The Inline Hooks API provides operations to manage inline hooks for your organization.
For general information on inline hooks and how to create and use them, see inline hooks. The following documentation is only for the management API, which provides a CRUD interface for registering inline hooks.
okta.inlineHooks.read
Lists all inline hooks or all inline hooks of a specific type.
When listing a specific inline hook, you need to specify its type. The following types are currently supported:
Type Value | Name |
---|---|
com.okta.import.transform |
User import inline hook |
com.okta.oauth2.tokens.transform |
Token inline hook |
com.okta.saml.tokens.transform |
SAML assertion inline hook |
com.okta.telephony.provider |
Telephony inline hook |
com.okta.user.credential.password.import |
Password import inline hook |
com.okta.user.pre-registration |
Registration inline hook |
Success
Forbidden
Too Many Requests
[- {
- "id": "calb7gacafgwgE7hc5e4",
- "status": "ACTIVE",
- "name": "Token hook with HTTP authentication",
- "type": "com.okta.oauth2.tokens.transform",
- "version": "1.0.0",
- "channel": {
- "type": "HTTP",
- "version": "1.0.0",
- "config": {
- "headers": [ ],
- "method": "POST",
- "authScheme": {
- "type": "header",
- "key": "authorization"
}
}
}, - "created": "2024-08-22T21:01:09.000Z",
- "lastUpdated": "2024-09-05T16:06:09.000Z",
- "_links": {
- "activate": {
- "hints": {
- "allow": [
- "POST"
]
}
}, - "delete": {
- "hints": {
- "allow": [
- "DELETE"
]
}
}
}
}, - {
- "id": "calj4fythrqj5Bxol5e5",
- "status": "ACTIVE",
- "name": "Registration hook with OAuth 2.0 Client Secret Post",
- "type": "com.okta.user.pre-registration",
- "version": "1.0.0",
- "channel": {
- "type": "OAUTH",
- "version": "1.0.0",
- "config": {
- "headers": [ ],
- "method": "POST",
- "authScheme": null,
- "clientId": "0oaj43vkrq7wKxZSI5e6",
- "tokenUrl": "https:/subdomain.okta.com/oauth2/default/v1/token\"",
- "authType": "client_secret_post",
- "scope": null
}
}, - "created": "2024-08-22T21:01:09.000Z",
- "lastUpdated": "2024-09-05T16:06:09.000Z",
- "_links": {
- "execute": {
- "hints": {
- "allow": [
- "POST"
]
}
}, - "deactivate": {
- "hints": {
- "allow": [
- "POST"
]
}
}
}
}, - {
- "id": "calj4fythrqj5Bxol4ai6",
- "status": "ACTIVE",
- "name": "Token Hook with OAuth 2.0 Private Key JWT",
- "type": "com.okta.oauth2.tokens.transform",
- "version": "1.0.0",
- "channel": {
- "type": "OAUTH",
- "version": "1.0.0",
- "config": {
- "headers": [ ],
- "method": "POST",
- "authScheme": null,
- "clientId": "0oaj43vkrq7wKxZSI5d7",
- "tokenUrl": "https:/subdomain.okta.com/oauth2/default/v1/token\"",
- "authType": "private_key_jwt",
- "scope": null,
- "hookKeyId": "HKYj4ft1a3fjmwZg05d6"
}, - "created": "2024-08-22T21:01:09.000Z"
}, - "lastUpdated": "2024-09-05T16:06:09.000Z",
- "_links": {
- "execute": {
- "hints": {
- "allow": [
- "POST"
]
}
}, - "deactivate": {
- "hints": {
- "allow": [
- "POST"
]
}
}
}
}
]
okta.inlineHooks.manage
Creates an inline hook
This endpoint creates an inline hook for your org in an ACTIVE
status. You need to pass an inline hooks object in the JSON payload of your request.
That object represents the set of required information about the inline hook that you're registering, including:
There are two authentication options that you can configure for your inline hook: HTTP headers and OAuth 2.0 tokens.
HTTP headers let you specify a secret API key that you want Okta to pass to your external service endpoint (so that your external service can check for its presence as a security measure).
Note: The API key that you set here is unrelated to the Okta API token you must supply when making calls to Okta APIs.
You can also optionally specify extra headers that you want Okta to pass to your external service with each call.
To configure HTTP header authentication, see parameters for the config
object.
OAuth 2.0 tokens provide enhanced security between Okta and your external service. You can configure these tokens for the following types—client secret and private key.
Note: Your external service's endpoint needs to be a valid HTTPS endpoint. The URI you specify should always begin with
https://
.
The total number of inline hooks that you can create in an Okta org is limited to 50, which is a combined total for any combination of inline hook types.
Success
Bad Request
Forbidden
Too Many Requests
{- "name": "Token hook with HTTP authentication",
- "type": "com.okta.oauth2.tokens.transform",
- "version": "1.0.0",
- "channel": {
- "type": "HTTP",
- "version": "1.0.0",
- "config": {
- "headers": [
- {
- "key": "x-any-key",
- "value": "my-header-value"
}
], - "method": "POST",
- "authScheme": {
- "type": "HEADER",
- "key": "Authorization",
- "value": "my-shared-secret"
}
}
}
}
{- "id": "calb7gacafgwgE7hc5e4",
- "status": "ACTIVE",
- "name": "Token hook with HTTP authentication",
- "type": "com.okta.oauth2.tokens.transform",
- "version": "1.0.0",
- "channel": {
- "type": "HTTP",
- "version": "1.0.0",
- "config": {
- "headers": [ ],
- "method": "POST",
- "authScheme": {
- "type": "header",
- "key": "authorization"
}
}
}, - "created": "2024-08-22T21:01:09.000Z",
- "lastUpdated": "2024-09-05T16:06:09.000Z",
- "_links": {
- "activate": {
- "hints": {
- "allow": [
- "POST"
]
}
}, - "delete": {
- "hints": {
- "allow": [
- "DELETE"
]
}
}
}
}
okta.inlineHooks.read
Retrieves an inline hook by inlineHookId
Success
Forbidden
Not Found
Too Many Requests
{- "id": "calb7gacafgwgE7hc5e4",
- "status": "ACTIVE",
- "name": "Token hook with HTTP authentication",
- "type": "com.okta.oauth2.tokens.transform",
- "version": "1.0.0",
- "channel": {
- "type": "HTTP",
- "version": "1.0.0",
- "config": {
- "headers": [ ],
- "method": "POST",
- "authScheme": {
- "type": "header",
- "key": "authorization"
}
}
}, - "created": "2024-08-22T21:01:09.000Z",
- "lastUpdated": "2024-09-05T16:06:09.000Z",
- "_links": {
- "activate": {
- "hints": {
- "allow": [
- "POST"
]
}
}, - "delete": {
- "hints": {
- "allow": [
- "DELETE"
]
}
}
}
}
okta.inlineHooks.manage
Updates an inline hook by inlineHookId
object (InlineHookChannelCreate) | |||||||||||||||||
| |||||||||||||||||
name | string [ 1 .. 255 ] The display name of the inline hook | ||||||||||||||||
version | string Version of the inline hook type. The currently supported version is |
Success
Bad Request
Forbidden
Not Found
Too Many Requests
{- "name": "New name token hook with HTTP authentication",
- "version": "1.0.0",
- "channel": {
- "type": "HTTP",
- "version": "1.0.0",
- "config": {
- "headers": [
- {
- "key": "x-any-key",
- "value": "my-header-value"
}
], - "method": "POST",
- "authScheme": {
- "type": "HEADER",
- "key": "Authorization",
- "value": "my-shared-secret"
}
}
}
}
{- "id": "calb7gacafgwgE7hc5e4",
- "status": "ACTIVE",
- "name": "New name token hook with HTTP authentication",
- "type": "com.okta.oauth2.tokens.transform",
- "version": "1.0.0",
- "channel": {
- "type": "HTTP",
- "version": "1.0.0",
- "config": {
- "headers": [ ],
- "method": "POST",
- "authScheme": {
- "type": "header",
- "key": "authorization"
}
}
}, - "created": "2024-08-22T21:01:09.000Z",
- "lastUpdated": "2024-09-05T16:06:09.000Z",
- "_links": {
- "activate": {
- "hints": {
- "allow": [
- "POST"
]
}
}, - "delete": {
- "hints": {
- "allow": [
- "DELETE"
]
}
}
}, - "description": "Inline hook response with a new name"
}
okta.inlineHooks.manage
Replaces an inline hook by inlineHookId
. The submitted inline hook properties replace the existing properties after passing validation.
Note: Some properties are immutable and can't be updated.
object (InlineHookChannelCreate) | |||||||||||||||||
| |||||||||||||||||
name | string [ 1 .. 255 ] The display name of the inline hook | ||||||||||||||||
version | string Version of the inline hook type. The currently supported version is |
Success
Bad Request
Forbidden
Not Found
Too Many Requests
{- "name": "New name token hook with HTTP authentication",
- "version": "1.0.0",
- "channel": {
- "type": "HTTP",
- "version": "1.0.0",
- "config": {
- "headers": [
- {
- "key": "x-any-key",
- "value": "my-header-value"
}
], - "method": "POST",
- "authScheme": {
- "type": "HEADER",
- "key": "Authorization",
- "value": "my-shared-secret"
}
}
}
}
{- "id": "calb7gacafgwgE7hc5e4",
- "status": "ACTIVE",
- "name": "New name token hook with HTTP authentication",
- "type": "com.okta.oauth2.tokens.transform",
- "version": "1.0.0",
- "channel": {
- "type": "HTTP",
- "version": "1.0.0",
- "config": {
- "headers": [ ],
- "method": "POST",
- "authScheme": {
- "type": "header",
- "key": "authorization"
}
}
}, - "created": "2024-08-22T21:01:09.000Z",
- "lastUpdated": "2024-09-05T16:06:09.000Z",
- "_links": {
- "activate": {
- "hints": {
- "allow": [
- "POST"
]
}
}, - "delete": {
- "hints": {
- "allow": [
- "DELETE"
]
}
}
}, - "description": "Inline hook response with a new name"
}
okta.inlineHooks.manage
Deletes an inline hook by inlineHookId
. After it's deleted, the inline hook is unrecoverable. As a safety precaution, only inline hooks with a status of INACTIVE
are eligible for deletion.
No Content
Forbidden
Not Found
Too Many Requests
{- "errorCode": "E0000006",
- "errorSummary": "You do not have permission to perform the requested action",
- "errorLink": "E0000006",
- "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
- "errorCauses": [ ]
}
okta.inlineHooks.manage
Executes the inline hook that matches the provided inlineHookId
by using the request body as the input. This inline hook sends the provided
data through the channel
object and returns a response if it matches the correct data contract. Otherwise it returns an error. You need to
construct a JSON payload that matches the payloads that Okta would send to your external service for this inline hook type.
A timeout of three seconds is enforced on all outbound requests, with one retry in the event of a timeout or an error response from the remote system. If a successful response isn't received after the request, a 400 error is returned with more information about what failed.
Note: This execution endpoint isn't tied to any other functionality in Okta, and you should only use it for testing purposes.
Password import inline hook request
cloudEventVersion | string The inline hook cloud version | ||||||||||||
contentType | string The inline hook request header content | ||||||||||||
eventId | string The individual inline hook request ID | ||||||||||||
eventTime | string The time the inline hook request was sent | ||||||||||||
eventTypeVersion | string The inline hook version | ||||||||||||
object (PasswordImportRequestData) | |||||||||||||
| |||||||||||||
eventType | string The type of inline hook. The password import inline hook type is | ||||||||||||
source | string The ID and URL of the password import inline hook |
Success
Bad Request
Forbidden
Not Found
Too Many Requests
{- "eventId": "3o9jBzq1SmOGmmsDsqyyeQ",
- "eventTime": "2020-01-17T21:23:56.000Z",
- "eventType": "com.okta.user.credential.password.import",
- "eventTypeVersion": "1.0",
- "contentType": "application/json",
- "cloudEventVersion": "0.1",
- "data": {
- "context": {
- "request": {
- "id": "XiIl6wn7005Rr@fjYqeC7CCDBxw",
- "method": "POST",
- "url": {
- "value": "/idp/idx/challenge/answer"
}, - "ipAddress": "66.124.153.138"
}, - "credential": {
- "username": "isaac.brock@example.com",
- "password": "Okta"
}
}, - "action": {
- "credential": "UNVERIFIED"
}
}
}
{- "commands": [
- {
- "type": "com.okta.action.update",
- "value": {
- "credential": "VERIFIED"
}
}
]
}
okta.inlineHooks.manage
Activates the inline hook by inlineHookId
Success
Forbidden
Not Found
Too Many Requests
{- "id": "calj4fythrqj5Bxol5e5",
- "status": "ACTIVE",
- "name": "Registration hook with OAuth 2.0 Client Secret Post",
- "type": "com.okta.user.pre-registration",
- "version": "1.0.0",
- "channel": {
- "type": "OAUTH",
- "version": "1.0.0",
- "config": {
- "headers": [ ],
- "method": "POST",
- "authScheme": null,
- "clientId": "0oaj43vkrq7wKxZSI5e6",
- "tokenUrl": "https:/subdomain.okta.com/oauth2/default/v1/token\"",
- "authType": "client_secret_post",
- "scope": null
}
}, - "created": "2024-08-22T21:01:09.000Z",
- "lastUpdated": "2024-09-05T16:06:09.000Z",
- "_links": {
- "execute": {
- "hints": {
- "allow": [
- "POST"
]
}
}, - "deactivate": {
- "hints": {
- "allow": [
- "POST"
]
}
}
}
}
okta.inlineHooks.manage
Deactivates the inline hook by inlineHookId
Success
Forbidden
Not Found
Too Many Requests
{- "id": "calb7gacafgwgE7hc5e4",
- "status": "INACTIVE",
- "name": "Token hook with HTTP authentication",
- "type": "com.okta.oauth2.tokens.transform",
- "version": "1.0.0",
- "channel": {
- "type": "HTTP",
- "version": "1.0.0",
- "config": {
- "headers": [ ],
- "method": "POST",
- "authScheme": {
- "type": "header",
- "key": "authorization"
}
}
}, - "created": "2024-08-22T21:01:09.000Z",
- "lastUpdated": "2024-09-05T16:06:09.000Z",
- "_links": {
- "activate": {
- "hints": {
- "allow": [
- "POST"
]
}
}, - "delete": {
- "hints": {
- "allow": [
- "DELETE"
]
}
}
}
}
Creates an Okta Telephony inline hook request. This is an automated request from Okta to your third-party service endpoint.
The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.
Note: The size of your response payload must be less than 256 KB.
See also:
The Okta telephony inline hook allows you to integrate your own custom code into Okta flows that send SMS or voice call messages. You can integrate this hook with enrollment, authentication, and recovery flows that involve the phone authenticator. Okta uses your external provider to deliver the one-time passcode (OTP) to the Requester. The provider can respond with commands that indicate if the delivery was successful or not.
You can have only one active telephony inline hook per org.
When you create a telephony inline hook, you must include the authScheme
parameter. See Create inline hook and the authScheme object.
If the provider response times out, Okta attempts to send the OTP using the Okta telephony providers. See Troubleshoot.
Note: The failover mechanism that uses the Okta telephony providers is heavily rate-limited.
This section explains several common causes of failure for telephony inline hooks.
Note: Administrators can use the Okta System Log to view errors. See the Troubleshooting section in the inline hooks topic for details on events captured by the Okta System Log.
Issue | Impact | Error Visibility |
---|---|---|
External service fails to communicate or times out | Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider | Administrators only |
External service responds with any HTTP status code besides 200 |
Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider | Administrators only |
External service returns an error object | Inline hook operation fails, OTP is sent to the Requester using an Okta telephony provider | Administrators, developers, and end users |
Hook response is malformed or can't be mapped to the expected API response | Inline hook operation is skipped | Administrators only |
Request header doesn't include an authScheme |
Inline hook operation is skipped | Administrators only |
Response uses an invalid status | Inline hook operation is skipped | Administrators only |
Operation adds an active telephony inline hook when a hook exists | Inline hook operation is skipped | Administrators only |
cloudEventVersion | string The inline hook cloud version | ||||||||||||||||||||||||||
contentType | string The inline hook request header content | ||||||||||||||||||||||||||
eventId | string The individual inline hook request ID | ||||||||||||||||||||||||||
eventTime | string The time the inline hook request was sent | ||||||||||||||||||||||||||
eventTypeVersion | string The inline hook version | ||||||||||||||||||||||||||
object (TelephonyRequestData) | |||||||||||||||||||||||||||
| |||||||||||||||||||||||||||
eventType | string The type of inline hook. The Telephony inline hook type is | ||||||||||||||||||||||||||
requestType | string The type of inline hook request. For example, | ||||||||||||||||||||||||||
source | string The ID and URL of the Telephony inline hook |
Successful response
Forbidden
{- "eventId": "uS5871kJThSsU8qlA1LTcg",
- "eventTime": "2020-01-17T21:23:56.000Z",
- "eventType": "com.okta.telephony.provider",
- "eventTypeVersion": "1.0",
- "contentType": "application/json",
- "cloudEventVersion": "0.1",
- "data": {
- "context": {
- "request": {
- "id": "reqRgSk8IBBRhuo0YdlEDTmUw",
- "method": "POST",
- "url": {
- "value": "/api/internal/v1/inlineHooks/com.okta.telephony.provider/generatePreview"
}, - "ipAddress": "127.0.0.1"
}
}, - "userProfile": {
- "firstName": "test",
- "lastName": "user",
- "login": "test.user@okta.com",
- "userId": "00uyxxSknGtK8022w0g3"
}, - "messageProfile": {
- "msgTemplate": "(HOOK)Your code is 11111",
- "phoneNumber": 9876543210,
- "otpExpires": "2022-01-28T21:48:34.321Z",
- "deliveryChannel": "SMS",
- "otpCode": 11111,
- "locale": "EN-US"
}
}
}
{- "commands": [
- {
- "type": "com.okta.telephony.action"
}, - {
- "value": {
- "status": "FAILURE",
- "provider": "VONAGE",
- "transactionId": "SM49a8ece2822d44e4adaccd7ed268f954",
- "transactionMetadata": "Duration=300ms"
}
}
]
}
Creates a password import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.
Note: The size of your response payload must be less than 256 KB.
The password import inline hook allows you to migrate users from another data store where you want the users to retain their current passwords. Use this hook with the Create user with password import inline hook flow that's described in the Users API.
The password import inline hook is triggered when the user tries to sign in to Okta for the first time. Okta sends your external service the password that the user supplied. Your external service then needs to send a response to Okta indicating whether the password supplied by the end user is valid.
If your service returns a response that indicates that the password is valid, Okta sets the password for the user. The password import inline hook won't need to call your service again. However, if the Okta service is in read-only mode, it might not be possible to set the password. Okta then needs to call your service again the next time the user attempts to sign in. See Password inline hook and Okta read-only mode and Removing password from existing user store.
Notes:
- Password policies don't apply to the password import inline hook. That is, if your external service validates the password, the password is imported even if it doesn't meet the Okta password policy requirements.
- You can create only one password import inline hook per org.
See also:
To enable a password import inline hook, you first need to register your external service endpoint with Okta and configure it as an inline hook of type com.okta.user.credential.password.import
.
You can enable the hook using the Admin Console, see Add an inline hook or through the Inline Hooks management API.
When creating a user with the Users API, you need to use the Create User with password import inline hook use case.
This involves specifying a credentials.password.hook
property in the request body.
When the user that you have added attempts to sign in to Okta for the first time, the hook is triggered and Okta calls your external service. The call sends the credentials that the end user provided. Your service can check the credentials and respond with a command to indicate whether the credentials are valid or not.
If your external service responds to Okta indicating that the credentials are valid, Okta saves the password and can authenticate the user independently from then on. However, if your Okta org is in a special read-only mode at the time the user signs in, then saving the password might not be possible. The next time the end user attempts to sign in, the password import inline hook needs to be called again.
Because of the possibility of your org being in a special service mode, you shouldn't attempt to permanently delete user passwords from your existing user store until you can verify the success of the password import . An Okta System Log Event, user.import.password
, is available for this purpose. An event of this type is created every time a password import inline hook is fired, with its Event.Outcome
property providing a status of FAILURE
or SUCCESS
for the password import operation.
If the status is SUCCESS
, Okta has successfully saved the end user's password, and it's safe to delete it from your previous user store.
You can configure an Event hook to send this event type to you for use when triggering automated cleanup of end-user passwords after successful migration.
cloudEventVersion | string The inline hook cloud version | ||||||||||||
contentType | string The inline hook request header content | ||||||||||||
eventId | string The individual inline hook request ID | ||||||||||||
eventTime | string The time the inline hook request was sent | ||||||||||||
eventTypeVersion | string The inline hook version | ||||||||||||
object (PasswordImportRequestData) | |||||||||||||
| |||||||||||||
eventType | string The type of inline hook. The password import inline hook type is | ||||||||||||
source | string The ID and URL of the password import inline hook |
Successful response
No content - Unverified user response
Forbidden
{- "eventId": "3o9jBzq1SmOGmmsDsqyyeQ",
- "eventTime": "2020-01-17T21:23:56.000Z",
- "eventType": "com.okta.user.credential.password.import",
- "eventTypeVersion": "1.0",
- "contentType": "application/json",
- "cloudEventVersion": "0.1",
- "data": {
- "context": {
- "request": {
- "id": "XiIl6wn7005Rr@fjYqeC7CCDBxw",
- "method": "POST",
- "url": {
- "value": "/idp/idx/challenge/answer"
}, - "ipAddress": "66.124.153.138"
}, - "credential": {
- "username": "isaac.brock@example.com",
- "password": "Okta"
}
}, - "action": {
- "credential": "UNVERIFIED"
}
}
}
{- "commands": [
- {
- "type": "com.okta.action.update",
- "value": {
- "credential": "VERIFIED"
}
}
]
}
Creates a registration inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.
The Okta registration inline hook allows you to integrate your own custom code into Okta's Profile Enrollment flow. The hook is triggered after Okta receives the registration or profile update request. Your custom code can:
Note: Profile Enrollment and self-service registration (SSR) inline hooks only work with the Okta Sign-In Widget version 4.5 or later.
See also:
cloudEventVersion | string The inline hook cloud version | ||||||||||||
contentType | string The inline hook request header content | ||||||||||||
eventId | string The individual inline hook request ID | ||||||||||||
eventTime | string The time the inline hook request was sent | ||||||||||||
eventTypeVersion | string The inline hook version | ||||||||||||
eventType | string The type of inline hook. The registration inline hook type is | ||||||||||||
requestType | string (RegistrationInlineHookRequestType) The type of registration hook. Use either | ||||||||||||
source | string The ID of the registration inline hook | ||||||||||||
object | |||||||||||||
|
Successful response
No content - Allow registration to proceed without any update.
{- "eventId": "04Dmt8BcT_aEgM",
- "eventTime": "2022-04-25T17:35:27.000Z",
- "eventType": "com.okta.user.pre-registration",
- "eventTypeVersion": 1,
- "contentType": "application/json",
- "cloudEventVersion": 0.1,
- "source": "regt4qeBKU29vSoPz0g3",
- "requestType": "self.service.registration",
- "data": {
- "context": {
- "request": {
- "method": "POST",
- "ipAddress": "127.0.0.1",
- "id": "123testId456",
- "url": {
- "value": "/idp/idx/enroll/new"
}
}
}, - "userProfile": {
- "firstName": "Rosario",
- "lastName": "Jones",
- "login": "rosario.jones@example.com",
- "email": "rosario.jones@example.com"
}, - "action": "ALLOW"
}
}
{- "commands": [
- {
- "type": "com.action.update",
- "value": {
- "registration": "ALLOW"
}
}
]
}
Creates a user import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.
The user import inline hook enables you to add custom logic to the process of importing new users into Okta from an app. You can resolve conflicts in user name or other profile attributes, modify values of profile attributes, and control whether the imported user is treated as a match for an existing user or not. The hook is invoked for each user being imported, at the point immediately after any applicable profile attribute mappings have been applied, and any potential matches with existing users have been found, but before the Okta user profile is created.
Note: If the external service times out after receiving an Okta request, the Okta process flow continues and the user is created.
See also:
Note: The procedure for associating a user import inline hook with an app using the Admin Console can't be used with AD or LDAP.
cloudEventVersion | string The inline hook cloud version | ||||||||||||||||||||||||||||||||||||||
contentType | string The inline hook request header content | ||||||||||||||||||||||||||||||||||||||
eventId | string The individual inline hook request ID | ||||||||||||||||||||||||||||||||||||||
eventTime | string The time the inline hook request was sent | ||||||||||||||||||||||||||||||||||||||
eventTypeVersion | string The inline hook version | ||||||||||||||||||||||||||||||||||||||
object (UserImportRequestData) | |||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||
eventType | string The type of inline hook. The user import inline hook type is | ||||||||||||||||||||||||||||||||||||||
source | string The ID of the user import inline hook |
Successful response
No content - Use the default action
Forbidden
{- "source": "cal7eyxOsnb20oWbZ0g4",
- "eventId": "JUGOUiYZTaKPmH6db0nDag",
- "eventTime": "2019-02-27T20:59:04.000Z",
- "eventTypeVersion": "1.0",
- "cloudEventVersion": "0.1",
- "eventType": "com.okta.import.transform",
- "contentType": "application/json",
- "data": {
- "context": {
- "conflicts": [
- "login"
], - "application": {
- "name": "test_app",
- "id": "0oa7ey7aLRuBvcYUD0g4",
- "label": "Test App",
- "status": "ACTIVE"
}, - "job": {
- "id": "ij17ez2AWtMZRfCZ60g4",
- "type": "import:users"
}, - "matches": [ ],
- "policy": [
- "EMAIL",
- "FIRST_AND_LAST_NAME"
]
}, - "action": {
- "result": "CREATE_USER"
}, - "appUser": {
- "profile": {
- "firstName": "Sally2",
- "lastName": "Admin2",
- "mobilePhone": null,
- "accountType": "PRO",
- "secondEmail": null,
- "failProvisioning": null,
- "failDeprovisioning": null,
- "externalId": "user221",
- "groups": [
- "everyone@examplee.net",
- "tech@example.net"
], - "userName": "administrator2",
- "email": "sally.admin@example.net"
}
}, - "user": {
- "profile": {
- "lastName": "Admin2",
- "zipCode": null,
- "city": null,
- "secondEmail": null,
- "postAddress": null,
- "login": "sally.admin@example.net",
- "firstName": "Sally2",
- "primaryPhone": null,
- "mobilePhone": null,
- "streetAddress": null,
- "countryCode": null,
- "typeId": null,
- "state": null,
- "email": "sally.admin@example.net"
}
}
}
}
{- "commands": [
- {
- "type": "com.okta.appUser.profile.update",
- "value": {
- "firstName": "Stan"
}
}
]
}
Creates a SAML Assertion inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.
This type of inline hook is triggered when Okta generates a SAML assertion in response to an authentication request. Before sending the SAML assertion to the app that will consume it, Okta calls out to your external service. Your external service can respond with commands to add attributes to the assertion or to modify its existing attributes.
You can use this functionality to add data to assertions, which might be data that is sensitive, calculated at runtime, or complexly-structured and not appropriate for storing in Okta user profiles. Data added this way is never logged or stored by Okta. As an example, SAML assertions generated for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta.
This inline hook works only when using custom SAML apps, not apps from the OIN.
See also:
Specify the location within the assertion where you want to apply your operation using a slash-delimited path, which follows JSON Patch conventions.
When you perform an add
op to add a new attribute statement, begin with /claims/
and follow that with the name of the new attribute that you're adding.
When you modify an existing assertions statement, begin the path with /subject/
, /authentication/
, /conditions/
, or /claims/
, depending on which part of the assertion you want to modify. You then look deeper within the child elements using slash-delimited element names, for example, /claims/array/attributeValues/1/value
. (The /1/
in the path indicates the index of the array, using zero-based indexing.)
Okta supports URI claims with SAML assertion hooks. When you need to replace or add a URI claim, encode the claim name within the command per the JavaScript Object Notation (JSON) Pointer specification. Specifically, this replaces ~
with ~0
and /
with ~1
.
In some scenarios, your service provider may require the SessionNotOnOrAfter
attribute for the <saml:AuthnStatement>
in the SAML assertion, which sets the provider session time correctly. Use add
op with the path /authentication/sessionLifetime
and a value for session lifetime in seconds to add this attribute. Okta calculates SessionNotOnOrAfter
by adding the /authentication/sessionLifetime
value to the issueInstant
attribute and returns it in the SAML `data.assertion.
cloudEventVersion | string The inline hook cloud version | ||||||||||||||||||||||||||
contentType | string The inline hook request header content | ||||||||||||||||||||||||||
eventId | string The individual inline hook request ID | ||||||||||||||||||||||||||
eventTime | string The time the inline hook request was sent | ||||||||||||||||||||||||||
eventTypeVersion | string The inline hook version | ||||||||||||||||||||||||||
object | |||||||||||||||||||||||||||
| |||||||||||||||||||||||||||
eventType | string The type of inline hook. The SAML assertion inline hook type is | ||||||||||||||||||||||||||
source | string The ID and URL of the SAML assertion inline hook |
Successful response
No content - Use the default action
Forbidden
{- "eventId": "XMFoHCM1S4Wi_SGWzL8T9A",
- "eventTime": "2019-03-28T19:15:23.000Z",
- "data": {
- "context": {
- "request": {
- "id": "reqqXypjzYJRSu2j1G1imUovA",
- "method": "GET",
- "ipAddress": "127.0.0.1"
}, - "protocol": {
- "type": "SAML2.0",
- "issuer": {
- "id": "0oath92zlO60urQOP0g3",
- "name": "SAML 2.0 App",
}
}, - "session": {
- "id": "102LN9Bnuc4S_ewfc9BYwageA",
- "userId": "00uq8tMo3zV0OfJON0g3",
- "login": "user@example.com",
- "createdAt": "2019-03-28T16:45:55.000Z",
- "expiresAt": "2019-03-28T21:15:23.000Z",
- "status": "ACTIVE",
- "lastPasswordVerification": "2019-03-28T16:45:55.000Z",
- "amr": [
- "PASSWORD"
], - "idp": {
- "id": "00oq6kcVwvrDY2YsS0g3",
- "type": "OKTA"
}, - "mfaActive": false
}, - "user": {
- "id": "00uq8tMo3zV0OfJON0g3",
- "passwordChanged": "2018-09-11T23:19:12.000Z",
- "profile": {
- "login": "user@example.com",
- "firstName": "Admin",
- "lastName": "Last",
- "locale": "en",
- "timeZone": "America/Los_Angeles"
}, - "_links": {
}
}
}, - "assertion": {
- "subject": {
- "nameId": "user@example.com",
- "nameFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
- "confirmation": {
- "method": "urn:oasis:names:tc:SAML:2.0:cm:bearer",
}
}, - "authentication": {
- "sessionIndex": "id1553800523546.312669168",
- "authnContext": {
- "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
}
}, - "conditions": {
- "audienceRestriction": [
- "urn:example:sp"
]
}, - "claims": {
- "extPatientId": {
- "attributes": {
- "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
}, - "attributeValues": [
- {
- "attributes": {
- "xsi:type": "xs:integer"
}, - "value": "4321"
}
]
}, - "array": {
- "attributes": {
- "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
}, - "attributeValues": [
- {
- "attributes": {
- "xsi:type": "xs:string"
}, - "value": "Array 1"
}, - {
- "attributes": {
- "xsi:type": "xs:string"
}, - "value": "Array2"
}, - {
- "attributes": {
- "xsi:type": "xs:string"
}, - "value": "Array3"
}
]
}, - "middle": {
- "attributes": {
- "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
}, - "attributeValues": [
- {
- "attributes": {
- "xsi:type": "xs:string"
}, - "value": "admin"
}
]
}, - "firstAndLast": {
- "attributes": {
- "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
}, - "attributeValues": [
- {
- "attributes": {
- "xsi:type": "xs:string"
}, - "value": "7d6a50c8-4d7e-4058-9c5b-2cc98cecd294"
}
]
}
}, - "lifetime": {
- "expiration": 300
}
}
}, - "eventTypeVersion": "1.0",
- "cloudEventVersion": "0.1",
- "eventType": "com.okta.saml.tokens.transform",
- "contentType": "application/json"
}
{- "commands": [
- {
- "type": "com.okta.assertion.patch",
- "value": [
- {
- "op": "replace",
- "path": "/claims/array/attributeValues/1/value",
- "value": "replacementValue"
}, - {
- "op": "replace",
- "path": "/authentication/authnContext",
- "value": {
- "authnContextClassRef": "replacementValue"
}
}, - {
- "op": "add",
- "path": "/claims/extPatientId",
- "value": {
- "attributes": {
- "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
}, - "attributeValues": [
- {
- "attributes": {
- "xsi:type": "xs:string"
}, - "value": "4321"
}
]
}
}, - {
- "op": "add",
- "path": "/authentication/sessionLifetime",
- "value": 300
}
]
}, - {
- "type": "com.okta.assertion.patch",
- "value": [
- {
- "op": "replace",
- "path": "/authentication/sessionIndex",
- "value": "exampleSession"
}
]
}
]
}
Creates a Token inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response.
This type of inline hook is triggered when OAuth 2.0 and OpenID Connect (OIDC) tokens are minted by your Okta custom authorization server. Before sending the token to the requester, Okta calls out to your external service. Your service can then respond with commands to add custom claims to the token or to modify existing claims.
Use this functionality to add data that is sensitive, calculated at runtime, or complexly structured and not appropriate for storing in Okta user profiles. Okta never logs nor stores data that is added this way. As an example, tokens minted for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta.
In addition to adding custom claims, you can modify or remove an existing custom claim or an OIDC standard profile claim. You can also update how long an access token or an ID token is valid.
This inline hook works only when using an Okta custom authorization server, not the built-in Okta org authorization server.
See also:
After receiving the Okta request, if there's a response timeout, the Okta process flow proceeds with the original token returned.
To activate the inline hook, you first need to register your external service endpoint with Okta using the Inline Hooks Management API. You then need to associate the registered inline hook with a custom authorization server policy rule by completing the following steps:
Note: You can associate only one inline hook with each rule.
This section covers what happens when a token inline hook flow fails either due to the external inline hook service returning an error object or not returning a successful response, or the inline hook patch fails.
Note: Administrators can use the Okta System Log to view errors. See the Troubleshooting section in the inline hooks concept piece for more information on the events related to inline hooks that the Okta System Log captures.
When there's a communication failure with the external service, a timeout for example, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
Who can see this error? Administrators
When the external service returns a response with any other HTTP status code besides 200
, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
Who can see this error? Administrators
When the external service returns an error object in the response, the entire token inline hook flow fails with no token generated.
Who can see this error? Administrators, developers, and end users. When the OAuth 2.0 client receives the error, the client developer can see that error if the client has the debug information. What the end user sees depends on how errors are handled within the client.
Note: See the error section on this page for more information on what to include in the error object of your response and what the OAuth 2.0 error includes that Okta returns to the requestor of the token.
When a hook command (for example, updating, adding, and deleting claims) can't be performed, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
Who can see this error? Administrators
The following actions result in an error:
commands
array shouldn't contain commands of the type com.okta.access.patch
.cloudEventVersion | string The inline hook cloud version | ||||||||||||||||||||||||||||||||||||
contentType | string The inline hook request header content | ||||||||||||||||||||||||||||||||||||
eventId | string The individual inline hook request ID | ||||||||||||||||||||||||||||||||||||
eventTime | string The time the inline hook request was sent | ||||||||||||||||||||||||||||||||||||
eventTypeVersion | string The inline hook version | ||||||||||||||||||||||||||||||||||||
object | |||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||
eventType | string The type of inline hook. The token inline hook type is | ||||||||||||||||||||||||||||||||||||
source | string The URL of the token inline hook |
Successful response
No content - Unverified user response
Forbidden
An example token inline hook request body
{- "eventId": "3OWo4oo-QQ-rBWfRyTmQYw",
- "eventTime": "2019-01-15T23:20:47.000Z",
- "eventTypeVersion": "1.0",
- "cloudEventVersion": "0.1",
- "contentType": "application/json",
- "eventType": "com.okta.oauth2.tokens.transform",
- "data": {
- "context": {
- "request": {
- "id": "reqv66CbCaCStGEFc8AdfS0ng",
- "method": "GET",
- "ipAddress": "127.0.0.1"
}, - "protocol": {
- "type": "OAUTH2.0",
- "request": {
- "scope": "openid profile email",
- "state": "foobareere",
- "response_mode": "fragment",
- "response_type": "token id_token",
- "client_id": "customClientIdNative"
}, - "client": {
- "id": "customClientIdNative",
- "name": "Native client",
- "type": "PUBLIC"
}
}, - "session": {
- "id": "102Qoe7t5PcRnSxr8j3I8I6pA",
- "userId": "00uq8tMo3zV0OfJON0g3",
- "login": "administrator1@clouditude.net",
- "createdAt": "2019-01-15T23:17:09.000Z",
- "expiresAt": "2019-01-16T01:20:46.000Z",
- "status": "ACTIVE",
- "lastPasswordVerification": "2019-01-15T23:17:09.000Z",
- "amr": [
- "PASSWORD"
], - "idp": {
- "id": "00oq6kcVwvrDY2YsS0g3",
- "type": "OKTA"
}, - "mfaActive": false
}, - "user": {
- "id": "00uq8tMo3zV0OfJON0g3",
- "passwordChanged": "2018-09-11T23:19:12.000Z",
- "profile": {
- "login": "administrator1@clouditude.net",
- "firstName": "Add-Min",
- "lastName": "O'Cloudy Tud",
- "locale": "en",
- "timeZone": "America/Los_Angeles"
}, - "_links": {
}
}, - "policy": {
- "id": "00pq8lGaLlI8APuqY0g3",
- "rule": {
- "id": "0prq8mLKuKAmavOvq0g3"
}
}
}, - "identity": {
- "claims": {
- "sub": "00uq8tMo3zV0OfJON0g3",
- "name": "Add-Min O'Cloudy Tud",
- "email": "administrator1@clouditude.net",
- "ver": 1,
- "aud": "customClientIdNative",
- "jti": "ID.YxF2whJfB3Eu4ktG_7aClqtCgjDq6ab_hgpiV7-ZZn0",
- "amr": [
- "pwd"
], - "idp": "00oq6kcVwvrDY2YsS0g3",
- "nonce": "asf",
- "preferred_username": "administrator1@clouditude.net",
- "auth_time": 1547594229
}, - "token": {
- "lifetime": {
- "expiration": 3600
}
}
}, - "access": {
- "claims": {
- "ver": 1,
- "jti": "AT.W-rrB-z-kkZQmHW0e6VS3Or...QfEN_YvoWJa46A7HAA",
- "aud": "api://default",
- "cid": "customClientIdNative",
- "uid": "00uq8tMo3zV0OfJON0g3",
- "sub": "administrator1@clouditude.net",
- "firstName": "Add-Min",
- "preferred_username": "administrator1@clouditude.net"
}, - "token": {
- "lifetime": {
- "expiration": 3600
}
}, - "scopes": {
- "openid": {
- "id": "scpq7bW1cp6dcvrz80g3",
- "action": "GRANT"
}, - "profile": {
- "id": "scpq7cWJ81CIP5Qkr0g3",
- "action": "GRANT"
}, - "email": {
- "id": "scpq7dxsoz6LQlRj00g3",
- "action": "GRANT"
}
}
}, - "refresh_token": {
- "jti": "oarob4a0tckCkGcyo1d6"
}
}
}
{- "commands": [
- {
- "type": "com.okta.identity.patch",
- "value": [
- {
- "op": "add",
- "path": "/claims/extPatientId",
- "value": "1234"
}
]
}, - {
- "type": "com.okta.access.patch",
- "value": [
- {
- "op": "add",
- "path": "/claims/external_guid",
- "value": "F0384685-F87D-474B-848D-2058AC5655A7"
}
]
}
]
}