From 347a6eb68e18c3b169ced9397ca4bbbc78f9aa2e Mon Sep 17 00:00:00 2001 From: clement Date: Tue, 19 Nov 2024 18:22:26 +0100 Subject: [PATCH 01/43] OpenAPI: since/until params in /api/v1/logs should have date-time format --- src/swagger/api.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 61635eeb1dd..1b83ac48412 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -14187,15 +14187,13 @@ paths: in: query schema: type: string - format: ISO 8601 compliant timestamp - default: 7 days prior to until + format: date-time - name: until description: Filters the upper time bound of the log events `published` property for bounded queries or persistence time for polling queries. in: query schema: type: string - format: ISO 8601 compliant timestamp - default: current time + format: date-time - name: after description: Retrieves the next page of results. Okta returns a link in the HTTP Header (`rel=next`) that includes the after query parameter in: query From b08e69894c9f1d08b15f9b46581e8bf28cad3223 Mon Sep 17 00:00:00 2001 From: clement Date: Tue, 19 Nov 2024 18:23:33 +0100 Subject: [PATCH 02/43] OpenAPI: add missing variant of AppUserUpdateRequest to update app user scope --- src/swagger/api.yaml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 1b83ac48412..7b24bb8f1fa 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -46641,12 +46641,7 @@ components: profile: $ref: '#/components/schemas/AppUserProfile' scope: - type: string - description: Indicates if the assignment is direct (`USER`) or by group membership (`GROUP`). - enum: - - USER - - GROUP - example: USER + $ref: '#/components/schemas/AppUserAssignmentType' status: $ref: '#/components/schemas/AppUserStatus' statusChanged: 
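Review bot: Dropping `default: 7 days prior to until` and `default: current time` from the `since` and `until` query parameters removes the only statement of what the service uses when a caller omits them, and the hunk puts nothing in their place. Changing the free-text `format` to `date-time` is right and a relative value can't be expressed as a `default` on a string, so the sentence belongs in each parameter's `description` instead, e.g. appending "Defaults to 7 days before `until`." to `since` and "Defaults to the current time." to `until`. The `until` description is inside this hunk; the `since` description sits just above it, outside the shown lines.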
@@ -46671,6 +46666,13 @@ components: - $ref: '#/components/schemas/AppUser' - required: - id + AppUserAssignmentType: + type: string + description: Indicates if the assignment is direct (`USER`) or by group membership (`GROUP`). + enum: + - USER + - GROUP + example: USER AppUserCredentials: description: | Specifies a user's credentials for the app. @@ -46723,6 +46725,13 @@ components: properties: profile: $ref: '#/components/schemas/AppUserProfile' + AppUserScopeRequestPayload: + title: Scope + description: Updates the assigned user scope + type: object + properties: + scope: + $ref: '#/components/schemas/AppUserAssignmentType' AppUserStatus: description: Status of an Application User example: ACTIVE @@ -46781,6 +46790,7 @@ components: oneOf: - $ref: '#/components/schemas/AppUserCredentialsRequestPayload' - $ref: '#/components/schemas/AppUserProfileRequestPayload' + - $ref: '#/components/schemas/AppUserScopeRequestPayload' AppleClientSigning: description: |- Information used to generate the secret JSON Web Token for the token requests to Apple IdP From 8c298297d464c2cba512be65d7acdaa08ca348f0 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Tue, 19 Nov 2024 17:43:06 +0100 Subject: [PATCH 03/43] OpenAPI: UiSchemaObject#elements should be an array --- src/swagger/api.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 7b24bb8f1fa..a4484a0fa95 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -64068,7 +64068,9 @@ components: description: Specifies the button label for the `Submit` button at the bottom of the enrollment form default: Submit elements: - $ref: '#/components/schemas/UIElement' + type: array + items: + $ref: '#/components/schemas/UIElement' label: type: string description: Specifies the label at the top of the enrollment form under the logo From 615c72594e43a81152c9f7553b1f96525e06ffca Mon Sep 17 00:00:00 2001 
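Review bot: `AppUserScopeRequestPayload` (hunk at 46723) declares a single optional `scope` property with no `required` list, and the hunk at 46781 adds it as a third branch of the `AppUserUpdateRequest` `oneOf` that has no `discriminator`; `oneOf` demands exactly one matching branch, so a body such as `{}` or one carrying only `profile` now validates against the new branch as well as an existing one and can be rejected as ambiguous. Adding `required:` / `- scope` to `AppUserScopeRequestPayload` keeps the new branch from matching bodies that don't set a scope. Whether the `credentials` and `profile` payloads already carry their own `required` lists isn't visible here, so the same check applies to them.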
From: clement Date: Tue, 26 Nov 2024 18:53:10 +0100 Subject: [PATCH 04/43] OpenAPI: Fix allOf used with a single $ref pointing to an array type - This generates an empty schema in the Java models --- src/swagger/api.yaml | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index a4484a0fa95..bcc5168aa15 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -50933,9 +50933,7 @@ components: - type: object properties: asns: - allOf: - - $ref: '#/components/schemas/NetworkZoneAsns' - - description: An array of ASNs for a Network Zone + $ref: '#/components/schemas/NetworkZoneAsns' proxyType: type: string description: The proxy type used for a Dynamic Network Zone @@ -50950,9 +50948,7 @@ components: Tor: Use Tor Anonymizer proxy for the Dynamic Zone. NotTorAnonymizer: Use a non Tor Anonymizer proxy for the Dynamic Zone. locations: - allOf: - - $ref: '#/components/schemas/NetworkZoneLocationArray' - - description: An array of geolocations for a Dynamic Network Zone + $ref: '#/components/schemas/NetworkZoneLocationArray' ECKeyJWK: description: Elliptic Curve Key in JWK format, currently used during enrollment to encrypt fulfillment requests to Yubico, or during activation to verify Yubico's JWS objects in fulfillment responses. The currently agreed protocol uses P-384. type: object @@ -51321,9 +51317,7 @@ components: description:
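Review bot: Collapsing each `allOf` to a bare `$ref` also discards the per-property descriptions (`An array of ASNs for a Network Zone`, `An array of geolocations for a Dynamic Network Zone`, and the include/exclude texts in the hunks at 51321 and 51333), so `asns`, `locations`, `include` and `exclude` are left without a property-level description. If the document is OpenAPI 3.1 the text can be kept as a `description:` sibling of the `$ref`; on 3.0 siblings of `$ref` are ignored, so it would have to move into the parent schema's description or into `NetworkZoneAsns` / `NetworkZoneLocationArray`. The `openapi:` version line isn't in view, so which of the two applies can't be confirmed from here.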
The list of ASNs associated with an Enhanced Dynamic Network Zone properties: include: - allOf: - - $ref: '#/components/schemas/NetworkZoneAsns' - - description: An array of ASNs to include for an Enhanced Dynamic Network Zone + $ref: '#/components/schemas/NetworkZoneAsns' locations: x-okta-lifecycle: lifecycle: EA @@ -51333,13 +51327,9 @@ components: description:
The list of geolocations to include or exclude for an Enhanced Dynamic Network Zone properties: include: - allOf: - - $ref: '#/components/schemas/NetworkZoneLocationArray' - - description: An array of geolocations to include for an Enhanced Dynamic Network Zone + $ref: '#/components/schemas/NetworkZoneLocationArray' exclude: - allOf: - - $ref: '#/components/schemas/NetworkZoneLocationArray' - - description: An array of geolocations to exclude for an Enhanced Dynamic Network Zone + $ref: '#/components/schemas/NetworkZoneLocationArray' ipServiceCategories: x-okta-lifecycle: lifecycle: EA From 4d7d8cdfc75cc6bdbf7505c0dbcd8dc9aa45ce63 Mon Sep 17 00:00:00 2001 From: clement Date: Wed, 27 Nov 2024 16:59:49 +0100 Subject: [PATCH 05/43] OpenAPI: Incorrect indent in UserSchemaAttribute.enum --- src/swagger/api.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index bcc5168aa15..643b06585cc 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -65701,8 +65701,8 @@ components: Enumerated value of the property. The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements. - items: - $ref: '#/components/schemas/UserSchemaAttributeItems' + items: + $ref: '#/components/schemas/UserSchemaAttributeItems' externalName: type: string description: |- From 0dd6e5e5a8c263a2fe74c179ca2af96b9a1d203d Mon Sep 17 00:00:00 2001 From: clement Date: Wed, 27 Nov 2024 16:56:08 +0100 Subject: [PATCH 06/43] OpenAPI: Fix type used with $ref --- src/swagger/api.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 643b06585cc..b8b79a7fdda 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -2317,7 +2317,6 @@ paths: content: application/json: schema: - type: object $ref: '#/components/schemas/OAuth2ClientJsonWebKey' examples: OAuthClientJsonWebKeyResponseExample: 
@@ -2735,7 +2734,6 @@ paths: content: application/json: schema: - type: object $ref: '#/components/schemas/OAuth2ClientSecret' examples: OAuthClientSecretResponseExample: From 0cc9cc5be0a5f3390e3a5ccd2fdae0c8da2ccc95 Mon Sep 17 00:00:00 2001 From: clement Date: Wed, 27 Nov 2024 16:57:49 +0100 Subject: [PATCH 07/43] OpenAPI: Remove invalid default value for date-time field --- src/swagger/api.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index b8b79a7fdda..8fd5c33520e 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -58171,7 +58171,6 @@ components: type: string format: date-time readOnly: true - default: Assigned description: description: Description of the Policy type: string @@ -58186,7 +58185,6 @@ components: type: string format: date-time readOnly: true - default: Assigned name: description: Name of the Policy type: string From 92618fde0b3dc837ef1b858b827bdd2d3169049a Mon Sep 17 00:00:00 2001 From: clement Date: Wed, 27 Nov 2024 16:59:01 +0100 Subject: [PATCH 08/43] OpenAPI: Minor validation issues - path parameters must be required - example should match pattern --- src/swagger/api.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 8fd5c33520e..096a0a4c23f 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -11287,6 +11287,7 @@ paths: operationId: getHookKey parameters: - name: id + required: true description: A valid key ID required: true in: path @@ -62472,7 +62473,7 @@ components: type: string SplunkToken: description: The HEC token for your Splunk Cloud HTTP Event Collector. The token value is set at object creation, but isn't returned. - example: 11111111-1111-2222-2222-222222222222 + example: a747a818-a4c4-4446-8a87-704216495a08 writeOnly: true type: string pattern: "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[1-5][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" 
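Review bot: The `+ required: true` added under `- name: id` in the `getHookKey` hunk duplicates the `required: true` that is already present two lines below (after `description: A valid key ID`), so the parameter object now carries the key twice. Duplicate mapping keys are invalid in YAML 1.2, most loaders silently keep the last one, and yamllint's `key-duplicates` rule will flag it; the added line should be dropped, since the existing one already satisfies the path-parameter rule named in the commit message. If the intent was to move `required` above `description` for consistency, remove the lower line instead of adding a second.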
From faebf6708b7406bc36d9104a133c9c401fbd202b Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Fri, 6 Dec 2024 10:07:35 +0100 Subject: [PATCH 09/43] OpenAPI: Enable case insensitive deserialization for enums --- api/pom.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/api/pom.xml b/api/pom.xml index b7cc09cc06e..66490b2ad3b 100644 --- a/api/pom.xml +++ b/api/pom.xml @@ -21,7 +21,7 @@ com.okta.sdk okta-sdk-root - 23.0.0 + 20.0.1-SNAPSHOT okta-sdk-api @@ -188,6 +188,7 @@ true true true + true serializableModel=true true From db5981d4e5a99bae7aad85d5ef0fd0be246047f9 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Wed, 11 Dec 2024 12:02:22 +0100 Subject: [PATCH 10/43] OpenApi: Fix DynamicNetworkZone TypeEnum --- src/swagger/api.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 096a0a4c23f..b6491750ea2 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -50939,7 +50939,7 @@ components: enum: - 'null' - Any - - Tor + - TorAnonymizer - NotTorAnonymizer x-enumDescriptions: 'null': (Or `""`) No proxy used From 4b3e786ddaa5ec1bf7a08fc8464437d28b34ef86 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Wed, 11 Dec 2024 17:05:10 +0100 Subject: [PATCH 11/43] OpenApi: Fix IdentityProvider Protocol types --- src/swagger/api.yaml | 148 +++++++++++++++++++------------------------ 1 file changed, 64 insertions(+), 84 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index b6491750ea2..cd9f8016fbc 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
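Review bot: The first hunk of `api/pom.xml` changes the parent version from `23.0.0` to `20.0.1-SNAPSHOT`, a downgrade to a snapshot that is unrelated to the commit subject (case-insensitive enum deserialization) and looks like a leftover from a local branch; it should be reverted to `23.0.0`. The second hunk adds a bare `true`, but the surrounding XML element names are not visible in this rendering, so which generator option is being switched on cannot be confirmed from this page. If it is the option that makes generated enums match values case-insensitively, the generated models will accept spellings the server never emits; that is a tolerance choice worth stating in the commit message.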
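Review bot: Renaming the `proxyType` enum value `Tor` to `TorAnonymizer` doesn't touch the `x-enumDescriptions` map that follows; only its `'null'` entry is in the hunk, but the context of the earlier hunk at 50950 shows that map keyed as `Tor: Use Tor Anonymizer proxy for the Dynamic Zone.`, so the description entry presumably still uses the old key and no longer matches any enum value. Rename that key to `TorAnonymizer` in the same commit.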
@@ -59365,26 +59365,18 @@ components: - example: DISABLED - default: DISABLED Protocol: + description: IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages type: object properties: - algorithms: - $ref: '#/components/schemas/ProtocolAlgorithms' - credentials: - $ref: '#/components/schemas/IdentityProviderCredentials' - endpoints: - $ref: '#/components/schemas/ProtocolEndpoints' - issuer: - $ref: '#/components/schemas/ProtocolEndpoint' - relayState: - $ref: '#/components/schemas/ProtocolRelayState' - scopes: - type: array - items: - type: string - settings: - $ref: '#/components/schemas/ProtocolSettings' type: $ref: '#/components/schemas/ProtocolType' + discriminator: + propertyName: type + mapping: + SAML2: '#/components/schemas/ProtocolSaml' + OAUTH2: '#/components/schemas/ProtocolOAuth' + OIDC: '#/components/schemas/ProtocolOidc' + MTLS: '#/components/schemas/ProtocolMtls' ProtocolAlgorithmRequestScope: description: Specifies whether to digitally sign authorization requests to the IdP example: REQUEST 
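Review bot: `Protocol` gains `discriminator: propertyName: type` but the hunk adds no `required: - type`; OpenAPI 3 expects the discriminator property to be a required property of the base schema (the spec's own examples list it under `required`), and generators such as openapi-generator warn on this and may fall back to an untyped model, which matters for a commit whose purpose is to fix the Java protocol types. Add `required:` / `- type` next to the new `discriminator` block. The mapping covers SAML2, OAUTH2, OIDC and MTLS; whether `ProtocolType` has other values that would then have no mapping isn't visible here.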
@@ -59412,83 +59404,71 @@ components: ProtocolMtls: title: Mutual TLS Protocol description: Protocol settings for the [MTLS Protocol](https://tools.ietf.org/html/rfc5246#section-7.4.4) - type: object - properties: - credentials: - $ref: '#/components/schemas/MtlsCredentials' - endpoints: - $ref: '#/components/schemas/MtlsEndpoints' - type: - type: string - description: Mutual TLS - enum: - - MTLS + allOf: + - $ref: '#/components/schemas/Protocol' + - type: object + properties: + credentials: + $ref: '#/components/schemas/MtlsCredentials' + endpoints: + $ref: '#/components/schemas/MtlsEndpoints' ProtocolOAuth: title: OAuth 2.0 Protocol description: Protocol settings for authentication using the [OAuth 2.0 Authorization Code flow](https://tools.ietf.org/html/rfc6749#section-4.1) - type: object - properties: - credentials: - $ref: '#/components/schemas/OAuthCredentials' - endpoints: - $ref: '#/components/schemas/OAuthEndpoints' - scopes: - type: array - description: |- - IdP-defined permission bundles to request delegated access from the User - > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. 
- items: - type: string - example: public_profile - type: - type: string - description: OAuth 2.0 Authorization Code flow - enum: - - OAUTH2 + allOf: + - $ref: '#/components/schemas/Protocol' + - type: object + properties: + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + scopes: + type: array + description: |- + IdP-defined permission bundles to request delegated access from the User + > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. + items: + type: string + example: public_profile ProtocolOidc: title: OpenID Connect Protocol description: Protocol settings for authentication using the [OpenID Connect Protocol](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) - type: object - properties: - algorithms: - $ref: '#/components/schemas/OidcAlgorithms' - credentials: - $ref: '#/components/schemas/OAuthCredentials' - endpoints: - $ref: '#/components/schemas/OAuthEndpoints' - scopes: - type: array - description: |- - OpenID Connect and IdP-defined permission bundles to request delegated access from the User - > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. 
- items: - type: string - example: openid - type: - type: string - description: OpenID Connect Authorization Code flow - enum: - - OIDC + allOf: + - $ref: '#/components/schemas/Protocol' + - type: object + properties: + algorithms: + $ref: '#/components/schemas/OidcAlgorithms' + credentials: + $ref: '#/components/schemas/OAuthCredentials' + endpoints: + $ref: '#/components/schemas/OAuthEndpoints' + scopes: + type: array + description: |- + OpenID Connect and IdP-defined permission bundles to request delegated access from the User + > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. + items: + type: string + example: openid ProtocolSaml: title: SAML 2.0 Protocol description: Protocol settings for the [SAML 2.0 Authentication Request Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) - type: object - properties: - algorithms: - $ref: '#/components/schemas/SamlAlgorithms' - credentials: - $ref: '#/components/schemas/SamlCredentials' - endpoints: - $ref: '#/components/schemas/SamlEndpoints' - relayState: - $ref: '#/components/schemas/SamlRelayState' - settings: - $ref: '#/components/schemas/SamlSettings' - type: - type: string - description: SAML 2.0 protocol - enum: - - SAML2 + allOf: + - $ref: '#/components/schemas/Protocol' + - type: object + properties: + algorithms: + $ref: '#/components/schemas/SamlAlgorithms' + credentials: + $ref: '#/components/schemas/SamlCredentials' + endpoints: + $ref: '#/components/schemas/SamlEndpoints' + relayState: + $ref: '#/components/schemas/SamlRelayState' + settings: + $ref: '#/components/schemas/SamlSettings' ProtocolAlgorithmType: type: object properties: From 38ea0b4c92be56c9d17e499a1fdc72d06c12380a Mon Sep 17 00:00:00 2001 
From: Antoine Piron Date: Mon, 6 Jan 2025 16:04:54 +0100 Subject: [PATCH 12/43] OpenApi: Update InlineHooks to match the latest spec OpenApi: Update InlineHooks to match the latest spec --- src/swagger/api.yaml | 584 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 480 insertions(+), 104 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index cd9f8016fbc..596b41ddf05 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
@@ -13620,14 +13620,22 @@ paths: isGenerallyAvailable: true /api/v1/inlineHooks: get: - summary: List all Inline Hooks - description: Lists all inline hooks + summary: List all inline hooks + description: |- + Lists all inline hooks or all inline hooks of a specific type. + + When listing a specific inline hook, you need to specify its type. The following types are currently supported: + | Type Value | Name | + |------------------------------------|----------------------------------------------------------------| + | `com.okta.import.transform` | [User import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createUserImportInlineHook) | + | `com.okta.oauth2.tokens.transform` | [Token inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTokenInlineHook) | + | `com.okta.saml.tokens.transform` | [SAML assertion inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createSAMLAssertionInlineHook) | + | `com.okta.telephony.provider` | [Telephony inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook) | + | `com.okta.user.credential.password.import` | [Password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook)| + | `com.okta.user.pre-registration` | [Registration inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook) | operationId: listInlineHooks parameters: - - name: type - in: query - schema: - type: string + - $ref: '#/components/parameters/inlineHookType' responses: '200': description: Success 
@@ -13638,31 +13646,58 @@ paths: items: $ref: '#/components/schemas/InlineHook' examples: - AuthenticatorConfiguration: - $ref: '#/components/examples/InlineHookTelephony' + InlineHooktMgmtListAllexample: + $ref: '#/components/examples/InlineHooktMgmtListAllexample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - - oauth2: - - okta.inlineHooks.read + - apiToken: [] + - oauth2: + - okta.inlineHooks.read tags: - - InlineHook + - InlineHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Create an Inline Hook - description: Creates an inline hook + summary: Create an inline hook + description: "Creates an inline hook\n\nThis endpoint creates an inline hook\ + \ for your org in an `ACTIVE` status. You need to pass an inline hooks object\ + \ in the JSON payload of your request. \nThat object represents the set of\ + \ required information about the inline hook that you're registering, including:\n\ + \n* The URI of your external service endpoint\n* The type of inline hook you're\ + \ registering\n* The type of authentication you're registering\n\nThere are\ + \ two authentication options that you can configure for your inline hook:\ + \ HTTP headers and OAuth 2.0 tokens.\n\nHTTP headers let you specify a secret\ + \ API key that you want Okta to pass to your external service endpoint (so\ + \ that your external service can check for its presence as a security measure).\n\ + \n>**Note:** The API key that you set here is unrelated to the Okta API token\ + \ you must supply when making calls to Okta APIs.\n\nYou can also optionally\ + \ specify extra headers that you want Okta to pass to your external service\ + \ with each call.\n\nTo configure HTTP header authentication, see parameters\ + \ for the `config` object.\n\nOAuth 2.0 tokens provide enhanced security between\ + \ Okta and your external service. 
You can configure these tokens for the following\ + \ types—client secret and private key.\n\n>**Note:** Your external service's\ + \ endpoint needs to be a valid HTTPS endpoint. The URI you specify should\ + \ always begin with `https://`.\n\nThe total number of inline hooks that you\ + \ can create in an Okta org is limited to 50, which is a combined total for\ + \ any combination of inline hook types." operationId: createInlineHook - x-codegen-request-body-name: inlineHook + x-codegen-request-body-name: inlineHookCreate requestBody: content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + $ref: '#/components/schemas/InlineHookCreate' + examples: + CreateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtCreateHTTPRequest' + CreateInlineHookOAuthClientSecret: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthClientSecretRequest' + CreateInlineHookOAuthPrivateKey: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthPrivateKeyRequest' required: true responses: '200': @@ -13670,7 +13705,14 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + $ref: '#/components/schemas/InlineHookCreateResponse' + examples: + CreateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtCreateHTTPResponse' + CreateInlineHookOAuthClientSecret: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthClientSecretResponse' + CreateInlineHookOAuthPrivateKey: + $ref: '#/components/examples/InlineHookMgmtCreateOAuthPrivateKeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
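Review bot: The new `createInlineHook` `description` is written as a double-quoted scalar with backslash line continuations and embedded `\n`, while the `listInlineHooks` description added in the previous hunk (and descriptions elsewhere in the file, e.g. `description: |-`) use block scalars; the quoted form is hard to read and to diff, and it already carries a trailing space inside the text (`your request. \nThat object`). Rewrite it as `description: |-` with the paragraphs on their own lines; the `executeInlineHook` description in the hunk at 13803 has the same shape and should get the same treatment. The rewrite is wording-neutral, so nothing in the rendered docs changes.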
@@ -13678,19 +13720,19 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - - oauth2: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - InlineHook + - InlineHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}: parameters: - - $ref: '#/components/parameters/pathInlineHookId' + - $ref: '#/components/parameters/pathInlineHookId' get: - summary: Retrieve an Inline Hook + summary: Retrieve an inline hook description: Retrieves an inline hook by `inlineHookId` operationId: getInlineHook responses: @@ -13701,8 +13743,12 @@ paths: schema: $ref: '#/components/schemas/InlineHook' examples: - AuthenticatorConfiguration: - $ref: '#/components/examples/InlineHookTelephony' + InlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtHTTPexample' + InlineHookOAuthClientSecret: + $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample' + InlineHookOAuthPrivateKey: + $ref: '#/components/examples/InlineHookMgmtOauthPKJexample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -13710,16 +13756,16 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - - oauth2: - - okta.inlineHooks.read + - apiToken: [] + - oauth2: + - okta.inlineHooks.read tags: - - InlineHook + - InlineHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Update an Inline Hook + summary: Update an inline hook description: Updates an inline hook by `inlineHookId` operationId: updateInlineHook x-codegen-request-body-name: inlineHook @@ -13727,7 +13773,10 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + $ref: '#/components/schemas/InlineHookReplace' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest' required: true responses: '200': 
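Review bot: Most lines in this hunk, and in the hunks at 13745, 13780, 13803, 13841, 13870 and 13899, only re-indent the `security:`, `tags:` and `parameters:` sequences from flush to indented style, which hides the substantive schema and example changes inside a 584-line diff. Whether the rest of the file uses flush or indented sequences can't be determined from this rendering, but mixing the two in one file is exactly what yamllint's `indentation.indent-sequences` rule catches, so either keep the existing style for these sequences or move the reformatting to a separate formatting-only commit.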
@@ -13736,6 +13785,9 @@ paths: application/json: schema: $ref: '#/components/schemas/InlineHook' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -13745,24 +13797,30 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - - oauth2: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - InlineHook + - InlineHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: - summary: Replace an Inline Hook - description: Replaces an inline hook by `inlineHookId` + summary: Replace an inline hook + description: |- + Replaces an inline hook by `inlineHookId`. The submitted inline hook properties replace the existing properties after passing validation. + + >**Note:** Some properties are immutable and can't be updated. operationId: replaceInlineHook x-codegen-request-body-name: inlineHook requestBody: content: application/json: schema: - $ref: '#/components/schemas/InlineHook' + $ref: '#/components/schemas/InlineHookReplace' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest' required: true responses: '200': @@ -13771,6 +13829,9 @@ paths: application/json: schema: $ref: '#/components/schemas/InlineHook' + examples: + UpdateInlineHookHTTP: + $ref: '#/components/examples/InlineHookMgmtPutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
@@ -13780,17 +13841,19 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - - oauth2: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - InlineHook + - InlineHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: - summary: Delete an Inline Hook - description: Deletes an inline hook by `inlineHookId`. Once deleted, the Inline Hook is unrecoverable. As a safety precaution, only Inline Hooks with a status of INACTIVE are eligible for deletion. + summary: Delete an inline hook + description: Deletes an inline hook by `inlineHookId`. After it's deleted, the + inline hook is unrecoverable. As a safety precaution, only inline hooks with + a status of `INACTIVE` are eligible for deletion. operationId: deleteInlineHook responses: '204': 
@@ -13803,27 +13866,56 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - - oauth2: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - InlineHook + - InlineHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}/execute: parameters: - - $ref: '#/components/parameters/pathInlineHookId' + - $ref: '#/components/parameters/pathInlineHookId' post: summary: Execute an Inline Hook - description: Executes the inline hook by `inlineHookId` using the request body as the input. This will send the provided data through the Channel and return a response if it matches the correct data contract. This execution endpoint should only be used for testing purposes. + description: "Executes the inline hook that matches the provided `inlineHookId`\ + \ by using the request body as the input. This inline hook sends the provided\ + \ \ndata through the `channel` object and returns a response if it matches\ + \ the correct data contract. Otherwise it returns an error. You need to \n\ + construct a JSON payload that matches the payloads that Okta would send to\ + \ your external service for this inline hook type.\n\nA timeout of three seconds\ + \ is enforced on all outbound requests, with one retry in the event of a timeout\ + \ or an error response from the remote system. \nIf a successful response\ + \ isn't received after the request, a 400 error is returned with more information\ + \ about what failed.\n\n>**Note:** This execution endpoint isn't tied to any\ + \ other functionality in Okta, and you should only use it for testing purposes." 
operationId: executeInlineHook x-codegen-request-body-name: payloadData requestBody: content: application/json: schema: - $ref: '#/components/schemas/InlineHookPayload' + oneOf: + - $ref: '#/components/schemas/PasswordImportRequestExecute' + - $ref: '#/components/schemas/TelephonyRequestExecute' + - $ref: '#/components/schemas/RegistrationInlineHookRequest' + - $ref: '#/components/schemas/TokenRequest' + - $ref: '#/components/schemas/SAMLPayloadExecute' + - $ref: '#/components/schemas/UserImportRequestExecute' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportPayloadExample' + TelephonyPayloadExample: + $ref: '#/components/examples/TelephonyPayloadExample' + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentRequest' + TokenPayLoadExample: + $ref: '#/components/examples/TokenPayLoadExample' + SAMLPayloadExample: + $ref: '#/components/examples/SAMLPayLoadExample' + UserImportPayloadExample: + $ref: '#/components/examples/UserImportPayloadExample' required: true responses: '200': 
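Review bot: The request body of `executeInlineHook` becomes a six-way `oneOf` with no `discriminator`, and the response in the next hunk (13831) does the same; `oneOf` requires exactly one branch to match, so unless each of the six payload schemas has `required` properties that exclude the others, a test payload may validate against several branches and be rejected, and openapi-generator's Java output for an undiscriminated `oneOf` is a weakly typed wrapper rather than the concrete request class. None of the six schemas is in view, so their `required` lists can't be checked from here. If the hook `type` isn't a property of these payloads, at least state in the description which schema corresponds to which inline hook type so callers of the generated client can pick the right one.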
@@ -13831,7 +13923,26 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/InlineHookResponse' + oneOf: + - $ref: '#/components/schemas/PasswordImportResponse' + - $ref: '#/components/schemas/TelephonyResponse' + - $ref: '#/components/schemas/RegistrationInlineHookResponse' + - $ref: '#/components/schemas/TokenHookResponse' + - $ref: '#/components/schemas/SAMLHookResponse' + - $ref: '#/components/schemas/UserImportResponse' + examples: + PasswordImportPayloadExample: + $ref: '#/components/examples/PasswordImportVerifiedResponse' + TelephonyPayloadExample: + $ref: '#/components/examples/TelephonySuccessResponse' + ProfileEnrollmentRequest: + $ref: '#/components/examples/ProfileEnrollmentResponse' + TokenPayLoadExample: + $ref: '#/components/examples/TokenHookResponse' + SAMLPayloadExample: + $ref: '#/components/examples/SAMLHookResponseExample' + UserImportPayloadExample: + $ref: '#/components/examples/UserImportChangeAppUserProfileExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': @@ -13841,19 +13952,19 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - - oauth2: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - InlineHook + - InlineHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}/lifecycle/activate: parameters: - - $ref: '#/components/parameters/pathInlineHookId' + - $ref: '#/components/parameters/pathInlineHookId' post: - summary: Activate an Inline Hook + summary: Activate an inline hook description: Activates the inline hook by `inlineHookId` operationId: activateInlineHook responses: @@ -13863,6 +13974,9 @@ paths: application/json: schema: $ref: '#/components/schemas/InlineHook' + examples: + ActivateAnInlineHook: + $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
@@ -13870,19 +13984,19 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - - oauth2: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - InlineHook + - InlineHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate: parameters: - - $ref: '#/components/parameters/pathInlineHookId' + - $ref: '#/components/parameters/pathInlineHookId' post: - summary: Deactivate an Inline Hook + summary: Deactivate an inline hook description: Deactivates the inline hook by `inlineHookId` operationId: deactivateInlineHook responses: @@ -13892,6 +14006,9 @@ paths: application/json: schema: $ref: '#/components/schemas/InlineHook' + examples: + DeactivateAnInlineHook: + $ref: '#/components/examples/InlineHookMgmtHTTPexampleDeactivate' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': @@ -13899,11 +14016,11 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - - oauth2: - - okta.inlineHooks.manage + - apiToken: [] + - oauth2: + - okta.inlineHooks.manage tags: - - InlineHook + - InlineHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true @@ -44653,6 +44770,19 @@ components: required: true schema: type: string + inlineHookType: + name: type + description: One of the supported inline hook types + in: query + schema: + type: string + enum: + - com.okta.import.transform + - com.okta.oauth2.tokens.transform + - com.okta.saml.tokens.transform + - com.okta.user.credential.password.import + - com.okta.user.pre-registration + - com.okta.telephony.provider limitParameter: name: limit in: query @@ -53584,6 +53714,8 @@ components: capabilities: $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject' InlineHook: + description: An inline hook object that specifies the details of the inline + hook type: object properties: channel: 
@@ -53592,28 +53724,32 @@ components: type: string format: date-time readOnly: true + description: Date of the inline hook creation id: type: string readOnly: true + description: The unique identifier for the inline hook lastUpdated: type: string format: date-time readOnly: true - metadata: - type: object - description: Specific properties for the inline hook configuration, for example, `optOutServiceProtectionRateLimit` to opt-out of Telephony Service Protection Rate Limits when using the Telephony inline hook. - additionalProperties: - type: string + description: Date of the last inline hook update name: type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 status: $ref: '#/components/schemas/InlineHookStatus' type: $ref: '#/components/schemas/InlineHookType' version: type: string + description: Version of the inline hook type. The currently supported version + is `1.0.0`. + readOnly: true _links: - $ref: '#/components/schemas/LinksSelf' + $ref: '#/components/schemas/InlineHookLinks' InlineHookBasePayload: type: object properties: @@ -53632,7 +53768,7 @@ components: eventTime: type: string description: The time the inline hook request was sent - example: '2020-01-17T21:23:56.000Z' + example: 2020-01-17T21:23:56.000Z eventTypeVersion: description: The inline hook version example: 1 
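Review bot: `name` in `InlineHook` gains `maximum: 255` and `minimum: 1`, but those keywords constrain numbers; on a `type: string` property validators ignore them, so the intended length bound is never enforced — use `maxLength: 255` and `minLength: 1`. The same mistake recurs in this commit on `name` in `InlineHookCreate`, `InlineHookCreateResponse` and `InlineHookReplace` (hunk `@@ -53692`) and on `uri` (`maximum: 1024`, should be `maxLength: 1024`) in `InlineHookChannelConfig` and `InlineHookChannelConfigCreate` (hunk `@@ -53644`). The hunk also removes the `metadata` property together with its `optOutServiceProtectionRateLimit` explanation; even if that tracks the upstream spec, it is a removal from the generated `InlineHook` model that callers may depend on and deserves a mention in the commit message.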
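Review bot: Dropping the quotes around the `eventTime` example (hunk `@@ -53632`) changes its type: YAML 1.1 parsers such as PyYAML and SnakeYAML read an unquoted `2020-01-17T21:23:56.000Z` as a timestamp, so the example no longer agrees with `type: string` and generators may re-serialize it in a different form. Keep `example: '2020-01-17T21:23:56.000Z'`. The same unquoting appears later on this page in PATCH 23 on the `createdAt`, `created` and `lastUpdated` examples of the APIServiceIntegration schemas (hunks `@@ -46364`, `@@ -46400` and `@@ -46415`).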
@@ -53644,47 +53780,116 @@ components: $ref: '#/components/schemas/InlineHookChannelType' version: type: string + description: Version of the inline hook type. The currently supported version + is `1.0.0`. discriminator: propertyName: type mapping: HTTP: '#/components/schemas/InlineHookChannelHttp' OAUTH: '#/components/schemas/InlineHookChannelOAuth' InlineHookChannelConfig: + description: Properties of the communications channel that are used to contact + your external service type: object properties: - authScheme: - $ref: '#/components/schemas/InlineHookChannelConfigAuthScheme' headers: type: array + description: An optional list of key/value pairs for headers that you can + send with the request to the external service items: $ref: '#/components/schemas/InlineHookChannelConfigHeaders' method: type: string + description: The method of the Okta inline hook request uri: type: string - InlineHookChannelConfigAuthScheme: + description: The external service endpoint that executes the inline hook + handler. It must begin with `https://` and be reachable by Okta. No white + space is allowed in the URI. + maximum: 1024 + InlineHookChannelConfigAuthSchemeBody: + description: The authentication scheme to use for this request + nullable: true type: object properties: key: type: string + description: The header name for the authorization server type: type: string + description: The authentication scheme type. Supported type—`HEADER`. value: type: string + description: The header value. This secret value is passed to your external + service endpoint. Your external service can check it as a security measure. + InlineHookChannelConfigAuthSchemeResponse: + description: The authentication scheme to use for this request + nullable: true + type: object + properties: + key: + type: string + description: The header name for the authorization server + type: + type: string + description: The authentication scheme type. 
Supported type—`HEADER` + InlineHookChannelConfigCreate: + description: Properties of the communications channel that are used to contact + your external service + type: object + properties: + headers: + type: array + description: An optional list of key/value pairs for headers that you can + send with the request to the external service. + items: + $ref: '#/components/schemas/InlineHookChannelConfigHeaders' + method: + type: string + description: The method of the Okta inline hook request + uri: + type: string + description: The external service endpoint that executes the inline hook + handler. It must begin with `https://` and be reachable by Okta. No white + space is allowed in the URI. + maximum: 1024 InlineHookChannelConfigHeaders: type: object properties: key: type: string + description: The optional field or header name value: type: string + description: The value for the key + InlineHookChannelCreate: + type: object + properties: + type: + $ref: '#/components/schemas/InlineHookChannelType' + version: + type: string + description: Version of the inline hook type. The currently supported version + is `1.0.0`. + discriminator: + propertyName: type + mapping: + HTTP: '#/components/schemas/InlineHookChannelHttpCreate' + OAUTH: '#/components/schemas/InlineHookChannelOAuthCreate' InlineHookChannelHttp: allOf: - $ref: '#/components/schemas/InlineHookChannel' - type: object properties: config: - $ref: '#/components/schemas/InlineHookChannelConfig' + $ref: '#/components/schemas/InlineHookHttpConfig' + InlineHookChannelHttpCreate: + allOf: + - $ref: '#/components/schemas/InlineHookChannelCreate' + - type: object + properties: + config: + $ref: '#/components/schemas/InlineHookHttpConfigCreate' InlineHookChannelOAuth: allOf: - $ref: '#/components/schemas/InlineHookChannel' 
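Review bot: `InlineHookChannelConfigAuthSchemeBody.value` carries the shared secret sent to the external service, yet it is a plain `type: string`; adding `writeOnly: true` (and `format: password` as a UI hint) documents that it is accepted in requests and never echoed, which is exactly what the new `InlineHookChannelConfigAuthSchemeResponse` expresses by omitting the field. `InlineHookChannelConfigCreate` is otherwise a copy of `InlineHookChannelConfig`, differing only by a trailing period in the `headers` description, so an `allOf` reference to the shared schema would avoid keeping two copies in step. The `uri` description requires an `https://` prefix that nothing in the schema checks; `format: uri` would at least let validators catch malformed values. This hunk starts on the previous line.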
@@ -53692,51 +53897,221 @@ components: properties: config: $ref: '#/components/schemas/InlineHookOAuthChannelConfig' + InlineHookChannelOAuthCreate: + allOf: + - $ref: '#/components/schemas/InlineHookChannelCreate' + - type: object + properties: + config: + $ref: '#/components/schemas/InlineHookOAuthChannelConfigCreate' InlineHookChannelType: type: string enum: - - HTTP - - OAUTH - InlineHookOAuthBasicConfig: - allOf: - - $ref: '#/components/schemas/InlineHookChannelConfig' + - HTTP + - OAUTH + InlineHookCreate: + description: An inline hook object that specifies the details of the inline + hook type: object properties: - authType: + channel: + $ref: '#/components/schemas/InlineHookChannelCreate' + name: type: string - clientId: + description: The display name of the inline hook + maximum: 255 + minimum: 1 + type: + $ref: '#/components/schemas/InlineHookType' + version: type: string - scope: + description: Version of the inline hook type. The currently supported version + is `1.0.0`. + InlineHookCreateResponse: + description: An inline hook object that specifies the details of the inline + hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannel' + created: + type: string + format: date-time + readOnly: true + description: Date of the inline hook creation + id: + type: string + readOnly: true + description: The unique identifier for the inline hook + lastUpdated: + type: string + format: date-time + readOnly: true + description: Date of the last inline hook update + name: type: string - tokenUrl: + description: The display name of the inline hook + maximum: 255 + minimum: 1 + status: + $ref: '#/components/schemas/InlineHookStatus' + type: + $ref: '#/components/schemas/InlineHookType' + version: type: string + description: Version of the inline hook type. The currently supported version + is `1.0.0`. 
+ readOnly: true + _links: + $ref: '#/components/schemas/InlineHookLinksCreate' + InlineHookHttpConfig: + allOf: + - $ref: '#/components/schemas/InlineHookChannelConfig' + - type: object + properties: + authScheme: + $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeResponse' + InlineHookHttpConfigCreate: + allOf: + - $ref: '#/components/schemas/InlineHookChannelConfigCreate' + - type: object + properties: + authScheme: + $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeBody' + InlineHookLinks: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + activate: + description: URL to activate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + deactivate: + description: URL to deactivate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + delete: + description: URL to delete the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + execute: + description: URL to test the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + InlineHookLinksCreate: + allOf: + - $ref: '#/components/schemas/LinksSelf' + - type: object + properties: + deactivate: + description: URL to deactivate the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + execute: + description: URL to test the inline hook + allOf: + - $ref: '#/components/schemas/HrefObject' + InlineHookOAuthBasicConfig: + allOf: + - $ref: '#/components/schemas/InlineHookChannelConfig' + - type: object + properties: + clientId: + type: string + description: A publicly exposed string provided by the service that's used + to identify the OAuth app and build authorization URLs + scope: + type: string + description: Include the scopes that allow you to perform the actions on + the hook endpoint that you want to access + tokenUrl: + type: string + description: The URI where inline hooks can exchange an authorization code + for access and refresh tokens InlineHookOAuthChannelConfig: type: object 
properties: authType: type: string + description: The authentication method for the token endpoint discriminator: propertyName: authType mapping: client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfig' private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig' - InlineHookOAuthClientSecretConfig: - allOf: - - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' + InlineHookOAuthChannelConfigCreate: type: object properties: - clientSecret: + authType: type: string + description: The authentication method for the token endpoint + discriminator: + propertyName: authType + mapping: + client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfigCreate' + private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig' + InlineHookOAuthClientSecretConfig: + allOf: + - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' + - $ref: '#/components/schemas/InlineHookOAuthChannelConfig' + - type: object + properties: + authScheme: + type: string + description: Not applicable. Must be `null`. + nullable: true + InlineHookOAuthClientSecretConfigCreate: + allOf: + - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' + - $ref: '#/components/schemas/InlineHookOAuthChannelConfigCreate' + - type: object + properties: + clientSecret: + type: string + description: A private value provided by the service used to authenticate + the identity of the app to the service + method: + type: string + description: The method of the Okta inline hook request. Only accepts `POST`. InlineHookOAuthPrivateKeyJwtConfig: allOf: - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' - type: object - properties: - hookKeyId: - type: string + - $ref: '#/components/schemas/InlineHookOAuthChannelConfig' + - type: object + properties: + authType: + type: string + authScheme: + type: string + description: Not applicable. Must be `null`. 
+ nullable: true + hookKeyId: + type: string + description: An ID value of the hook key pair generated from the [Hook Keys + API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/HookKey/#tag/HookKey) + method: + type: string + description: The method of the Okta inline hook request. Only accepts `POST`. InlineHookPayload: type: object x-okta-extensible: true + InlineHookReplace: + description: An inline hook object that specifies the details of the inline + hook + type: object + properties: + channel: + $ref: '#/components/schemas/InlineHookChannelCreate' + name: + type: string + description: The display name of the inline hook + maximum: 255 + minimum: 1 + version: + type: string + description: Version of the inline hook type. The currently supported version + is `1.0.0`. InlineHookRequestObject: description: The API request that triggered the inline hook type: object @@ -53785,17 +54160,18 @@ components: InlineHookStatus: type: string enum: - - ACTIVE - - INACTIVE + - ACTIVE + - INACTIVE InlineHookType: + description: One of the inline hook types type: string enum: - - com.okta.import.transform - - com.okta.oauth2.tokens.transform - - com.okta.saml.tokens.transform - - com.okta.telephony.provider - - com.okta.user.credential.password.import - - com.okta.user.pre-registration + - com.okta.import.transform + - com.okta.oauth2.tokens.transform + - com.okta.saml.tokens.transform + - com.okta.telephony.provider + - com.okta.user.credential.password.import + - com.okta.user.pre-registration IssuerMode: type: string enum: From 0ddcda607602920ed4fb4378802c911560df9999 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Tue, 4 Feb 2025 17:17:33 +0100 Subject: [PATCH 13/43] OpenApi: Add missing RiskScorePolicyRuleCondition and RiskPolicyRuleCondition to OktaSignOnPolicyRuleConditions OpenApi: Update InlineHooks to match the latest spec --- src/swagger/api.yaml | 4 ++++ 1 file changed, 4 insertions(+) 
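Review bot: `InlineHookOAuthClientSecretConfigCreate.clientSecret` is described as a private value but is declared as a plain `type: string`; marking it `writeOnly: true` (and optionally `format: password`) records that it is accepted on create and never returned, which is what the response-side `InlineHookOAuthClientSecretConfig` already does by omitting it. Separately, both `InlineHookOAuthChannelConfig` and `InlineHookOAuthChannelConfigCreate` map `private_key_jwt` to the same `InlineHookOAuthPrivateKeyJwtConfig`, which extends only the response-side `InlineHookOAuthChannelConfig`, so the create flow has no dedicated variant as `client_secret_post` does; if the asymmetry is intentional a comment should say so, otherwise a create-side counterpart mirroring the other pair is the fix. `InlineHookOAuthPrivateKeyJwtConfig` also redeclares `authType`, which it already inherits from `InlineHookOAuthChannelConfig`. This hunk starts on an earlier line of the page.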
diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 596b41ddf05..38eaf29b64f 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -56960,6 +56960,10 @@ components: $ref: '#/components/schemas/PolicyPeopleCondition' identityProvider: $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' + risk: + $ref: '#/components/schemas/RiskPolicyRuleCondition' + riskScore: + $ref: '#/components/schemas/RiskScorePolicyRuleCondition' OktaSignOnPolicyRuleSignonActions: type: object properties: From fb1727ac879e9bc937e947409595733386a208c0 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Mon, 24 Mar 2025 16:03:08 +0100 Subject: [PATCH 14/43] OpenApi: Add missing AppAndInstancePolicyRuleCondition to AuthenticatorEnrollmentPolicyRuleConditions OpenApi: Update InlineHooks to match the latest spec --- src/swagger/api.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 38eaf29b64f..5ea5738def5 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -47919,6 +47919,7 @@ components: - CHALLENGE - LOGIN - NEVER + - NEVER_INCLUDING_RECOVERY AuthenticatorEnrollmentPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' @@ -47931,13 +47932,15 @@ components: properties: network: $ref: '#/components/schemas/PolicyNetworkCondition' + app: + $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' people: type: object description: Identifies Users and Groups that are used together properties: users: type: object - description: Specifies a set of Users to be included or excluded + description: Specifies a set of Uers to be included or excluded properties: exclude: type: array From 9362f359f7b282b8d51584fe1ed0a764c62b2fe8 Mon Sep 17 00:00:00 2001 
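Review bot: The rewritten `users` description in `AuthenticatorEnrollmentPolicyRuleConditions` (hunk `@@ -47931`) introduces a typo, `Uers`, into text that was correct before; keep `description: Specifies a set of Users to be included or excluded`. The new `app` property is also inserted between `network` and `people`, breaking the alphabetical order the surrounding properties follow; placing it before `network` keeps the object consistent.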
From: Antoine Piron Date: Tue, 25 Mar 2025 09:29:55 +0100 Subject: [PATCH 15/43] OpenApi: Add missing ChromeOs to PolicyPlatformOperatingSystemType enum OpenApi: Update InlineHooks to match the latest spec --- src/swagger/api.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 5ea5738def5..d9cedc114e5 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -58787,6 +58787,7 @@ components: - ANY - IOS - OSX + - CHROMEOS - OTHER - WINDOWS PolicyPlatformType: From a6fb10096d53ec5d1e8d1a037d71c8ea923fa5f8 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Thu, 27 Mar 2025 14:40:59 +0100 Subject: [PATCH 16/43] OpenApi: remove readOnly on PasswordPolicyRecoveryQuestionComplexity minLength property OpenApi: Update InlineHooks to match the latest spec --- src/swagger/api.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index d9cedc114e5..9d36404ea9e 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -58300,7 +58300,6 @@ components: minLength: description: Minimum length of the password recovery question answer type: integer - readOnly: true default: 4 PasswordPolicyRecoveryQuestionProperties: type: object From 370b8a26607ef6166bffd924952c36948156b1f0 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Tue, 22 Apr 2025 17:37:23 +0200 Subject: [PATCH 17/43] OpenApi: Add missing permissions in RolePermissionType Enum --- src/swagger/api.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 9d36404ea9e..5e0dca2f3ef 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -61150,6 +61150,8 @@ components: description: Permission type type: string enum: + - okta.agents.manage + - okta.agents.register - okta.apps.assignment.manage - okta.apps.manage - okta.apps.manageFirstPartyApps 
@@ -61166,6 +61168,7 @@ components: - okta.devices.lifecycle.unsuspend - okta.devices.manage - okta.devices.read + - okta.directories.manage - okta.governance.accessCertifications.manage - okta.governance.accessRequests.manage - okta.groups.appAssignment.manage @@ -61173,10 +61176,13 @@ components: - okta.groups.manage - okta.groups.members.manage - okta.groups.read + - okta.iam.read - okta.identityProviders.manage - okta.identityProviders.read - okta.profilesources.import.run + - okta.realms.manage - okta.support.cases.manage + - okta.users.apitokens.manage - okta.users.appAssignment.manage - okta.users.create - okta.users.credentials.expirePassword @@ -61195,6 +61201,10 @@ components: - okta.users.manage - okta.users.read - okta.users.userprofile.manage + - okta.workflows.flows.read + - okta.workflows.flows.invoke + - okta.workflows.invoke + - okta.workflows.read RoleType: description: Standard role type type: string From 86245d4529b5c5b85ca53e4e9538ceae1d116094 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Mon, 5 May 2025 10:08:11 +0200 Subject: [PATCH 18/43] OpenApi: Add missing GovernanceBundle Api calls --- src/swagger/api.yaml | 312 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 312 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 5e0dca2f3ef..649c3218871 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
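Review bot: The four `okta.workflows.*` values appended to `RolePermissionType` (hunk `@@ -61195`) break the alphabetical order the enum otherwise keeps: `okta.workflows.flows.invoke` should precede `okta.workflows.flows.read`. Swap the two lines so the list stays sorted and later additions have an unambiguous slot.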
@@ -11434,6 +11434,318 @@ paths: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true + /api/v1/iam/governance/bundles: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + get: + summary: List all governance bundles for the Admin Console + description: Lists all Governance Bundles for the Admin Console in your + org + operationId: listGovernanceBundles + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundlesResponse' + examples: + GovernanceBundlesResponse: + $ref: '#/components/examples/GovernanceBundlesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + post: + summary: Create a governance bundle for the Admin Console in RAMP + description: Creates a Governance Bundle for the Admin Console in RAMP + operationId: createGovernanceBundle + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundleCreateRequest' + examples: + GovernanceBundleCreateRequestStandardRole: + $ref: '#/components/examples/GovernanceBundleCreateRequestStandardRole' + GovernanceBundleCreateRequestScopedStandardRole: + $ref: '#/components/examples/GovernanceBundleCreateRequestScopedStandardRole' + GovernanceBundleCreateRequestCustomRole: + $ref: '#/components/examples/GovernanceBundleCreateRequestCustomRole' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundle' + examples: + createGovernanceBundleResponse: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: 
'#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + /api/v1/iam/governance/bundles/{bundleId}: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' + get: + summary: Retrieve a governance bundle from RAMP + description: Retrieves a Governance Bundle from RAMP + operationId: getGovernanceBundle + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundle' + examples: + GovernanceBundle: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + put: + summary: Replace a governance bundle in RAMP + description: Replaces a Governance Bundle in RAMP + operationId: replaceGovernanceBundle + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundleUpdateRequest' + examples: + GovernanceBundleUpdateRequestStandardRole: + $ref: '#/components/examples/GovernanceBundleUpdateRequestStandardRole' + GovernanceBundleUpdateRequestScopedStandardRole: + $ref: '#/components/examples/GovernanceBundleUpdateRequestScopedStandardRole' + GovernanceBundleUpdateRequestCustomRole: + $ref: '#/components/examples/GovernanceBundleUpdateRequestCustomRole' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GovernanceBundle' + examples: + GovernanceBundle: + $ref: '#/components/examples/GovernanceBundle' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '403': + $ref: 
'#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + delete: + summary: Delete a governance bundle from RAMP + description: Deletes a Governance Bundle from RAMP + operationId: deleteGovernanceBundle + responses: + '204': + description: No Content + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + /api/v1/iam/governance/bundles/{bundleId}/entitlements: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' + get: + summary: List all entitlements for a governance bundle + description: Lists all Entitlements specific to a Governance Bundle + operationId: listBundleEntitlements + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/BundleEntitlementsResponse' + examples: + BundleEntitlementsResponse: + $ref: '#/components/examples/BundleEntitlementsResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + /api/v1/iam/governance/bundles/{bundleId}/entitlements/{entitlementId}/values: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + parameters: + - $ref: '#/components/parameters/pathBundleId' + - $ref: '#/components/parameters/pathEntitlementId' + get: + summary: List all entitlement values for a bundle entitlement + description: Lists all Entitlement Values specific to a Bundle Entitlement + operationId: 
listBundleEntitlementValues + parameters: + - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryLimit' + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/EntitlementValuesResponse' + examples: + EntitlementValuesResponse: + $ref: '#/components/examples/EntitlementValuesResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + /api/v1/iam/governance/optIn: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] + get: + summary: Retrieve the opt-in status from RAMP + description: Retrieves the opt-in status of the Admin Console from RAMP + operationId: getOptInStatus + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/OptInStatusResponse' + examples: + OptInStatusResponse: + $ref: '#/components/examples/OptInStatusResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.read + tags: + - GovernanceBundle + post: + summary: Opt in the Admin Console to RAMP + description: Opts in the Admin Console to RAMP + operationId: optIn + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OptInStatusResponse' + examples: + OptInStatusResponse: + $ref: '#/components/examples/OptInStatusResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + /api/v1/iam/governance/optOut: + post: + summary: Opt out the Admin Console from RAMP + description: Opts out the Admin Console from 
RAMP + operationId: optOut + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/OptInStatusResponse' + examples: + OptOutStatusResponse: + $ref: '#/components/examples/OptOutStatusResponse' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.roles.manage + tags: + - GovernanceBundle + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: false + SKUs: [] /api/v1/iam/resource-sets: get: summary: List all Resource Sets From fe0cd00b72ead63b5263b884a84dd6d9cc4052af Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Mon, 5 May 2025 10:54:26 +0200 Subject: [PATCH 19/43] OpenApi: Revert fix version of API POM --- api/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/pom.xml b/api/pom.xml index 66490b2ad3b..0ae2376e06b 100644 --- a/api/pom.xml +++ b/api/pom.xml @@ -21,7 +21,7 @@ com.okta.sdk okta-sdk-root - 20.0.1-SNAPSHOT + 23.0.0 okta-sdk-api From 50f630b7ea4f8013deb7dd705ea27961407a751d Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Mon, 5 May 2025 11:27:12 +0200 Subject: [PATCH 20/43] fix: update versions in root pom file --- pom.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index 1d81bb8d5a3..42b1ab4ea2b 100644 --- a/pom.xml +++ b/pom.xml @@ -68,12 +68,12 @@ com.okta.sdk okta-sdk-api - 22.0.0 + ${project.version} com.okta.sdk okta-sdk-impl - 22.0.0 + ${project.version} @@ -103,14 +103,14 @@ com.okta.sdk okta-sdk-integration-tests - 22.0.0 + ${project.version} com.okta.sdk okta-sdk-examples-quickstart - 22.0.0 + ${project.version} From 311473b409d737f970fdd91c408c4cc45d543db7 Mon Sep 17 00:00:00 2001 
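Review bot: Every new governance path sets `lifecycle: GA` together with `isGenerallyAvailable: false`, which reads as contradictory next to the existing paths on this page where GA is paired with `true`; if the feature is gated, confirm the intended `lifecycle` value rather than leaving the two fields in disagreement. The `/api/v1/iam/governance/optOut` path also places `x-okta-lifecycle` after `post`, whereas its siblings put it first — move it up for consistency. None of the `{bundleId}` operations declare a `'404'` response although they take a resource id; if the service returns 404 for an unknown bundle, add the corresponding `$ref` to the shared not-found response (its component name is not visible in this hunk). This hunk starts several lines earlier on the page.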
From: Antoine Piron Date: Mon, 16 Jun 2025 08:45:16 +0200 Subject: [PATCH 21/43] fix: add Okta to IdentityProviderType for Idp Discovery Rule Creation --- src/swagger/api.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 649c3218871..18720a26c38 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -53789,6 +53789,7 @@ components: - XERO - YAHOO - YAHOOJP + - OKTA IdentitySourceSession: type: object properties: From d3492ce94be50b10cd1f5a17253ef14081600cbd Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Mon, 16 Jun 2025 15:24:25 +0200 Subject: [PATCH 22/43] OpenApi: add nullable items property to UserSchemaAttributeType --- src/swagger/api.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 18720a26c38..d8fbe50d10e 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -66473,6 +66473,14 @@ components: - $ref: '#/components/schemas/UserSchemaAttributeType' unique: type: string + items: + type: object + nullable: true + properties: + type: + description: Type of property of the main type is an Array + allOf: + - $ref: '#/components/schemas/UserSchemaAttributeType' x-okta-allow-null-property-value-for-updates: true UserSchemaAttributeEnum: type: object From c97cc0e6d1f1d1ffcb93699a5e6137548230d20a Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Mon, 30 Jun 2025 10:30:16 +0200 Subject: [PATCH 23/43] OpenApi: fix API Service Integration related components --- src/swagger/api.yaml | 94 ++++++++++++++++++++++++++++++++------------ 1 file changed, 68 insertions(+), 26 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index d8fbe50d10e..1885ede09b9 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
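Review bot: The description added for `items.type` on `UserSchemaAttributeType` (hunk `@@ -66473`) is ungrammatical: `Type of property of the main type is an Array`. Suggest `description: Type of the array elements when the attribute's main type is an array`. The enclosing `UserSchemaAttribute*` property block starts outside the hunk.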
@@ -46364,7 +46364,7 @@ components: createdAt: type: string description: Timestamp when the API Service Integration instance was created - example: '2023-02-21T20:08:24.000Z' + example: 2023-02-21T20:08:24.000Z readOnly: true createdBy: type: string @@ -46373,11 +46373,12 @@ components: readOnly: true grantedScopes: type: array - description: The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management). + description: The list of Okta management scopes granted to the API Service + Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management). items: type: string example: - - okta.logs.read + - okta.logs.read id: type: string description: The ID of the API Service Integration instance @@ -46385,12 +46386,18 @@ components: example: 0oa72lrepvp4WqEET1d9 name: type: string - description: The name of the API service integration that corresponds with the `type` property. This is the full name of the API service integration listed in the Okta Integration Network (OIN) catalog. + description: The name of the API service integration that corresponds with + the `type` property. This is the full name of the API service integration + listed in the Okta Integration Network (OIN) catalog. readOnly: true example: My App Cloud Identity Engine + properties: + $ref: '#/components/schemas/AppProperties' type: type: string - description: The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. For example, `my_api_log_integration`. + description: The type of the API service integration. This string is an + underscore-concatenated, lowercased API service integration name. For + example, `my_api_log_integration`. example: my_app_cie _links: $ref: '#/components/schemas/APIServiceIntegrationLinks' 
@@ -46400,13 +46407,17 @@ components: properties: client_secret: type: string - description: The OAuth 2.0 client secret string. The client secret string is returned in the response of a Secret creation request. In other responses (such as list, activate, or deactivate requests), the client secret is returned as an undisclosed hashed value. + description: The OAuth 2.0 client secret string. The client secret string + is returned in the response of a Secret creation request. In other responses + (such as list, activate, or deactivate requests), the client secret is + returned as an undisclosed hashed value. example: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B readOnly: true created: type: string - description: Timestamp when the API Service Integration instance Secret was created - example: '2023-02-21T20:08:24.000Z' + description: Timestamp when the API Service Integration instance Secret + was created + example: 2023-02-21T20:08:24.000Z readOnly: true id: type: string @@ -46415,8 +46426,9 @@ components: readOnly: true lastUpdated: type: string - description: Timestamp when the API Service Integration instance Secret was updated - example: '2023-02-21T20:08:24.000Z' + description: Timestamp when the API Service Integration instance Secret + was updated + example: 2023-02-21T20:08:24.000Z readOnly: true secret_hash: type: string 
@@ -46426,23 +46438,27 @@ components: status: type: string enum: - - ACTIVE - - INACTIVE + - ACTIVE + - INACTIVE description: Status of the API Service Integration instance Secret example: ACTIVE _links: $ref: '#/components/schemas/APIServiceIntegrationSecretLinks' readOnly: true required: - - id - - status - - client_secret - - created - - lastUpdated - - secret_hash - - _links + - id + - status + - client_secret + - created + - lastUpdated + - secret_hash + - _links APIServiceIntegrationLinks: - description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) + available for the current status of an application using the [JSON Hypertext + Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related resources + and lifecycle operations. properties: client: $ref: '#/components/schemas/HrefObjectClientLink' 
@@ -46452,7 +46468,11 @@ components: $ref: '#/components/schemas/HrefObjectSelfLink' readOnly: true APIServiceIntegrationSecretLinks: - description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. + description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) + available for the current status of an application using the [JSON Hypertext + Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) + specification. This object is used for dynamic discovery of related resources + and lifecycle operations. properties: activate: $ref: '#/components/schemas/HrefObjectActivateLink' @@ -46993,6 +47013,23 @@ components: type: array items: type: string + AppProperties: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + description: App instance properties + additionalProperties: + type: object + properties: + name: + type: string + description: Name of the property + example: baseUrl + value: + type: string + description: Value of the property + example: https://example.com + type: object AppLink: type: object properties: 
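Review bot: `AppProperties` declares each map value with `name` and `value` but no `required` list, so an empty `{}` entry validates; if the server needs both, add `required:` / `- name` / `- value` under the `additionalProperties` schema. The `name` inside each value duplicates the map key, and the description should say whether the two must match.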
@@ -67448,18 +67485,23 @@ components: properties: grantedScopes: type: array - description: The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management). + description: The list of Okta management scopes granted to the API Service + Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management). items: type: string example: - - okta.logs.read + - okta.logs.read + properties: + $ref: '#/components/schemas/AppProperties' type: type: string - description: The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. For example, `my_api_log_integration`. + description: The type of the API service integration. This string is an + underscore-concatenated, lowercased API service integration name. For + example, `my_api_log_integration`. example: my_app_cie required: - - type - - grantedScopes + - type + - grantedScopes profile: description: Specific profile properties for the privileged account additionalProperties: From dedf5731ff30c5e350128f73a62ebe3445a08b66 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Mon, 30 Jun 2025 10:38:18 +0200 Subject: [PATCH 24/43] OpenApi: fix API Service Integration post request security --- src/swagger/api.yaml | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 1885ede09b9..d3e0b17133c 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
@@ -24103,11 +24103,11 @@ paths: - Okta Identity Engine /integrations/api/v1/api-services: get: - summary: List all API Service Integration instances + summary: List all API service integration instances description: Lists all API Service Integration instances with a pagination option operationId: listApiServiceIntegrationInstances parameters: - - $ref: '#/components/parameters/queryAfter' + - $ref: '#/components/parameters/queryAfter' responses: '200': description: OK @@ -24127,16 +24127,16 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] - - oauth2: - - okta.oauthIntegrations.read + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.read tags: - - ApiServiceIntegrations + - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: - summary: Create an API Service Integration instance + summary: Create an API service integration instance description: Creates and authorizes an API Service Integration instance operationId: createApiServiceIntegrationInstance requestBody: @@ -24147,6 +24147,8 @@ paths: examples: postAPIServiceIntegrationRequestExample: $ref: '#/components/examples/postAPIServiceIntegrationRequest' + postAPIServiceWithPropertiesIntegrationRequestExample: + $ref: '#/components/examples/postAPIServiceWithPropertiesIntegrationRequest' required: true responses: '201': @@ -24158,6 +24160,8 @@ paths: examples: APIServiceIntegrationResponseExample: $ref: '#/components/examples/postAPIServiceIntegrationResponse' + APIServiceWithPropertiesIntegrationResponseExample: + $ref: '#/components/examples/postAPIServiceWithPropertiesIntegrationResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': 
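Review bot: The added refs `#/components/examples/postAPIServiceWithPropertiesIntegrationRequest` and `#/components/examples/postAPIServiceWithPropertiesIntegrationResponse` are not defined in this patch — its diffstat of 15 insertions and 9 deletions is fully accounted for by the five hunks shown — so unless an earlier patch in the series adds them under `components.examples`, they dangle and `$ref` resolution fails. Either add the two example objects in the same commit or drop the refs until they exist.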
@@ -24167,9 +24171,11 @@ paths: '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - - apiToken: [] + - apiToken: [] + - oauth2: + - okta.oauthIntegrations.manage tags: - - ApiServiceIntegrations + - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true From aa5b8268ab4ef651a7003aba4e22aed6003d4c06 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Tue, 1 Jul 2025 11:24:54 +0200 Subject: [PATCH 25/43] OpenApi: add missing description to userSchema --- src/swagger/api.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index d3e0b17133c..aec5b4ea4ee 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -66380,6 +66380,9 @@ components: type: string readOnly: true description: Timestamp when the Schema was created + description: + type: string + description: The description of the Schema definitions: allOf: - $ref: '#/components/schemas/UserSchemaDefinitions' From d0409ece79f5b938f17a97dd9f4a80170c22363c Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Tue, 1 Jul 2025 11:39:20 +0200 Subject: [PATCH 26/43] Revert "OpenApi: add missing description to userSchema" This reverts commit aa5b8268ab4ef651a7003aba4e22aed6003d4c06. --- src/swagger/api.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index aec5b4ea4ee..d3e0b17133c 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -66380,9 +66380,6 @@ components: type: string readOnly: true description: Timestamp when the Schema was created - description: - type: string - description: The description of the Schema definitions: allOf: - $ref: '#/components/schemas/UserSchemaDefinitions' From 111611c109785542a6af0109e28455e9478190ea Mon Sep 17 00:00:00 2001 
From: Antoine Piron Date: Tue, 8 Jul 2025 15:50:56 +0200 Subject: [PATCH 27/43] OpenApi: fix return type of /oauth2/v1/clients/{clientId}/roles --- src/swagger/api.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index d3e0b17133c..991dd0ce64d 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -24424,9 +24424,11 @@ paths: content: application/json: schema: - oneOf: - - $ref: '#/components/schemas/StandardRole' - - $ref: '#/components/schemas/CustomRole' + type: array + items: + oneOf: + - $ref: '#/components/schemas/StandardRole' + - $ref: '#/components/schemas/CustomRole' examples: Standard Roles: $ref: '#/components/examples/StandardRolesListResponseClient' From c74a8abd88609fc2096c978864d9c69f5da933c2 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Wed, 9 Jul 2025 16:55:07 +0200 Subject: [PATCH 28/43] OpenApi: add missing default attribute to UserSchemaAttribute --- src/swagger/api.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 991dd0ce64d..f43bf861072 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -66417,6 +66417,9 @@ components: UserSchemaAttribute: type: object properties: + default: + nullable: true + type: object description: type: string description: Description of the property From cdd80f4d1f279b723e43a2b8fe916be4cf7a39ad Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Fri, 1 Aug 2025 15:28:19 +0200 Subject: [PATCH 29/43] OpenApi: Fix heritance of PostAuthSessionFailureActionsObject --- src/swagger/api.yaml | 32 +++++++++++++------------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index f43bf861072..0098005c9d1 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
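Review bot: The new `default` property on `UserSchemaAttribute` has no `description`, and `type: object` is narrower than a schema default can hold if scalar defaults (string, number, boolean) are accepted, in which case a strict client generator would reject valid payloads. If any JSON value is allowed, omit `type` and keep `nullable: true`; in either case add `description: Default value of the property`. Whether scalars are accepted is not visible from this hunk and should be confirmed against the server.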
@@ -59471,27 +59471,21 @@ components: people: $ref: '#/components/schemas/PolicyPeopleCondition' PostAuthSessionPolicyRuleRunWorkflow: - type: object - properties: - action: - type: string - enum: - - RUN_WORKFLOW - workflow: - type: object - description: This action runs a workflow + allOf: + - $ref: '#/components/schemas/PostAuthSessionFailureActionsObject' + - type: object properties: - id: - type: integer - description: The `id` of the workflow that runs. + workflow: + type: object + description: This action runs a workflow + properties: + id: + type: integer + description: The `id` of the workflow that runs. PostAuthSessionPolicyRuleTerminateSession: - type: object - properties: - action: - type: string - description: The action to take when post auth session evaluation detects a failure. - enum: - - TERMINATE_SESSION + allOf: + - $ref: '#/components/schemas/PostAuthSessionFailureActionsObject' + - type: object PreRegistrationInlineHook: type: object properties: From a5d2623138b6cc3fe8f50f3fa597d1714d3c7c64 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Thu, 7 Aug 2025 14:38:28 +0200 Subject: [PATCH 30/43] OpenApi: add missing userVerificationMethods to PossesionConstraint --- src/swagger/api.yaml | 75 +++++++++++++++++++++++++++----------------- 1 file changed, 46 insertions(+), 29 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 0098005c9d1..a4cec8d4b0c 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
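Review bot: After the move to `allOf` over `PostAuthSessionFailureActionsObject`, neither `PostAuthSessionPolicyRuleRunWorkflow` nor `PostAuthSessionPolicyRuleTerminateSession` states which `action` value it represents; the removed lines pinned `RUN_WORKFLOW` and `TERMINATE_SESSION` respectively. Unless the base schema, which is outside this hunk, carries a discriminator mapping to these two schemas, that constraint is lost. Narrow it back inside each `- type: object` member: `action:` / `  enum:` / `    - RUN_WORKFLOW` (and `TERMINATE_SESSION` for the other). `id: type: integer` on `workflow` is also worth confirming, since other identifiers in this file are strings.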
@@ -59370,45 +59370,62 @@ components: - PENDING - SUSPENDED PossessionConstraint: - allOf: - - $ref: '#/components/schemas/AccessPolicyConstraint' - - type: object - properties: - deviceBound: - type: string - description: Indicates if device-bound Factors are required. This property is only set for `POSSESSION` constraints. - enum: + allOf: + - $ref: '#/components/schemas/AccessPolicyConstraint' + - type: object + properties: + deviceBound: + type: string + description: Indicates if device-bound Factors are required. This + property is only set for `POSSESSION` constraints. + enum: - OPTIONAL - REQUIRED - default: OPTIONAL - hardwareProtection: - type: string - description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints. - enum: + default: OPTIONAL + hardwareProtection: + type: string + description: Indicates if any secrets or private keys used during + authentication must be hardware protected and not exportable. This + property is only set for `POSSESSION` constraints. + enum: - OPTIONAL - REQUIRED - default: OPTIONAL - phishingResistant: - type: string - description: Indicates if phishing-resistant Factors are required. This property is only set for `POSSESSION` constraints. - enum: + default: OPTIONAL + phishingResistant: + type: string + description: Indicates if phishing-resistant Factors are required. + This property is only set for `POSSESSION` constraints. + enum: - OPTIONAL - REQUIRED - default: OPTIONAL - userPresence: - type: string - description: Indicates if the user needs to approve an Okta Verify prompt or provide biometrics (meets NIST AAL2 requirements). This property is only set for `POSSESSION` constraints. - enum: + default: OPTIONAL + userPresence: + type: string + description: Indicates if the user needs to approve an Okta Verify + prompt or provide biometrics (meets NIST AAL2 requirements). 
This + property is only set for `POSSESSION` constraints. + enum: - OPTIONAL - REQUIRED - default: REQUIRED - userVerification: - type: string - description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor - enum: + default: REQUIRED + userVerification: + type: string + description: Indicates the user interaction requirement (PIN or biometrics) + to ensure verification of a possession factor + enum: - OPTIONAL - REQUIRED - default: OPTIONAL + default: OPTIONAL + userVerificationMethods: + description: Indicates which methods can be used for user verification. + `userVerificationMethods` can only be used when `userVerification` + is `REQUIRED`. `BIOMETRICS` is currently the only supported method. + type: array + items: + type: string + enum: + - BIOMETRICS + - PIN PostAuthKeepMeSignedInPrompt: type: object properties: From a1db848b7af6e4aa28ef871283c2d5f1ce27fb36 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Thu, 7 Aug 2025 15:09:32 +0200 Subject: [PATCH 31/43] OpenApi: add missing ProtocolIdVerification and associated schemas --- src/swagger/api.yaml | 166 +++++++++++++++++++++++++++++++++---------- 1 file changed, 130 insertions(+), 36 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index a4cec8d4b0c..58f0263eb03 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
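Review bot: `userVerificationMethods` lists `PIN` in its enum while its own description says `BIOMETRICS` is currently the only supported method, and the later PATCH 36 hunk adds the same property to `AuthenticationMethod` with only `BIOMETRICS`. Either drop `- PIN` here or reword the description so the two schemas agree. The rule that the property is only valid when `userVerification` is `REQUIRED` cannot be expressed in the schema, so the same sentence should appear in both descriptions.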
@@ -53359,6 +53359,86 @@ components: type: array items: type: string + IDVAuthorizationEndpoint: + description: IDV authorization endpoint + type: object + properties: + binding: + type: string + enum: + - HTTP-REDIRECT + url: + type: string + description: URL of the IDV `authorization` endpoint + readOnly: true + IDVCredentials: + description: Credentials for verifying requests to the IDV + type: object + properties: + bearer: + type: object + description: Client credential for `IDV_PERSONA` IdP type + properties: + apiKey: + type: string + description: The API key that you generate in your Persona dashboard + required: + - apiKey + client: + type: object + description: + Client + credentials for `IDV_CLEAR` and `IDV_INCODE` IdP types + properties: + client_id: + type: string + description: The client ID that you generate in your IDV + client_secret: + type: string + description: The client secret that you generate in your IDV + required: + - client_id + - client_secret + x-okta-lifecycle: + lifecycle: EA + isGenerallyAvailable: false + SKUs: + - Okta Identity Engine + IDVEndpoints: + description: Contains the endpoints for the IDV + type: object + properties: + authorization: + $ref: '#/components/schemas/IDVAuthorizationEndpoint' + par: + $ref: '#/components/schemas/IDVParEndpoint' + token: + $ref: '#/components/schemas/IDVTokenEndpoint' + readOnly: true + IDVParEndpoint: + description: IDV [PAR](https://datatracker.ietf.org/doc/html/rfc9126) endpoint + type: object + properties: + binding: + type: string + enum: + - HTTP-POST + url: + type: string + description: URL of the IDV `par` endpoint + readOnly: true + IDVTokenEndpoint: + description: IDV token endpoint + type: object + properties: + binding: + type: string + enum: + - HTTP-POST + url: + type: string + description: URL of the IDV `token` endpoint + readOnly: true IPNetworkZone: allOf: - $ref: '#/components/schemas/NetworkZone' 
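Review bot: `IDVCredentials.bearer.apiKey` and `IDVCredentials.client.client_secret` are plain `type: string` properties with no `writeOnly: true`, so generated clients and docs will expect the raw secret in every GET and list response, unlike `APIServiceIntegrationSecret.client_secret`, whose description says non-creation responses return a hashed value. If the IDV credentials are likewise not echoed, add `writeOnly: true` to both and say so in the description; if they are returned verbatim, state that explicitly so consumers treat the response as sensitive. The sibling `IDVEndpoints` already carries `readOnly: true`, so the same style fits here.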
@@ -53813,28 +53893,31 @@ components: | `YAHOOJP` | [Yahoo Japan](https://login.yahoo.co.jp/config/login) as the Identity Provider | OpenID Connect | `openid`, `profile`, `email` | type: string enum: - - AMAZON - - APPLE - - DISCORD - - FACEBOOK - - GITHUB - - GITLAB - - GOOGLE - - LINKEDIN - - LOGINGOV - - LOGINGOV_SANDBOX - - MICROSOFT - - OIDC - - PAYPAL - - PAYPAL_SANDBOX - - SALESFORCE - - SAML2 - - SPOTIFY - - X509 - - XERO - - YAHOO - - YAHOOJP - - OKTA + - AMAZON + - APPLE + - DISCORD + - FACEBOOK + - GITHUB + - GITLAB + - GOOGLE + - IDV_CLEAR + - IDV_INCODE + - IDV_PERSONA + - LINKEDIN + - LOGINGOV + - LOGINGOV_SANDBOX + - MICROSOFT + - OIDC + - OKTA + - PAYPAL + - PAYPAL_SANDBOX + - SALESFORCE + - SAML2 + - SPOTIFY + - X509 + - XERO + - YAHOO + - YAHOOJP IdentitySourceSession: type: object properties: @@ -56771,6 +56854,14 @@ components: - code - id_token - token + OAuthScopes: + description: |- + IdP-defined permission bundles to request delegated access from the user. + > **Note:** The [identity provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each IdP. + items: + type: string + example: public_profile + type: array OAuthTokenEndpoint: description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18) type: object @@ -60129,6 +60220,7 @@ components: OAUTH2: '#/components/schemas/ProtocolOAuth' OIDC: '#/components/schemas/ProtocolOidc' MTLS: '#/components/schemas/ProtocolMtls' + ID_PROOFING: "#/components/schemas/ProtocolIdVerification" ProtocolAlgorithmRequestScope: description: Specifies whether to digitally sign authorization requests to the IdP example: REQUEST 
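Review bot: The new discriminator entry uses double quotes, `ID_PROOFING: "#/components/schemas/ProtocolIdVerification"`, while the three existing mappings in the same block use single quotes; write it `ID_PROOFING: '#/components/schemas/ProtocolIdVerification'` to match. The IdP `type` enum in the first hunk is also re-sorted, which buries the three added `IDV_*` values in reorder noise; a separate commit for the sort would keep the functional change reviewable.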
@@ -60153,6 +60245,19 @@ components: enum: - HTTP-POST - HTTP-REDIRECT + ProtocolIdVerification: + title: ID Verification + description: Protocol settings for the IDV + allOf: + - $ref: '#/components/schemas/Protocol' + - type: object + properties: + credentials: + $ref: '#/components/schemas/IDVCredentials' + endpoints: + $ref: '#/components/schemas/IDVEndpoints' + scopes: + $ref: '#/components/schemas/OAuthScopes' ProtocolMtls: title: Mutual TLS Protocol description: Protocol settings for the [MTLS Protocol](https://tools.ietf.org/html/rfc5246#section-7.4.4) @@ -60176,13 +60281,7 @@ components: endpoints: $ref: '#/components/schemas/OAuthEndpoints' scopes: - type: array - description: |- - IdP-defined permission bundles to request delegated access from the User - > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. - items: - type: string - example: public_profile + $ref: '#/components/schemas/OAuthScopes' ProtocolOidc: title: OpenID Connect Protocol description: Protocol settings for authentication using the [OpenID Connect Protocol](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) 
@@ -60197,13 +60296,7 @@ components: endpoints: $ref: '#/components/schemas/OAuthEndpoints' scopes: - type: array - description: |- - OpenID Connect and IdP-defined permission bundles to request delegated access from the User - > **Note:** The [Identity Provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each Identity Provider. - items: - type: string - example: openid + $ref: '#/components/schemas/OAuthScopes' ProtocolSaml: title: SAML 2.0 Protocol description: Protocol settings for the [SAML 2.0 Authentication Request Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) @@ -60305,6 +60398,7 @@ components: - OAUTH2 - OIDC - SAML2 + - ID_PROOFING ProviderType: type: string enum: From 3f3a8c6a4dd4c890bfe8e513f562ea9e3c1f0331 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Thu, 7 Aug 2025 16:49:16 +0200 Subject: [PATCH 32/43] OpenApi: add missing IdProofingMethod VerificationMethod --- src/swagger/api.yaml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 58f0263eb03..9cf48d03f53 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -53601,6 +53601,18 @@ components: description: Base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate type: string example: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE + IdProofingMethod: + x-okta-lifecycle: + lifecycle: LIMITED_GA + isGenerallyAvailable: false + SKUs: [] + allOf: + - $ref: '#/components/schemas/VerificationMethod' + - type: object + properties: + id: + type: string + description: ID for ID proofing entity IdentityProvider: type: object properties: 
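Review bot: Replacing the inline `scopes` schema of `ProtocolOidc` with `$ref: '#/components/schemas/OAuthScopes'` changes its example from `openid` to `public_profile` and drops the sentence that OIDC scopes include the OpenID Connect set; an OIDC request example without `openid` is misleading. Either give `OAuthScopes` a neutral description and example, or keep a local `description` on this property noting that `openid` is expected. The enclosing `ProtocolOidc` definition starts before this hunk.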
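Review bot: `IdProofingMethod` has no `description`, unlike the sibling schemas in this region, and its only property is described as `ID for ID proofing entity` without naming the entity. If it refers to the identity provider of an `IDV_*` type added by the previous patch, say so, e.g. `description: ID of the identity verification provider used for ID proofing` (wording to be confirmed). `SKUs: []` together with `lifecycle: LIMITED_GA` is also worth checking against how other limited-availability schemas in the file are marked.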
@@ -59379,6 +59391,7 @@ components: enum: - ASSURANCE - AUTH_METHOD_CHAIN + - ID_PROOFING PolicySubject: description: Specifies the behavior for establishing, validating, and matching a username for an IdP User type: object @@ -67055,11 +67068,7 @@ components: - $ref: '#/components/schemas/HrefObject' - description: Link to the [Application Users](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers) resource VerificationMethod: - description: |- - Describes the method for verifying the user. The supported method types are `ASSURANCE` and `AUTH_METHOD_CHAIN`. - - The method type `AUTH_METHOD_CHAIN` is an [Early Access](https://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) (Self-Service) feature. You can - enable the feature for your org from the **Settings** > **Features** page in the Admin Console. + description: The method used to verify a user type: object properties: type: @@ -67069,6 +67078,7 @@ components: mapping: ASSURANCE: '#/components/schemas/AssuranceMethod' AUTH_METHOD_CHAIN: '#/components/schemas/AuthenticationMethodChainMethod' + ID_PROOFING: '#/components/schemas/IdProofingMethod' Version: description: The version specified as a [Semantic Version](https://semver.org/). type: string From 782d3cf3f56c87db46861bf7bb189102cbbcdb7b Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Wed, 27 Aug 2025 08:10:53 +0200 Subject: [PATCH 33/43] OpenApi: remove format attribute from created and lastUpdated property in BehaviorRule as it is not formatted correctly --- src/swagger/api.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 9cf48d03f53..bb6b15d9e08 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
@@ -49276,14 +49276,12 @@ components: properties: created: type: string - format: date-time readOnly: true id: type: string readOnly: true lastUpdated: type: string - format: date-time readOnly: true name: type: string From 201f9e746590f1cdf7dbfe630441c9d21a490bf9 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Wed, 1 Oct 2025 15:27:21 +0200 Subject: [PATCH 34/43] OpenApi: clarify typing of authentication methods --- src/swagger/api.yaml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index bb6b15d9e08..2aa52a1d8b9 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -48063,15 +48063,26 @@ components: $ref: '#/components/schemas/AuthenticationMethod' type: array next: - type: array - description: The next steps of the authentication method chain. This is an array of `AuthenticationMethodChain`. Only supports one item in the array. items: - type: object + $ref: '#/components/schemas/AuthenticationMethodNext' + type: array reauthenticateIn: type: string description: |- Specifies how often the user should be prompted for authentication using duration format for the time period. For example, `PT2H30M` for two and a half hours. This parameter can't be set at the same time as the `reauthenticateIn` property on the `verificationMethod`. + AuthenticationMethodNext: + type: object + properties: + authenticationMethods: + items: + $ref: '#/components/schemas/AuthenticationMethod' + type: array + reauthenticateIn: + type: string + description: |- + Specifies how often the user should be prompted for authentication using duration format for the time period. + For example, `PT2H30M` for two and a half hours. This parameter can't be set at the same time as the `reauthenticateIn` property on the `verificationMethod`. AuthenticationMethodChainMethod: x-okta-lifecycle: lifecycle: EA From c83bc7ebef27455f5c9c4c972851ded246613194 Mon Sep 17 00:00:00 2001 
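Review bot: Removing `format: date-time` from `BehaviorRule.created` and `lastUpdated` leaves both properties with no description and no indication of the format they do use; the commit message says the value is not RFC 3339-formatted, which is exactly what a consumer needs to know. Add a `description:` to each stating the actual serialization, e.g. `description: Timestamp when the rule was created, formatted as <ACTUAL FORMAT>` with the placeholder filled in from the server behaviour.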
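Review bot: The removed description on `next` said the array only supports one item; the new `items: $ref: AuthenticationMethodNext` keeps no such constraint, so validators now accept any length. Add `maxItems: 1` to `next` together with `description: The next step of the authentication method chain. Only one item is supported.` so the limit survives the retype. `AuthenticationMethodNext` itself also has no `description`.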
From: Antoine Piron Date: Tue, 7 Oct 2025 17:03:58 +0200 Subject: [PATCH 35/43] OpenApi: add missing attribute to SamlSettings --- src/swagger/api.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 2aa52a1d8b9..79eeb4326a5 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -62401,6 +62401,9 @@ components: default: true nameFormat: $ref: '#/components/schemas/SamlNameIdFormat' + sendApplicationContext: + type: boolean + nullable: true SamlSigningAlgorithm: example: SHA-256 type: string From 82fdf3569cc7cc4aaa4c1aef25ccc9f02e81059c Mon Sep 17 00:00:00 2001 From: eolia-bagnoli-backupta Date: Wed, 15 Oct 2025 11:39:15 +0200 Subject: [PATCH 36/43] OpenApi: add missing parameter in AuthenticationMethod object --- src/swagger/api.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 79eeb4326a5..7c19a4ec516 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -48052,6 +48052,13 @@ components: - OPTIONAL - REQUIRED default: OPTIONAL + userVerificationMethods: + type: array + items : + type : string + enum: + - BIOMETRICS + required: false required: - key - method From 5227224ce97b885d3e5a5036d9c70f17ead37460 Mon Sep 17 00:00:00 2001 From: Antoine Piron Date: Thu, 13 Nov 2025 16:18:38 +0100 Subject: [PATCH 37/43] OpenApi: add all GroupPushMappings components --- src/swagger/api.yaml | 411 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 411 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 7c19a4ec516..1e6186fb043 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
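Review bot: `sendApplicationContext` is added with no `description`, and a boolean that is also `nullable: true` needs a sentence saying what `null` means as opposed to `false`. Suggested: `description: Whether application context is included in the SAML response; null means the org default applies` (wording to be confirmed against the product behaviour).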
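Review bot: `required: false` inside the `userVerificationMethods` property is not a valid Schema Object keyword in OpenAPI 3 — `required` is a list of property names on the parent object, and the parent's list on the following lines already omits this property — so the line should be removed. `items :` and `type :` also carry a space before the colon, unlike every other key in the file. The enum here lists only `BIOMETRICS` while `PossessionConstraint.userVerificationMethods` from PATCH 30 lists `BIOMETRICS` and `PIN`; one of the two is wrong.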
@@ -3129,6 +3129,238 @@ paths: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true + /api/v1/apps/{appId}/group-push/mappings: + parameters: + - $ref: '#/components/parameters/pathAppId' + get: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: List all group push mappings + description: Lists all group push mappings with pagination support + operationId: listGroupPushMappings + parameters: + - name: after + description: Specifies the pagination cursor for the next page of mappings + in: query + schema: + type: string + - name: limit + in: query + description: Specifies the number of results returned + schema: + type: integer + format: int32 + default: 100 + maximum: 1000 + minimum: 1 + - name: lastUpdated + description: |- + Filters group push mappings by last updated date. The `lastUpdated` parameter supports the following format: `YYYY-MM-DDTHH:mm:ssZ`. This filters mappings updated on or after the specified date and time in UTC. + + If you don't specify a value, all group push mappings are returned. + in: query + schema: + type: string + example: '2025-01-01T00:00:00Z' + - name: sourceGroupId + description: Filters group push mappings by source group ID. If you don't specify a value, all group push mappings are returned. + in: query + schema: + type: string + example: 00g00000000000000000 + - name: status + description: Filters group push mappings by status. If you don't specify a value, all group push mappings are returned. 
+ in: query + schema: + $ref: '#/components/schemas/GroupPushMappingStatus' + responses: + '200': + description: OK + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/GroupPushMapping' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + - okta.groups.read + tags: + - GroupPushMapping + post: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Create a group push mapping + description: |- + Creates or links a group push mapping. + + **Note:** Either `targetGroupId` or `targetGroupName` must be provided, but not both. If `targetGroupId` is provided, it links to an existing group. If `targetGroupName` is provided, it creates a new group. + operationId: createGroupPushMapping + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CreateGroupPushMappingRequest' + required: true + responses: + '201': + description: Created + content: + application/json: + schema: + $ref: '#/components/schemas/GroupPushMapping' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + - okta.groups.manage + tags: + - GroupPushMapping + /api/v1/apps/{appId}/group-push/mappings/{mappingId}: + parameters: + - $ref: '#/components/parameters/pathAppId' + - $ref: '#/components/parameters/pathGroupPushMappingId' + get: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: 
true + summary: Retrieve a group push mapping + description: Retrieves a group push mapping by ID + operationId: getGroupPushMapping + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/GroupPushMapping' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.read + - okta.groups.read + tags: + - GroupPushMapping + patch: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Update a group push mapping + description: Updates the status of a group push mapping + operationId: updateGroupPushMapping + x-codegen-request-body-name: body + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/UpdateGroupPushMappingRequest' + required: true + responses: + '200': + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/GroupPushMapping' + '400': + $ref: '#/components/responses/ErrorApiValidationFailed400' + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + description: Forbidden + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + - okta.groups.manage + tags: + - GroupPushMapping + delete: + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + summary: Delete a group push mapping + description: Deletes a specific group push mapping. The group push mapping must be in an `INACTIVE` state. 
+ operationId: deleteGroupPushMapping + parameters: + - in: query + name: deleteTargetGroup + description: If set to `true`, the target group is also deleted. If set to `false`, the target group isn't deleted. + required: true + schema: + type: boolean + default: false + responses: + '204': + description: No Content + '401': + $ref: '#/components/responses/ErrorInvalidToken401' + '403': + description: Forbidden + headers: {} + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + examples: + Access Denied: + $ref: '#/components/examples/ErrorAccessDenied' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.apps.manage + - okta.groups.manage + tags: + - GroupPushMapping /api/v1/apps/{appId}/groups: parameters: - $ref: '#/components/parameters/pathAppId' @@ -45371,6 +45603,14 @@ components: schema: type: string example: 00g1emaKYZTWRYYRRTSK + pathGroupPushMappingId: + name: mappingId + description: Group push mapping ID + in: path + required: true + schema: + type: string + example: gPm00000000000000000 pathGroupRuleId: name: groupRuleId description: The `id` of the group rule @@ -46656,6 +46896,19 @@ components: properties: assignUserToRealm: $ref: '#/components/schemas/AssignUserToRealm' + ActiveDirectoryGroupScope: + description: The scope of the group in Active Directory + type: string + enum: + - DOMAIN_LOCAL + - GLOBAL + - UNIVERSAL + ActiveDirectoryGroupType: + description: The type of the group in Active Directory + type: string + enum: + - DISTRIBUTION + - SECURITY AdminConsoleSettings: title: Okta Admin Console Settings description: Settings specific to the Okta Admin Console 
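Review bot: The `deleteTargetGroup` query parameter on DELETE is both `required: true` and `default: false`, which contradict each other — a default only applies when the parameter is omitted, which `required` forbids. Since the flag cascades the deletion to the downstream group, requiring the caller to state it explicitly is the safer contract; keep `required: true` and drop `default: false`. The POST, PATCH and DELETE `403` responses are also inlined (with a stray `headers: {}` on DELETE) while GET uses `$ref: '#/components/responses/ErrorAccessDenied403'`; use the shared response for all four.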
@@ -46975,6 +47228,56 @@ components: enum: - APP - APP_TYPE + AppConfig: + description: Additional app configuration for group push mappings. Currently only required for Active Directory. + type: object + properties: + type: + type: string + $ref: '#/components/schemas/AppConfigType' + discriminator: + propertyName: type + mapping: + ACTIVE_DIRECTORY: '#/components/schemas/AppConfigActiveDirectory' + AppConfigActiveDirectory: + allOf: + - $ref: '#/components/schemas/AppConfig' + type: object + properties: + distinguishedName: + description: The distinguished name of the group in Active Directory + type: string + groupScope: + $ref: '#/components/schemas/ActiveDirectoryGroupScope' + groupType: + $ref: '#/components/schemas/ActiveDirectoryGroupType' + samAccountName: + description: The SAM account name of the group in Active Directory + type: string + required: + - distinguishedName + - groupScope + - groupType + - samAccountName + AppConfigType: + description: The type of the app configuration + type: string + enum: + - ACTIVE_DIRECTORY + AppConnectionUserProvisionJWKList: + properties: + keys: + type: array + items: + $ref: '#/components/schemas/JsonWebKey' + required: + - keys + AppConnectionUserProvisionJWKResponse: + properties: + jwks: + $ref: '#/components/schemas/AppConnectionUserProvisionJWKList' + required: + - jwks AppCsrPkcs10: description: Base64URL-encoded CSR in DER format format: base64 
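Review bot: `AppConfig` sets `discriminator.propertyName: type` but never lists `type` under `required`, and OpenAPI 3.0 requires the discriminator property to be required; add `required:` / `  - type` to `AppConfig` so validators and generators can dispatch on it. In the same schema the `type: string` written next to `$ref` under `properties.type` is silently ignored by 3.0 parsers (every sibling of `$ref` is dropped), which is harmless here but the same pattern loses real information in later hunks of this patch: `readOnly: true` on `appConfig` and `status` in `GroupPushMapping`, `type: object`/`type: string` beside `$ref` in `CreateGroupPushMappingRequest`, and the multi-line `description` on `UpdateGroupPushMappingRequest.status`; wrapping each as `allOf:` / `  - $ref: '...'` with the annotations as siblings of `allOf` keeps them. `AppConnectionUserProvisionJWKList` and `AppConnectionUserProvisionJWKResponse` also lack the `type: object` and `description` that the neighbouring schemas carry, so it is unclear from the spec what they represent beyond the key names.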
@@ -50225,6 +50528,26 @@ components: description: The name of the Brand required: - name + CreateGroupPushMappingRequest: + type: object + properties: + appConfig: + type: object + $ref: '#/components/schemas/AppConfig' + sourceGroupId: + description: The ID of the source group for the group push mapping + type: string + status: + type: string + $ref: '#/components/schemas/GroupPushMappingStatusUpsert' + targetGroupId: + description: The ID of the existing target group for the group push mapping. This is used to link to an existing group. Required if `targetGroupName` is not provided. + type: string + targetGroupName: + description: The name of the target group for the group push mapping. This is used when creating a new downstream group. If the group already exists, it links to the existing group. Required if `targetGroupId` is not provided. + type: string + required: + - sourceGroupId CreateGroupRuleRequest: type: object properties: 
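Review bot: The "required if the other is not provided" rule between `targetGroupId` and `targetGroupName` lives only in prose, so a request with neither passes schema validation and the constraint is invisible to generated clients; express it as `anyOf: [{required: [targetGroupId]}, {required: [targetGroupName]}]` on `CreateGroupPushMappingRequest`, or `oneOf` if supplying both is rejected by the server (the descriptions do not say which). `status` and `appConfig` are the only properties without a `description`; `status` in particular should say which value is assumed when omitted, since `GroupPushMappingStatusUpsert` declares `default: ACTIVE` and activating a mapping triggers a push to the target group. Inherited from the earlier `AppConfig` hunk, the `type:` keys placed beside `$ref` here are ignored by 3.0 parsers.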
@@ -52803,6 +53126,80 @@ components: anyOf: - $ref: '#/components/schemas/OktaUserGroupProfile' - $ref: '#/components/schemas/OktaActiveDirectoryGroupProfile' + GroupPushMapping: + type: object + properties: + appConfig: + type: object + readOnly: true + $ref: '#/components/schemas/AppConfig' + created: + description: Timestamp when the group push mapping was created + type: string + format: date-time + readOnly: true + errorSummary: + description: The error message summary if the latest push failed + type: string + readOnly: true + id: + description: The ID of the group push mapping + type: string + readOnly: true + lastPush: + description: Timestamp when the group push mapping was pushed + type: string + format: date-time + readOnly: true + lastUpdated: + description: Timestamp when the group push mapping was last updated + type: string + format: date-time + readOnly: true + sourceGroupId: + description: The ID of the source group for the group push mapping + type: string + readOnly: true + status: + description: The status of the group push mapping + type: string + $ref: '#/components/schemas/GroupPushMappingStatus' + readOnly: true + targetGroupId: + description: The ID of the target group for the group push mapping + type: string + readOnly: true + _links: + $ref: '#/components/schemas/GroupPushMappingLinks' + GroupPushMappingLinks: + description: Discoverable resources related to the group push mapping + type: object + properties: + app: + $ref: '#/components/schemas/HrefObjectAppLink' + sourceGroup: + $ref: '#/components/schemas/HrefObjectGroupLink' + targetGroup: + $ref: '#/components/schemas/HrefObjectGroupLink' + GroupPushMappingStatus: + description: The status of the group push mapping + type: string + enum: + - ACTIVE + - ERROR + - INACTIVE + x-enumDescriptions: + ACTIVE: The group push mapping is active and Okta pushes membership changes to the target group + INACTIVE: The group push mapping is inactive and Okta doesn't push membership changes to the 
target group + ERROR: The group push mapping is in an error state and Okta doesn't push membership changes to the target group + GroupPushMappingStatusUpsert: + description: The status of the group push mapping + title: GroupPushMappingStatus + default: ACTIVE + type: string + enum: + - ACTIVE + - INACTIVE GroupRule: type: object properties: @@ -64972,6 +65369,20 @@ components: UpdateEmailDomain: allOf: - $ref: '#/components/schemas/BaseEmailDomain' + UpdateGroupPushMappingRequest: + type: object + properties: + status: + description: |- + The status of the group push mapping. + + If changing the group push mapping status to `ACTIVE`, Okta performs an initial push to the target group, and then begins pushing membership changes. + + If changing the group push mapping status to `INACTIVE`, Okta stops pushing membership changes to the target group. + type: string + $ref: '#/components/schemas/GroupPushMappingStatusUpsert' + required: + - status UpdateIamRoleRequest: type: object properties: From e91541cdda1570745ff30e573da2b9d396a66fd1 Mon Sep 17 00:00:00 2001 From: eolia-bagnoli-backupta Date: Thu, 8 Jan 2026 10:55:59 +0100 Subject: [PATCH 38/43] OpenApi: add Okta Integration into IdpType enum --- src/swagger/api.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 1e6186fb043..87cadd854e1 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -54332,6 +54332,7 @@ components: - LOGINGOV - LOGINGOV_SANDBOX - MICROSOFT + - OKTA_INTEGRATION - OIDC - OKTA - PAYPAL From b75ed9f1f8014a9352328b33316bf665d5ac60d3 Mon Sep 17 00:00:00 2001 From: eolia-bagnoli-backupta Date: Thu, 8 Jan 2026 11:50:44 +0100 Subject: [PATCH 39/43] OpenApi: add missing oktaIdpOrgUrl parameter for OIDC protocol --- src/swagger/api.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 87cadd854e1..3612c929338 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
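Review bot: `GroupPushMappingStatusUpsert` carries the same `description` as `GroupPushMappingStatus` ("The status of the group push mapping") even though it deliberately omits `ERROR`; state the difference, e.g. `description: Status a client may set on a group push mapping. ERROR is reported by Okta and cannot be set.` It also sets `title: GroupPushMappingStatus`, the exact name of the sibling schema, which may cause generators that honour `title` to emit two models with one name; I would drop the title or make it distinct. In `GroupPushMappingStatus` the `x-enumDescriptions` are ordered ACTIVE, INACTIVE, ERROR while `enum` is ACTIVE, ERROR, INACTIVE; aligning the two orders keeps the doc rendering consistent with the other enums in the file.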
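Review bot: `OKTA_INTEGRATION` is inserted between `MICROSOFT` and `OIDC`, but the surrounding `IdpType` values (`LOGINGOV`, `LOGINGOV_SANDBOX`, `MICROSOFT`, `OIDC`, `OKTA`, `PAYPAL`) are alphabetical, so the new entry belongs after `OKTA`. If the enum has an `x-enumDescriptions` block elsewhere (not visible in this hunk), the new value should get an entry there too.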
@@ -60724,6 +60724,9 @@ components: $ref: '#/components/schemas/OAuthEndpoints' scopes: $ref: '#/components/schemas/OAuthScopes' + oktaIdpOrgUrl: + type: string + nullable: true ProtocolSaml: title: SAML 2.0 Protocol description: Protocol settings for the [SAML 2.0 Authentication Request Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) From 9662c89d28a4fbdb64cc254ab7c669b8ba94b58e Mon Sep 17 00:00:00 2001 From: eolia-bagnoli-backupta Date: Tue, 13 Jan 2026 13:51:28 +0100 Subject: [PATCH 40/43] OpenApi: add Okta Personal Settings Api --- src/swagger/api.yaml | 101 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 3612c929338..7845b230b1f 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
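Review bot: `oktaIdpOrgUrl` is added with only `type: string` and `nullable: true` and no `description`, unlike the neighbouring `endpoints` and `scopes` properties that resolve to documented schemas; the name suggests the org URL of an Okta tenant acting as the IdP, so something like `description: URL of the Okta org that acts as the identity provider for this OIDC protocol` (wording to be confirmed with the service owner) is needed. If the value is always an absolute URL, `format: uri` would let clients validate it before use. The enclosing protocol schema starts outside the hunk, so I cannot see whether it is `ProtocolOidc` or whether `oktaIdpOrgUrl` should be `readOnly`.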
@@ -1493,6 +1493,107 @@ paths: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true + /okta-personal-settings/api/v1/edit-feature: + put: + summary: Replace the Okta Personal admin settings + description: Replaces Okta Personal admin settings in a Workforce org + operationId: replaceOktaPersonalAdminSettings + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/OktaPersonalAdminFeatureSettings' + examples: + exampleSettings: + $ref: '#/components/examples/editFeatureExample' + required: true + responses: + '204': + description: No Content + content: {} + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.manage + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + /okta-personal-settings/api/v1/export-blocklists: + get: + summary: List all blocked email domains + description: Lists all blocked email domains which are excluded from app migration + operationId: listPersonalAppsExportBlockList + responses: + '200': + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/PersonalAppsBlockList' + examples: + exampleSettings: + $ref: '#/components/examples/getBlockListExample' + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.read + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true + put: + summary: Replace the blocked email domains + 
description: Replaces the list of blocked email domains which are excluded from app migration + operationId: replaceBlockedEmailDomains + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/PersonalAppsBlockList' + examples: + exampleSettings: + $ref: '#/components/examples/getBlockListExample' + required: true + responses: + '204': + description: No Content + content: {} + '401': + $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' + '403': + $ref: '#/components/responses/ErrorAccessDenied403' + '404': + $ref: '#/components/responses/ErrorResourceNotFound404' + '429': + $ref: '#/components/responses/ErrorTooManyRequests429' + security: + - apiToken: [] + - oauth2: + - okta.personal.adminSettings.manage + tags: + - OktaPersonalSettings + x-okta-lifecycle: + lifecycle: GA + isGenerallyAvailable: true /api/v1/apps: get: summary: List all Applications From c885762befe001d0928d92ef3db136f52af2dfab Mon Sep 17 00:00:00 2001 From: eolia-bagnoli-backupta Date: Fri, 16 Jan 2026 11:06:55 +0100 Subject: [PATCH 41/43] OpenApi: add Automation policies --- src/swagger/api.yaml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 7845b230b1f..92aacf8492c 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
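Review bot: Both PUT operations declare `'204': description: No Content` followed by `content: {}`; an empty content map is valid but pointless for 204 and no other 204 in the file (e.g. `deleteGroupPushMapping` earlier in this page) carries it, so drop the `content: {}` lines. `replaceBlockedEmailDomains` reuses `getBlockListExample`, the response example of the GET, as its request example; that is only correct if `PersonalAppsBlockList` is identical in both directions and no read-only fields appear in the GET example. The three operationIds also follow three naming patterns (`replaceOktaPersonalAdminSettings`, `listPersonalAppsExportBlockList`, `replaceBlockedEmailDomains`); picking one prefix would keep generated SDK method names coherent.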
@@ -49408,6 +49408,40 @@ components: type: string description: Link name example: Example Authorization Server + AutomationPolicy: + allOf: + - $ref: '#/components/schemas/Policy' + - type: object + properties: + conditions: + $ref: '#/components/schemas/AutomationPolicyConditions' + AutomationPolicyConditions: + type: object + properties: + people: + $ref: '#/components/schemas/AutomationPolicyConditionsPeople' + AutomationPolicyConditionsPeople: + type: object + description: Identifies conditions on User and Groups + properties: + groups: + type: object + properties: + include: + type: array + items: + type: string + users: + type: object + description: Specifies for how long and it what state the users should be for the policy to apply + properties: + inactivity: + type: object + properties: + unit: + type: string + number: + type: integer AutoAssignAdminAppSetting: description: The org setting that automatically assigns the Okta Admin Console when an admin role is assigned type: object @@ -59581,6 +59615,7 @@ components: PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy' POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicy' ENTITY_RISK: '#/components/schemas/EntityRiskPolicy' + USER_LIFECYCLE: '#/components/schemas/AutomationPolicy' PolicyAccess: type: string enum: @@ -59958,6 +59993,7 @@ components: - POST_AUTH_SESSION - PROFILE_ENROLLMENT - RESOURCE_ACCESS + - USER_LIFECYCLE PolicyTypeSimulation: type: string enum: From 354cb14b4f3ea313b2b8edc259ebb7dda83cf77f Mon Sep 17 00:00:00 2001 From: eolia-bagnoli-backupta Date: Fri, 16 Jan 2026 15:48:26 +0100 Subject: [PATCH 42/43] OpenApi: add Automation policy rules --- src/swagger/api.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 92aacf8492c..64c9e66bccc 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml 
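Review bot: The `users` description in `AutomationPolicyConditionsPeople` reads "for how long and it what state"; it should be `description: Specifies for how long and in what state the users should be for the policy to apply`. `inactivity.unit` is a bare `type: string` and `inactivity.number` a bare `type: integer` with no `enum`, `minimum` or description, so a client cannot tell which units are accepted or whether zero or negative values are rejected; if the service takes a fixed set of units, an `enum` here would document it, and `minimum: 1` (if that is the server's rule) would be worth stating. `groups.include` likewise has no description; presumably it is a list of group IDs, which is worth saying given the other schemas in this file spell out "The ID of ...". The two mapping/enum hunks on the same line are fine as they are.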
@@ -49442,6 +49442,30 @@ components: type: string number: type: integer + AutomationPolicyRule: + allOf: + - $ref: '#/components/schemas/PolicyRule' + - type: object + properties: + actions: + $ref: '#/components/schemas/AutomationPolicyRuleActions' + AutomationPolicyRuleActions: + description: Specifies whether the User is to be enrolled the first time they `LOGIN`, the next time they are in the `CHALLENGE` process, or `NEVER` + type: object + properties: + updateUserLifecycle: + type: object + properties : + targetStatus: + type: string + quietPeriod: + type: object + description: Quiet Period + properties: + unit: + type: string + number: + type: integer AutoAssignAdminAppSetting: description: The org setting that automatically assigns the Okta Admin Console when an admin role is assigned type: object @@ -59853,6 +59877,7 @@ components: POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicyRule' ENTITY_RISK: '#/components/schemas/EntityRiskPolicyRule' MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicyRule' + USER_LIFECYCLE: '#/components/schemas/AutomationPolicyRule' PolicyRuleActions: type: object PolicyRuleActionsEnroll: From 93683868ca1e4077b9d87a43194b72f87b5cc503 Mon Sep 17 00:00:00 2001 From: eolia-bagnoli-backupta Date: Fri, 16 Jan 2026 16:32:20 +0100 Subject: [PATCH 43/43] OpenApi: missing USER_LIFECYCLE in PolicyRuleType --- src/swagger/api.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/swagger/api.yaml b/src/swagger/api.yaml index 64c9e66bccc..a77b6f120e5 100644 --- a/src/swagger/api.yaml +++ b/src/swagger/api.yaml @@ -59960,6 +59960,7 @@ components: - PROFILE_ENROLLMENT - RESOURCE_ACCESS - SIGN_ON + - USER_LIFECYCLE PolicyRuleVerificationMethodType: description: Verification method type type: string
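Review bot: The `description` on `AutomationPolicyRuleActions` ("Specifies whether the User is to be enrolled the first time they `LOGIN`, the next time they are in the `CHALLENGE` process, or `NEVER`") describes an enrollment action and has no relation to the `updateUserLifecycle`/`targetStatus`/`quietPeriod` properties below it; it looks copied from another rule schema and should describe the lifecycle update instead, e.g. `description: Specifies the lifecycle status to move matching users to, and the quiet period to wait before doing so`. `properties :` under `updateUserLifecycle` has a space before the colon, which parses but is flagged by yamllint and differs from every other key in the file; write `properties:`. `targetStatus` is a bare `type: string`, so the set of reachable statuses is undocumented; if it maps to an existing user status enum in the file, a `$ref` would be better than free text. The `quietPeriod` description "Quiet Period" repeats the key name and adds nothing.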