: + errorCode: E0000125 + errorSummary: >- + Could not create user. To create a user and expire their password + immediately, `activate` must be true. + errorLink: E0000125 + errorId: oaeDd77L9R-TJaD7j_rXsQ31w + errorCauses: + - errorSummary: >- + Could not create user. To create a user and expire their password + immediately, `activate` must be true. + ErrorCreateUserWithExpiredPasswordWithNullPassword: + value: + errorCode: E0000124 + errorSummary: >- + Could not create user. To create a user and expire their password + immediately, a password must be specified. + errorLink: E0000124 + errorId: oaeXxuZgXBySvqi1FvtkwoYCA + errorCauses: + - errorSummary: >- + Could not create user. To create a user and expire their password + immediately, a password must be specified. 
+ user-example: + summary: User example + value: + id: 00ub0oNGTSWTBKOLGLNR + status: ACTIVE + created: '2013-06-24T16:39:18.000Z' + activated: '2013-06-24T16:39:19.000Z' + statusChanged: '2013-06-24T16:39:19.000Z' + lastLogin: '2013-06-24T17:39:19.000Z' + lastUpdated: '2013-07-02T21:36:25.344Z' + passwordChanged: '2013-07-02T21:36:25.344Z' + profile: + login: isaac.brock@example.com + firstName: Isaac + lastName: Brock + nickName: issac + displayName: Isaac Brock + email: isaac.brock@example.com + secondEmail: isaac@example.org + profileUrl: http://www.example.com/profile + preferredLanguage: en-US + userType: Employee + organization: Okta + title: Director + division: R&D + department: Engineering + costCenter: '10' + employeeNumber: '187' + mobilePhone: +1-555-415-1337 + primaryPhone: +1-555-514-1337 + streetAddress: 301 Brannan St. + city: San Francisco + state: CA + zipCode: '94107' + countryCode: US + credentials: + password: {} + recovery_question: + question: What's my childhood elementary school? + provider: + type: OKTA + name: OKTA + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA + update-user-profile-request: + value: + profile: + firstName: Isaac + email: isaac.brock@update.example.com + mobilePhone: 555-415-1337 + update-user-set-password-request: + value: + credentials: + password: + value: uTVM,TPw55 + update-user-set-recovery-question-and-answer: + value: + credentials: + recovery_question: + question: How many roads must a man walk down? + answer: forty two + replace-user-request: + value: + credentials: + password: + value: tlpWENT2m + recovery_question: + question: Who's a major player in the cowboy scene? 
+ answer: Annie Oakley + provider: + type: OKTA + name: OKTA + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: isaac.brock@example.com + mobilePhone: 555-415-1337 + ListAppLinks: + value: + - id: 00ub0oNGTSWTBKOLGLNR + label: Google Apps Mail + linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/50 + logoUrl: https://{yourOktaDomain}/img/logos/google-mail.png + appName: google + appInstanceId: 0oa3omz2i9XRNSRIHBZO + appAssignmentId: 0ua3omz7weMMMQJERBKY + credentialsSetup: false + hidden: false + sortOrder: 0 + - id: 00ub0oNGTSWTBKOLGLNR + label: Google Apps Calendar + linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/54 + logoUrl: https://{yourOktaDomain}/img/logos/google-calendar.png + appName: google + appInstanceId: 0oa3omz2i9XRNSRIHBZO + appAssignmentId: 0ua3omz7weMMMQJERBKY + credentialsSetup: false + hidden: false + sortOrder: 1 + - id: 00ub0oNGTSWTBKOLGLNR + label: Box + linkUrl: https://{yourOktaDomain}/home/boxnet/0oa3ompioiQCSTOYXVBK/72 + logoUrl: https://{yourOktaDomain}/img/logos/box.png + appName: boxnet + appInstanceId: 0oa3ompioiQCSTOYXVBK + appAssignmentId: 0ua3omx46lYEZLPPRWBO + credentialsSetup: false + hidden: false + sortOrder: 3 + - id: 00ub0oNGTSWTBKOLGLNR + label: Salesforce.com + linkUrl: https://{yourOktaDomain}/home/salesforce/0oa12ecnxtBQMKOXJSMF/46 + logoUrl: https://{yourOktaDomain}/img/logos/salesforce_logo.png + appName: salesforce + appInstanceId: 0oa12ecnxtBQMKOXJSMF + appAssignmentId: 0ua173qgj5VAVOBQMCVB + credentialsSetup: true + hidden: false + sortOrder: 2 + ListUserBlocksUnknownDevicesResponse: + value: + - type: DEVICE_BASED + appliesTo: UNKNOWN_DEVICES + ListUserBlocksAnyDevicesResponse: + value: + - type: DEVICE_BASED + appliesTo: ANY_DEVICES + ListUserGroups: + value: + - id: 0gabcd1234 + profile: + name: Cloud app users + description: Users can access cloud apps + - id: 0gefgh5678 + profile: + name: Internal app users + description: Users can access 
internal apps + MultipleIdPsResponse: + summary: Multiple IdPs + value: + - id: 0oa62b57p7c8PaGpU0h7 + type: FACEBOOK + name: Facebook + status: ACTIVE + created: '2016-03-24T23:18:27.000Z' + lastUpdated: '2016-03-24T23:18:27.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.facebook.com/dialog/oauth + binding: HTTP-REDIRECT + token: + url: https://graph.facebook.com/v2.5/oauth/access_token + binding: HTTP-POST + scopes: + - public_profile + - email + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa62bc8wppPw0UGr0h7 + type: SAML2 + name: Example SAML IdP + status: ACTIVE + created: '2016-03-24T23:14:54.000Z' + lastUpdated: '2016-03-24T23:14:54.000Z' + protocol: + type: SAML2 + endpoints: + sso: + url: https://idp.example.com + binding: HTTP-POST + destination: https://idp.example.com + acs: + binding: HTTP-POST + type: INSTANCE + algorithms: + request: + signature: + algorithm: SHA-256 + scope: REQUEST + response: + signature: + algorithm: SHA-256 + scope: ANY + settings: + nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + credentials: + trust: + issuer: https://idp.example.com + audience: http://www.okta.com/123 + kid: your-key-id + 
policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: saml.subjectNameId + filter: (\S+@example\.com) + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + metadata: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml + type: application/xml + hints: + allow: + - GET + acs: + href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 + type: application/xml + hints: + allow: + - POST + users: + href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate + hints: + allow: + - POST + - id: 0oa62bfdiumsUndnZ0h7 + type: GOOGLE + name: Google + status: ACTIVE + created: '2016-03-24T23:21:49.000Z' + lastUpdated: '2016-03-24T23:21:49.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://accounts.google.com/o/oauth2/auth + binding: HTTP-REDIRECT + token: + url: https://www.googleapis.com/oauth2/v3/token + binding: HTTP-POST + scopes: + - profile + - email + - openid + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + 
allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa62bfdjnK55Z5x80h7 + type: LINKEDIN + name: LinkedIn + status: ACTIVE + created: '2016-03-24T23:23:59.000Z' + lastUpdated: '2016-03-24T23:23:59.000Z' + protocol: + type: OAUTH2 + endpoints: + authorization: + url: https://www.linkedin.com/uas/oauth2/authorization + binding: HTTP-REDIRECT + token: + url: https://www.linkedin.com/uas/oauth2/accessToken + binding: HTTP-POST + scopes: + - r_basicprofile + - r_emailaddress + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdjnK55Z5x80h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oajmvdFawBih4gey0g3 + type: MICROSOFT + name: Microsoft + status: ACTIVE + created: '2016-03-29T16:47:36.000Z' + lastUpdated: '2016-03-29T16:47:36.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize + binding: HTTP-REDIRECT + token: + url: https://login.microsoftonline.com/common/oauth2/v2.0/token + binding: HTTP-POST + scopes: + - openid + - email + - profile + - https://graph.microsoft.com/User.Read + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + 
provisioning: + action: AUTO + profileMaster: true + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.userPrincipalName + filter: null + matchType: USERNAME + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oaulob4BFVa4zQvt0g3 + type: OIDC + name: Example OpenID Connect IdP + status: ACTIVE + created: '2019-02-07T20:07:47.000Z' + lastUpdated: '2019-02-07T20:07:47.000Z' + protocol: + type: OIDC + endpoints: + authorization: + url: https://idp.example.com/authorize + binding: HTTP-REDIRECT + token: + url: https://idp.example.com/token + binding: HTTP-POST + userInfo: + url: https://idp.example.com/userinfo + binding: HTTP-REDIRECT + jwks: + url: https://idp.example.com/keys + binding: HTTP-REDIRECT + scopes: + - openid + issuer: + url: https://idp.example.com + credentials: + client: + client_id: your-client-id + client_secret: your-client-secret + policy: + provisioning: + action: AUTO + profileMaster: false + groups: + action: NONE + conditions: + deprovisioned: + action: NONE + suspended: + action: NONE + accountLink: + filter: null + action: AUTO + subject: + userNameTemplate: + template: idpuser.email + filter: null + matchType: USERNAME + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + authorize: + href: >- + 
https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} + templated: true + hints: + allow: + - GET + clientRedirectUri: + href: https://{yourOktaDomain}/oauth2/v1/authorize/callback + hints: + allow: + - POST + - id: 0oa6jxasyhwM2ZHJh0g4 + type: X509 + name: Smart Card IDP Name + status: ACTIVE + created: '2020-01-07T00:19:27.000Z' + lastUpdated: '2020-01-07T00:19:27.000Z' + properties: + additionalAmr: + - sc + - hwk + - pin + - mfa + protocol: + type: MTLS + endpoints: + sso: + url: https://{yourOktaDomain}.okta.com/login/cert + credentials: + trust: + issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US + audience: null + kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc + revocation: CRL + revocationCacheLifetime: 2880 + policy: + provisioning: + action: DISABLED + profileMaster: false + groups: null + subject: + userNameTemplate: + template: idpuser.subjectAltNameEmail + filter: null + matchType: EMAIL + matchAttribute: null + mapAMRClaims: false + maxClockSkew: 0 + _links: + deactivate: + href: >- + https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate + hints: + allow: + - POST + users: + href: >- + https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users + hints: + allow: + - GET + keys: + href: >- + https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc + hints: + allow: + - GET + ExpirePwdResponse: + value: + id: 00ub0oNGTSWTBKOLGLNR + status: PASSWORD_EXPIRED + created: '2013-06-24T16:39:18.000Z' + activated: '2013-06-24T16:39:19.000Z' + statusChanged: '2013-06-24T16:39:19.000Z' + lastLogin: '2013-06-24T17:39:19.000Z' + lastUpdated: '2013-06-27T16:35:28.000Z' + passwordChanged: '2013-06-24T16:39:19.000Z' + profile: + firstName: Isaac + lastName: Brock + email: isaac.brock@example.com + login: 
isaac.brock@example.com + mobilePhone: 555-415-1337 + credentials: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA + _links: + resetPassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_password + resetFactors: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_factors + expirePassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/expire_password + forgotPassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/forgot_password + changeRecoveryQuestion: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_recovery_question + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/deactivate + changePassword: + href: >- + https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_password + ExpirePwdWithTempPwdResponse: + value: + tempPassword: F46gy7X4 + ResetPwdWithoutSendingEmailResponse: + value: + summary: Reset password without sending email + resetPasswordUrl: https://{yourOktaDomain}/reset_password/XE6wE17zmphl3KqAPFxO + GetPrimaryLinkedObjectResponse: + summary: Retrieve primary linked object value response + value: + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 + GetAssociatedLinkedObjectsResponse: + summary: Retrieve all associated linked object values response + value: + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u5zex6ztMbOZhF50h7 + - _links: + self: + href: https://{yourOktaDomain}/api/v1/users/00u1tsf0nQKavLDUh0g5 + AuthenticatorEnrollmentResponseListAll: + summary: List of authenticator enrollments + value: + - type: email + id: eae4za57woixzodEK0g7 + key: okta_email + status: ACTIVE + name: Email + profile: + email: joe@example.com + nickname: null + created: 
'2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-28T21:45:52.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/eae4za57woixzodEK0g7 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 + hints: + allow: + - GET + authenticator: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 + hints: + allow: + - GET + - type: password + id: laeh60xfl7VbebsFr0g6 + key: okta_password + status: ACTIVE + name: Password + nickname: null + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-26T21:05:23.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/laeh60xfl7VbebsFr0g6 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 + hints: + allow: + - GET + authenticator: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 + hints: + allow: + - GET + - type: phone + id: sms8evhwh0Ne35iPR0g7 + key: phone_number + status: ACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + profile: + phoneNumber: +1 XXX-XXX-6065 + nickname: Joe's Work Phone + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/laeh60xfl7VbebsFr0g6 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 + hints: + allow: + - GET + authenticator: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 + hints: + allow: + - GET + Get-User-Classification-Example: + value: + type: LITE + lastUpdated: '2022-05-04T19:50:52.000Z' + Set-User-Classification-Example: + value: + type: LITE + ListUserClients: + value: + - client_id: 0oabskvc6442nkvQO0h7 + client_name: My App + client_uri: null + logo_uri: null + _links: + 
grants: + href: >- + https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants + tokens: + href: >- + https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens + ChangePwdRequest: + value: + oldPassword: + value: tlpWENT2m + newPassword: + value: uTVM,TPw55 + revokeSessions: true + ChangePwdResponse: + value: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? + provider: + type: OKTA + name: OKTA + UpdateRecQuestionRequest: + value: + password: + value: tlpWENT2m + recovery_question: + question: How many roads must a man walk down? + answer: forty two + UpdateRecQuestionResponse: + value: + password: {} + recovery_question: + question: How many roads must a man walk down? + provider: + type: OKTA + name: OKTA + ForgotPwdResponse: + value: + resetPasswordUrl: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO + ForgotPwdRecoveryQuestionRequest: + value: + password: + value: uTVM,TPw55 + recovery_question: + answer: Annie Oakley + ForgotPwdRecoveryQuestionResponse: + value: + password: {} + recovery_question: + question: Who's a major player in the cowboy scene? 
+ provider: + type: OKTA + name: OKTA + APIUserListDevicesResponse: + value: + - created: '2020-11-03T21:47:01.000Z' + deviceUserId: lnk46w61OLJz1uSQW0g4 + device: + id: guo8jx5vVoxfvJeLb0w4 + status: ACTIVE + created: '2020-11-03T21:47:01.000Z' + lastUpdated: '2020-11-03T23:46:27.000Z' + profile: + displayName: DESKTOP-EHAD3IE + platform: WINDOWS + manufacturer: International Corp + model: VMware7,1 + osVersion: 10.0.18362 + serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce + udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE + sid: S-1-5-21-3992267483-1860856704-2413701314-500 + registered: true + secureHardwarePresent: false + diskEncryptionType: NONE + resourceId: guo8jx5vVoxfvJeLb0w4 + resourceDisplayName: + value: DESKTOP-EHAD3IE + sensitive: false + resourceType: UDDevice + resourceAlternateId: null + _links: + suspend: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend + hints: + allow: + - POST + self: + href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4 + hints: + allow: + - GET + - PATCH + - PUT + users: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users + hints: + allow: + - GET + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate + hints: + allow: + - POST + ListFactorsResults: + summary: List of enrolled factors for the specified user + value: + - id: ufs2bysphxKODSZKWVCT + factorType: question + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-04-15T18:10:06.000Z' + lastUpdated: '2014-04-15T18:10:06.000Z' + profile: + question: favorite_art_piece + questionText: What is your favorite piece of art? 
+ _links: + questions: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs2bysphxKODSZKWVCT + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + - id: ostf2gsyictRQDSGTDZE + factorType: token:software:totp + provider: OKTA + status: PENDING_ACTIVATION + created: '2014-06-27T20:27:33.000Z' + lastUpdated: '2014-06-27T20:27:33.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + next: + name: activate + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE/lifecycle/activate + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: HE64TMLL2IUZW2ZLB + encoding: base32 + keyLength: 16 + - id: sms2gt8gzgEBPUWBIFHN + factorType: sms + provider: OKTA + status: ACTIVE + created: '2014-06-27T20:27:26.000Z' + lastUpdated: '2014-06-27T20:27:26.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorQuestionRequest: + summary: question + value: + question: + summary: question factor + value: + factorType: question + provider: OKTA + profile: + question: disliked_food + answer: mayonnaise + EnrollFactorSmsRequest: + 
summary: sms + value: + factorType: sms + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 + EnrollFactorCallRequest: + summary: call + value: + factorType: call + provider: OKTA + profile: + phoneNumber: +1-555-415-1337 + phoneExtension: '1234' + EnrollFactorOVTotpRequest: + summary: token:software:totp + value: + factorType: token:software:totp + provider: OKTA + EnrollFactorOVPushRequest: + summary: token:software:totp push + value: + factorType: push + provider: OKTA + EnrollFactorGoogleRequest: + summary: google token:software:totp + value: + factorType: token:software:totp + provider: GOOGLE + EnrollFactorRsaSecurIdRequest: + summary: RSA SecurID + value: + factorType: token + provider: RSA + profile: + credentialId: dade.murphy@example.com + verify: + passCode: '5275875498' + EnrollFactorSymantecVipRequest: + summary: Symantec VIP + value: + factorType: token + provider: SYMANTEC + profile: + credentialId: VSMT14393584 + verify: + passCode: '875498' + nextPassCode: '678195' + EnrollFactorYubikeyRequest: + summary: yubikey + value: + factorType: token:hardware + provider: YUBICO + verify: + passCode: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji + EnrollFactorEmailRequest: + summary: email + value: + factorType: email + provider: OKTA + profile: + email: test@gmail.com + EnrollFactorU2fRequest: + summary: u2f + value: + factorType: u2f + provider: FIDO + EnrollFactorWebauthnRequest: + summary: webAuthn + value: + factorType: webauthn + provider: FIDO + EnrollFactorCustomTotpRequest: + summary: custom totp + value: + factorType: token:hotp + provider: CUSTOM + factorProfileId: fpr20l2mDyaUGWGCa0g4 + profile: + sharedSecret: 484f97be3213b117e3a20438e291540a + EnrollFactorQuestionResponse: + summary: question + value: + id: ufs1o01OTMGHLAJPVHDZ + factorType: question + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-05T22:58:49.000Z' + lastUpdated: '2014-08-05T22:58:49.000Z' + profile: + question: disliked_food + questionText: What 
is the food you least liked as a child? + _links: + questions: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs1o01OTMGHLAJPVHDZ + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorSmsResponse: + summary: sms + value: + id: mbl1nz9JHJGHWRKMTLHP + factorType: sms + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-08-05T20:59:49.000Z' + lastUpdated: '2014-08-06T03:59:49.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/lifecycle/activate + hints: + allow: + - POST + resend: + - name: sms + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/resend + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorCallResponse: + summary: call + value: + id: clf1nz9JHJGHWRKMTLHP + factorType: call + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-08-05T20:59:49.000Z' + lastUpdated: '2014-08-06T03:59:49.000Z' + profile: + phoneNumber: +1-555-415-1337 + phoneExtension: '1234' + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/lifecycle/activate + hints: + allow: + - POST + resend: + - name: call + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/resend + hints: + allow: + - POST + self: + href: >- + 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorOVTotpResponse: + summary: token:software:totp + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-07-16T16:13:56.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: JBTWGV22G4ZGKV3N + encoding: base32 + keyLength: 6 + _links: + qrcode: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4 + type: image/png + EnrollFactorOVPushResponse: + summary: token:software:totp + value: + id: opfbtzzrjgwauUsxO0g4 + factorType: push + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + created: '2015-11-13T07:34:22.000Z' + lastUpdated: '2015-11-13T07:34:22.000Z' + _links: + poll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/poll + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + expiresAt: '2015-11-13T07:44:22.000Z' + factorResult: WAITING 
+ _links: + send: + - name: email + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/email + hints: + allow: + - POST + - name: sms + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/sms + hints: + allow: + - POST + qrcode: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/qr/00Ji8qVBNJD4LmjYy1WZO2VbNqvvPdaCVua-1qjypa + type: image/png + EnrollFactorGoogleResponse: + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: GOOGLE + vendorName: GOOGLE + status: PENDING_ACTIVATION + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-07-16T16:13:56.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + timeStep: 30 + sharedSecret: JBTWGV22G4ZGKV3N + encoding: base32 + keyLength: 16 + _links: + qrcode: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4 + type: image/png + EnrollFactorRsaSecurIdResponse: + summary: RSA SecurID + value: + id: rsabtznMn6cp94ez20g4 + factorType: token + provider: RSA + vendorName: RSA + status: ACTIVE + created: '2015-11-13T07:05:53.000Z' + lastUpdated: '2015-11-13T07:05:53.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4/verify + hints: + allow: + - POST + self: + href: >- + 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorSymantecVipResponse: + summary: Symantec VIP + value: + id: ufvbtzgkYaA7zTKdQ0g4 + factorType: token + provider: SYMANTEC + vendorName: SYMANTEC + status: ACTIVE + created: '2015-11-13T06:52:08.000Z' + lastUpdated: '2015-11-13T06:52:08.000Z' + profile: + credentialId: VSMT14393584 + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4/verify + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorYubikeyResponse: + value: + id: ykfbty3BJeBgUi3750g4 + factorType: token:hardware + provider: YUBICO + vendorName: YUBICO + status: ACTIVE + created: '2015-11-13T05:27:49.000Z' + lastUpdated: '2015-11-13T05:27:49.000Z' + profile: + credentialId: '000004102994' + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4/verify + hints: + allow: + - POST + self: + href: >- + hhttps://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + EnrollFactorEmailResponse: + summary: email + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: PENDING_ACTIVATION + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/lifecycle/activate + hints: + allow: + - POST + resend: + - name: email + href: >- + 
https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/resend + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + EnrollFactorU2fResponse: + summary: u2f + value: + id: fuf2rovRxogXJ0nDy0g4 + factorType: u2f + provider: FIDO + vendorName: FIDO + status: PENDING_ACTIVATION + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T20:43:19.000Z' + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + version: U2F_V2 + nonce: 9DmGJDLvaU6KWxJbfrZ0 + timeoutSeconds: 20 + EnrollFactorWebauthnResponse: + summary: webAuthn + value: + id: fwf2rovRxogXJ0nDy0g4 + factorType: webauthn + provider: FIDO + vendorName: FIDO + status: PENDING_ACTIVATION + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T20:43:19.000Z' + _links: + activate: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/lifecycle/activate + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + _embedded: + activation: + attestation: direct + authenticatorSelection: + userVerification: preferred + requireResidentKey: false + challenge: cdsZ1V10E0BGE4GcG3IK + excludeCredentials: [] + pubKeyCredParams: + - type: public-key + 
alg: -7 + - type: public-key + alg: -257 + rp: + name: Rain-Cloud59 + user: + displayName: First Last + name: first.last@gmail.com + id: 00u15s1KDETTQMQYABRL + EnrollFactorCustomTotpResponse: + summary: custom totp + value: + id: chf20l33Ks8U2Zjba0g4 + factorType: token:hotp + provider: CUSTOM + vendorName: Entrust Datacard + status: ACTIVE + created: '2019-07-22T23:22:36.000Z' + lastUpdated: '2019-07-22T23:22:36.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4 + hints: + allow: + - GET + - DELETE + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4/verify + hints: + allow: + - POST + user: + href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3 + hints: + allow: + - GET + SupportedFactorResults: + value: + - factorType: question + provider: OKTA + vendorName: OKTA + _links: + questions: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions + hints: + allow: + - GET + enroll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token:software:totp + provider: OKTA + _links: + enroll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token:software:totp + provider: GOOGLE + _links: + enroll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: sms + provider: OKTA + vendorName: OKTA + _links: + enroll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + _embedded: + phones: + - id: mblldntFJevYKbyQQ0g3 + profile: + phoneNumber: '+14081234567' + status: ACTIVE + - factorType: call + provider: OKTA + _links: + enroll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + 
- factorType: token + provider: RSA + _links: + enroll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + - factorType: token + provider: SYMANTEC + _links: + enroll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors + hints: + allow: + - POST + FactorPasscodeRequest: + value: + passCode: '123456' + ActivateFactorU2fRequest: + summary: u2f + value: + registrationData: >- + BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew + clientData: >- + eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ + ActivateFactorWebauthnRequest: + summary: webAuthn + value: + attestation: >- + o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ== + clientData: >- + eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0= + ActivateFactorTotpResponse: + 
summary: token:software:totp + value: + id: ostf1fmaMGJLMNGNLIVG + factorType: token:software:totp + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-07-16T16:13:56.000Z' + lastUpdated: '2014-08-06T00:31:07.000Z' + profile: + credentialId: dade.murphy@example.com + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/verify + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorSmsResponse: + summary: sms + value: + id: sms1o51EADOTFXHHBXBP + factorType: sms + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-06T16:56:31.000Z' + lastUpdated: '2014-08-06T16:56:31.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP/verify + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorCallResponse: + summary: call + value: + id: clf1o51EADOTFXHHBXBP + factorType: call + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-08-06T16:56:31.000Z' + lastUpdated: '2014-08-06T16:56:31.000Z' + profile: + phoneNumber: +1-555-415-1337 + phoneExtension: '1234' + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP/verify + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP + hints: + allow: + - GET + - DELETE + user: + href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorPushResponse: + summary: push + value: + id: opf3hkfocI4JTLAju0g4 + factorType: push + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2015-03-16T18:01:28.000Z' + lastUpdated: '2015-08-27T14:25:17.000Z' + profile: + credentialId: dade.murphy@example.com + deviceType: SmartPhone_IPhone + name: Gibson + platform: IOS + version: '9.0' + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4/verify + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorEmailResponse: + summary: email + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: ACTIVE + profile: + email: changed@clouditude.net + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + hints: + allow: + - GET + ActivateFactorU2fResponse: + summary: u2f + value: + id: fuf2rovRxogXJ0nDy0g4 + factorType: u2f + provider: FIDO + vendorName: FIDO + status: ACTIVE + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: >- + WVO-QyHEi0eWmTNqESqJynDtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + version: U2F_V2 + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + verify: + href: >- 
+ https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + ActivateFactorWebauthnResponse: + summary: webAuthn + value: + id: fwf2rovRxogXJ0nDy0g4 + factorType: webauthn + provider: FIDO + vendorName: FIDO + status: ACTIVE + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: >- + l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + UserFactorVerifyPushTransactionWaitingNMC: + summary: WAITING (with number matching challenge) + value: + expiresAt: '2015-04-01T15:57:32.000Z' + factorResult: WAITING + profile: + credentialId: jane.doe@example.com + _links: + poll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA + hints: + allow: + - GET + cancel: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA + hints: + allow: + - DELETE + _embedded: + challenge: + correctAnswer: 72 + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + UserFactorVerifyPushTransactionWaiting: + summary: WAITING + value: + expiresAt: '2015-04-01T15:57:32.000Z' + factorResult: WAITING + profile: + credentialId: jane.doe@example.com + _links: + poll: + href: >- + 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA + hints: + allow: + - GET + cancel: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA + hints: + allow: + - DELETE + UserFactorVerifyPushTransactionApproved: + summary: SUCCESS + value: + factorResult: SUCCESS + UserFactorVerifyPushTransactionRejected: + summary: REJECTED + value: + factorResult: REJECTED + profile: + credentialId: jane.doe@example.com + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifyPushTransactionTimeout: + summary: TIMEOUT + value: + factorResult: TIMEOUT + profile: + credentialId: jane.doe@example.com + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify + hints: + allow: + - POST + factor: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 + hints: + allow: + - GET + - DELETE + NumberMatchingChallengeRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + value: + useNumberMatchingChallenge: true + UserFactorVerifyU2fRequest: + summary: u2f verify + value: + clientData: >- + eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9 + signatureData: >- + AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc + UserFactorVerifyWebauthnRequest: + summary: WebAuthn verify challenge + value: + clientData: >- + 
eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9 + authenticatorData: SBv04caJ+NLZ0bTeotGq9esMhHJ8YC5z4bMXXPbT95UFXbDsOg== + signatureData: >- + AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc + UserFactorVerifySecurityQuestionRequest: + summary: security question verify + value: + answer: mayonnaise + UserFactorChallengeSmsResponse: + summary: sms challenge + value: + factorResult: CHALLENGE + profile: + phoneNumber: '+12532236986' + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3/verify + hints: + allow: + - POST + factor: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3 + hints: + allow: + - GET + - DELETE + UserFactorVerifySuccessSmsResponse: + summary: sms verify + value: + factorResult: SUCCESS + UserFactorChallengeCallResponse: + summary: call challenge + value: + factorResult: CHALLENGE + profile: + phoneNumber: '+12532236986' + phoneExtension: '1234' + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV/verify + hints: + allow: + - POST + factor: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV + hints: + allow: + - GET + - DELETE + UserFactorVerifyCallSuccessResponse: + summary: call verify + value: + factorResult: SUCCESS + UserFactorChallengeEmailResponse: + summary: email challenge + value: + factorResult: CHALLENGE + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + factor: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + 
UserFactorVerifyEmailSuccessResponse: + summary: email verify + value: + factorResult: SUCCESS + UserFactorChallengeU2fResponse: + summary: u2f challenge + value: + factorResult: CHALLENGE + profile: + credentialId: >- + GAiiLsVab2m3-zL1Fi3bVtNrM9G6_MntUITHKjxkV24ktGKjLSCRnz72wCEdHCe18IvC69Aia0sE4UpsO0HpFQ + version: U2F_V2 + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + factor: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + _embedded: + challenge: + nonce: vQFwTt6zKzMV7HFPzjS2 + timeoutSeconds: 20 + UserFactorVerifyU2fResponse: + summary: u2f verify response + value: + factorResult: SUCCESS + profile: + credentialId: >- + h1bFwJFU9wnelYkexJuQfoUHZ5lX3CgQMTZk4H3I8kM9Nn6XALiQ-BIab4P5EE0GQrA7VD-kAwgnG950aXkhBw + version: U2F_V2 + UserFactorChallengeWebauthnResponse: + summary: webAuthn challenge + value: + factorResult: CHALLENGE + profile: + credentialId: >- + l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify + hints: + allow: + - POST + factor: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 + hints: + allow: + - GET + - DELETE + _embedded: + challenge: + challenge: vQFwTt6zKzMV7HFPzjS2 + extensions: {} + UserFactorVerifyWebauthnResponse: + summary: WebAuthn verify + value: + factorResult: SUCCESS + profile: + credentialId: >- + l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: MacBook Touch ID + UserFactorVerifySuccessSqResponse: + summary: security question verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessTotpResponse: + summary: totp verify 
+ value: + factorResult: SUCCESS + UserFactorVerifySuccessTokenResponse: + summary: token verify + value: + factorResult: SUCCESS + UserFactorVerifySuccessYubikeyResponse: + summary: yubikey verify + value: + factorResult: SUCCESS + UserFactorChallengePushResponseWithNumberMatchingChallenge: + summary: Push challenge with number matching + value: + expiresAt: '2015-04-01T15:57:32.000Z' + factorResult: WAITING + _links: + poll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g + hints: + allow: + - GET + cancel: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g + hints: + allow: + - DELETE + _embedded: + challenge: + correctAnswer: 72 + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + UserFactorChallengePushResponse: + summary: push challenge + value: + expiresAt: '2015-04-01T15:57:32.000Z' + factorResult: WAITING + _links: + poll: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g + hints: + allow: + - GET + cancel: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g + hints: + allow: + - DELETE + UserRiskResponse: + summary: Example user risk response + value: + riskLevel: HIGH + reason: Admin override risk + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/{userId}/risk + hints: + allow: + - GET + - PUT + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + hints: + allow: + - GET + UserRiskNoneResponse: + summary: Example user risk with NONE risk level response + value: + riskLevel: NONE + _links: + self: + href: https://{yourOktaDomain}/api/v1/users/{userId}/risk + hints: + allow: + - GET + - PUT + user: + href: https://{yourOktaDomain}/api/v1/users/{userId} + hints: + allow: + - GET 
+ UserRiskRequest: + summary: Example upsert the risk for a user request + value: + riskLevel: HIGH + StandardRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: ra125eqBFpETrMwu80g4 + label: Organization administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: gra25fapn1prGTBKV0g4 + label: API Access Management administrator + type: API_ACCESS_MANAGEMENT_ADMIN + status: ACTIVE + created": '2019-02-06T16:20:57.000Z' + lastUpdated": '2019-02-06T16:20:57.000Z' + assignmentType": GROUP + _links": + assignee": + href": https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 + StandardAndCustomRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: JBCUYUC7IRCVGS27IFCE2SKO + label: Help Desk administrator + type: HELP_DESK_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: 
ra125eqBFpETrMwu80g4 + label: Organization administrator + type: ORG_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: gra25fapn1prGTBKV0g4 + label: API Access Management administrator + type: API_ACCESS_MANAGEMENT_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + - id: irb5e92YgBazyyQ3x1q5 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: GROUP + resource-set: iamoakjsdQaJxGIr03int1o + _links: + assignee: + href: https://{ yourOktaDomain }/api/v1/groups/00g1ousb3XCr9Dkr20g4 + resource-set: + href: >- + https://{ yourOktaDomain + }/api/v1/iam/resource-sets/iamoakjsdQaJxGIr03int1o + member: + href: >- + https://{ yourOktaDomain + 
}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{ yourOktaDomain }/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: >- + https://{ yourOktaDomain + }/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + IAMStandardRolesListResponse: + value: + - id: IFIFAX2BIRGUSTQ + label: Application administrator + type: APP_ADMIN + status: ACTIVE + created: '2019-02-06T16:17:40.000Z' + lastUpdated: '2019-02-06T16:17:40.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 + - id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + member: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions + - id: irb5e92YgBazyyQ3x1q5 + role: ACCESS_CERTIFICATIONS_ADMIN + label: Access Certifications administrator + type: ACCESS_CERTIFICATIONS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + member: + href: >- + 
https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 + role: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions + StandardRoleResponseUser: + value: + id: ra1b8anIk7rx7em7L0g4 + label: Super Organization administrator + type: SUPER_ADMIN + status: ACTIVE + created: '2015-09-06T15:28:47.000Z' + lastUpdated: '2015-09-06T15:28:47.000Z' + assignmentType: USER + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + CustomRoleResponseUser: + value: + id: irb1q92TFAHzySt3x0g4 + role: cr0Yq6IJxGIr0ouum0g3 + label: UserCreatorRole + type: CUSTOM + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: iamoJDFKaJxGIr0oamd9g + _links: + assignee: + href": https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 + permissions: + href: >- + https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions + IAMStandardRoleResponseUser: + value: + id: irb1q92TFAHzySt3x0g4 + role: ACCESS_REQUESTS_ADMIN + label: Access Requests administrator + type: ACCESS_REQUESTS_ADMIN + status: ACTIVE + created: '2019-02-06T16:20:57.000Z' + lastUpdated: '2019-02-06T16:20:57.000Z' + assignmentType: USER + resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY + _links: + assignee: + href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR + resource-set: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY + role: + href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN + permissions: + href: >- 
+ https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions + member: + href: >- + https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb1q92TFAHzySt3x0g4 + GetUseRoleGovernanceResponse: + value: + grants: + - type: CUSTOM + grantId: grai24zWTjnDazeOI0g4 + _links: + resources: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai24zWTjnDazeOI0g4/resources + - type: ENTITLEMENT-BUNDLE + grantId: grai2556vZgWesWf10g4 + bundleId: enbhz2pAwtts9UBes0g4 + expirationDate: '2024-12-09 14:17:22.0' + _links: + resources: + href: >- + https://{yourOktaDomain}//api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance + assignee: + href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5" + GetRoleAssignmentGovernanceGrantResponse: + value: + type: ENTITLEMENT-BUNDLE + grantId: grai2556vZgWesWf10g4 + bundleId: enbhz2pAwtts9UBes0g4 + expirationDate: '2024-12-09 14:17:22.0' + _links: + resources: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4 + GetRoleAssignmentGovernanceGrantResources: + value: + resources: + - resource: >- + orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g114290ar1oCC5A0g5 + label: test-group-1 + - resource: >- + orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5B0g5 + label: test-group-2 + _links: + next: + href: >- + 
https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources?after=orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5A0g5 + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources + RoleTargetGroupResponse: + value: + - orn: orn:okta:directory:00o5v1t2W4OSF9r4N0g4:groups:00g5vhi3rEJMOog1S0g4 + assignmentType: USER + expiration: '2025-05-10T20:21:11.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/groups/00g5vhi3rEJMOog1S0g4 + RoleTargetAppResponse: + value: + - orn: orn:okta:idp:00ozjqqlt6mmHQonQ0g3:apps:gooddata + assignmentType: GROUP + expiration: '2025-05-10T20:21:11.000Z' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/apps%3Ffilter%3Dname%2Beq%2B%22gooddata%22 + RoleTargetAppInstanceResponse: + value: + - orn: orn:okta:idp:00o5yd9J0satsK2Rp0g4:apps:myownapp:0oa5yriAxuR12wfQ30g4 + assignmentType: USER + expiration: '2025-05-10T20:21:11.000Z' + _links: + self: + href: https://{yourOktaDomain}/api/v1/apps/0oa5yriAxuR12wfQ30g4 + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorMissingRequiredParameter: + summary: Missing Required Parameter + value: + errorCode: E0000028 + errorSummary: The request is missing a required parameter. 
+ errorLink: E0000028 + errorId: sampleiCF-l7mr9XqM1NQ + errorCauses: [] + AuthenticatorEnrollmentCreateRequestPhone: + summary: Enroll phone - SMS authenticator request + value: + authenticatorId: aut5l4ttFyGEWdy6V0k7 + profile: + phoneNumber: '+14086673418' + AuthenticatorEnrollmentResponsePhoneSms: + summary: phone - SMS authenticator enrollment response + value: + type: phone + id: sms8evhwh0Ne35iPR0g7 + key: phone_number + status: ACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + profile: + phoneNumber: +1 XXX-XXX-6065 + nickname: Joe's Work Phone + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/sms8evhwh0Ne35iPR0g7 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 + hints: + allow: + - GET + authenticator: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 + hints: + allow: + - GET + AuthenticatorEnrollmentResponsePhoneVoice: + summary: phone - voice authenticator enrollment response + value: + type: phone + id: clf8evhwh0Ne35iPR0g7 + key: phone_number + status: ACTIVE + name: Phone + created: '2020-07-26T21:05:23.000Z' + lastUpdated: '2020-07-29T00:21:29.000Z' + profile: + phoneNumber: +1 XXX-XXX-6065 + nickname: Joe's Work Phone + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/clf8evhwh0Ne35iPR0g7 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 + hints: + allow: + - GET + authenticator: + href: >- + https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 + hints: + allow: + - GET + ErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: {0}' + errorLink: E0000001 + errorId: sampleiCF-8D5rLW6myqiPItW + errorCauses: [] + 
AuthenticatorEnrollmentCreateRequestTac: + summary: Enroll TAC authenticator request + value: + authenticatorId: autnmtl4xbt8RQVzA0g4 + profile: + ttl: 11 + multiUse: false + AuthenticatorEnrollmentResponseTac: + summary: TAC authenticator enrollment response + value: + type: tac + id: tac8evhwh0Ne35iPR0g7 + key: tac + status: ACTIVE + name: Temporary Access Code + created: '2025-05-28T17:21:14.000Z' + lastUpdated: '2025-05-28T17:21:14.000Z' + profile: + tac: n@C*bU26 + multiUse: true + expiresAt: '2025-05-28T19:21:14' + _links: + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/clf8evhwh0Ne35iPR0g7 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 + hints: + allow: + - GET + FactorResponseSms: + value: + id: sms2gt8gzgEBPUWBIFHN + factorType: sms + provider: OKTA + vendorName: OKTA + status: ACTIVE + created: '2014-06-27T20:27:26.000Z' + lastUpdated: '2014-06-27T20:27:26.000Z' + profile: + phoneNumber: +1-555-415-1337 + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL + hints: + allow: + - GET + FactorEmail: + value: + id: emfnf3gSScB8xXoXK0g3 + factorType: email + provider: OKTA + vendorName: OKTA + status: ACTIVE + profile: + email: changed@clouditude.net + _links: + verify: + href: >- + https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify + hints: + allow: + - POST + self: + href: >- + https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 + hints: + allow: + - GET + - DELETE + user: + href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 + 
hints: + allow: + - GET + requestBodies: + PhoneAuthenticatorEnrollmentRequestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorEnrollmentCreateRequest' + examples: + PhoneSmsEx: + $ref: '#/components/examples/AuthenticatorEnrollmentCreateRequestPhone' + required: true + TacAuthenticatorEnrollmentRequestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/AuthenticatorEnrollmentCreateRequestTac' + examples: + TacEx: + $ref: '#/components/examples/AuthenticatorEnrollmentCreateRequestTac' + required: true + x-stackQL-resources: + users: + id: okta.users.users + name: users + title: Users + methods: + list_users: + operation: + $ref: '#/paths/~1api~1v1~1users/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_user: + operation: + $ref: '#/paths/~1api~1v1~1users/post' + response: + mediaType: application/json + openAPIDocKey: '200' + end_user_sessions: + operation: + $ref: '#/paths/~1api~1v1~1users~1me~1lifecycle~1delete_sessions/post' + response: + mediaType: '' + openAPIDocKey: '200' + get_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + update_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}/post' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1lifecycle~1activate/post' + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1lifecycle~1deactivate/post' + response: + mediaType: '' + openAPIDocKey: '200' + expire_password: + operation: + $ref: 
'#/paths/~1api~1v1~1users~1{id}~1lifecycle~1expire_password/post' + response: + mediaType: application/json + openAPIDocKey: '200' + expire_password_with_temp_password: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{id}~1lifecycle~1expire_password_with_temp_password/post + response: + mediaType: application/json + openAPIDocKey: '200' + reactivate_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1lifecycle~1reactivate/post' + response: + mediaType: application/json + openAPIDocKey: '200' + reset_factors: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1lifecycle~1reset_factors/post' + response: + mediaType: '' + openAPIDocKey: '200' + reset_password: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1lifecycle~1reset_password/post' + response: + mediaType: application/json + openAPIDocKey: '200' + suspend_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1lifecycle~1suspend/post' + response: + mediaType: '' + openAPIDocKey: '200' + unlock_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1lifecycle~1unlock/post' + response: + mediaType: '' + openAPIDocKey: '200' + unsuspend_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1lifecycle~1unsuspend/post' + response: + mediaType: '' + openAPIDocKey: '200' + change_password: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1credentials~1change_password/post + response: + mediaType: application/json + openAPIDocKey: '200' + change_recovery_question: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1credentials~1change_recovery_question/post + response: + mediaType: application/json + openAPIDocKey: '200' + forgot_password: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1credentials~1forgot_password/post + response: + mediaType: application/json + openAPIDocKey: '200' + forgot_password_set_new_password: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1credentials~1forgot_password_recovery_question/post + response: + 
mediaType: application/json + openAPIDocKey: '200' + revoke_user_sessions: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1sessions/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/users/methods/list_users' + - $ref: '#/components/x-stackQL-resources/users/methods/get_user' + insert: + - $ref: '#/components/x-stackQL-resources/users/methods/create_user' + update: + - $ref: '#/components/x-stackQL-resources/users/methods/update_user' + delete: + - $ref: '#/components/x-stackQL-resources/users/methods/delete_user' + replace: + - $ref: '#/components/x-stackQL-resources/users/methods/replace_user' + app_links: + id: okta.users.app_links + name: app_links + title: App Links + methods: + list_app_links: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1appLinks/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/app_links/methods/list_app_links' + insert: [] + update: [] + delete: [] + replace: [] + user_blocks: + id: okta.users.user_blocks + name: user_blocks + title: User Blocks + methods: + list_user_blocks: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1blocks/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/user_blocks/methods/list_user_blocks + insert: [] + update: [] + delete: [] + replace: [] + user_groups: + id: okta.users.user_groups + name: user_groups + title: User Groups + methods: + list_user_groups: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1groups/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/user_groups/methods/list_user_groups + insert: [] + update: [] + delete: [] + replace: [] + identity_providers: + id: okta.users.identity_providers + name: identity_providers + title: Identity 
Providers + methods: + list_user_identity_providers: + operation: + $ref: '#/paths/~1api~1v1~1users~1{id}~1idps/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/identity_providers/methods/list_user_identity_providers + insert: [] + update: [] + delete: [] + replace: [] + linked_objects: + id: okta.users.linked_objects + name: linked_objects + title: Linked Objects + methods: + assign_linked_object_value_for_primary: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userIdOrLogin}~1linkedObjects~1{primaryRelationshipName}~1{primaryUserId}/put + response: + mediaType: '' + openAPIDocKey: '204' + list_linked_objects_for_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userIdOrLogin}~1linkedObjects~1{relationshipName}/get + response: + mediaType: application/json + openAPIDocKey: '200' + delete_linked_object_for_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userIdOrLogin}~1linkedObjects~1{relationshipName}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/linked_objects/methods/list_linked_objects_for_user + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/linked_objects/methods/delete_linked_object_for_user + replace: + - $ref: >- + #/components/x-stackQL-resources/linked_objects/methods/assign_linked_object_value_for_primary + authenticator_enrollments: + id: okta.users.authenticator_enrollments + name: authenticator_enrollments + title: Authenticator Enrollments + methods: + list_authenticator_enrollments: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1authenticator-enrollments/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_authenticator_enrollment: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1authenticator-enrollments~1phone/post + response: + mediaType: '' + openAPIDocKey: '200' + 
create_tac_authenticator_enrollment: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1authenticator-enrollments~1tac/post + response: + mediaType: '' + openAPIDocKey: '200' + get_authenticator_enrollment: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1authenticator-enrollments~1{enrollmentId}/get + response: + mediaType: '' + openAPIDocKey: '200' + delete_authenticator_enrollment: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1authenticator-enrollments~1{enrollmentId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/authenticator_enrollments/methods/list_authenticator_enrollments + - $ref: >- + #/components/x-stackQL-resources/authenticator_enrollments/methods/get_authenticator_enrollment + insert: + - $ref: >- + #/components/x-stackQL-resources/authenticator_enrollments/methods/create_authenticator_enrollment + - $ref: >- + #/components/x-stackQL-resources/authenticator_enrollments/methods/create_tac_authenticator_enrollment + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/authenticator_enrollments/methods/delete_authenticator_enrollment + replace: [] + classifications: + id: okta.users.classifications + name: classifications + title: Classifications + methods: + get_user_classification: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1classification/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_user_classification: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1classification/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/classifications/methods/get_user_classification + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/classifications/methods/replace_user_classification + user_clients: + id: okta.users.user_clients + name: 
user_clients + title: User Clients + methods: + list_user_clients: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1clients/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/user_clients/methods/list_user_clients + insert: [] + update: [] + delete: [] + replace: [] + grants: + id: okta.users.grants + name: grants + title: Grants + methods: + list_grants_for_user_and_client: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1grants/get + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_grants_for_user_and_client: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1grants/delete + response: + mediaType: '' + openAPIDocKey: '204' + list_user_grants: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1grants/get' + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_user_grants: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1grants/delete' + response: + mediaType: '' + openAPIDocKey: '204' + get_user_grant: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1grants~1{grantId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_user_grant: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1grants~1{grantId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/grants/methods/list_grants_for_user_and_client + - $ref: '#/components/x-stackQL-resources/grants/methods/list_user_grants' + - $ref: '#/components/x-stackQL-resources/grants/methods/get_user_grant' + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/grants/methods/revoke_grants_for_user_and_client + - $ref: '#/components/x-stackQL-resources/grants/methods/revoke_user_grants' + - $ref: '#/components/x-stackQL-resources/grants/methods/revoke_user_grant' 
+ replace: [] + oauth_tokens: + id: okta.users.oauth_tokens + name: oauth_tokens + title: Oauth Tokens + methods: + list_refresh_tokens_for_user_and_client: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1tokens/get + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_tokens_for_user_and_client: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1tokens/delete + response: + mediaType: '' + openAPIDocKey: '204' + get_refresh_token_for_user_and_client: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1tokens~1{tokenId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + revoke_token_for_user_and_client: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1clients~1{clientId}~1tokens~1{tokenId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/oauth_tokens/methods/list_refresh_tokens_for_user_and_client + - $ref: >- + #/components/x-stackQL-resources/oauth_tokens/methods/get_refresh_token_for_user_and_client + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/oauth_tokens/methods/revoke_tokens_for_user_and_client + - $ref: >- + #/components/x-stackQL-resources/oauth_tokens/methods/revoke_token_for_user_and_client + replace: [] + user_devices: + id: okta.users.user_devices + name: user_devices + title: User Devices + methods: + list_user_devices: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1devices/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/user_devices/methods/list_user_devices + insert: [] + update: [] + delete: [] + replace: [] + factors: + id: okta.users.factors + name: factors + title: Factors + methods: + list_factors: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors/get' + response: + 
mediaType: application/json + openAPIDocKey: '200' + enroll_factor: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_factor: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}/get' + response: + mediaType: '' + openAPIDocKey: '200' + unenroll_factor: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_factor: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}~1lifecycle~1activate/post + response: + mediaType: application/json + openAPIDocKey: '200' + resend_enroll_factor: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}~1resend/post + response: + mediaType: application/json + openAPIDocKey: '200' + get_factor_transaction_status: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}~1transactions~1{transactionId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + verify_factor: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1factors~1{factorId}~1verify/post + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/factors/methods/list_factors' + - $ref: '#/components/x-stackQL-resources/factors/methods/get_factor' + - $ref: >- + #/components/x-stackQL-resources/factors/methods/get_factor_transaction_status + insert: + - $ref: '#/components/x-stackQL-resources/factors/methods/enroll_factor' + update: [] + delete: + - $ref: '#/components/x-stackQL-resources/factors/methods/unenroll_factor' + replace: [] + supported_factors: + id: okta.users.supported_factors + name: supported_factors + title: Supported Factors + methods: + list_supported_factors: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors~1catalog/get' + response: + mediaType: 
application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/supported_factors/methods/list_supported_factors + insert: [] + update: [] + delete: [] + replace: [] + supported_security_questions: + id: okta.users.supported_security_questions + name: supported_security_questions + title: Supported Security Questions + methods: + list_supported_security_questions: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1factors~1questions/get' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/supported_security_questions/methods/list_supported_security_questions + insert: [] + update: [] + delete: [] + replace: [] + user_risk: + id: okta.users.user_risk + name: user_risk + title: User Risk + methods: + get_user_risk: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1risk/get' + response: + mediaType: application/json + openAPIDocKey: '200' + upsert_user_risk: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1risk/put' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: '#/components/x-stackQL-resources/user_risk/methods/get_user_risk' + insert: [] + update: [] + delete: [] + replace: + - $ref: >- + #/components/x-stackQL-resources/user_risk/methods/upsert_user_risk + role_assignment_users: + id: okta.users.role_assignment_users + name: role_assignment_users + title: Role Assignment Users + methods: + list_assigned_roles_for_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles/get' + response: + mediaType: application/json + openAPIDocKey: '200' + assign_role_to_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles/post' + response: + mediaType: application/json + openAPIDocKey: '201' + get_user_assigned_role: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}/get' + response: + mediaType: application/json + 
openAPIDocKey: '200' + unassign_role_from_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + assign_all_apps_as_target_to_role_for_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps/put + response: + mediaType: '' + openAPIDocKey: '200' + assign_app_target_to_admin_role_for_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}/put + response: + mediaType: '' + openAPIDocKey: '204' + assign_app_instance_target_to_app_admin_role_for_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}~1{appId}/put + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/role_assignment_users/methods/list_assigned_roles_for_user + - $ref: >- + #/components/x-stackQL-resources/role_assignment_users/methods/get_user_assigned_role + insert: + - $ref: >- + #/components/x-stackQL-resources/role_assignment_users/methods/assign_role_to_user + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/role_assignment_users/methods/unassign_role_from_user + replace: [] + user_assigned_role_governance: + id: okta.users.user_assigned_role_governance + name: user_assigned_role_governance + title: User Assigned Role Governance + methods: + get_user_assigned_role_governance: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1governance/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/user_assigned_role_governance/methods/get_user_assigned_role_governance + insert: [] + update: [] + delete: [] + replace: [] + role_assignment_governance_grant: + id: 
okta.users.role_assignment_governance_grant + name: role_assignment_governance_grant + title: Role Assignment Governance Grant + methods: + get_role_assignment_governance_grant: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1governance~1{grantId}/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/role_assignment_governance_grant/methods/get_role_assignment_governance_grant + insert: [] + update: [] + delete: [] + replace: [] + role_assignment_governance_grant_resources: + id: okta.users.role_assignment_governance_grant_resources + name: role_assignment_governance_grant_resources + title: Role Assignment Governance Grant Resources + methods: + get_role_assignment_governance_grant_resources: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1governance~1{grantId}~1resources/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/role_assignment_governance_grant_resources/methods/get_role_assignment_governance_grant_resources + insert: [] + update: [] + delete: [] + replace: [] + admin_app_targets: + id: okta.users.admin_app_targets + name: admin_app_targets + title: Admin App Targets + methods: + list_application_targets_for_application_administrator_role_for_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps/get + response: + mediaType: application/json + openAPIDocKey: '200' + unassign_app_target_from_app_admin_role_for_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}/delete + response: + mediaType: '' + openAPIDocKey: '204' + unassign_app_instance_target_from_admin_role_for_user: + operation: + $ref: >- + 
#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1targets~1catalog~1apps~1{appName}~1{appId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/admin_app_targets/methods/list_application_targets_for_application_administrator_role_for_user + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/admin_app_targets/methods/unassign_app_target_from_app_admin_role_for_user + - $ref: >- + #/components/x-stackQL-resources/admin_app_targets/methods/unassign_app_instance_target_from_admin_role_for_user + replace: [] + role_group_targets: + id: okta.users.role_group_targets + name: role_group_targets + title: Role Group Targets + methods: + list_group_targets_for_role: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1targets~1groups/get + response: + mediaType: application/json + openAPIDocKey: '200' + assign_group_target_to_user_role: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1targets~1groups~1{groupId}/put + response: + mediaType: '' + openAPIDocKey: '204' + unassign_group_target_from_user_admin_role: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1roles~1{roleAssignmentId}~1targets~1groups~1{groupId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/role_group_targets/methods/list_group_targets_for_role + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/role_group_targets/methods/unassign_group_target_from_user_admin_role + replace: + - $ref: >- + #/components/x-stackQL-resources/role_group_targets/methods/assign_group_target_to_user_role + role_targets: + id: okta.users.role_targets + name: role_targets + title: Role Targets + methods: + get_role_targets_by_user_id_and_role_id: + operation: + $ref: >- + 
#/paths/~1api~1v1~1users~1{userId}~1roles~1{roleIdOrEncodedRoleId}~1targets/get + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/role_targets/methods/get_role_targets_by_user_id_and_role_id + insert: [] + update: [] + delete: [] + replace: [] + subscriptions: + id: okta.users.subscriptions + name: subscriptions + title: Subscriptions + methods: + list_subscriptions_user: + operation: + $ref: '#/paths/~1api~1v1~1users~1{userId}~1subscriptions/get' + response: + mediaType: application/json + openAPIDocKey: '200' + get_subscriptions_notification_type_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1subscriptions~1{notificationType}/get + response: + mediaType: application/json + openAPIDocKey: '200' + subscribe_by_notification_type_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1subscriptions~1{notificationType}~1subscribe/post + response: + mediaType: '' + openAPIDocKey: '200' + unsubscribe_by_notification_type_user: + operation: + $ref: >- + #/paths/~1api~1v1~1users~1{userId}~1subscriptions~1{notificationType}~1unsubscribe/post + response: + mediaType: '' + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/subscriptions/methods/list_subscriptions_user + - $ref: >- + #/components/x-stackQL-resources/subscriptions/methods/get_subscriptions_notification_type_user + insert: [] + update: [] + delete: [] + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/webauthn_registration.yaml b/providers/src/okta/v00.00.00000/services/webauthn_registration.yaml new file mode 100644 index 00000000..8e499e55 --- /dev/null 
+++ b/providers/src/okta/v00.00.00000/services/webauthn_registration.yaml 
@@ -0,0 +1,935 @@ +openapi: 3.0.3 +info: + title: webauthn_registration API + description: okta webauthn_registration API + version: 5.1.0 +paths: + /webauthn-registration/api/v1/activate: + post: + summary: Activate a preregistered WebAuthn factor + description: >- + Activates a preregistered WebAuthn factor. As part of this operation, + Okta first decrypts and verifies the factor PIN and enrollment data sent + by the fulfillment provider. + operationId: activatePreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment activation request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationRequest' + examples: + Activate Preregistration Enrollment Request: + $ref: '#/components/examples/EnrollmentActivationRequestExample' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentActivationResponse' + examples: + Activate Preregistration Enrollment Response: + $ref: '#/components/examples/EnrollmentActivationResponseExample' + '400': + description: PIN or cred requests generation failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: >- + #/components/examples/ErrorPinOrCredResponsesProcessingFailure + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/enroll: + post: + summary: Enroll a preregistered WebAuthn factor + description: >- + Enrolls a preregistered WebAuthn factor. 
This WebAuthn factor has a + longer challenge timeout period to accommodate the fulfillment request + process. As part of this operation, Okta generates elliptic curve (EC) + key-pairs used to encrypt the factor PIN and enrollment data sent by the + fulfillment provider. + operationId: enrollPreregistrationEnrollment + x-codegen-request-body-name: body + requestBody: + description: Enrollment initialization request + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationRequest' + examples: + Initialize Preregistration Enrollment Request: + $ref: '#/components/examples/EnrollmentInitializationRequestExample' + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/EnrollmentInitializationResponse' + examples: + Initialize Preregistration Enrollment Response: + $ref: >- + #/components/examples/EnrollmentInitializationResponseExample + '400': + description: PIN or cred requests generation failed + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + NoDisable: + $ref: >- + #/components/examples/ErrorPinOrCredRequestsGenerationFailure + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/initiate-fulfillment-request: + post: + summary: Generate a fulfillment request + description: >- + Generates a fulfillment request by sending a WebAuthn preregistration + event to start the flow. The WebAuthn preregistration integration for + Okta Workflows uses a preregistration event to populate the fulfillment + request. 
+ operationId: generateFulfillmentRequest + x-codegen-request-body-name: body + requestBody: + description: Fulfillment request + content: + application/json: + schema: + $ref: '#/components/schemas/FulfillmentRequest' + examples: + Generate Fulfillment Request: + $ref: '#/components/examples/GenerateFulfillmentRequestExample' + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/send-pin: + post: + summary: Send a PIN to user + description: >- + Sends the decoded PIN for the specified WebAuthn preregistration + enrollment. PINs are sent to the user's email. To resend the PIN, call + this operation again. 
+ operationId: sendPin + x-codegen-request-body-name: body + requestBody: + description: Send PIN request + content: + application/json: + schema: + $ref: '#/components/schemas/PinRequest' + examples: + Send PIN Request: + $ref: '#/components/examples/SendPinRequestExample' + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + /webauthn-registration/api/v1/users/{userId}/enrollments: + get: + summary: List all WebAuthn preregistration factors + description: Lists all WebAuthn preregistration factors for the specified user + operationId: listWebAuthnPreregistrationFactors + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/WebAuthnPreregistrationFactor' + example: + - id: fwf23789dfs9asdf782 + factorType: webauthn + provider: FIDO + vendorName: FIDO + fulfillmentProvider: yubico + status: ACTIVE + created: '2018-05-24T20:43:19.000Z' + lastUpdated: '2018-05-24T21:43:32.000Z' + profile: + credentialId: >- + l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA + authenticatorName: YubiKey 5C + presetPinAvailable: true + _links: + self: + href: >- + https://example.okta.com/webauthn-registration/api/v1/users/00u15s1KDETTQMQYABRL/enrollments/fwf23789dfs9asdf782 + hints: + allow: + - DELETE + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.read + tags: + - 
WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathUserId' + /webauthn-registration/api/v1/users/{userId}/enrollments/{authenticatorEnrollmentId}: + delete: + summary: Delete a WebAuthn preregistration factor + description: Deletes a specific WebAuthn preregistration factor for a user + operationId: deleteWebAuthnPreregistrationFactor + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/authenticatorEnrollmentId' + /webauthn-registration/api/v1/users/{userId}/enrollments/{authenticatorEnrollmentId}/mark-error: + post: + summary: Assign the fulfillment error status to a WebAuthn preregistration factor + description: >- + Assigns the fulfillment error status to a WebAuthn preregistration + factor for a user. The `/mark-error` path indicates that the specific + `FULFILLMENT_ERRORED` AuthFactor status is set on the enrollment. 
+ operationId: assignFulfillmentErrorWebAuthnPreregistrationFactor + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.users.manage + tags: + - WebAuthnPreregistration + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + parameters: + - $ref: '#/components/parameters/pathUserId' + - $ref: '#/components/parameters/authenticatorEnrollmentId' +components: + schemas: + EnrollmentActivationRequest: + description: Enrollment Initialization Request + type: object + properties: + credResponses: + description: List of credential responses from the fulfillment provider + type: array + items: + $ref: '#/components/schemas/WebAuthnCredResponse' + fulfillmentProvider: + description: >- + Name of the fulfillment provider for the WebAuthn preregistration + factor + type: string + enum: + - yubico + pinResponseJwe: + description: Encrypted JWE of the PIN response from the fulfillment provider + type: string + serial: + description: Serial number of the YubiKey + type: string + userId: + description: ID of an existing Okta user + type: string + version: + description: Firmware version of the YubiKey + type: string + yubicoSigningJwks: + description: >- + List of usable signing keys from Yubico (in JSON Web Key Sets (JWKS) + format). The signing keys are used to verify the JSON Web Signature + (JWS) inside the JWE. 
+ type: array + items: + $ref: '#/components/schemas/ECKeyJWK' + EnrollmentActivationResponse: + description: Enrollment initialization response + type: object + properties: + authenticatorEnrollmentIds: + description: List of IDs for preregistered WebAuthn factors in Okta + type: array + items: + type: string + fulfillmentProvider: + description: >- + Name of the fulfillment provider for the WebAuthn preregistration + factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + EnrollmentInitializationRequest: + description: Enrollment initialization request + type: object + properties: + enrollmentRpIds: + description: List of relying party hostnames to register on the YubiKey + type: array + items: + type: string + fulfillmentProvider: + description: >- + Name of the fulfillment provider for the WebAuthn preregistration + factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + yubicoTransportKeyJWK: + description: >- + Transport public key in JWK (JSON Web Key) format used to encrypt + fulfillment requests to Yubico + $ref: '#/components/schemas/ECKeyJWK' + EnrollmentInitializationResponse: + description: >- + Yubico transport key in the form of a JSON Web Token (JWK), used to + encrypt our fulfillment request to Yubico. 
The currently agreed protocol + uses P-384. + type: object + properties: + credRequests: + description: List of credential requests for the fulfillment provider + type: array + items: + $ref: '#/components/schemas/WebAuthnCredRequest' + fulfillmentProvider: + description: >- + Name of the fulfillment provider for the WebAuthn preregistration + factor + type: string + enum: + - yubico + pinRequestJwe: + description: Encrypted JWE of PIN request for the fulfillment provider + type: string + userId: + description: ID of an existing Okta user + type: string + FulfillmentRequest: + description: Fulfillment request + type: object + properties: + fulfillmentData: + $ref: '#/components/schemas/FulfillmentData' + fulfillmentProvider: + description: >- + Name of the fulfillment provider for the WebAuthn preregistration + factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + PinRequest: + description: Pin request + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn preregistration factor in Okta + type: string + fulfillmentProvider: + description: >- + Name of the fulfillment provider for the WebAuthn preregistration + factor + type: string + enum: + - yubico + userId: + description: ID of an existing Okta user + type: string + WebAuthnPreregistrationFactor: + description: User factor variant used for WebAuthn preregistration factors + type: object + properties: + created: + description: Timestamp indicating when the factor was enrolled + type: string + format: date-time + readOnly: true + factorType: + $ref: '#/components/schemas/UserFactorType' + id: + description: ID of the factor + type: string + readOnly: true + lastUpdated: + description: Timestamp indicating when the factor was last updated + type: string + format: date-time + readOnly: true + profile: + type: object + description: Specific attributes related to the factor + provider: + $ref: 
'#/components/schemas/UserFactorProvider' + status: + $ref: '#/components/schemas/UserFactorStatus' + vendorName: + description: Name of the factor vendor. This is usually the same as the provider. + type: string + example: OKTA + readOnly: true + _links: + $ref: '#/components/schemas/LinksSelf' + WebAuthnCredResponse: + description: >- + Credential response object for enrolled credential details, along with + enrollment and key identifiers to associate the credential + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn preregistration factor in Okta + type: string + credResponseJwe: + description: >- + Encrypted JSON Web Encryption (JWE) of the credential response from + the fulfillment provider + type: string + ECKeyJWK: + description: >- + Elliptic curve key in JSON Web Key (JWK) format. It's used during + enrollment to encrypt fulfillment requests to Yubico, or during + activation to verify Yubico's JWS (JSON Web Signature) objects in + fulfillment responses. The currently agreed protocol uses P-384. + type: object + properties: + crv: + type: string + description: The elliptic curve protocol + enum: + - P-384 + kid: + type: string + description: The unique identifier of the key + kty: + type: string + enum: + - EC + description: The type of public key + use: + type: string + description: >- + The intended use for the key. This value is either `enc` + (encryption) during enrollment, when Okta uses the ECKeyJWK to + encrypt requests to Yubico. Or it's `sig` (signature) during + activation, when Okta uses the ECKeyJWK to verify the responses from + Yubico. 
+ enum: + - enc + - sig + x: + type: string + description: The public x coordinate for the elliptic curve point + 'y': + type: string + description: The public y coordinate for the elliptic curve point + required: + - x + - 'y' + - kty + - crv + - use + - kid + ErrorCause: + type: object + properties: + errorSummary: + type: string + WebAuthnCredRequest: + description: >- + Credential request object for the initialized credential, along with the + enrollment and key identifiers to associate with the credential + type: object + properties: + authenticatorEnrollmentId: + description: ID for a WebAuthn preregistration factor in Okta + type: string + credRequestJwe: + description: Encrypted JWE of credential request for the fulfillment provider + type: string + keyId: + description: >- + ID for the Okta response key-pair used to encrypt and decrypt + credential requests and responses + type: string + FulfillmentData: + description: List of fulfillment order details + items: + $ref: '#/components/schemas/FulfillmentDataOrderDetails' + type: array + UserFactorType: + description: Type of factor + type: string + enum: + - call + - email + - push + - question + - signed_nonce + - sms + - token + - token:hardware + - token:hotp + - token:software:totp + - u2f + - web + - webauthn + UserFactorProvider: + type: string + enum: + - CUSTOM + - DUO + - FIDO + - GOOGLE + - OKTA + - RSA + - SYMANTEC + - YUBICO + UserFactorStatus: + example: ACTIVE + description: Status of the factor + type: string + enum: + - ACTIVE + - DISABLED + - ENROLLED + - EXPIRED + - INACTIVE + - NOT_SETUP + - PENDING_ACTIVATION + readOnly: true + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + FulfillmentDataOrderDetails: + description: >- + Information about the fulfillment order that includes the factor’s make + and model, the custom configuration of the factor, and inventory + details. + type: object + properties: + customizationId: + description: ID for the set of custom configurations of the requested factor + type: string + inventoryProductId: + description: ID for the specific inventory bucket of the requested factor + type: string + productId: + description: ID for the make and model of the requested factor + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/ErrorResourceNotFound' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + parameters: + pathUserId: + name: userId + description: ID of an existing Okta user + in: path + required: true + schema: + type: string + example: 00ub0oNGTSWTBKOLGLNR + authenticatorEnrollmentId: + name: authenticatorEnrollmentId + in: path + required: true + description: ID for a WebAuthn preregistration factor in Okta + schema: + type: string + examples: + EnrollmentActivationRequestExample: + summary: Enrollment activation request + value: + credResponses: + - authenticatorEnrollmentId: fwf5ajzJEWqknX6lk0g4 + credResponseJwe: eyJlcGsiOnsia3R5IjoiRUM... + fulfillmentProvider: yubico + pinResponseJwe: eyJl5IjoiRUMiLCJjcnYcGsiOnsia3... 
+ serial: '3632071' + userId: 00us2hPODQncCkxef0g3 + version: 5.4.3 + yubicoSigningJwks: + - crv: P-384 + kid: APCS-Tsgnkey-C19881-H0027616953 + kty: EC + use: sig + x: tJc-j5osUCP-75ihCOKsswTOj3XsekayG3x79K2ndyOIXu08gDMkvL8rks06tEAa + 'y': hfVGbQeG4l2orqenn-GATWwTm8tLqHFHuwfJp33CCNOMtYYsgkAEnW60ORzt4YV- + EnrollmentActivationResponseExample: + summary: Enrollment activation response + value: + authenticatorEnrollmentIds: + - fwf5ajzJEWqknX6lk0g4 + fulfillmentProvider: yubico + userId: 00us2hPODQncCkxef0g3 + ErrorPinOrCredResponsesProcessingFailure: + summary: PIN or cred response processing failed + value: + errorCode: E0000001 + errorSummary: 'Api validation failed: pinResponseJwe|webAuthnCredResponse' + errorLink: E0000001 + errorId: oaehk3rssXQmOWDRsaFfxe8B + errorCauses: + errorSummary: There was an unexpected internal error. Please try again. + EnrollmentInitializationRequestExample: + summary: Initialize preregistration enrollment request + value: + enrollmentRpIds: + - myorg.okta.com + fulfillmentProvider: yubico + userId: 00us2hPODQncCkxef0g3 + yubicoTransportKeyJWK: + crv: P-384 + kid: APCS-Ttrans-C19881-I009 + kty: EC + use: enc + x: r6AzcX3OSiJk1yQaBVYiBOtzFS9gNSpMDPvnVvl0CAX7el1ZyzmPG_BZ7u8sqTmF + 'y': RxPyGH1Xg74E2f5AQGkkddzsvTNY1R3R7mXTEM5wQtr1Y7C4XHlvITNZfU6G + EnrollmentInitializationResponseExample: + summary: Initialize preregistration enrollment request + value: + credRequests: + - authenticatorEnrollmentId: fwf5ajzJEWqknX6lk0g4 + credRequestJwe: eyJlcGsiOnsia3R5IjoiRUMiLCJ... + keyId: h2r91gconqiai1vs0psg + fulfillmentProvider: yubico + pinRequestJwe: eyJlcGsa3R5IjoiRUMiLA... 
+ userId: 00us2hPODQncCkxef0g3 + ErrorPinOrCredRequestsGenerationFailure: + summary: PIN or cred requests generation failed + value: + errorCode: E0000001 + errorSummary: >- + Api validation failed: + webAuthnPreregistrationPinRequest|webAuthnPreregistrationCredentialRequest + errorLink: E0000001 + errorId: oaehk3rssXQmOWDRsaFfxe8A + errorCauses: + errorSummary: There was an unexpected internal error. Please try again. + GenerateFulfillmentRequestExample: + summary: Generate fulfillment request + value: + userId: 00us2hPODQncCkxef0g3 + fulfillmentProvider: yubico + fulfillmentData: + - productId: '55' + customizationId: RXJN83 + inventoryProductId: '106' + SendPinRequestExample: + summary: Send PIN request + value: + authenticatorEnrollmentId: fwf5ajzJEWqknX6lk0g4 + fulfillmentProvider: yubico + userId: 00us2hPODQncCkxef0g3 + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: {0}' + errorLink: E0000007 + errorId: sampleMlLvGUj_YD5v16vkYWY + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. 
+ errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + x-stackQL-resources: + enrollments: + id: okta.webauthn_registration.enrollments + name: enrollments + title: Enrollments + methods: + activate_preregistration_enrollment: + operation: + $ref: '#/paths/~1webauthn-registration~1api~1v1~1activate/post' + response: + mediaType: application/json + openAPIDocKey: '200' + enroll_preregistration_enrollment: + operation: + $ref: '#/paths/~1webauthn-registration~1api~1v1~1enroll/post' + response: + mediaType: application/json + openAPIDocKey: '200' + generate_fulfillment_request: + operation: + $ref: >- + #/paths/~1webauthn-registration~1api~1v1~1initiate-fulfillment-request/post + response: + mediaType: '' + openAPIDocKey: '204' + send_pin: + operation: + $ref: '#/paths/~1webauthn-registration~1api~1v1~1send-pin/post' + response: + mediaType: '' + openAPIDocKey: '204' + list_web_authn_preregistration_factors: + operation: + $ref: >- + #/paths/~1webauthn-registration~1api~1v1~1users~1{userId}~1enrollments/get + response: + mediaType: application/json + openAPIDocKey: '200' + delete_web_authn_preregistration_factor: + operation: + $ref: >- + #/paths/~1webauthn-registration~1api~1v1~1users~1{userId}~1enrollments~1{authenticatorEnrollmentId}/delete + response: + mediaType: '' + openAPIDocKey: '204' + assign_fulfillment_error_web_authn_preregistration_factor: + operation: + $ref: >- + #/paths/~1webauthn-registration~1api~1v1~1users~1{userId}~1enrollments~1{authenticatorEnrollmentId}~1mark-error/post + response: + mediaType: '' + openAPIDocKey: '204' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/enrollments/methods/list_web_authn_preregistration_factors + insert: [] + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/enrollments/methods/delete_web_authn_preregistration_factor + replace: [] +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The 
domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains. diff --git a/providers/src/okta/v00.00.00000/services/zones.yaml b/providers/src/okta/v00.00.00000/services/zones.yaml new file mode 100644 index 00000000..b7859808 --- /dev/null +++ b/providers/src/okta/v00.00.00000/services/zones.yaml 
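Review bot: Every operation in the new `webauthn_registration.yaml` names the `apiToken` and `oauth2` security requirements (scopes `okta.users.manage`, and `okta.users.read` on the list operation), but its `components` section declares no `securitySchemes`. OpenAPI 3.0 requires each security requirement name to match a declared scheme, so a validator will flag the document, and a reader cannot tell from it how the token is transmitted or which scopes are defined for these factor-enrollment, PIN and factor-deletion calls. I would add a `components.securitySchemes` block along the lines below, with the flow type and URLs taken from the upstream Okta spec. If authentication is meant to be configured only at the provider level (not visible here), drop the per-operation `security` lists instead so the file does not reference undefined names. If this file is generated, the change presumably belongs in the generator rather than in this output.

```yaml
components:
  # … unchanged: schemas, responses, parameters, examples, x-stackQL-resources …
  securitySchemes:
    apiToken:
      type: apiKey
      in: header
      name: Authorization
      description: 'Okta API token, sent as `Authorization: SSWS <token>`'
    oauth2:
      type: oauth2
      flows:
        # flow type and URLs are placeholders; copy them from the upstream spec
        authorizationCode:
          authorizationUrl: '<AUTHORIZATION_URL placeholder>'
          tokenUrl: '<TOKEN_URL placeholder>'
          scopes:
            okta.users.manage: Manage users and their enrolled factors
            okta.users.read: Read users and their enrolled factors
```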
@@ -0,0 +1,1298 @@ +openapi: 3.0.3 +info: + title: zones API + description: okta zones API + version: 5.1.0 +paths: + /api/v1/zones: + get: + summary: List all network zones + description: >- + Lists all Network Zones with pagination. A subset of zones can be + returned that match a supported filter expression or query. + + + This operation requires URL encoding. For example, `filter=(id eq + "nzoul0wf9jyb8xwZm0g3" or id eq "nzoul1MxmGN18NDQT0g3")` is encoded as + `filter=%28id+eq+%22nzoul0wf9jyb8xwZm0g3%22+or+id+eq+%22nzoul1MxmGN18NDQT0g3%22%29`. + + + Okta supports filtering on the `id`, `usage`, and `system` properties. + See [Filter](https://developer.okta.com/docs/api/#filter) for more + information on the expressions that are used in filtering. + operationId: listNetworkZones + parameters: + - name: after + in: query + schema: + type: string + description: Specifies the pagination cursor for the next page of Network Zones + example: BlockedIpZones + - name: limit + in: query + schema: + type: integer + description: Specifies the number of results for a page + format: int32 + example: 5 + default: -1 + - name: filter + in: query + schema: + type: string + description: Filters zones by usage, ID, or system expression + example: id eq "nzowc1U5Jh5xuAK0o0g3" + responses: + '200': + description: Success + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/NetworkZone' + examples: + RetrieveAllZonesWithFilter: + $ref: '#/components/examples/RetrieveAllZonesWithFilter' + RetrieveAllZones: + $ref: '#/components/examples/RetrieveAllZones' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.read + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + post: + summary: Create a network zone + description: >- + Creates a Network Zone + + * For an IP Network 
Zone, you must define either `gateways` or + `proxies`. + + * For a Dynamic Network Zone, you must define at least one of the + following: `asns`, `locations`, or `proxyType`. + + * For an Enhanced Dynamic Network Zone, you must define at least one of + the following: `asns`, `locations`, or `ipServiceCategories`. + operationId: createNetworkZone + x-codegen-request-body-name: zone + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + CreateIPPolicyNetworkZone: + $ref: '#/components/examples/CreateIPPolicyNetworkZone' + CreateIPPolicyBlocklistNetworkZone: + $ref: '#/components/examples/CreateIPPolicyBlockListNetworkZone' + CreateEDNetworkZone: + $ref: '#/components/examples/CreateEDNZRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + CreateIPPolicyNetworkZone: + $ref: '#/components/examples/CreateIPPolicyNetworkZoneResponse' + CreateIPPolicyBlocklistNetworkZone: + $ref: >- + #/components/examples/CreateIPPolicyBlockListNetworkZoneResponse + CreateEDNetworkZone: + $ref: '#/components/examples/CreateEDNZResponse' + '400': + $ref: '#/components/responses/NzErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.manage + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /api/v1/zones/{zoneId}: + get: + summary: Retrieve a network zone + description: Retrieves a Network Zone by `zoneId` + operationId: getNetworkZone + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + RetrieveNetworkZoneIP: + $ref: '#/components/examples/RetrieveNetworkZoneIP' + RetrieveNetworkZoneDynamic: + $ref: 
'#/components/examples/RetrieveNetworkZoneDynamic' + RetrieveNetworkZoneEnhancedDynamic: + $ref: '#/components/examples/CreateEDNZResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/NzErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.read + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace a network zone + description: >- + Replaces a Network Zone by `zoneId`. The replaced Network Zone type must + be the same as the existing type. + + You can replace the usage (`POLICY`, `BLOCKLIST`) of a Network Zone by + updating the `usage` attribute. + + + **IP exempt zone**<br> + + If you have the IP exempt zone feature enabled, you can allow traffic + from specific gateway IPs irrespective of Okta ThreatInsight + configurations, blocked network zones, or IP change events within + Identity Threat Protection with Okta AI.<br> + + <br> + + When you enable this feature, Okta creates a zone called + `DefaultExemptIpZone`. Gateway IPs that you add to this zone always have + access to Okta resources. See [IP exempt + zone](https://help.okta.com/okta_help.htm?type=oie&id=csh-about-ip-exempt-zone). + + + > **Note:** You can't add trusted proxy IPs to this zone, delete the + zone, or create additional exempt IP zones. 
+ operationId: replaceNetworkZone + x-codegen-request-body-name: zone + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + ReplaceNetworkZone: + $ref: '#/components/examples/ReplaceNetworkZone' + UpdateDefaultExemptIpZone: + $ref: '#/components/examples/UpdateDefaultExemptIpZone' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + ReplaceNetworkZone: + $ref: '#/components/examples/ReplaceNetworkZoneResponse' + UpdateDefaultExemptIpZoneResponse: + $ref: '#/components/examples/UpdateDefaultExemptIpZoneResponse' + '400': + $ref: '#/components/responses/NzErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/NzErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.manage + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + delete: + summary: Delete a network zone + description: >- + Deletes a Network Zone by `zoneId` + + > **Notes:** + + > * You can't delete a Network Zone that's used by a + [Policy](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) + or + [Rule](https://developer.okta.com/docs/apihttps://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyRules). + + > * For Okta Identity Engine orgs, you can't delete a Network Zone with + an ACTIVE `status`. 
<x-lifecycle class="oie"></x-lifecycle> + operationId: deleteNetworkZone + responses: + '204': + description: No Content + content: {} + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/NzErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.manage + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathZoneId' + /api/v1/zones/{zoneId}/lifecycle/activate: + post: + summary: Activate a network zone + description: Activates a Network Zone by `zoneId` + operationId: activateNetworkZone + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + ActivateNetworkZone: + $ref: '#/components/examples/ActivateNetworkZone' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/NzErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.networkZones.manage + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathZoneId' + /api/v1/zones/{zoneId}/lifecycle/deactivate: + post: + summary: Deactivate a network zone + description: Deactivates a Network Zone by `zoneId` + operationId: deactivateNetworkZone + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/NetworkZone' + examples: + DeactivateNetworkZone: + $ref: '#/components/examples/DeactivateNetworkZone' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/NzErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - 
oauth2: + - okta.networkZones.manage + tags: + - NetworkZone + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + parameters: + - $ref: '#/components/parameters/pathZoneId' +components: + schemas: + NetworkZone: + type: object + properties: + created: + type: string + format: date-time + description: Timestamp when the object was created + readOnly: true + id: + type: string + description: Unique identifier for the Network Zone + readOnly: true + lastUpdated: + type: string + format: date-time + description: Timestamp when the object was last modified + readOnly: true + name: + type: string + description: Unique name for this Network Zone + maxLength: 128 + status: + $ref: '#/components/schemas/NetworkZoneStatus' + system: + type: boolean + readOnly: true + description: > + Indicates a system Network Zone: + + * `true` for system Network Zones + + * `false` for custom Network Zones + + + The Okta org provides the following default system Network Zones: + + * `LegacyIpZone` + + * `BlockedIpZone` + + * `DefaultEnhancedDynamicZone` + + * `DefaultExemptIpZone` + + + Admins can modify the name of the default system Network Zone and + add up to 5000 gateway or proxy IP entries. 
+ type: + $ref: '#/components/schemas/NetworkZoneType' + usage: + $ref: '#/components/schemas/NetworkZoneUsage' + _links: + $ref: '#/components/schemas/LinksSelfAndLifecycle' + required: + - name + - type + discriminator: + propertyName: type + mapping: + IP: '#/components/schemas/IPNetworkZone' + DYNAMIC: '#/components/schemas/DynamicNetworkZone' + DYNAMIC_V2: '#/components/schemas/EnhancedDynamicNetworkZone' + NetworkZoneStatus: + description: Network Zone status + type: string + enum: + - ACTIVE + - INACTIVE + NetworkZoneType: + description: The type of Network Zone + type: string + enum: + - DYNAMIC + - IP + - DYNAMIC_V2 + NetworkZoneUsage: + description: The usage of the Network Zone + type: string + enum: + - BLOCKLIST + - POLICY + LinksSelfAndLifecycle: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + $ref: '#/components/schemas/HrefObjectActivateLink' + deactivate: + $ref: '#/components/schemas/HrefObjectDeactivateLink' + Error: + title: Error + type: object + properties: + errorCauses: + type: array + items: + $ref: '#/components/schemas/ErrorCause' + errorCode: + type: string + description: An Okta code for this type of error + errorId: + type: string + description: >- + A unique identifier for this error. This can be used by Okta Support + to help with troubleshooting. + errorLink: + type: string + description: An Okta code for this type of error + errorSummary: + type: string + description: >- + A short description of what caused this error. Sometimes this + contains dynamically-generated information about your specific + error. + LinksSelf: + description: >- + Specifies link relations (see [Web + Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the + [JSON Hypertext Application + Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related + resources and lifecycle operations. 
+ type: object + properties: + self: + $ref: '#/components/schemas/HrefObjectSelfLink' + readOnly: true + HrefObjectActivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to activate the resource + HrefObjectDeactivateLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to deactivate the resource + ErrorCause: + type: object + properties: + errorSummary: + type: string + HrefObjectSelfLink: + allOf: + - $ref: '#/components/schemas/HrefObject' + - description: Link to the resource (self) + HrefObject: + title: Link Object + additionalProperties: true + type: object + properties: + hints: + $ref: '#/components/schemas/HrefHints' + readOnly: true + href: + type: string + description: Link URI + name: + type: string + description: Link name + readOnly: true + templated: + type: boolean + description: >- + Indicates whether the link object's `href` property is a URI + template. + readOnly: true + type: + type: string + description: >- + The media type of the link. If omitted, it is implicitly + `application/json`. 
+ readOnly: true + required: + - href + HrefHints: + description: Describes allowed HTTP verbs for the `href` + type: object + properties: + allow: + type: array + items: + $ref: '#/components/schemas/HttpMethod' + HttpMethod: + type: string + enum: + - DELETE + - GET + - POST + - PUT + responses: + ErrorAccessDenied403: + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + AccessDenied: + $ref: '#/components/examples/ErrorAccessDenied' + ErrorTooManyRequests429: + description: Too Many Requests + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + TooManyRequests: + $ref: '#/components/examples/ErrorTooManyRequests' + NzErrorApiValidationFailed400: + description: Bad Request + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + APIValidationFailed: + $ref: '#/components/examples/NzErrorApiValidationFailed' + NzErrorResourceNotFound404: + description: Not Found + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + ResourceNotFound: + $ref: '#/components/examples/NzErrorResourceNotFound' + parameters: + pathZoneId: + name: zoneId + in: path + schema: + type: string + required: true + description: '`id` of the Network Zone' + example: nzowc1U5Jh5xuAK0o0g3 + examples: + RetrieveAllZonesWithFilter: + summary: Retrieves network zones with filter + value: + - type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + 
RetrieveAllZones: + summary: Retrieves all network zones + value: + - type: DYNAMIC_V2 + id: nzok0oz2xYHOZtIch0g4 + name: testZone106 + status: ACTIVE + usage: BLOCKLIST + create: '2024-05-13T16:33:44.000Z' + lastUpdated: '2024-05-13T16:33:44.000Z' + system: false + locations: + include: [] + exclude: [] + asns: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclude: [] + _links: + self: + href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate + hints: + allow: + - POST + - type: DYNAMIC + id: nzoy0ox5xADOZtKrh0g6 + name: test + status: ACTIVE + usage: POLICY + created: '2022-05-19T15:33:32.000Z' + lastUpdated: '2022-05-19T15:33:32.000Z' + system: false + locations: + - country: AF + region: AF-BGL + proxyType: ANY + asns: + - '23457' + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate + hints: + allow: + - POST + - type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + - type: IP + id: nzou3u0stMCmgOzXK1d6 + name: BlockedIpZone + status: ACTIVE + usage: BLOCKLIST + created: '2021-06-09T21:32:46.000Z' + lastUpdated: '2021-06-09T21:32:46.000Z' + system: true + gateways: null + proxies: null + _links: + self: 
+ href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate + hints: + allow: + - POST + - type: DYNAMIC_V2 + id: nzohcnxFrSgsiwyHp0g4 + name: DefaultEnhancedDynamicZone + status: ACTIVE + usage: BLOCKLIST + created: '2024-05-06T19:12:29.000Z' + lastUpdated: '2024-05-09T21:02:31.000Z' + system: true + locations: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclue: [] + asns: + include: [] + exclude: [] + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate + hints: + allow: + - POST + - type: IP + id: nzou3u0ssJfZjYsWL1d6 + name: LegacyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-09T21:32:46.000Z' + lastUpdated: '2021-06-09T21:32:46.000Z' + system: true + gateways: null + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate + hints: + allow: + - POST + CreateIPPolicyNetworkZone: + summary: Create an IP policy network zone + value: + type: IP + name: newNetworkZone + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: + - type: CIDR + value: 2.2.3.4/24 + - type: CIDR + value: 3.3.4.5/24 + CreateIPPolicyBlockListNetworkZone: + summary: Create an IP blocklist network zone + value: + type: IP + name: newBlockListNetworkZone + status: ACTIVE + usage: BLOCKLIST + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: null + CreateEDNZRequest: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: 
[] + summary: Create an enhanced dynamic network zone + value: + type: DYNAMIC_V2 + name: testZone106 + status: ACTIVE + usage: BLOCKLIST + locations: + include: [] + exclude: [] + asns: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclude: [] + CreateIPPolicyNetworkZoneResponse: + summary: IP policy network zone + value: + type: IP + id: nzowb8T5Jh5xuAJ0o0g7 + name: newNetworkZone + status: ACTIVE + usage: POLICY + created: '2021-08-09T21:32:01.000Z' + lastUpdated: '2021-08-09T21:32:01.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24' + - type: CIDR + value: 2.3.4.5/24 + proxies: + - type: CIDR + value: 2.2.3.4/24 + - type: CIDR + value: 3.3.4.5/24 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7/lifecycle/deactivate + hints: + allow: + - POST + CreateIPPolicyBlockListNetworkZoneResponse: + summary: IP blocklist network zone + value: + type: IP + id: nzo1qasnPb1kqEq0e0g4 + name: newBlockListNetworkzone + status: ACTIVE + usage: BLOCKLIST + created: '2021-08-09T20:22:09.000Z' + lastUpdated: '2021-08-09T20:22:09.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + - type: CIDR + value: 2.3.4.5/24 + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4/lifecycle/deactivate + hints: + allow: + - POST + CreateEDNZResponse: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + summary: Enhanced dynamic network zone + value: + type: DYNAMIC_V2 + id: nzok0oz2xYHOZtIch0g4 + name: testZone106 + status: ACTIVE + usage: BLOCKLIST + create: '2024-05-13T16:33:44.000Z' + lastUpdated: '2024-05-13T16:33:44.000Z' + system: false + locations: + 
include: [] + exclude: [] + asns: + include: [] + exclude: [] + ipServiceCategories: + include: + - ALL_ANONYMIZERS + exclude: [] + _links: + self: + href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate + hints: + allow: + - POST + RetrieveNetworkZoneIP: + summary: IP network zone + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + RetrieveNetworkZoneDynamic: + summary: Dynamic network zone + value: + type: DYNAMIC + id: nzoy0ox5xADOZtKrh0g6 + name: test + status: ACTIVE + usage: POLICY + created: '2022-05-19T15:33:32.000Z' + lastUpdated: '2022-05-19T15:33:32.000Z' + system: false + locations: + - country: AF + region: AF-BGL + proxyType: ANY + asns: + - '23457' + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate + hints: + allow: + - POST + ReplaceNetworkZone: + summary: Replace a network zone + value: + type: IP + id: nzovw2rFz2YoqmvwZ0g9 + name: UpdatedNetZone + status: ACTIVE + system: false + usage: POLICY + gateways: + - type: CIDR + value: 10.2.3.4/24 + - type: CIDR + value: 12.2.3.4/24 + - type: RANGE + value: 13.4.5.6-13.4.5.8 + - type: CIDR + value: 14.2.3.4/24 + proxies: + - type: CIDR + value: 12.2.3.4/24 + - type: 
CIDR + value: 13.3.4.5/24 + - type: RANGE + value: 14.4.5.6-14.4.5.8 + - type: RANGE + value: 15.5.6.7/24-15.5.6.9 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate + hints: + allow: + - POST + UpdateDefaultExemptIpZone: + summary: Update the DefaultExemptIpZone + value: + type: IP + id: nzodufauoBZYt5fIB0w6 + name: DefaultExemptIpZone + status: ACTIVE + usage: POLICY + useAsExemptList: true + system: true + gateways: + - type: RANGE + value: 1.1.1.16-1.1.1.16 + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzodufauoBZYt5fIB0w6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzodufauoBZYt5fIB0w6/lifecycle/deactivate + hints: + allow: + - POST + ReplaceNetworkZoneResponse: + summary: Replace network zone + value: + type: IP + id: nzovw2rFz2YoqmvwZ0g9 + name: UpdatedNetZone + status: ACTIVE + usage: POLICY + created: '2022-05-08T18:25:05.000Z' + lastUpdated: '2022-05-10T13:15:22.000Z' + system: false + gateways: + - type: CIDR + value: 10.2.3.4/24 + - type: CIDR + value: 12.2.3.4/24 + - type: RANGE + value: 13.4.5.6-13.4.5.8 + - type: CIDR + value: 14.2.3.4/24 + proxies: + - type: CIDR + value: 12.2.3.4/24 + - type: CIDR + value: 13.3.4.5/24 + - type: RANGE + value: 14.4.5.6-14.4.5.8 + - type: RANGE + value: 15.5.6.7/24-15.5.6.9 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate + hints: + allow: + - POST + UpdateDefaultExemptIpZoneResponse: + summary: Update the DefaultExemptIpZone response + value: + type: IP + id: nzodufauoBZYt5fIB0w6 + name: DefaultExemptIpZone + status: ACTIVE + usage: POLICY + created: 
'2024-10-08T16:35:21.000Z' + lastUpdated: '2024-10-08T16:36:31.000Z' + system: true + useAsBlackList: false + useAsExemptList: true + gateways: + - type: RANGE + value: 1.1.1.16-1.1.1.16 + proxies: null + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzodufauoBZYt5fIB0w6 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzodufauoBZYt5fIB0w6/lifecycle/deactivate + hints: + allow: + - POST + ActivateNetworkZone: + summary: Activated network zone + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: ACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + deactivate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate + hints: + allow: + - POST + DeactivateNetworkZone: + summary: Deactivated network zone + value: + type: IP + id: nzowc1U5Jh5xuAK0o0g3 + name: MyIpZone + status: INACTIVE + usage: POLICY + created: '2021-06-24T20:37:32.000Z' + lastUpdated: '2021-06-24T20:37:32.000Z' + system: false + gateways: + - type: CIDR + value: 1.2.3.4/24 + proxies: + - type: RANGE + value: 3.3.4.5-3.3.4.15 + _links: + self: + href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 + hints: + allow: + - GET + - PUT + - DELETE + activate: + href: >- + https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/activate + hints: + allow: + - POST + ErrorAccessDenied: + summary: Access Denied + value: + errorCode: E0000006 + errorSummary: You do not have permission to perform the requested action + errorLink: E0000006 + errorId: sampleNUSD_8fdkFd8fs8SDBK + errorCauses: [] + ErrorTooManyRequests: + summary: Too Many Requests + value: + 
errorCode: E0000047 + errorSummary: API call exceeded rate limit due to too many requests. + errorLink: E0000047 + errorId: sampleQPivGUj_ND5v78vbYWW + errorCauses: [] + NzErrorApiValidationFailed: + summary: API Validation Failed + value: + errorCode: E0000003 + errorSummary: The request body was not well-formed. + errorLink: E0000003 + errorId: samplewNxQUR9iohr4QYlD0eg + errorCauses: [] + NzErrorResourceNotFound: + summary: Resource Not Found + value: + errorCode: E0000007 + errorSummary: 'Not found: Resource not found: itd (NetworkZone)' + errorLink: E0000007 + errorId: samplejCSVaKFDkCMElmKQ + errorCauses: [] + x-stackQL-resources: + network_zones: + id: okta.zones.network_zones + name: network_zones + title: Network Zones + methods: + list_network_zones: + operation: + $ref: '#/paths/~1api~1v1~1zones/get' + response: + mediaType: application/json + openAPIDocKey: '200' + create_network_zone: + operation: + $ref: '#/paths/~1api~1v1~1zones/post' + response: + mediaType: application/json + openAPIDocKey: '200' + get_network_zone: + operation: + $ref: '#/paths/~1api~1v1~1zones~1{zoneId}/get' + response: + mediaType: application/json + openAPIDocKey: '200' + replace_network_zone: + operation: + $ref: '#/paths/~1api~1v1~1zones~1{zoneId}/put' + response: + mediaType: application/json + openAPIDocKey: '200' + delete_network_zone: + operation: + $ref: '#/paths/~1api~1v1~1zones~1{zoneId}/delete' + response: + mediaType: '' + openAPIDocKey: '204' + activate_network_zone: + operation: + $ref: '#/paths/~1api~1v1~1zones~1{zoneId}~1lifecycle~1activate/post' + response: + mediaType: application/json + openAPIDocKey: '200' + deactivate_network_zone: + operation: + $ref: '#/paths/~1api~1v1~1zones~1{zoneId}~1lifecycle~1deactivate/post' + response: + mediaType: application/json + openAPIDocKey: '200' + sqlVerbs: + select: + - $ref: >- + #/components/x-stackQL-resources/network_zones/methods/list_network_zones + - $ref: >- + 
#/components/x-stackQL-resources/network_zones/methods/get_network_zone + insert: + - $ref: >- + #/components/x-stackQL-resources/network_zones/methods/create_network_zone + update: [] + delete: + - $ref: >- + #/components/x-stackQL-resources/network_zones/methods/delete_network_zone + replace: + - $ref: >- + #/components/x-stackQL-resources/network_zones/methods/replace_network_zone +servers: + - url: https://{subdomain}.okta.com/ + variables: + subdomain: + default: my-org + description: >- + The domain of your organization. This can be a provided subdomain of + an official okta domain (okta.com, oktapreview.com, etc) or one of + your configured custom domains.