Authorization Server Rules

Provides operations to manage policy rules for the given authServerId, policyId, and ruleId.

List all Policy Rules
OAuth 2.0: okta.authorizationServers.read

Lists all policy rules for the specified Custom Authorization Server and Policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules
Response samples
application/json
[
  {
    "created": "2019-08-24T14:15:22Z",
    "id": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "name": "string",
    "priority": 0,
    "status": "ACTIVE",
    "system": false,
    "type": "ACCESS_POLICY",
    "actions": {},
    "conditions": {}
  }
]

Create a Policy Rule
OAuth 2.0: okta.authorizationServers.manage

Creates a policy rule for the specified Custom Authorization Server and Policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
Request Body schema: application/json
required
id
string

Identifier for the rule

name
string

Name of the rule

priority
integer

Priority of the rule

status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
system
boolean
Default: false

Specifies whether Okta created the Policy Rule (system=true). You can't delete Policy Rules that have system set to true.

type
string (PolicyRuleType)

Rule type

object (AccessPolicyRuleActions)
object (AccessPolicyRuleApplicationSignOn)
access
string
object (VerificationMethod)
object (AccessPolicyRuleConditions)
object (AppAndInstancePolicyRuleCondition)
Array of objects (AppAndInstanceConditionEvaluatorAppOrInstance)
Array of objects (AppAndInstanceConditionEvaluatorAppOrInstance)
object (AppInstancePolicyRuleCondition)
exclude
Array of strings
include
Array of strings
object (PolicyRuleAuthContextCondition)
authType
string (PolicyRuleAuthContextType)
Enum: "ANY" "RADIUS"
object (PasswordPolicyAuthenticationProviderCondition)
include
Array of strings
provider
string (PasswordPolicyAuthenticationProviderType)
Enum: "ACTIVE_DIRECTORY" "ANY" "LDAP" "OKTA"
object (BeforeScheduledActionPolicyRuleCondition)
object (Duration)
object (ScheduledUserLifecycleAction)
object (ClientPolicyCondition)

Specifies which clients are included in the Policy

include
Array of strings

Which clients are included in the Policy

object (ContextPolicyRuleCondition)
migrated
boolean
object (DevicePolicyRuleConditionPlatform)
rooted
boolean
trustLevel
string (DevicePolicyTrustLevel)
Enum: "ANY" "TRUSTED"
expression
string
object (DeviceAccessPolicyRuleCondition)
migrated
boolean
object
rooted
boolean
trustLevel
string
Enum: "ANY" "TRUSTED"
object (DevicePolicyRuleConditionAssurance)
managed
boolean
registered
boolean
object (GrantTypePolicyRuleCondition)

Array of grant types that this condition includes. Determines the mechanism that Okta uses to authorize the creation of the tokens.

include
Array of strings

Array of grant types that this condition includes.

object (GroupPolicyRuleCondition)

Specifies a set of Groups whose Users are to be included or excluded

exclude
Array of strings

Groups to be excluded

include
Array of strings

Groups to be included

object (IdentityProviderPolicyRuleCondition)
idpIds
Array of strings
provider
string (IdentityProviderPolicyProvider)
Enum: "ANY" "OKTA" "SPECIFIC_IDP"
object (MDMEnrollmentPolicyRuleCondition)
blockNonSafeAndroid
boolean
enrollment
string (MDMEnrollmentPolicyEnrollment)
Enum: "ANY_OR_NONE" "OMM"
object (PolicyNetworkCondition)
connection
string (PolicyNetworkConnection)

Network selection mode

Enum: "ANYWHERE" "ZONE"
exclude
Array of strings
include
Array of strings
object (PolicyPeopleCondition)

Identifies Users and Groups that are used together

object (GroupCondition)

Specifies a set of Groups whose Users are to be included or excluded

object (UserCondition)

Specifies a set of Users to be included or excluded

object (PlatformPolicyRuleCondition)
Array of objects (PlatformConditionEvaluatorPlatform)
Array of objects (PlatformConditionEvaluatorPlatform)
object (RiskPolicyRuleCondition)
behaviors
Array of strings unique
object (RiskScorePolicyRuleCondition)
level
string
object (OAuth2ScopesMediationPolicyRuleCondition)

Array of scopes that the condition includes

include
Array of strings
object (UserIdentifierPolicyRuleCondition)
attribute
string
Array of objects (UserIdentifierConditionEvaluatorPattern)
type
string (UserIdentifierType)
Enum: "ATTRIBUTE" "IDENTIFIER"
object (UserPolicyRuleCondition)

Specifies a set of Users to be included or excluded

exclude
Array of strings

Users to be excluded

include
Array of strings

Users to be included

object (InactivityPolicyRuleCondition)
object (LifecycleExpirationPolicyRuleCondition)
object (PasswordExpirationPolicyRuleCondition)
object (UserLifecycleAttributePolicyRuleCondition)
object (UserStatusPolicyRuleCondition)
value
string (PolicyUserStatus)
Enum: "ACTIVATING" "ACTIVE" "DELETED" "DELETING" "EXPIRED_PASSWORD" "INACTIVE" "PENDING" "SUSPENDED"
object (AccessPolicyRuleCustomCondition)
condition
string
object (UserTypeCondition)
exclude
Array of strings
include
Array of strings
Responses
201

Created

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules
Request samples
application/json
{
  "id": "string",
  "name": "string",
  "priority": 0,
  "status": "ACTIVE",
  "system": false,
  "type": "ACCESS_POLICY",
  "actions": {
    "appSignOn": {}
  },
  "conditions": {
    "app": {},
    "apps": {},
    "authContext": {},
    "authProvider": {},
    "beforeScheduledAction": {},
    "clients": {},
    "context": {},
    "device": {},
    "grantTypes": {},
    "groups": {},
    "identityProvider": {},
    "mdmEnrollment": {},
    "network": {},
    "people": {},
    "platform": {},
    "risk": {},
    "riskScore": {},
    "scopes": {},
    "userIdentifier": {},
    "users": {},
    "userStatus": {},
    "elCondition": {},
    "userType": {}
  }
}
Response samples
application/json
{
  "created": "2019-08-24T14:15:22Z",
  "id": "string",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "name": "string",
  "priority": 0,
  "status": "ACTIVE",
  "system": false,
  "type": "ACCESS_POLICY",
  "actions": {
    "appSignOn": {}
  },
  "conditions": {
    "app": {},
    "apps": {},
    "authContext": {},
    "authProvider": {},
    "beforeScheduledAction": {},
    "clients": {},
    "context": {},
    "device": {},
    "grantTypes": {},
    "groups": {},
    "identityProvider": {},
    "mdmEnrollment": {},
    "network": {},
    "people": {},
    "platform": {},
    "risk": {},
    "riskScore": {},
    "scopes": {},
    "userIdentifier": {},
    "users": {},
    "userStatus": {},
    "elCondition": {},
    "userType": {}
  }
}
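The List and Create endpoints above are the two a reviewer needs most: read every rule on a policy to find the ones that match too broadly, then create a replacement that names exact clients, grant types, scopes and groups. The script below is an added example, not Okta's own code. Endpoint paths, field names, status codes and the "ANYWHERE"/"ZONE" network enum are taken from this page; the condition values it flags ("ALL_CLIENTS", "EVERYONE", "*", "implicit"), the appSignOn.access value "ALLOW", the org URL and the sample rules are assumptions or constructed data, labelled as such in the code.

```python
# Added example (not Okta's own code): audits the rules of one custom
# authorization server policy through the List endpoint and builds a
# least-privilege body for the Create endpoint. Paths, field names, status
# codes and the "ANYWHERE"/"ZONE" enum come from the reference page; the
# flagged VALUES ("ALL_CLIENTS", "EVERYONE", "*", "implicit"), the
# appSignOn.access value "ALLOW" and the org URL are assumptions.
import json
import urllib.error
import urllib.request

RULES_PATH = "/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules"

def _urllib_get(url, headers):
    """Default transport: (url, headers) -> (status, body). Injectable below."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def list_rules(org_url, authorization, auth_server_id, policy_id, http_get=_urllib_get):
    """GET .../rules; `authorization` is the full header value ("SSWS <token>" or "Bearer <jwt>")."""
    url = org_url.rstrip("/") + RULES_PATH.format(authServerId=auth_server_id, policyId=policy_id)
    status, body = http_get(url, {"Accept": "application/json", "Authorization": authorization})
    if status == 200:
        return json.loads(body)
    # Distinct exceptions for the documented error codes so callers can react differently.
    if status == 403:
        raise PermissionError("403: token lacks okta.authorizationServers.read")
    if status == 404:
        raise LookupError("404: authServerId or policyId not found")
    if status == 429:
        raise ConnectionError("429: rate limited, retry with backoff")
    raise RuntimeError(f"unexpected HTTP {status}")

def audit_rule(rule):
    """Findings for one ACTIVE rule whose conditions are wider than a least-privilege baseline."""
    if rule.get("status") != "ACTIVE":
        return []  # INACTIVE rules are reported nowhere; reactivation is a separate review
    cond = rule.get("conditions") or {}

    def included(name):
        return set((cond.get(name) or {}).get("include") or [])

    findings = []
    if "ALL_CLIENTS" in included("clients"):
        findings.append("clients: every client on this server matches")
    if "implicit" in included("grantTypes"):
        findings.append("grantTypes: implicit grant permitted")
    if "*" in included("scopes"):
        findings.append("scopes: wildcard scope")
    groups = ((cond.get("people") or {}).get("groups") or {}).get("include") or []
    if "EVERYONE" in groups:
        findings.append("people: EVERYONE group included")
    if (cond.get("network") or {}).get("connection") == "ANYWHERE":
        findings.append("network: ANYWHERE, no zone restriction")
    return [f"{rule.get('name')} ({rule.get('id')}): {f}" for f in findings]

def audit_policy(org_url, authorization, auth_server_id, policy_id, http_get=_urllib_get):
    rules = list_rules(org_url, authorization, auth_server_id, policy_id, http_get)
    return [f for rule in rules for f in audit_rule(rule)]

def build_rule(name, priority, client_ids, grant_types, scopes, group_ids):
    """Create-endpoint body scoped to explicit clients, grant types, scopes and groups."""
    return {
        "name": name, "priority": priority, "status": "ACTIVE", "type": "ACCESS_POLICY",
        "actions": {"appSignOn": {"access": "ALLOW"}},  # "ALLOW" is assumed, not on the page
        "conditions": {
            "clients": {"include": list(client_ids)},
            "grantTypes": {"include": list(grant_types)},
            "scopes": {"include": list(scopes)},
            "people": {"groups": {"include": list(group_ids)}},
        },
    }

# Constructed sample List response (not captured from a real org).
SAMPLE_RULES = [
    {"id": "rule_a", "name": "Default Policy Rule", "priority": 1, "status": "ACTIVE", "system": False,
     "type": "ACCESS_POLICY", "conditions": {
         "clients": {"include": ["ALL_CLIENTS"]}, "grantTypes": {"include": ["implicit", "authorization_code"]},
         "scopes": {"include": ["*"]}, "people": {"groups": {"include": ["EVERYONE"]}}}},
    {"id": "rule_b", "name": "Billing service", "priority": 2, "status": "ACTIVE", "system": False,
     "type": "ACCESS_POLICY", "conditions": {
         "clients": {"include": ["client_billing_svc"]}, "grantTypes": {"include": ["client_credentials"]},
         "scopes": {"include": ["billing.read"]}, "network": {"connection": "ZONE", "include": ["zone_corp"]}}},
]

def fake_get(url, headers):
    """Offline stand-in for the List endpoint, serving SAMPLE_RULES."""
    if not url.endswith("/policies/00plrilJ7jZ66Gn0X0g3/rules"):
        return 404, b"{}"
    return 200, json.dumps(SAMPLE_RULES).encode()

if __name__ == "__main__":
    for line in audit_policy("https://example.okta.com", "SSWS <token>",
                             "GeGRTEr7f3yu2n7grw22", "00plrilJ7jZ66Gn0X0g3", http_get=fake_get):
        print(line)
```

Run it as-is and it reports four findings against the constructed "Default Policy Rule" and none against the scoped billing rule; pass the default transport instead of `fake_get` to run the same audit against a real org with a token that carries okta.authorizationServers.read. The 403 branch is the one worth keeping separate in automation: it means the token lacks the scope, not that the policy is absent.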

Retrieve a Policy Rule
OAuth 2.0: okta.authorizationServers.read

Retrieves a policy rule by ruleId

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
ruleId
required
string

id of the Policy Rule

Example: ruld3hJ7jZh4fn0st0g3
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}
Response samples
application/json
{
  "created": "2019-08-24T14:15:22Z",
  "id": "string",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "name": "string",
  "priority": 0,
  "status": "ACTIVE",
  "system": false,
  "type": "ACCESS_POLICY",
  "actions": {
    "appSignOn": {}
  },
  "conditions": {
    "app": {},
    "apps": {},
    "authContext": {},
    "authProvider": {},
    "beforeScheduledAction": {},
    "clients": {},
    "context": {},
    "device": {},
    "grantTypes": {},
    "groups": {},
    "identityProvider": {},
    "mdmEnrollment": {},
    "network": {},
    "people": {},
    "platform": {},
    "risk": {},
    "riskScore": {},
    "scopes": {},
    "userIdentifier": {},
    "users": {},
    "userStatus": {},
    "elCondition": {},
    "userType": {}
  }
}

Replace a Policy Rule
OAuth 2.0: okta.authorizationServers.manage

Replaces the configuration of the Policy Rule defined in the specified Custom Authorization Server and Policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
ruleId
required
string

id of the Policy Rule

Example: ruld3hJ7jZh4fn0st0g3
Request Body schema: application/json
required
id
string

Identifier for the rule

name
string

Name of the rule

priority
integer

Priority of the rule

status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
system
boolean
Default: false

Specifies whether Okta created the Policy Rule (system=true). You can't delete Policy Rules that have system set to true.

type
string (PolicyRuleType)

Rule type

object (AccessPolicyRuleActions)
object (AccessPolicyRuleApplicationSignOn)
access
string
object (VerificationMethod)
object (AccessPolicyRuleConditions)
object (AppAndInstancePolicyRuleCondition)
Array of objects (AppAndInstanceConditionEvaluatorAppOrInstance)
Array of objects (AppAndInstanceConditionEvaluatorAppOrInstance)
object (AppInstancePolicyRuleCondition)
exclude
Array of strings
include
Array of strings
object (PolicyRuleAuthContextCondition)
authType
string (PolicyRuleAuthContextType)
Enum: "ANY" "RADIUS"
object (PasswordPolicyAuthenticationProviderCondition)
include
Array of strings
provider
string (PasswordPolicyAuthenticationProviderType)
Enum: "ACTIVE_DIRECTORY" "ANY" "LDAP" "OKTA"
object (BeforeScheduledActionPolicyRuleCondition)
object (Duration)
object (ScheduledUserLifecycleAction)
object (ClientPolicyCondition)

Specifies which clients are included in the Policy

include
Array of strings

Which clients are included in the Policy

object (ContextPolicyRuleCondition)
migrated
boolean
object (DevicePolicyRuleConditionPlatform)
rooted
boolean
trustLevel
string (DevicePolicyTrustLevel)
Enum: "ANY" "TRUSTED"
expression
string
object (DeviceAccessPolicyRuleCondition)
migrated
boolean
object
rooted
boolean
trustLevel
string
Enum: "ANY" "TRUSTED"
object (DevicePolicyRuleConditionAssurance)
managed
boolean
registered
boolean
object (GrantTypePolicyRuleCondition)

Array of grant types that this condition includes. Determines the mechanism that Okta uses to authorize the creation of the tokens.

include
Array of strings

Array of grant types that this condition includes.

object (GroupPolicyRuleCondition)

Specifies a set of Groups whose Users are to be included or excluded

exclude
Array of strings

Groups to be excluded

include
Array of strings

Groups to be included

object (IdentityProviderPolicyRuleCondition)
idpIds
Array of strings
provider
string (IdentityProviderPolicyProvider)
Enum: "ANY" "OKTA" "SPECIFIC_IDP"
object (MDMEnrollmentPolicyRuleCondition)
blockNonSafeAndroid
boolean
enrollment
string (MDMEnrollmentPolicyEnrollment)
Enum: "ANY_OR_NONE" "OMM"
object (PolicyNetworkCondition)
connection
string (PolicyNetworkConnection)

Network selection mode

Enum: "ANYWHERE" "ZONE"
exclude
Array of strings
include
Array of strings
object (PolicyPeopleCondition)

Identifies Users and Groups that are used together

object (GroupCondition)

Specifies a set of Groups whose Users are to be included or excluded

object (UserCondition)

Specifies a set of Users to be included or excluded

object (PlatformPolicyRuleCondition)
Array of objects (PlatformConditionEvaluatorPlatform)
Array of objects (PlatformConditionEvaluatorPlatform)
object (RiskPolicyRuleCondition)
behaviors
Array of strings unique
object (RiskScorePolicyRuleCondition)
level
string
object (OAuth2ScopesMediationPolicyRuleCondition)

Array of scopes that the condition includes

include
Array of strings
object (UserIdentifierPolicyRuleCondition)
attribute
string
Array of objects (UserIdentifierConditionEvaluatorPattern)
type
string (UserIdentifierType)
Enum: "ATTRIBUTE" "IDENTIFIER"
object (UserPolicyRuleCondition)

Specifies a set of Users to be included or excluded

exclude
Array of strings

Users to be excluded

include
Array of strings

Users to be included

object (InactivityPolicyRuleCondition)
object (LifecycleExpirationPolicyRuleCondition)
object (PasswordExpirationPolicyRuleCondition)
object (UserLifecycleAttributePolicyRuleCondition)
object (UserStatusPolicyRuleCondition)
value
string (PolicyUserStatus)
Enum: "ACTIVATING" "ACTIVE" "DELETED" "DELETING" "EXPIRED_PASSWORD" "INACTIVE" "PENDING" "SUSPENDED"
object (AccessPolicyRuleCustomCondition)
condition
string
object (UserTypeCondition)
exclude
Array of strings
include
Array of strings
Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

put/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}
Request samples
application/json
{
  "id": "string",
  "name": "string",
  "priority": 0,
  "status": "ACTIVE",
  "system": false,
  "type": "ACCESS_POLICY",
  "actions": {
    "appSignOn": {}
  },
  "conditions": {
    "app": {},
    "apps": {},
    "authContext": {},
    "authProvider": {},
    "beforeScheduledAction": {},
    "clients": {},
    "context": {},
    "device": {},
    "grantTypes": {},
    "groups": {},
    "identityProvider": {},
    "mdmEnrollment": {},
    "network": {},
    "people": {},
    "platform": {},
    "risk": {},
    "riskScore": {},
    "scopes": {},
    "userIdentifier": {},
    "users": {},
    "userStatus": {},
    "elCondition": {},
    "userType": {}
  }
}
Response samples
application/json
{
  "created": "2019-08-24T14:15:22Z",
  "id": "string",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "name": "string",
  "priority": 0,
  "status": "ACTIVE",
  "system": false,
  "type": "ACCESS_POLICY",
  "actions": {
    "appSignOn": {}
  },
  "conditions": {
    "app": {},
    "apps": {},
    "authContext": {},
    "authProvider": {},
    "beforeScheduledAction": {},
    "clients": {},
    "context": {},
    "device": {},
    "grantTypes": {},
    "groups": {},
    "identityProvider": {},
    "mdmEnrollment": {},
    "network": {},
    "people": {},
    "platform": {},
    "risk": {},
    "riskScore": {},
    "scopes": {},
    "userIdentifier": {},
    "users": {},
    "userStatus": {},
    "elCondition": {},
    "userType": {}
  }
}

Delete a Policy Rule
OAuth 2.0: okta.authorizationServers.manage

Deletes a Policy Rule defined in the specified Custom Authorization Server and Policy

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
ruleId
required
string

id of the Policy Rule

Example: ruld3hJ7jZh4fn0st0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}

Activate a Policy Rule
OAuth 2.0: okta.authorizationServers.manage

Activates an authorization server policy rule

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
ruleId
required
string

id of the Policy Rule

Example: ruld3hJ7jZh4fn0st0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/activate
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}

Deactivate a Policy Rule
OAuth 2.0: okta.authorizationServers.manage

Deactivates an authorization server policy rule

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
policyId
required
string

id of the Policy

Example: 00plrilJ7jZ66Gn0X0g3
ruleId
required
string

id of the Policy Rule

Example: ruld3hJ7jZh4fn0st0g3
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}
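The Retrieve, Delete, Activate and Deactivate endpoints above form a natural decommissioning sequence: deactivation returns 204 and is reversible through the activate endpoint, deletion returns 204 and is not, and rules with system set to true cannot be deleted at all. The script below is an added example, not Okta's own code, that chains those calls with the guards a practitioner would want: it refuses system rules before making any change, deactivates an ACTIVE rule and re-reads it to confirm the status flipped to INACTIVE, and only then deletes. Paths and status codes are taken from this page; the org URL and the in-memory FakeOkta transport are constructed for offline use.

```python
# Added example (not Okta's own code): retires a rule with the Retrieve,
# Deactivate and Delete endpoints. Deactivation is reversible through the
# Activate endpoint, deletion is not, so the rule is deactivated and re-read
# before it is deleted, and Okta-created (system=true) rules are refused up
# front. Paths and status codes come from the reference page; the org URL and
# the FakeOkta responses below are constructed for offline use.
import json
import urllib.error
import urllib.request

RULE_PATH = "/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}"

def _urllib_http(method, url, headers):
    """Default transport: (method, url, headers) -> (status, body). Injectable below."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def _expect(status, wanted, step):
    if status == wanted:
        return
    reason = {403: "forbidden (token lacks okta.authorizationServers.manage)",
              404: "not found", 429: "rate limited"}.get(status, f"HTTP {status}")
    raise RuntimeError(f"{step}: {reason}")

def retire_rule(org_url, authorization, auth_server_id, policy_id, rule_id, http=_urllib_http):
    """Deactivate (if ACTIVE), confirm the state change, then delete. Returns the rule
    as it was before deletion so the caller can archive it."""
    url = org_url.rstrip("/") + RULE_PATH.format(
        authServerId=auth_server_id, policyId=policy_id, ruleId=rule_id)
    headers = {"Accept": "application/json", "Authorization": authorization}
    status, body = http("GET", url, headers)
    _expect(status, 200, "retrieve")
    rule = json.loads(body)
    if rule.get("system"):
        raise ValueError(f"{rule_id} was created by Okta (system=true) and cannot be deleted")
    if rule.get("status") == "ACTIVE":
        status, _ = http("POST", url + "/lifecycle/deactivate", headers)
        _expect(status, 204, "deactivate")
        status, body = http("GET", url, headers)
        _expect(status, 200, "re-read")
        if json.loads(body).get("status") != "INACTIVE":
            raise RuntimeError("rule still ACTIVE after deactivate; not deleting")
    status, _ = http("DELETE", url, headers)
    _expect(status, 204, "delete")
    return rule

class FakeOkta:
    """Constructed in-memory stand-in for the rule endpoints (not a real org)."""

    def __init__(self, rules):
        self.rules = {r["id"]: dict(r) for r in rules}

    def __call__(self, method, url, headers):
        rule_id = url.split("/rules/", 1)[1].split("/", 1)[0]
        rule = self.rules.get(rule_id)
        if rule is None:
            return 404, b"{}"
        if method == "GET":
            return 200, json.dumps(rule).encode()
        if method == "POST" and url.endswith("/lifecycle/deactivate"):
            rule["status"] = "INACTIVE"
            return 204, b""
        if method == "POST" and url.endswith("/lifecycle/activate"):
            rule["status"] = "ACTIVE"
            return 204, b""
        if method == "DELETE":
            if rule.get("system"):  # mirrors the page's 403 sample body
                return 403, json.dumps({"errorCode": "E0000006", "errorSummary":
                    "You do not have permission to perform the requested action"}).encode()
            del self.rules[rule_id]
            return 204, b""
        return 405, b""

if __name__ == "__main__":
    fake = FakeOkta([{"id": "ruld3hJ7jZh4fn0st0g3", "name": "legacy", "status": "ACTIVE", "system": False}])
    print(retire_rule("https://example.okta.com", "SSWS <token>", "GeGRTEr7f3yu2n7grw22",
                      "00plrilJ7jZ66Gn0X0g3", "ruld3hJ7jZh4fn0st0g3", http=fake)["name"])
```

The re-read between deactivate and delete is deliberate: a 204 from the lifecycle endpoint says the request was accepted, and confirming the status through the Retrieve endpoint is what turns that into evidence for a change record. Splitting the sequence into two runs (deactivate today, delete after a soak period) is a one-line change, since the function already skips deactivation for a rule that is already INACTIVE.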