Inline Hooks

The Inline Hooks API provides operations to manage inline hooks for your organization.

For general information on inline hooks and how to create and use them, see inline hooks. The following documentation is only for the management API, which provides a CRUD interface for registering inline hooks.

List all inline hooks
OAuth 2.0: okta.inlineHooks.read

Lists all inline hooks or all inline hooks of a specific type.

When listing a specific inline hook, you need to specify its type. The following types are currently supported:

Type Value Name
com.okta.import.transform User import inline hook
com.okta.oauth2.tokens.transform Token inline hook
com.okta.saml.tokens.transform SAML assertion inline hook
com.okta.telephony.provider Telephony inline hook
com.okta.user.credential.password.import Password import inline hook
com.okta.user.pre-registration Registration inline hook
Request
query Parameters
type
string

One of the supported inline hook types

Enum: "com.okta.import.transform" "com.okta.oauth2.tokens.transform" "com.okta.saml.tokens.transform" "com.okta.user.credential.password.import" "com.okta.user.pre-registration" "com.okta.telephony.provider"
Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/inlineHooks
Request samples
Response samples
application/json
[]

Create an inline hook
OAuth 2.0: okta.inlineHooks.manage

Creates an inline hook

This endpoint creates an inline hook for your org in an ACTIVE status. You need to pass an inline hooks object in the JSON payload of your request. That object represents the set of required information about the inline hook that you're registering, including:

  • The URI of your external service endpoint
  • The type of inline hook you're registering
  • The type of authentication you're registering

There are two authentication options that you can configure for your inline hook: HTTP headers and OAuth 2.0 tokens.

HTTP headers let you specify a secret API key that you want Okta to pass to your external service endpoint (so that your external service can check for its presence as a security measure).

Note: The API key that you set here is unrelated to the Okta API token you must supply when making calls to Okta APIs.

You can also optionally specify extra headers that you want Okta to pass to your external service with each call.

To configure HTTP header authentication, see parameters for the config object.

OAuth 2.0 tokens provide enhanced security between Okta and your external service. You can configure these tokens for the following types—client secret and private key.

Note: Your external service's endpoint needs to be a valid HTTPS endpoint. The URI you specify should always begin with https://.

The total number of inline hooks that you can create in an Okta org is limited to 50, which is a combined total for any combination of inline hook types.

Request
Request Body schema: application/json
required
object (InlineHookChannelCreate)
type
string (InlineHookChannelType)
version
string

Version of the inline hook type. The currently supported version is 1.0.0.

object (InlineHookHttpConfigCreate)

Properties of the communications channel that are used to contact your external service

object or null (InlineHookChannelConfigAuthSchemeBody)

The authentication scheme to use for this request

Array of objects (InlineHookChannelConfigHeaders)

An optional list of key/value pairs for headers that you can send with the request to the external service.

method
string

The method of the Okta inline hook request

uri
string <= 1024

The external service endpoint that executes the inline hook handler. It must begin with https:// and be reachable by Okta. No white space is allowed in the URI.

name
string [ 1 .. 255 ]

The display name of the inline hook

type
string (InlineHookType)

One of the inline hook types

Enum: "com.okta.import.transform" "com.okta.oauth2.tokens.transform" "com.okta.saml.tokens.transform" "com.okta.telephony.provider" "com.okta.user.credential.password.import" "com.okta.user.pre-registration"
version
string

Version of the inline hook type. The currently supported version is 1.0.0.

Responses
200

Success

400

Bad Request

403

Forbidden

429

Too Many Requests

post/api/v1/inlineHooks
Request samples
application/json
{
  • "name": "Token hook with HTTP authentication",
  • "type": "com.okta.oauth2.tokens.transform",
  • "version": "1.0.0",
  • "channel": {
    • "type": "HTTP",
    • "version": "1.0.0",
    • "config": {
      }
    }
}
Response samples
application/json
{}

Retrieve an inline hook
OAuth 2.0: okta.inlineHooks.read

Retrieves an inline hook by inlineHookId

Request
path Parameters
inlineHookId
required
string

id of the Inline Hook

Example: Y7Rzrd4g4xj6WdKzrBHH
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/inlineHooks/{inlineHookId}
Request samples
Response samples
application/json
{}

Update an inline hook
OAuth 2.0: okta.inlineHooks.manage

Updates an inline hook by inlineHookId

Request
path Parameters
inlineHookId
required
string

id of the Inline Hook

Example: Y7Rzrd4g4xj6WdKzrBHH
Request Body schema: application/json
required
object (InlineHookChannelCreate)
type
string (InlineHookChannelType)
version
string

Version of the inline hook type. The currently supported version is 1.0.0.

object (InlineHookHttpConfigCreate)

Properties of the communications channel that are used to contact your external service

object or null (InlineHookChannelConfigAuthSchemeBody)

The authentication scheme to use for this request

Array of objects (InlineHookChannelConfigHeaders)

An optional list of key/value pairs for headers that you can send with the request to the external service.

method
string

The method of the Okta inline hook request

uri
string <= 1024

The external service endpoint that executes the inline hook handler. It must begin with https:// and be reachable by Okta. No white space is allowed in the URI.

name
string [ 1 .. 255 ]

The display name of the inline hook

version
string

Version of the inline hook type. The currently supported version is 1.0.0.

Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/inlineHooks/{inlineHookId}
Request samples
application/json
{
  • "name": "New name token hook with HTTP authentication",
  • "version": "1.0.0",
  • "channel": {
    • "type": "HTTP",
    • "version": "1.0.0",
    • "config": {
      }
    }
}
Response samples
application/json
{}

Replace an inline hook
OAuth 2.0: okta.inlineHooks.manage

Replaces an inline hook by inlineHookId. The submitted inline hook properties replace the existing properties after passing validation.

Note: Some properties are immutable and can't be updated.

Request
path Parameters
inlineHookId
required
string

id of the Inline Hook

Example: Y7Rzrd4g4xj6WdKzrBHH
Request Body schema: application/json
required
object (InlineHookChannelCreate)
type
string (InlineHookChannelType)
version
string

Version of the inline hook type. The currently supported version is 1.0.0.

object (InlineHookHttpConfigCreate)

Properties of the communications channel that are used to contact your external service

object or null (InlineHookChannelConfigAuthSchemeBody)

The authentication scheme to use for this request

Array of objects (InlineHookChannelConfigHeaders)

An optional list of key/value pairs for headers that you can send with the request to the external service.

method
string

The method of the Okta inline hook request

uri
string <= 1024

The external service endpoint that executes the inline hook handler. It must begin with https:// and be reachable by Okta. No white space is allowed in the URI.

name
string [ 1 .. 255 ]

The display name of the inline hook

version
string

Version of the inline hook type. The currently supported version is 1.0.0.

Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

put/api/v1/inlineHooks/{inlineHookId}
Request samples
application/json
{
  • "name": "New name token hook with HTTP authentication",
  • "version": "1.0.0",
  • "channel": {
    • "type": "HTTP",
    • "version": "1.0.0",
    • "config": {
      }
    }
}
Response samples
application/json
{}

Delete an inline hook
OAuth 2.0: okta.inlineHooks.manage

Deletes an inline hook by inlineHookId. After it's deleted, the inline hook is unrecoverable. As a safety precaution, only inline hooks with a status of INACTIVE are eligible for deletion.

Request
path Parameters
inlineHookId
required
string

id of the Inline Hook

Example: Y7Rzrd4g4xj6WdKzrBHH
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/inlineHooks/{inlineHookId}
Request samples
Response samples
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}

Execute an Inline Hook
OAuth 2.0: okta.inlineHooks.manage

Executes the inline hook that matches the provided inlineHookId by using the request body as the input. This inline hook sends the provided data through the channel object and returns a response if it matches the correct data contract. Otherwise it returns an error. You need to construct a JSON payload that matches the payloads that Okta would send to your external service for this inline hook type.

A timeout of three seconds is enforced on all outbound requests, with one retry in the event of a timeout or an error response from the remote system. If a successful response isn't received after the request, a 400 error is returned with more information about what failed.

Note: This execution endpoint isn't tied to any other functionality in Okta, and you should only use it for testing purposes.

Request
path Parameters
inlineHookId
required
string

id of the Inline Hook

Example: Y7Rzrd4g4xj6WdKzrBHH
Request Body schema: application/json
required
One of:

Password import inline hook request

cloudEventVersion
string

The inline hook cloud version

contentType
string

The inline hook request header content

eventId
string

The individual inline hook request ID

eventTime
string

The time the inline hook request was sent

eventTypeVersion
string

The inline hook version

object (PasswordImportRequestData)
object

This object specifies the default action Okta is set to take. Okta takes this action if your external service sends an empty HTTP 204 response. You can override the default action by returning a commands object in your response specifying the action to take.

credential
string
Default: "UNVERIFIED"

The status of the user credential, either UNVERIFIED or VERIFIED

object
object (InlineHookRequestObject)

The API request that triggered the inline hook

object
eventType
string

The type of inline hook. The password import inline hook type is com.okta.user.credential.password.import.

source
string

The ID and URL of the password import inline hook

Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/inlineHooks/{inlineHookId}/execute
Request samples
application/json
{
  • "eventId": "3o9jBzq1SmOGmmsDsqyyeQ",
  • "eventTime": "2020-01-17T21:23:56.000Z",
  • "eventType": "com.okta.user.credential.password.import",
  • "eventTypeVersion": "1.0",
  • "contentType": "application/json",
  • "cloudEventVersion": "0.1",
  • "data": {
    • "context": {
      },
    • "action": {
      }
    }
}
Response samples
application/json
{
  • "commands": [
    • {
      }
    ]
}

Activate an inline hook
OAuth 2.0: okta.inlineHooks.manage

Activates the inline hook by inlineHookId

Request
path Parameters
inlineHookId
required
string

id of the Inline Hook

Example: Y7Rzrd4g4xj6WdKzrBHH
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/inlineHooks/{inlineHookId}/lifecycle/activate
Request samples
Response samples
application/json
{}

Deactivate an inline hook
OAuth 2.0: okta.inlineHooks.manage

Deactivates the inline hook by inlineHookId

Request
path Parameters
inlineHookId
required
string

id of the Inline Hook

Example: Y7Rzrd4g4xj6WdKzrBHH
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate
Request samples
Response samples
application/json
{}

Create a telephony inline hookWebhook

Creates an Okta Telephony inline hook request. This is an automated request from Okta to your third-party service endpoint.

The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.

Note: The size of your response payload must be less than 256 KB.

See also:

About

The Okta telephony inline hook allows you to integrate your own custom code into Okta flows that send SMS or voice call messages. You can integrate this hook with enrollment, authentication, and recovery flows that involve the phone authenticator. Okta uses your external provider to deliver the one-time passcode (OTP) to the Requester. The provider can respond with commands that indicate if the delivery was successful or not.

You can have only one active telephony inline hook per org.

When you create a telephony inline hook, you must include the authScheme parameter. See Create inline hook and the authScheme object.

Time-out behavior

If the provider response times out, Okta attempts to send the OTP using the Okta telephony providers. See Troubleshoot.

Note: The failover mechanism that uses the Okta telephony providers is heavily rate-limited.

Troubleshoot

This section explains several common causes of failure for telephony inline hooks.

Note: Administrators can use the Okta System Log to view errors. See the Troubleshooting section in the inline hooks topic for details on events captured by the Okta System Log.

Issue Impact Error Visibility
External service fails to communicate or times out Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider Administrators only
External service responds with any HTTP status code besides 200 Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider Administrators only
External service returns an error object Inline hook operation fails, OTP is sent to the Requester using an Okta telephony provider Administrators, developers, and end users
Hook response is malformed or can't be mapped to the expected API response Inline hook operation is skipped Administrators only
Request header doesn't include an authScheme Inline hook operation is skipped Administrators only
Response uses an invalid status Inline hook operation is skipped Administrators only
Operation adds an active telephony inline hook when a hook exists Inline hook operation is skipped Administrators only
Request
Request Body schema: application/json
required
cloudEventVersion
string

The inline hook cloud version

contentType
string

The inline hook request header content

eventId
string

The individual inline hook request ID

eventTime
string

The time the inline hook request was sent

eventTypeVersion
string

The inline hook version

object (TelephonyRequestData)
object
object (InlineHookRequestObject)

The API request that triggered the inline hook

object

Message profile specifies information about the telephony (sms/voice) message to be sent to the Okta user

msgTemplate
string

Default or Okta org configured sms or voice message template

phoneNumber
string

The Okta's user's phone number

otpExpires
string

The time when OTP expires

deliveryChannel
string

The channel for OTP delivery - SMS or voice

otpCode
string

The OTP code requested by the Okta user

locale
string

The locale associated with the Okta user

object

User profile specifies information about the Okta user

firstName
string

The user's first name

lastName
string

The user's last name

login
string

The user's Okta login

userId
string

The user's Okta user ID

eventType
string

The type of inline hook. The Telephony inline hook type is com.okta.telephony.provider.

requestType
string

The type of inline hook request. For example, com.okta.user.telephony.pre-enrollment.

source
string

The ID and URL of the Telephony inline hook

Responses
200

Successful response

403

Forbidden

Request samples
application/json
{
  • "eventId": "uS5871kJThSsU8qlA1LTcg",
  • "eventTime": "2020-01-17T21:23:56.000Z",
  • "eventType": "com.okta.telephony.provider",
  • "eventTypeVersion": "1.0",
  • "contentType": "application/json",
  • "cloudEventVersion": "0.1",
  • "data": {
    • "context": {
      },
    • "userProfile": {
      },
    • "messageProfile": {
      }
    }
}
Response samples
application/json
{
  • "commands": [
    • {
      },
    • {
      }
    ]
}

Create a password import inline hookWebhook

Creates a password import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.

Note: The size of your response payload must be less than 256 KB.

The password import inline hook allows you to migrate users from another data store where you want the users to retain their current passwords. Use this hook with the Create user with password import inline hook flow that's described in the Users API.

The password import inline hook is triggered when the user tries to sign in to Okta for the first time. Okta sends your external service the password that the user supplied. Your external service then needs to send a response to Okta indicating whether the password supplied by the end user is valid.

If your service returns a response that indicates that the password is valid, Okta sets the password for the user. The password import inline hook won't need to call your service again. However, if the Okta service is in read-only mode, it might not be possible to set the password. Okta then needs to call your service again the next time the user attempts to sign in. See Password inline hook and Okta read-only mode and Removing password from existing user store.

Notes:

  • Password policies don't apply to the password import inline hook. That is, if your external service validates the password, the password is imported even if it doesn't meet the Okta password policy requirements.
  • You can create only one password import inline hook per org.

See also:

Enable a password import inline hook

To enable a password import inline hook, you first need to register your external service endpoint with Okta and configure it as an inline hook of type com.okta.user.credential.password.import. You can enable the hook using the Admin Console, see Add an inline hook or through the Inline Hooks management API. When creating a user with the Users API, you need to use the Create User with password import inline hook use case. This involves specifying a credentials.password.hook property in the request body.

When the user that you have added attempts to sign in to Okta for the first time, the hook is triggered and Okta calls your external service. The call sends the credentials that the end user provided. Your service can check the credentials and respond with a command to indicate whether the credentials are valid or not.

Password inline hook and Okta read-only mode

If your external service responds to Okta indicating that the credentials are valid, Okta saves the password and can authenticate the user independently from then on. However, if your Okta org is in a special read-only mode at the time the user signs in, then saving the password might not be possible. The next time the end user attempts to sign in, the password import inline hook needs to be called again.

Password removal from an existing user store

Because of the possibility of your org being in a special service mode, you shouldn't attempt to permanently delete user passwords from your existing user store until you can verify the success of the password import . An Okta System Log Event, user.import.password, is available for this purpose. An event of this type is created every time a password import inline hook is fired, with its Event.Outcome property providing a status of FAILURE or SUCCESS for the password import operation. If the status is SUCCESS, Okta has successfully saved the end user's password, and it's safe to delete it from your previous user store.

You can configure an Event hook to send this event type to you for use when triggering automated cleanup of end-user passwords after successful migration.

Request
Request Body schema: application/json
required
cloudEventVersion
string

The inline hook cloud version

contentType
string

The inline hook request header content

eventId
string

The individual inline hook request ID

eventTime
string

The time the inline hook request was sent

eventTypeVersion
string

The inline hook version

object (PasswordImportRequestData)
object

This object specifies the default action Okta is set to take. Okta takes this action if your external service sends an empty HTTP 204 response. You can override the default action by returning a commands object in your response specifying the action to take.

credential
string
Default: "UNVERIFIED"

The status of the user credential, either UNVERIFIED or VERIFIED

object
object (InlineHookRequestObject)

The API request that triggered the inline hook

object
eventType
string

The type of inline hook. The password import inline hook type is com.okta.user.credential.password.import.

source
string

The ID and URL of the password import inline hook

Responses
200

Successful response

204

No content - Unverified user response

403

Forbidden

Request samples
application/json
{
  • "eventId": "3o9jBzq1SmOGmmsDsqyyeQ",
  • "eventTime": "2020-01-17T21:23:56.000Z",
  • "eventType": "com.okta.user.credential.password.import",
  • "eventTypeVersion": "1.0",
  • "contentType": "application/json",
  • "cloudEventVersion": "0.1",
  • "data": {
    • "context": {
      },
    • "action": {
      }
    }
}
Response samples
application/json
{
  • "commands": [
    • {
      }
    ]
}

Create a registration inline hookWebhook

Creates a registration inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.

The Okta registration inline hook allows you to integrate your own custom code into Okta's Profile Enrollment flow. The hook is triggered after Okta receives the registration or profile update request. Your custom code can:

  • Allow or deny the registration attempt, based on your own validation of the information the user has submitted
  • Set or override the values that are populated in attributes of the user's Okta profile

    Note: Profile Enrollment and self-service registration (SSR) inline hooks only work with the Okta Sign-In Widget version 4.5 or later.

See also:

Request
Request Body schema: application/json
required
cloudEventVersion
string

The inline hook cloud version

contentType
string

The inline hook request header content

eventId
string

The individual inline hook request ID

eventTime
string

The time the inline hook request was sent

eventTypeVersion
string

The inline hook version

eventType
string

The type of inline hook. The registration inline hook type is com.okta.user.pre-registration.

requestType
string (RegistrationInlineHookRequestType)

The type of registration hook. Use either self.service.registration or progressive.profile.

source
string

The ID of the registration inline hook

object
object
object (InlineHookRequestObject)

The API request that triggered the inline hook

action
string

The default action the system will take. Will be ALLOW. DENY will never be sent to your external service.

object

The name-value pairs for each registration-related attribute supplied by the user in the Profile Enrollment form.

property name*
additional property
any
Responses
200

Successful response

204

No content - Allow registration to proceed without any update.

Request samples
application/json
{
  • "eventId": "04Dmt8BcT_aEgM",
  • "eventTime": "2022-04-25T17:35:27.000Z",
  • "eventType": "com.okta.user.pre-registration",
  • "eventTypeVersion": 1,
  • "contentType": "application/json",
  • "cloudEventVersion": 0.1,
  • "source": "regt4qeBKU29vSoPz0g3",
  • "requestType": "self.service.registration",
  • "data": {
    • "context": {
      },
    • "userProfile": {
      },
    • "action": "ALLOW"
    }
}
Response samples
application/json
{
  • "commands": [
    • {
      }
    ]
}

Create a user import inline hookWebhook

Creates a user import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.

The user import inline hook enables you to add custom logic to the process of importing new users into Okta from an app. You can resolve conflicts in user name or other profile attributes, modify values of profile attributes, and control whether the imported user is treated as a match for an existing user or not. The hook is invoked for each user being imported, at the point immediately after any applicable profile attribute mappings have been applied, and any potential matches with existing users have been found, but before the Okta user profile is created.

Note: If the external service times out after receiving an Okta request, the Okta process flow continues and the user is created.

See also:

Note: The procedure for associating a user import inline hook with an app using the Admin Console can't be used with AD or LDAP.

Request
Request Body schema: application/json
required
cloudEventVersion
string

The inline hook cloud version

contentType
string

The inline hook request header content

eventId
string

The individual inline hook request ID

eventTime
string

The time the inline hook request was sent

eventTypeVersion
string

The inline hook version

object (UserImportRequestData)
object

The object that specifies the default action Okta is set to take

result
string

The current default action that results when Okta imports a user. The two possible values are CREATE_USER and LINK_USER. You can change the action that is taken by means of the commands object you return.

Enum: Description
CREATE_USER

A new Okta user profile is created for the user

LINK_USER

The user is treated as a match for the existing Okta user identified by the value of data.user.id

object

The app user profile being imported

object

Provides the name-value pairs of the attributes contained in the app user profile of the user who is being imported. You can change the values of attributes in the user's app profile by means of the commands object you return. If you change attributes in the app profile, they then flow through to the Okta user profile, based on matching and mapping rules.

object
conflicts
Array of strings

An array of user profile attributes that are in conflict

object

Details of the app from which the user is being imported

object

The details of the running import job

matches
Array of strings

The list of Okta users currently matched to the app user based on import matching. There can be more than one match.

policy
Array of strings

The list of any policies that apply to the import matching

object

Provides information on the Okta user profile currently set to be used for the user who is being imported, based on the matching rules and attribute mappings that were applied.

object

The data.user.profile contains the name-value pairs of the attributes in the user profile. If the user has been matched to an existing Okta user, a data.user.id object is included, containing the unique identifier of the Okta user profile.

You can change the values of the attributes by means of the commands object you return.

eventType
string

The type of inline hook. The user import inline hook type is com.okta.import.transform.

source
string

The ID of the user import inline hook

Responses
200

Successful response

204

No content - Use the default action

403

Forbidden

Request samples
application/json
{
  • "source": "cal7eyxOsnb20oWbZ0g4",
  • "eventId": "JUGOUiYZTaKPmH6db0nDag",
  • "eventTime": "2019-02-27T20:59:04.000Z",
  • "eventTypeVersion": "1.0",
  • "cloudEventVersion": "0.1",
  • "eventType": "com.okta.import.transform",
  • "contentType": "application/json",
  • "data": {
    • "context": {
      },
    • "action": {
      },
    • "appUser": {
      },
    • "user": {
      }
    }
}
Response samples
application/json
{
  • "commands": [
    • {
      }
    ]
}

Create a SAML assertion inline hookWebhook

Creates a SAML Assertion inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.

This type of inline hook is triggered when Okta generates a SAML assertion in response to an authentication request. Before sending the SAML assertion to the app that will consume it, Okta calls out to your external service. Your external service can respond with commands to add attributes to the assertion or to modify its existing attributes.

You can use this functionality to add data to assertions, which might be data that is sensitive, calculated at runtime, or complexly-structured and not appropriate for storing in Okta user profiles. Data added this way is never logged or stored by Okta. As an example, SAML assertions generated for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta.

This inline hook works only when using custom SAML apps, not apps from the OIN.

See also:

Specify location within the assertion

Specify the location within the assertion where you want to apply your operation using a slash-delimited path, which follows JSON Patch conventions.

When you perform an add op to add a new attribute statement, begin with /claims/ and follow that with the name of the new attribute that you're adding.

When you modify an existing assertions statement, begin the path with /subject/, /authentication/, /conditions/, or /claims/, depending on which part of the assertion you want to modify. You then look deeper within the child elements using slash-delimited element names, for example, /claims/array/attributeValues/1/value. (The /1/ in the path indicates the index of the array, using zero-based indexing.)

URI claims

Okta supports URI claims with SAML assertion hooks. When you need to replace or add a URI claim, encode the claim name within the command per the JavaScript Object Notation (JSON) Pointer specification. Specifically, this replaces ~ with ~0 and / with ~1.

SessionNotOnOrAfter support

In some scenarios, your service provider may require the SessionNotOnOrAfter attribute for the <saml:AuthnStatement> in the SAML assertion, which sets the provider session time correctly. Use add op with the path /authentication/sessionLifetime and a value for session lifetime in seconds to add this attribute. Okta calculates SessionNotOnOrAfter by adding the /authentication/sessionLifetime value to the issueInstant attribute and returns it in the SAML `data.assertion.

Request
Request Body schema: application/json
required
cloudEventVersion
string

The inline hook cloud version

contentType
string

The inline hook request header content

eventId
string

The individual inline hook request ID

eventTime
string

The time the inline hook request was sent

eventTypeVersion
string

The inline hook version

object
object

This object contains a number of sub-objects, each of which provide some type of contextual information.

object (InlineHookRequestObject)

The API request that triggered the inline hook

object

Details of the user session

object

Identifies the Okta user that the token was generated to authenticate and provides details of their Okta user profile

object

Details of the assertion protocol being used

object

Details of the SAML assertion that was generated

object

Provides a JSON representation of the <saml:Subject> element of the SAML assertion

object

Provides a JSON representation of the <saml:AuthnStatement> element of the SAML assertion

object

Provides a JSON representation of the <saml:Conditions> element of the SAML assertion

object

Provides a JSON representation of the <saml:AttributeStatement> element contained in the generated SAML assertion. Contains any optional SAML attribute statements that you have defined for the app using the Admin Console's SAML Settings.

object

Specifies the expiration time, in seconds, of the SAML assertion

eventType
string

The type of inline hook. The SAML assertion inline hook type is com.okta.saml.tokens.transform.

source
string

The ID and URL of the SAML assertion inline hook

Responses
200

Successful response

204

No content - Use the default action

403

Forbidden

Request samples
application/json
{
  • "eventId": "XMFoHCM1S4Wi_SGWzL8T9A",
  • "eventTime": "2019-03-28T19:15:23.000Z",
  • "data": {
    • "context": {},
    • "assertion": {
      }
    },
  • "eventTypeVersion": "1.0",
  • "cloudEventVersion": "0.1",
  • "eventType": "com.okta.saml.tokens.transform",
  • "contentType": "application/json"
}
Response samples
application/json
{
  • "commands": [
    • {
      },
    • {
      }
    ]
}

Create a token inline hookWebhook

Creates a Token inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response.

This type of inline hook is triggered when OAuth 2.0 and OpenID Connect (OIDC) tokens are minted by your Okta custom authorization server. Before sending the token to the requester, Okta calls out to your external service. Your service can then respond with commands to add custom claims to the token or to modify existing claims.

Use this functionality to add data that is sensitive, calculated at runtime, or complexly structured and not appropriate for storing in Okta user profiles. Okta never logs nor stores data that is added this way. As an example, tokens minted for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta.

In addition to adding custom claims, you can modify or remove an existing custom claim or an OIDC standard profile claim. You can also update how long an access token or an ID token is valid.

This inline hook works only when using an Okta custom authorization server, not the built-in Okta org authorization server.

See also:

Timeout behavior

After receiving the Okta request, if there's a response timeout, the Okta process flow proceeds with the original token returned.

Enabling a token inline hook

To activate the inline hook, you first need to register your external service endpoint with Okta using the Inline Hooks Management API. You then need to associate the registered inline hook with a custom authorization server policy rule by completing the following steps:

  1. Go to Security > API > Authorization Servers.
  2. Select a custom authorization server from the list.
  3. Select Access Policies and select a policy to use with the hook. In most cases, pick the Default Policy.
  4. One of the policy's rules needs to trigger the inline hook. Click the pencil icon for a rule to edit it. If you only have one rule, edit the Default Policy Rule.
  5. Click the Use this Inline Hook dropdown menu. Any inline hooks that you have registered are listed. Select the hook that you would like to use.
  6. Click Update Rule.

Note: You can associate only one inline hook with each rule.

Troubleshoot

This section covers what happens when a token inline hook flow fails either due to the external inline hook service returning an error object or not returning a successful response, or the inline hook patch fails.

Note: Administrators can use the Okta System Log to view errors. See the Troubleshooting section in the inline hooks concept piece for more information on the events related to inline hooks that the Okta System Log captures.

  • When there's a communication failure with the external service, a timeout for example, the inline hook operation is skipped. The token is generated without any modification from the inline hook.

    Who can see this error? Administrators

  • When the external service returns a response with any other HTTP status code besides 200, the inline hook operation is skipped. The token is generated without any modification from the inline hook.

    Who can see this error? Administrators

  • When the external service returns an error object in the response, the entire token inline hook flow fails with no token generated.

    Who can see this error? Administrators, developers, and end users. When the OAuth 2.0 client receives the error, the client developer can see that error if the client has the debug information. What the end user sees depends on how errors are handled within the client.

    Note: See the error section on this page for more information on what to include in the error object of your response and what the OAuth 2.0 error includes that Okta returns to the requestor of the token.

  • When a hook command (for example, updating, adding, and deleting claims) can't be performed, the inline hook operation is skipped. The token is generated without any modification from the inline hook.

    Who can see this error? Administrators

    The following actions result in an error:

    • Using an invalid command. For example, if only an ID token is requested, the commands array shouldn't contain commands of the type com.okta.access.patch.
    • Using an invalid operation
    • Attempting to remove a system-specific claim
    • Attempting to update a claim that doesn't exist
    • Attempting to update an element within an array that doesn't exist or specifying an invalid index
    • Attempting to remove a claim that doesn't exist
Request
Request Body schema: application/json
required
cloudEventVersion
string

The inline hook cloud version

contentType
string

The inline hook request header content

eventId
string

The individual inline hook request ID

eventTime
string

The time the inline hook request was sent

eventTypeVersion
string

The inline hook version

object
object

This object contains a number of sub-objects, each of which provide some type of contextual information.

object (InlineHookRequestObject)

The API request that triggered the inline hook

object

Details of the user session

object

Identifies the Okta user that the token was generated to authenticate and provides details of their Okta user profile

object

Details of the authentication protocol

object

The authorization server policy used to mint the token

object

Provides information on the properties of the ID token that Okta has generated, including the existing claims that it contains

claims
object

Claims included in the token. Consists of name-value pairs for each included claim. For descriptions of the claims that you can include, see the Okta OpenID Connect and OAuth 2.0 API reference.

object

The token

object

Provides information on the properties of the access token that Okta has generated, including the existing claims that it contains

claims
object

Claims included in the token. Consists of name-value pairs for each included claim. For descriptions of the claims that you can include, see the Okta OpenID Connect and OAuth 2.0 API reference.

object

The token

scopes
object

The scopes contained in the token. For descriptions of the scopes that you can include, see the Okta OpenID Connect and OAuth 2.0 API reference.

object (RefreshToken)

The refresh token

jti
string

The refresh token ID

eventType
string

The type of inline hook. The token inline hook type is com.okta.oauth2.tokens.transform.

source
string

The URL of the token inline hook

Responses
200

Successful response

204

No content - Unverified user response

403

Forbidden

Request samples
application/json

An example token inline hook request body

{
  • "eventId": "3OWo4oo-QQ-rBWfRyTmQYw",
  • "eventTime": "2019-01-15T23:20:47.000Z",
  • "eventTypeVersion": "1.0",
  • "cloudEventVersion": "0.1",
  • "contentType": "application/json",
  • "eventType": "com.okta.oauth2.tokens.transform",
  • "data": {
    • "context": {},
    • "identity": {
      },
    • "access": {
      },
    • "refresh_token": {
      }
    }
}
Response samples
application/json
{
  • "commands": [
    • {
      },
    • {
      }
    ]
}