Authorization Servers

Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them.

Work with the Default Authorization Server

Okta provides a pre-configured Custom Authorization Server with the name default. This Default Authorization Server includes a basic access policy and rule, which you can edit to control access. It allows you to specify default instead of the authorizationServerId in requests to it:

https://${yourOktaDomain}/api/v1/authorizationServers/default

vs

https://${yourOktaDomain}/api/v1/authorizationServers/${authorizationServerId} for other Custom Authorization Servers

List all Authorization Servers
API Access Management
OAuth 2.0: okta.authorizationServers.read

Lists all custom authorization servers in the org

Request
query Parameters
q
string

Searches the name and audiences of authorization servers for matching values

Example: q=customasone
limit
integer <int32>
Default: 200

Specifies the number of authorization server results on a page. Maximum value: 200

after
string

Specifies the pagination cursor for the next page of authorization servers. Treat as an opaque value and obtain through the next link relationship.

Responses
200

Success

403

Forbidden

429

Too Many Requests

GET /api/v1/authorizationServers
Request samples
Response samples
application/json
[]
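
Added example (not part of the Okta reference): a client that follows the after cursor described above by reading the next link relationship instead of building cursors itself. It assumes the relation arrives in the HTTP Link response header; fetch, SAMPLE_BASE and the org.example host are hypothetical names, and the two pages are constructed data.

```python
import re
from urllib.parse import urlencode, urlsplit

LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')


def next_link(link_header):
    """Return the URL tagged rel="next" in a Link header value, or None."""
    for url, rel in LINK_RE.findall(link_header or ""):
        if rel == "next":
            return url
    return None


def list_all_auth_servers(fetch, base_url, q=None, limit=200, max_pages=50):
    """Collect every page of GET /api/v1/authorizationServers.

    fetch(url) -> (list_of_servers, link_header_value) is supplied by the
    caller (hypothetical hook), so the HTTP client and its credentials stay
    outside this function.
    """
    if not 1 <= limit <= 200:          # the reference caps limit at 200
        raise ValueError("limit must be between 1 and 200")
    params = {"limit": limit}
    if q:
        params = {"q": q, "limit": limit}
    origin = urlsplit(base_url)
    url = f"{base_url}/api/v1/authorizationServers?{urlencode(params)}"
    servers = []
    for _ in range(max_pages):         # bound the loop against cursor cycles
        page, link_header = fetch(url)
        servers.extend(page)
        url = next_link(link_header)
        if url is None:
            return servers
        nxt = urlsplit(url)
        # The cursor is opaque, but the origin is not: never replay the
        # API credential against a host other than the org itself.
        if (nxt.scheme, nxt.netloc) != (origin.scheme, origin.netloc):
            raise ValueError("next link leaves the org origin: " + url)
    raise RuntimeError("stopped after max_pages pages")


# Constructed two-page response set for an offline run (not real Okta output).
SAMPLE_BASE = "https://org.example"
SAMPLE_PAGES = {
    SAMPLE_BASE + "/api/v1/authorizationServers?limit=2": (
        [{"id": "aus1"}, {"id": "aus2"}],
        "<" + SAMPLE_BASE + '/api/v1/authorizationServers?limit=2>; rel="self", '
        "<" + SAMPLE_BASE + '/api/v1/authorizationServers?after=CURSOR1&limit=2>; rel="next"',
    ),
    SAMPLE_BASE + "/api/v1/authorizationServers?after=CURSOR1&limit=2": (
        [{"id": "aus3"}],
        "<" + SAMPLE_BASE + '/api/v1/authorizationServers?after=CURSOR1&limit=2>; rel="self"',
    ),
}


def fake_fetch(url):
    """Stand-in for an authenticated HTTP GET; serves the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    print([s["id"] for s in list_all_auth_servers(fake_fetch, SAMPLE_BASE, limit=2)])
```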

Create an Authorization Server
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Creates an authorization server

Request
Request Body schema: application/json
required
audiences
Array of strings

The recipients that the tokens are intended for. This becomes the aud claim in an access token. Okta currently supports only one audience.

object (AuthorizationServerCredentials)
object (AuthorizationServerCredentialsSigningConfig)
rotationMode
string (AuthorizationServerCredentialsRotationMode)

The Key rotation mode for the authorization server

Enum: "AUTO" "MANUAL"
use
string (AuthorizationServerCredentialsUse)

How the key is used

Value: "sig"
description
string

The description of the custom authorization server

issuer
string

The complete URL for the custom authorization server. This becomes the iss claim in an access token.

issuerMode
string

Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL.

issuerMode is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses.

When set to ORG_URL, then in responses, issuer is the Okta org domain URL: https://${yourOktaDomain}.

When set to CUSTOM_URL, then in responses, issuer is the custom domain URL configured in the administration user interface.

When set to DYNAMIC, then in responses, issuer is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain.

After you configure a custom URL domain, all new custom authorization servers use CUSTOM_URL by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use DYNAMIC by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled.

name
string

The name of the custom authorization server

status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
Responses
201

Created

400

Bad Request

403

Forbidden

429

Too Many Requests

POST /api/v1/authorizationServers
Request samples
application/json
{
  "name": "Sample Authorization Server",
  "description": "Sample Authorization Server description",
  "audiences": [
    "api://default"
  ]
}
Response samples
application/json
{}
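
Added example (not part of the Okta reference): how a resource server can turn the issuerMode, issuer and audiences properties described above into the iss and aud values it accepts. Assumptions: the issuer path is the same on the org and custom domains, a missing issuerMode means the org domain is used, signature verification happens elsewhere, and the hosts and server object are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def accepted_issuers(server, org_domain, custom_domain=None):
    """Return the set of iss values tokens from this server may carry."""
    mode = server.get("issuerMode", "ORG_URL")   # assumption: absent -> org URL
    path = urlsplit(server["issuer"]).path

    def on(host):
        return urlunsplit(("https", host, path, "", ""))

    if mode == "ORG_URL":
        return {on(org_domain)}
    if mode == "CUSTOM_URL":
        if not custom_domain:
            raise ValueError("CUSTOM_URL requires a configured custom domain")
        return {on(custom_domain)}
    if mode == "DYNAMIC":
        # The issuer follows the domain the OAuth 2.0 request was sent to,
        # so a resource server has to accept both.
        hosts = {org_domain}
        if custom_domain:
            hosts.add(custom_domain)
        return {on(h) for h in hosts}
    raise ValueError("unknown issuerMode: " + repr(mode))


def check_token_claims(claims, server, org_domain, custom_domain=None):
    """Return the names of claims that fail; an empty list means iss and aud match.

    claims is the already signature-verified payload of an access token.
    """
    failed = []
    if claims.get("iss") not in accepted_issuers(server, org_domain, custom_domain):
        failed.append("iss")
    aud = claims.get("aud")
    aud_values = [aud] if isinstance(aud, str) else list(aud or [])
    if not set(aud_values) & set(server["audiences"]):
        failed.append("aud")
    return failed


# Constructed authorization server object; the id and hosts are placeholders.
SAMPLE_SERVER = {
    "name": "Sample Authorization Server",
    "audiences": ["api://default"],
    "issuer": "https://org.example/oauth2/ausCONSTRUCTED",
    "issuerMode": "ORG_URL",
}

if __name__ == "__main__":
    token = {"iss": "https://login.example/oauth2/ausCONSTRUCTED",
             "aud": "api://default"}
    # Rejected under ORG_URL, accepted once the server is switched to DYNAMIC.
    print(check_token_claims(token, SAMPLE_SERVER, "org.example", "login.example"))
    dynamic = dict(SAMPLE_SERVER, issuerMode="DYNAMIC")
    print(check_token_claims(token, dynamic, "org.example", "login.example"))
```

Changing issuerMode on a live server changes the iss that clients and resource servers see, which is why existing servers keep their original value until changed.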

Retrieve an Authorization Server
API Access Management
OAuth 2.0: okta.authorizationServers.read

Retrieves an authorization server

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

GET /api/v1/authorizationServers/{authServerId}
Request samples
Response samples
application/json
{}

Replace an Authorization Server
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Replaces an authorization server

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Request Body schema: application/json
required
audiences
Array of strings

The recipients that the tokens are intended for. This becomes the aud claim in an access token. Okta currently supports only one audience.

object (AuthorizationServerCredentials)
object (AuthorizationServerCredentialsSigningConfig)
rotationMode
string (AuthorizationServerCredentialsRotationMode)

The Key rotation mode for the authorization server

Enum: "AUTO" "MANUAL"
use
string (AuthorizationServerCredentialsUse)

How the key is used

Value: "sig"
description
string

The description of the custom authorization server

issuer
string

The complete URL for the custom authorization server. This becomes the iss claim in an access token.

issuerMode
string

Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL.

issuerMode is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses.

When set to ORG_URL, then in responses, issuer is the Okta org domain URL: https://${yourOktaDomain}.

When set to CUSTOM_URL, then in responses, issuer is the custom domain URL configured in the administration user interface.

When set to DYNAMIC, then in responses, issuer is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain.

After you configure a custom URL domain, all new custom authorization servers use CUSTOM_URL by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use DYNAMIC by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled.

name
string

The name of the custom authorization server

status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

PUT /api/v1/authorizationServers/{authServerId}
Request samples
application/json
{
  "name": "New Authorization Server",
  "description": "Authorization Server description",
  "audiences": [
    "api://default"
  ],
  "credentials": {
    "signing": { }
  },
  "issuerMode": "ORG_URL",
  "status": "ACTIVE"
}
Response samples
application/json
{}

Delete an Authorization Server
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Deletes an authorization server

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

DELETE /api/v1/authorizationServers/{authServerId}
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}

List all Clients
API Access Management
OAuth 2.0: okta.authorizationServers.read

Lists all clients

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

GET /api/v1/authorizationServers/{authServerId}/clients
Request samples
Response samples
application/json
[
  {
    "client_id": "string",
    "client_name": "string",
    "client_uri": "string",
    "logo_uri": "string",
    "_links": { }
  }
]

List all Refresh Tokens for a Client
API Access Management
OAuth 2.0: okta.authorizationServers.read

Lists all refresh tokens for a client

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
clientId
required
string

client_id of the app

Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
query Parameters
expand
string
after
string
limit
integer <int32>
Default: -1
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

GET /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens
Request samples
Response samples
application/json
[
  {
    "clientId": "string",
    "created": "2019-08-24T14:15:22Z",
    "expiresAt": "2019-08-24T14:15:22Z",
    "id": "string",
    "issuer": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "scopes": [ ],
    "status": "ACTIVE",
    "userId": "string",
    "_embedded": { },
    "_links": { }
  }
]

Revoke all Refresh Tokens for a Client
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Revokes all refresh tokens for a client

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
clientId
required
string

client_id of the app

Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

DELETE /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}

Retrieve a Refresh Token for a Client
API Access Management
OAuth 2.0: okta.authorizationServers.read

Retrieves a refresh token for a client

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
clientId
required
string

client_id of the app

Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
tokenId
required
string

id of Token

Example: sHHSth53yJAyNSTQKDJZ
query Parameters
expand
string
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

GET /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}
Request samples
Response samples
application/json
{
  "clientId": "string",
  "created": "2019-08-24T14:15:22Z",
  "expiresAt": "2019-08-24T14:15:22Z",
  "id": "string",
  "issuer": "string",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "scopes": [
    "string"
  ],
  "status": "ACTIVE",
  "userId": "string",
  "_embedded": {
    "scopes": [ ]
  },
  "_links": {
    "self": { },
    "app": { },
    "revoke": { },
    "client": { },
    "user": { },
    "authorizationServer": { }
  }
}

Revoke a Refresh Token for a Client
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Revokes a refresh token for a client

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
clientId
required
string

client_id of the app

Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
tokenId
required
string

id of Token

Example: sHHSth53yJAyNSTQKDJZ
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

DELETE /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}
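
Added example (not part of the Okta reference): an incident-response helper that takes the refresh token objects returned by the list endpoint above and builds the per-token DELETE calls for a set of affected users. The function name, the user and token ids and the sample list are constructed for illustration; the field names and paths are the ones shown in this reference.

```python
from datetime import datetime, timezone
from urllib.parse import quote


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2019-08-24T14:15:22Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def revocation_plan(auth_server_id, tokens, user_ids, now):
    """Return the DELETE calls for refresh tokens that are still usable.

    Only tokens that belong to one of user_ids, have status ACTIVE and have
    not yet expired are selected; everything else is already dead weight.
    """
    base = "/api/v1/authorizationServers/" + quote(auth_server_id, safe="") + "/clients/"
    plan = []
    for tok in tokens:
        if tok.get("userId") not in user_ids:
            continue
        if tok.get("status") != "ACTIVE":
            continue
        if parse_ts(tok["expiresAt"]) <= now:
            continue
        # Percent-encode every id so a malformed value cannot alter the path.
        path = base + quote(tok["clientId"], safe="") + "/tokens/" + quote(tok["id"], safe="")
        plan.append({
            "method": "DELETE",
            "path": path,
            "userId": tok["userId"],
            "scopes": list(tok.get("scopes", [])),
        })
    return plan


# Constructed token list in the shape of the list response (not real data).
SAMPLE_TOKENS = [
    {"id": "oarCONSTRUCTED1", "clientId": "clientA", "userId": "userX",
     "status": "ACTIVE", "expiresAt": "2030-01-01T00:00:00Z",
     "scopes": ["offline_access", "orders:write"]},
    {"id": "oarCONSTRUCTED2", "clientId": "clientA", "userId": "userX",
     "status": "REVOKED", "expiresAt": "2030-01-01T00:00:00Z", "scopes": []},
    {"id": "oarCONSTRUCTED3", "clientId": "clientA", "userId": "userX",
     "status": "ACTIVE", "expiresAt": "2019-08-24T14:15:22Z", "scopes": []},
    {"id": "oarCONSTRUCTED4", "clientId": "clientA", "userId": "userY",
     "status": "ACTIVE", "expiresAt": "2030-01-01T00:00:00Z", "scopes": []},
]

if __name__ == "__main__":
    when = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for call in revocation_plan("ausCONSTRUCTED", SAMPLE_TOKENS, {"userX"}, when):
        print(call["method"], call["path"], call["scopes"])
```

Each call in the plan requires the okta.authorizationServers.manage scope and returns 204 on success.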

List all Credential Keys
API Access Management
OAuth 2.0: okta.authorizationServers.read

Lists all credential keys

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

GET /api/v1/authorizationServers/{authServerId}/credentials/keys
Request samples
Response samples
application/json
[
  {
    "alg": "string",
    "created": "2019-08-24T14:15:22Z",
    "e": "string",
    "expiresAt": "2019-08-24T14:15:22Z",
    "key_ops": [ ],
    "kid": "string",
    "kty": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "n": "string",
    "status": "string",
    "use": "string",
    "x5c": [ ],
    "x5t": "string",
    "x5t#S256": "string",
    "x5u": "string",
    "_links": { }
  }
]

Rotate all Credential Keys
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Rotates all credential keys

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Request Body schema: application/json
required
use
string (JwkUseType)
Value: "sig"
Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

POST /api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate
Request samples
application/json
{
  "use": "sig"
}
Response samples
application/json
[
  {
    "alg": "string",
    "created": "2019-08-24T14:15:22Z",
    "e": "string",
    "expiresAt": "2019-08-24T14:15:22Z",
    "key_ops": [ ],
    "kid": "string",
    "kty": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "n": "string",
    "status": "string",
    "use": "string",
    "x5c": [ ],
    "x5t": "string",
    "x5t#S256": "string",
    "x5u": "string",
    "_links": { }
  }
]

Activate an Authorization Server
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Activates an authorization server

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

POST /api/v1/authorizationServers/{authServerId}/lifecycle/activate
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}

Deactivate an Authorization Server
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Deactivates an authorization server

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

POST /api/v1/authorizationServers/{authServerId}/lifecycle/deactivate
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}

List all Policies
API Access Management
OAuth 2.0: okta.authorizationServers.read

Lists all policies

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

GET /api/v1/authorizationServers/{authServerId}/policies
Request samples
Response samples
application/json
[
  {
    "conditions": { }
  }
]

Create a Policy
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Creates a policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Request Body schema: application/json
required
object (AuthorizationServerPolicyConditions)
object (ClientPolicyCondition)

Specifies which clients are included in the Policy

include
Array of strings

Which clients are included in the Policy

Responses
201

Created

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

POST /api/v1/authorizationServers/{authServerId}/policies
Request samples
application/json
{
  "conditions": {
    "clients": { }
  }
}
Response samples
application/json
{
  "conditions": {
    "clients": { }
  }
}

Retrieve a Policy
API Access Management
OAuth 2.0: okta.authorizationServers.read

Retrieves a policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

GET /api/v1/authorizationServers/{authServerId}/policies/{policyId}
Request samples
Response samples
application/json
{
  "conditions": {
    "clients": { }
  }
}

Replace a Policy
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Replaces a policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Request Body schema: application/json
required
object (AuthorizationServerPolicyConditions)
object (ClientPolicyCondition)

Specifies which clients are included in the Policy

include
Array of strings

Which clients are included in the Policy

Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

PUT /api/v1/authorizationServers/{authServerId}/policies/{policyId}
Request samples
application/json
{
  "conditions": {
    "clients": { }
  }
}
Response samples
application/json
{
  "conditions": {
    "clients": { }
  }
}

Delete a Policy
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Deletes a policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

DELETE /api/v1/authorizationServers/{authServerId}/policies/{policyId}
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}

Activate a Policy
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Activates an authorization server policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

POST /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/activate
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}

Deactivate a Policy
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Deactivates an authorization server policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

POST /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/deactivate
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}

List all Policy Rules
API Access Management
OAuth 2.0: okta.authorizationServers.read

Lists all policy rules for the specified Custom Authorization Server and Policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

GET /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules
Request samples
Response samples
application/json
[
  {
    "created": "2019-08-24T14:15:22Z",
    "id": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "name": "string",
    "priority": 0,
    "status": "ACTIVE",
    "system": false,
    "type": "ACCESS_POLICY",
    "actions": { },
    "conditions": { }
  }
]

Create a Policy Rule
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Creates a policy rule for the specified Custom Authorization Server and Policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Request Body schema: application/json
required
id
string

Identifier for the rule

name
string

Name of the rule

priority
integer

Priority of the rule

status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
system
boolean
Default: false

Specifies whether Okta created the Policy Rule (system=true). You can't delete Policy Rules that have system set to true.

type
string (PolicyRuleType)

Rule type

object (AccessPolicyRuleActions)
object (AccessPolicyRuleApplicationSignOn)
access
string
object (VerificationMethod)
object (AccessPolicyRuleConditions)
object (AppAndInstancePolicyRuleCondition)
Array of objects (AppAndInstanceConditionEvaluatorAppOrInstance)
Array of objects (AppAndInstanceConditionEvaluatorAppOrInstance)
object (AppInstancePolicyRuleCondition)
exclude
Array of strings
include
Array of strings
object (PolicyRuleAuthContextCondition)
authType
string (PolicyRuleAuthContextType)
Enum: "ANY" "RADIUS"
object (PasswordPolicyAuthenticationProviderCondition)
include
Array of strings
provider
string (PasswordPolicyAuthenticationProviderType)
Enum: "ACTIVE_DIRECTORY" "ANY" "LDAP" "OKTA"
object (BeforeScheduledActionPolicyRuleCondition)
object (Duration)
object (ScheduledUserLifecycleAction)
object (ClientPolicyCondition)

Specifies which clients are included in the Policy

include
Array of strings

Which clients are included in the Policy

object (ContextPolicyRuleCondition)
migrated
boolean
object (DevicePolicyRuleConditionPlatform)
rooted
boolean
trustLevel
string (DevicePolicyTrustLevel)
Enum: "ANY" "TRUSTED"
expression
string
object (DeviceAccessPolicyRuleCondition)
migrated
boolean
object
rooted
boolean
trustLevel
string
Enum: "ANY" "TRUSTED"
object (DevicePolicyRuleConditionAssurance)
managed
boolean
registered
boolean
object (GrantTypePolicyRuleCondition)

Array of grant types that this condition includes. Determines the mechanism that Okta uses to authorize the creation of the tokens.

include
Array of strings

Array of grant types that this condition includes.

object (GroupPolicyRuleCondition)

Specifies a set of Groups whose Users are to be included or excluded

exclude
Array of strings

Groups to be excluded

include
Array of strings

Groups to be included

object (IdentityProviderPolicyRuleCondition)
idpIds
Array of strings
provider
string (IdentityProviderPolicyProvider)
Enum: "ANY" "OKTA" "SPECIFIC_IDP"
object (MDMEnrollmentPolicyRuleCondition)
blockNonSafeAndroid
boolean
enrollment
string (MDMEnrollmentPolicyEnrollment)
Enum: "ANY_OR_NONE" "OMM"
object (PolicyNetworkCondition)
connection
string (PolicyNetworkConnection)

Network selection mode

Enum: "ANYWHERE" "ZONE"
exclude
Array of strings
include
Array of strings
object (PolicyPeopleCondition)

Identifies Users and Groups that are used together

object (GroupCondition)

Specifies a set of Groups whose Users are to be included or excluded

object (UserCondition)

Specifies a set of Users to be included or excluded

object (PlatformPolicyRuleCondition)
Array of objects (PlatformConditionEvaluatorPlatform)
Array of objects (PlatformConditionEvaluatorPlatform)
object (RiskPolicyRuleCondition)
behaviors
Array of strings unique
object (RiskScorePolicyRuleCondition)
level
string
object (OAuth2ScopesMediationPolicyRuleCondition)

Array of scopes that the condition includes

include
Array of strings
object (UserIdentifierPolicyRuleCondition)
attribute
string
Array of objects (UserIdentifierConditionEvaluatorPattern)
type
string (UserIdentifierType)
Enum: "ATTRIBUTE" "IDENTIFIER"
object (UserPolicyRuleCondition)

Specifies a set of Users to be included or excluded

exclude
Array of strings

Users to be excluded

object (InactivityPolicyRuleCondition)
include
Array of strings

Users to be included

object (LifecycleExpirationPolicyRuleCondition)
object (PasswordExpirationPolicyRuleCondition)
object (UserLifecycleAttributePolicyRuleCondition)
object (UserStatusPolicyRuleCondition)
value
string (PolicyUserStatus)
Enum: "ACTIVATING" "ACTIVE" "DELETED" "DELETING" "EXPIRED_PASSWORD" "INACTIVE" "PENDING" "SUSPENDED"
object (AccessPolicyRuleCustomCondition)
condition
string
object (UserTypeCondition)
exclude
Array of strings
include
Array of strings
Responses
201

Created

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

POST /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules
Request samples
application/json
{
  "id": "string",
  "name": "string",
  "priority": 0,
  "status": "ACTIVE",
  "system": false,
  "type": "ACCESS_POLICY",
  "actions": {
    "appSignOn": { }
  },
  "conditions": {
    "app": { },
    "apps": { },
    "authContext": { },
    "authProvider": { },
    "beforeScheduledAction": { },
    "clients": { },
    "context": { },
    "device": { },
    "grantTypes": { },
    "groups": { },
    "identityProvider": { },
    "mdmEnrollment": { },
    "network": { },
    "people": { },
    "platform": { },
    "risk": { },
    "riskScore": { },
    "scopes": { },
    "userIdentifier": { },
    "users": { },
    "userStatus": { },
    "elCondition": { },
    "userType": { }
  }
}
Response samples
application/json
{
  "created": "2019-08-24T14:15:22Z",
  "id": "string",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "name": "string",
  "priority": 0,
  "status": "ACTIVE",
  "system": false,
  "type": "ACCESS_POLICY",
  "actions": {
    "appSignOn": { }
  },
  "conditions": {
    "app": { },
    "apps": { },
    "authContext": { },
    "authProvider": { },
    "beforeScheduledAction": { },
    "clients": { },
    "context": { },
    "device": { },
    "grantTypes": { },
    "groups": { },
    "identityProvider": { },
    "mdmEnrollment": { },
    "network": { },
    "people": { },
    "platform": {