Inline Hooks

The Inline Hooks API provides operations to manage inline hooks for your organization.

For general information on inline hooks and how to create and use them, see inline hooks. The following documentation is only for the management API, which provides a CRUD interface for registering inline hooks.

List all inline hooks
OAuth 2.0: okta.inlineHooks.read

Lists all inline hooks or all inline hooks of a specific type.

When listing a specific inline hook, you need to specify its type. The following types are currently supported:

Type Value Name
com.okta.import.transform User import inline hook
com.okta.oauth2.tokens.transform Token inline hook
com.okta.saml.tokens.transform SAML assertion inline hook
com.okta.telephony.provider Telephony inline hook
com.okta.user.credential.password.import Password import inline hook
com.okta.user.pre-registration Registration inline hook
Request
query Parameters
type
string

One of the supported inline hook types

Enum: "com.okta.import.transform" "com.okta.oauth2.tokens.transform" "com.okta.saml.tokens.transform" "com.okta.user.credential.password.import" "com.okta.user.pre-registration" "com.okta.telephony.provider"
Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/inlineHooks
Request samples 
Response samples 
application/json
[]
Create an inline hook
OAuth 2.0: okta.inlineHooks.manage
Creates an inline hook


This endpoint creates an inline hook for your org in an ACTIVE status. You need to pass an inline hooks object in the JSON payload of your request. 
That object represents the set of required information about the inline hook that you're registering, including:


    

  • The URI of your external service endpoint
    • 

  • The type of inline hook you're registering
    • 

  • The type of authentication you're registering
    • 



There are two authentication options that you can configure for your inline hook: HTTP headers and OAuth 2.0 tokens.


HTTP headers let you specify a secret API key that you want Okta to pass to your external service endpoint (so that your external service can check for its presence as a security measure).




Note: The API key that you set here is unrelated to the Okta API token you must supply when making calls to Okta APIs.




You can also optionally specify extra headers that you want Okta to pass to your external service with each call.


To configure HTTP header authentication, see parameters for the config object.


OAuth 2.0 tokens provide enhanced security between Okta and your external service. You can configure these tokens for the following types—client secret and private key.




Note: Your external service's endpoint needs to be a valid HTTPS endpoint. The URI you specify should always begin with https://.




The total number of inline hooks that you can create in an Okta org is limited to 50, which is a combined total for any combination of inline hook types.


Request 
Request Body schema: application/json
required
object (InlineHookChannelCreate) 
 
type
string (InlineHookChannelType) 
 
version
string
Version of the inline hook type. The currently supported version is 1.0.0.


 
object (InlineHookHttpConfigCreate) 
Properties of the communications channel that are used to contact your external service


 
object or null (InlineHookChannelConfigAuthSchemeBody) 
The authentication scheme to use for this request


 
Array of objects (InlineHookChannelConfigHeaders) 
An optional list of key/value pairs for headers that you can send with the request to the external service.


 
method
string
The method of the Okta inline hook request


 
uri
string  <= 1024 
The external service endpoint that executes the inline hook handler. It must begin with https:// and be reachable by Okta. No white space is allowed in the URI.


 
name
string  [ 1 .. 255 ] 
The display name of the inline hook


 
type
string (InlineHookType) 
One of the inline hook types


 Enum: "com.okta.import.transform" "com.okta.oauth2.tokens.transform" "com.okta.saml.tokens.transform" "com.okta.telephony.provider" "com.okta.user.credential.password.import" "com.okta.user.pre-registration"  
version
string
Version of the inline hook type. The currently supported version is 1.0.0.


 
Responses 
200
Success


400
Bad Request


403
Forbidden


429
Too Many Requests


post/api/v1/inlineHooks
Request samples 
application/json
{
  • "name": "Token hook with HTTP authentication",
  • "type": "com.okta.oauth2.tokens.transform",
  • "version": "1.0.0",
  • "channel": {
    • "type": "HTTP",
    • "version": "1.0.0",
    • "config": {
      }
    }
}
Response samples 
application/json
{}
Retrieve an Inline Hook
OAuth 2.0: okta.inlineHooks.read
Retrieves an inline hook by inlineHookId


Request 
path Parameters
inlineHookId
required
string
id of the Inline Hook


 
 Example:  Y7Rzrd4g4xj6WdKzrBHH
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/inlineHooks/{inlineHookId}
Request samples 
Response samples 
application/json
{}
Update an Inline Hook
OAuth 2.0: okta.inlineHooks.manage
Updates an inline hook by inlineHookId


Request 
path Parameters
inlineHookId
required
string
id of the Inline Hook


 
 Example:  Y7Rzrd4g4xj6WdKzrBHH
Request Body schema: application/json
required
object (InlineHookChannelCreate) 
 
type
string (InlineHookChannelType) 
 
version
string
Version of the inline hook type. The currently supported version is 1.0.0.


 
object (InlineHookHttpConfigCreate) 
Properties of the communications channel that are used to contact your external service


 
object or null (InlineHookChannelConfigAuthSchemeBody) 
The authentication scheme to use for this request


 
Array of objects (InlineHookChannelConfigHeaders) 
An optional list of key/value pairs for headers that you can send with the request to the external service.


 
method
string
The method of the Okta inline hook request


 
uri
string  <= 1024 
The external service endpoint that executes the inline hook handler. It must begin with https:// and be reachable by Okta. No white space is allowed in the URI.


 
name
string  [ 1 .. 255 ] 
The display name of the inline hook


 
version
string
Version of the inline hook type. The currently supported version is 1.0.0.


 
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/inlineHooks/{inlineHookId}
Request samples 
application/json
{
  • "name": "New name token hook with HTTP authentication",
  • "version": "1.0.0",
  • "channel": {
    • "type": "HTTP",
    • "version": "1.0.0",
    • "config": {
      }
    }
}
Response samples 
application/json
{}
Replace an inline hook
OAuth 2.0: okta.inlineHooks.manage
Replaces an inline hook by inlineHookId. The submitted inline hook properties replace the existing properties after passing validation.




Note: Some properties are immutable and can't be updated.




Request 
path Parameters
inlineHookId
required
string
id of the Inline Hook


 
 Example:  Y7Rzrd4g4xj6WdKzrBHH
Request Body schema: application/json
required
object (InlineHookChannelCreate) 
 
type
string (InlineHookChannelType) 
 
version
string
Version of the inline hook type. The currently supported version is 1.0.0.


 
object (InlineHookHttpConfigCreate) 
Properties of the communications channel that are used to contact your external service


 
object or null (InlineHookChannelConfigAuthSchemeBody) 
The authentication scheme to use for this request


 
Array of objects (InlineHookChannelConfigHeaders) 
An optional list of key/value pairs for headers that you can send with the request to the external service.


 
method
string
The method of the Okta inline hook request


 
uri
string  <= 1024 
The external service endpoint that executes the inline hook handler. It must begin with https:// and be reachable by Okta. No white space is allowed in the URI.


 
name
string  [ 1 .. 255 ] 
The display name of the inline hook


 
version
string
Version of the inline hook type. The currently supported version is 1.0.0.


 
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


put/api/v1/inlineHooks/{inlineHookId}
Request samples 
application/json
{
  • "name": "New name token hook with HTTP authentication",
  • "version": "1.0.0",
  • "channel": {
    • "type": "HTTP",
    • "version": "1.0.0",
    • "config": {
      }
    }
}
Response samples 
application/json
{}
Delete an inline hook
OAuth 2.0: okta.inlineHooks.manage
Deletes an inline hook by inlineHookId. After it's deleted, the inline hook is unrecoverable. As a safety precaution, only inline hooks with a status of INACTIVE are eligible for deletion.


Request 
path Parameters
inlineHookId
required
string
id of the Inline Hook


 
 Example:  Y7Rzrd4g4xj6WdKzrBHH
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/inlineHooks/{inlineHookId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
Execute an inline hook
OAuth 2.0: okta.inlineHooks.manage
Executes the inline hook that matches the provided inlineHookId by using the request body as the input. This inline hook sends the provided 
data through the channel object and returns a response if it matches the correct data contract. Otherwise it returns an error. You need to 
construct a JSON payload that matches the payloads that Okta would send to your external service for this inline hook type.


A timeout of three seconds is enforced on all outbound requests, with one retry in the event of a timeout or an error response from the remote system. 
If a successful response isn't received after the request, a 400 error is returned with more information about what failed.




Note: This execution endpoint isn't tied to any other functionality in Okta, and you should only use it for testing purposes.




Request 
path Parameters
inlineHookId
required
string
id of the Inline Hook


 
 Example:  Y7Rzrd4g4xj6WdKzrBHH
Request Body schema: application/json
required
One of:
Password import inline hook request


cloudEventVersion
string
The inline hook cloud version


 
contentType
string
The inline hook request header content


 
eventId
string
The individual inline hook request ID


 
eventTime
string
The time the inline hook request was sent


 
eventTypeVersion
string
The inline hook version


 
object (PasswordImportRequestData) 
 
object
This object specifies the default action Okta is set to take. Okta takes this action if your external service sends an empty HTTP 204 response. You can override the default action by returning a commands object in your response specifying the action to take.


 
credential
string
 Default:  "UNVERIFIED"
The status of the user credential, either UNVERIFIED or VERIFIED


 
object
 
object (InlineHookRequestObject) 
The API request that triggered the inline hook


 
object
 
eventType
string
The type of inline hook. The password import inline hook type is com.okta.user.credential.password.import.


 
source
string
The ID and URL of the password import inline hook


 
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/inlineHooks/{inlineHookId}/execute
Request samples 
application/json
{
  • "eventId": "3o9jBzq1SmOGmmsDsqyyeQ",
  • "eventTime": "2020-01-17T21:23:56.000Z",
  • "eventType": "com.okta.user.credential.password.import",
  • "eventTypeVersion": "1.0",
  • "contentType": "application/json",
  • "cloudEventVersion": "0.1",
  • "source": "https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7",
  • "data": {
    • "context": {
      },
    • "action": {
      }
    }
}
Response samples 
application/json
{
  • "commands": [
    • {
      }
    ]
}
Activate an Inline Hook
OAuth 2.0: okta.inlineHooks.manage
Activates the inline hook by inlineHookId


Request 
path Parameters
inlineHookId
required
string
id of the Inline Hook


 
 Example:  Y7Rzrd4g4xj6WdKzrBHH
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/inlineHooks/{inlineHookId}/lifecycle/activate
Request samples 
Response samples 
application/json
{}
Deactivate an Inline Hook
OAuth 2.0: okta.inlineHooks.manage
Deactivates the inline hook by inlineHookId


Request 
path Parameters
inlineHookId
required
string
id of the Inline Hook


 
 Example:  Y7Rzrd4g4xj6WdKzrBHH
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate
Request samples 
Response samples 
application/json
{}
Create a Telephony Inline Hook
Webhook 
Creates an Okta Telephony inline hook request. This is an automated request from Okta to your third-party service endpoint.


The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects,
which specify the Okta commands to execute.




Note: The size of your response payload must be less than 256 KB.




See also:



About


The Okta telephony inline hook allows you to integrate your own custom code into Okta flows that send SMS or voice call messages. You can integrate this hook with enrollment, authentication, and recovery flows that involve the phone authenticator. Okta uses your external provider to deliver the one-time passcode (OTP) to the Requester. The provider can respond with commands that indicate if the delivery was successful or not.


You can have only one active telephony inline hook per org.


When you create a telephony inline hook, you must include the authScheme parameter. See Create inline hook and the authScheme object.


Time-out behavior


If the provider response times out, Okta attempts to send the OTP using the Okta telephony providers. See Troubleshoot.




Note: The failover mechanism that uses the Okta telephony providers is heavily rate-limited.




Troubleshoot


This section explains several common causes of failure for telephony inline hooks.


Note: Administrators can use the Okta System Log to view errors. See the Troubleshooting section in the inline hooks topic for details on events captured by the Okta System Log.






Issue
Impact
Error Visibility





External service fails to communicate or times out
Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider
Administrators only




External service responds with any HTTP status code besides 200
Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider
Administrators only




External service returns an error object
Inline hook operation fails, OTP is sent to the Requester using an Okta telephony provider
Administrators, developers, and end users




Hook response is malformed or can't be mapped to the expected API response
Inline hook operation is skipped
Administrators only




Request header doesn't include an authScheme
Inline hook operation is skipped
Administrators only




Response uses an invalid status
Inline hook operation is skipped
Administrators only




Operation adds an active telephony inline hook when a hook exists
Inline hook operation is skipped
Administrators only





Request 
Request Body schema: application/json
required
cloudEventVersion
string
The inline hook cloud version


 
contentType
string
The inline hook request header content


 
eventId
string
The individual inline hook request ID


 
eventTime
string
The time the inline hook request was sent


 
eventTypeVersion
string
The inline hook version


 
object (TelephonyRequestData) 
 
object
 
object (InlineHookRequestObject) 
The API request that triggered the inline hook


 
object
Message profile specifies information about the telephony (sms/voice) message to be sent to the Okta user


 
msgTemplate
string
Default or Okta org configured sms or voice message template


 
phoneNumber
string
The Okta's user's phone number


 
otpExpires
string
The time when OTP expires


 
deliveryChannel
string
The channel for OTP delivery - SMS or voice


 
otpCode
string
The OTP code requested by the Okta user


 
locale
string
The locale associated with the Okta user


 
object
User profile specifies information about the Okta user


 
firstName
string
The user's first name


 
lastName
string
The user's last name


 
login
string
The user's Okta login


 
userId
string
The user's Okta user ID


 
eventType
string
The type of inline hook. The Telephony inline hook type is com.okta.telephony.provider.


 
requestType
string
The type of inline hook request. For example, com.okta.user.telephony.pre-enrollment.


 
source
string
The ID and URL of the Telephony inline hook


 
Responses 
200
Successful response


403
Forbidden


Request samples 
application/json
{
  • "eventId": "uS5871kJThSsU8qlA1LTcg",
  • "eventTime": "2020-01-17T21:23:56.000Z",
  • "eventType": "com.okta.telephony.provider",
  • "eventTypeVersion": "1.0",
  • "contentType": "application/json",
  • "cloudEventVersion": "0.1",
  • "source": "https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7",
  • "data": {
    • "context": {
      },
    • "userProfile": {
      },
    • "messageProfile": {
      }
    }
}
Response samples 
application/json
{
  • "commands": [
    • {
      },
    • {
      }
    ]
}
Create a Password Import Inline Hook
Webhook 
Creates a password import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service,
and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects,
which specify the Okta commands to execute.




Note: The size of your response payload must be less than 256 KB.




The password import inline hook allows you to migrate users from another data store where you want the users to retain their current passwords.
Use this hook with the Create user with password import inline hook flow that's described in the Users API.


The password import inline hook is triggered when the user tries to sign in to Okta for the first time. Okta sends your external service the password that the user supplied. Your external service then needs to send a response to Okta indicating whether the password supplied by the end user is valid.


If your service returns a response that indicates that the password is valid, Okta sets the password for the user. The password import inline hook won't need to call your service again.
However, if the Okta service is in read-only mode, it might not be possible to set the password. Okta then needs to call your service again the next time the user attempts to sign in.
See Password inline hook and Okta read-only mode and Removing password from existing user store.




Notes:


    

  • Password policies don't apply to the password import inline hook. That is, if your external service validates the password, the password is imported even if it doesn't meet the Okta password policy requirements.
    • 

  • You can create only one password import inline hook per org.
    • 





See also:



Enable a password import inline hook


To enable a password import inline hook, you first need to register your external service endpoint with Okta and configure it as an inline hook of type com.okta.user.credential.password.import.
You can enable the hook using the Admin Console, see Add an inline hook or through the Inline Hooks management API.
When creating a user with the Users API, you need to use the Create User with password import inline hook use case.
This involves specifying a credentials.password.hook property in the request body.


When the user that you have added attempts to sign in to Okta for the first time, the hook is triggered and Okta calls your external service. The call sends the credentials that the end user provided. Your service can check
the credentials and respond with a command to indicate whether the credentials are valid or not.


Password inline hook and Okta read-only mode


If your external service responds to Okta indicating that the credentials are valid, Okta saves the password and can authenticate the user independently from then on. However, if your Okta org is in a special read-only mode
at the time the user signs in, then saving the password might not be possible. The next time the end user attempts to sign in, the password import inline hook needs to be called again.


Password removal from an existing user store


Because of the possibility of your org being in a special service mode, you shouldn't attempt to permanently delete user passwords from your existing user store until you can verify the success of the password import . An Okta System Log Event, user.import.password, is available for this purpose. An event of this type is created every time a password import inline hook is fired, with its Event.Outcome property providing a status of FAILURE or SUCCESS for the password import operation. 
If the status is SUCCESS, Okta has successfully saved the end user's password, and it's safe to delete it from your previous user store.


You can configure an Event hook to send this event type to you for use when triggering automated cleanup of end-user
passwords after successful migration.


Request 
Request Body schema: application/json
required
cloudEventVersion
string
The inline hook cloud version


 
contentType
string
The inline hook request header content


 
eventId
string
The individual inline hook request ID


 
eventTime
string
The time the inline hook request was sent


 
eventTypeVersion
string
The inline hook version


 
object (PasswordImportRequestData) 
 
object
This object specifies the default action Okta is set to take. Okta takes this action if your external service sends an empty HTTP 204 response. You can override the default action by returning a commands object in your response specifying the action to take.


 
credential
string
 Default:  "UNVERIFIED"
The status of the user credential, either UNVERIFIED or VERIFIED


 
object
 
object (InlineHookRequestObject) 
The API request that triggered the inline hook


 
object
 
eventType
string
The type of inline hook. The password import inline hook type is com.okta.user.credential.password.import.


 
source
string
The ID and URL of the password import inline hook


 
Responses 
200
Successful response


204
No content - Unverified user response


403
Forbidden


Request samples 
application/json
{
  • "eventId": "3o9jBzq1SmOGmmsDsqyyeQ",
  • "eventTime": "2020-01-17T21:23:56.000Z",
  • "eventType": "com.okta.user.credential.password.import",
  • "eventTypeVersion": "1.0",
  • "contentType": "application/json",
  • "cloudEventVersion": "0.1",
  • "source": "https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7",
  • "data": {
    • "context": {
      },
    • "action": {
      }
    }
}
Response samples 
application/json
{
  • "commands": [
    • {
      }
    ]
}
Create a Registration Inline Hook
Webhook 
Creates a registration inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service,
and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects,
which specify the Okta commands to execute.


The Okta registration inline hook allows you to integrate your own custom code into Okta's Profile Enrollment flow. The hook is triggered after Okta receives the registration or profile update request. Your custom code can:


    

  • Allow or deny the registration attempt, based on your own validation of the information the user has submitted
    • 

  • Set or override the values that are populated in attributes of the user's Okta profile
    

    Note: Profile Enrollment and self-service registration (SSR) inline hooks only work with the Okta Sign-In Widget version 4.5 or later.
    

    

    • 



See also:



Request 
Request Body schema: application/json
required
cloudEventVersion
string
The inline hook cloud version


 
contentType
string
The inline hook request header content


 
eventId
string
The individual inline hook request ID


 
eventTime
string
The time the inline hook request was sent


 
eventTypeVersion
string
The inline hook version


 
eventType
string
The type of inline hook. The registration inline hook type is com.okta.user.pre-registration.


 
requestType
string (RegistrationInlineHookRequestType) 
The type of registration hook. Use either self.service.registration or progressive.profile.


 
object
 
object
 
object (InlineHookRequestObject) 
The API request that triggered the inline hook


 
action
string
The default action the system will take. Will be ALLOW. DENY will never be sent to your external service.


 
object
The name-value pairs for each registration-related attribute supplied by the user in the Profile Enrollment form.


 
property name*
additional property
any
 
Responses 
200
Successful response


204
No content - Allow registration to proceed without any update.


Request samples 
application/json
{
  • "eventId": "04Dmt8BcT_aEgM",
  • "eventTime": "2022-04-25T17:35:27.000Z",
  • "eventType": "com.okta.user.pre-registration",
  • "eventTypeVersion": 1,
  • "contentType": "application/json",
  • "cloudEventVersion": 0.1,
  • "source": "regt4qeBKU29vSoPz0g3",
  • "requestType": "self.service.registration",
  • "data": {
    • "context": {
      },
    • "userProfile": {
      },
    • "action": "ALLOW"
    }
}
Response samples 
application/json
{
  • "commands": [
    • {
      }
    ]
}
Create a User Import Inline Hook
Webhook 
Creates a user import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. 
This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include 
in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.


The user import inline hook enables you to add custom logic to the process of importing new users into Okta from an app. You can resolve conflicts in user name or other profile attributes, 
modify values of profile attributes, and control whether the imported user is treated as a match for an existing user or not. The hook is invoked for each user being imported, 
at the point immediately after any applicable profile attribute mappings have been applied, and any potential matches with existing users have been found, but before the Okta user profile is created.




Note: If the external service times out after receiving an Okta request, the Okta process flow continues and the user is created.




See also:





Note: The procedure for associating a user import inline hook with an app using the Admin Console can't be used with AD or LDAP.




Request 
Request Body schema: application/json
required
cloudEventVersion
string
The inline hook cloud version


 
contentType
string
The inline hook request header content


 
eventId
string
The individual inline hook request ID


 
eventTime
string
The time the inline hook request was sent


 
eventTypeVersion
string
The inline hook version


 
object (UserImportRequestData) 
 
object
The object that specifies the default action Okta is set to take


 
result
string
The current default action that results when Okta imports a user. The two possible values are CREATE_USER and LINK_USER. You 
can change the action that is taken by means of the commands object you return.


 Enum: Description
CREATE_USER
A new Okta user profile is created for the user


LINK_USER
The user is treated as a match for the existing Okta user identified by the value of data.user.id


 
object
The app user profile being imported


 
object
Provides the name-value pairs of the attributes contained in the app user profile of the user who is being imported. You can change 
the values of attributes in the user's app profile by means of the commands object you return. If you change attributes in the app 
profile, they then flow through to the Okta user profile, based on matching and mapping rules.


 
object
 
conflicts
Array of strings
An array of user profile attributes that are in conflict


 
object
Details of the app from which the user is being imported


 
object
The details of the running import job


 
matches
Array of strings
The list of Okta users currently matched to the app user based on import matching. There can be more than one match.


 
policy
Array of strings
The list of any policies that apply to the import matching


 
object
Provides information on the Okta user profile currently set to be used for the user who is being imported, based on the matching 
rules and attribute mappings that were applied.


 
object
The data.user.profile contains the name-value pairs of the attributes in the user profile. If the user has been matched to an existing
Okta user, a data.user.id object is included, containing the unique identifier of the Okta user profile.


You can change the values of the attributes by means of the commands object you return.


 
eventType
string
The type of inline hook. The user import inline hook type is com.okta.import.transform.


 
source
string
The ID of the user import inline hook


 
Responses 
200
Successful response


204
No content - Use the default action


403
Forbidden


Request samples 
application/json
{
  • "source": "cal7eyxOsnb20oWbZ0g4",
  • "eventId": "JUGOUiYZTaKPmH6db0nDag",
  • "eventTime": "2019-02-27T20:59:04.000Z",
  • "eventTypeVersion": "1.0",
  • "cloudEventVersion": "0.1",
  • "eventType": "com.okta.import.transform",
  • "contentType": "application/json",
  • "data": {
    • "context": {
      },
    • "action": {
      },
    • "appUser": {
      },
    • "user": {
      }
    }
}
Response samples 
application/json
{
  • "commands": [
    • {
      }
    ]
}
Create a SAML Assertion Inline Hook
Webhook 
Creates a SAML Assertion inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute.


This type of inline hook is triggered when Okta generates a SAML assertion in response to an authentication request. Before sending the SAML assertion to the app that will consume it, Okta calls out to your external service. Your external service can respond with commands to add attributes to the assertion or to modify its existing attributes.


You can use this functionality to add data to assertions, which might be data that is sensitive, calculated at runtime, or complexly-structured and not appropriate for storing in Okta user profiles. Data added this way is never logged or stored by Okta. As an example, SAML assertions generated for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta.


This inline hook works only when using custom SAML apps, not apps from the OIN.


See also:



Specify location within the assertion


Specify the location within the assertion where you want to apply your operation using a slash-delimited path, which follows JSON Patch conventions.


When you perform an add op to add a new attribute statement, begin with /claims/ and follow that with the name of the new attribute that you're adding.


When you modify an existing assertions statement, begin the path with /subject/, /authentication/, /conditions/, or /claims/, depending on which part of the assertion you want to modify. You then look deeper within the child elements using slash-delimited element names, for example, /claims/array/attributeValues/1/value. (The /1/ in the path indicates the index of the array, using zero-based indexing.)


URI claims


Okta supports URI claims with SAML assertion hooks. When you need to replace or add a URI claim, encode the claim name within the command per the JavaScript Object Notation (JSON) Pointer specification. Specifically, this replaces ~ with ~0 and / with ~1.


SessionNotOnOrAfter support


In some scenarios, your service provider may require the SessionNotOnOrAfter attribute for the <saml:AuthnStatement> in the SAML assertion, which sets the provider session time correctly. Use add op with the path /authentication/sessionLifetime and a value for session lifetime in seconds to add this attribute. Okta calculates SessionNotOnOrAfter by adding the /authentication/sessionLifetime value to the issueInstant attribute and returns it in the SAML `data.assertion.


Request 
Request Body schema: application/json
required
cloudEventVersion
string
The inline hook cloud version


 
contentType
string
The inline hook request header content


 
eventId
string
The individual inline hook request ID


 
eventTime
string
The time the inline hook request was sent


 
eventTypeVersion
string
The inline hook version


 
object
 
object
This object contains a number of sub-objects, each of which provide some type of contextual information.


 
object (InlineHookRequestObject) 
The API request that triggered the inline hook


 
object
Details of the user session


 
object
Identifies the Okta user that the token was generated to authenticate and provides details of their Okta user profile


 
object
Details of the assertion protocol being used


 
object
Details of the SAML assertion that was generated


 
object
Provides a JSON representation of the <saml:Subject> element of the SAML assertion


 
object
Provides a JSON representation of the <saml:AuthnStatement> element of the SAML assertion


 
object
Provides a JSON representation of the <saml:Conditions> element of the SAML assertion


 
object
Provides a JSON representation of the <saml:AttributeStatement> element contained in the generated SAML assertion. Contains any optional SAML attribute statements that you have defined for the app using the Admin Console's SAML Settings.


 
object
Specifies the expiration time, in seconds, of the SAML assertion


 
Responses 
200
Successful response


204
No content - Use the default action


403
Forbidden


Request samples 
application/json
{
  • "source": "https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml",
  • "eventId": "XMFoHCM1S4Wi_SGWzL8T9A",
  • "eventTime": "2019-03-28T19:15:23.000Z",
  • "data": {
    • "context": {},
    • "assertion": {
      }
    },
  • "eventTypeVersion": "1.0",
  • "cloudEventVersion": "0.1",
  • "eventType": "com.okta.saml.tokens.transform",
  • "contentType": "application/json"
}
Response samples 
application/json
{
  • "commands": [
    • {
      },
    • {
      }
    ]
}
Create a Token inline hook
Webhook 
Creates a Token inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response.


This type of inline hook is triggered when OAuth 2.0 and OpenID Connect (OIDC) tokens are minted by your Okta custom authorization server. Before sending the token to the requester, Okta calls out to your external service. Your service can then respond with commands to add custom claims to the token or to modify existing claims.


Use this functionality to add data that is sensitive, calculated at runtime, or complexly structured and not appropriate for storing in Okta user profiles. Okta never logs nor stores data that is added this way. As an example, tokens minted for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta.


In addition to adding custom claims, you can modify or remove an existing custom claim or an OIDC standard profile claim. You can also update how long an access token or an ID token is valid.


This inline hook works only when using an Okta custom authorization server, not the built-in Okta org authorization server.


See also:



Timeout behavior


After receiving the Okta request, if there's a response timeout, the Okta process flow proceeds with the original token returned.


Enabling a token inline hook


To activate the inline hook, you first need to register your external service endpoint with Okta using the Inline Hooks Management API.
You then need to associate the registered inline hook with a custom authorization server policy rule by completing the following steps:


    

  1. Go to Security > API > Authorization Servers.
    2. 

  2. Select a custom authorization server from the list.
    3. 

  3. Select Access Policies and select a policy to use with the hook. In most cases, pick the Default Policy.
    4. 

  4. One of the policy's rules needs to trigger the inline hook. Click the pencil icon for a rule to edit it. If you only have one rule, edit the Default Policy Rule.
    5. 

  5. Click the Use this Inline Hook dropdown menu. Any inline hooks that you have registered are listed. Select the hook that you would like to use.
    6. 

  6. Click Update Rule.
    7. 





Note: You can associate only one inline hook with each rule.




Troubleshoot


This section covers what happens when a token inline hook flow fails either due to the external inline hook service returning an error object or not returning a successful response, or the inline hook patch fails.




Note: Administrators can use the Okta System Log to view errors. See the Troubleshooting section in the inline hooks concept piece for more information on the events related to inline hooks that the Okta System Log captures.




    

  • When there's a communication failure with the external service, a timeout for example, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
    

    Who can see this error? Administrators
    

    • 

  • When the external service returns a response with any other HTTP status code besides 200, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
    

    Who can see this error? Administrators
    

    • 

  • When the external service returns an error object in the response, the entire token inline hook flow fails with no token generated.
    

    Who can see this error? Administrators, developers, and end users. When the OAuth 2.0 client receives the error, the client developer can see that error if the client has the debug information. What the end user sees depends on how errors are handled within the client.
    

    

    Note: See the error section on this page for more information on what to include in the error object of your response and what the OAuth 2.0 error includes that Okta returns to the requestor of the token.
    

    

    • 

  • When a hook command (for example, updating, adding, and deleting claims) can't be performed, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
    

    Who can see this error? Administrators
    

    The following actions result in an error:
    

      

    • Using an invalid command. For example, if only an ID token is requested, the commands array shouldn't contain commands of the type com.okta.access.patch.
      • 

    • Using an invalid operation
      • 

    • Attempting to remove a system-specific claim
      • 

    • Attempting to update a claim that doesn't exist
      • 

    • Attempting to update an element within an array that doesn't exist or specifying an invalid index
      • 

    • Attempting to remove a claim that doesn't exist
      • 

    

    • 



Request 
Request Body schema: application/json
required
cloudEventVersion
string
The inline hook cloud version


 
contentType
string
The inline hook request header content


 
eventId
string
The individual inline hook request ID


 
eventTime
string
The time the inline hook request was sent


 
eventTypeVersion
string
The inline hook version


 
object
 
object
This object contains a number of sub-objects, each of which provide some type of contextual information.


 
object (InlineHookRequestObject) 
The API request that triggered the inline hook


 
object
Details of the user session


 
object
Identifies the Okta user that the token was generated to authenticate and provides details of their Okta user profile


 
object
Details of the authentication protocol


 
object
The authorization server policy used to mint the token


 
object
Provides information on the properties of the ID token that Okta has generated, including the existing claims that it contains


 
claims
object
Claims included in the token. Consists of name-value pairs for each included claim. For descriptions of the claims that you can include, see the Okta OpenID Connect and OAuth 2.0 API reference.


 
object
Lifetime of the token


 
object
Provides information on the properties of the access token that Okta has generated, including the existing claims that it contains


 
claims
object
Claims included in the token. Consists of name-value pairs for each included claim. For descriptions of the claims that you can include, see the Okta OpenID Connect and OAuth 2.0 API reference.


 
object
Lifetime of the token


 
scopes
object
The scopes contained in the token. For descriptions of the scopes that you can include, see the Okta OpenID Connect and OAuth 2.0 API reference.


 
object (RefreshToken) 
The refresh token


 
jti
string
The refresh token ID


 
Responses 
200
Successful response


204
No content - Unverified user response


403
Forbidden


Request samples 
application/json
An example token inline hook request body


{
  • "source": "https://{yourOktaDomain}/oauth2/default/v1/authorize",
  • "eventId": "3OWo4oo-QQ-rBWfRyTmQYw",
  • "eventTime": "2019-01-15T23:20:47.000Z",
  • "eventTypeVersion": "1.0",
  • "cloudEventVersion": "0.1",
  • "contentType": "application/json",
  • "eventType": "com.okta.oauth2.tokens.transform",
  • "data": null,
  • "context": {},
  • "identity": {
    • "claims": {
      },
    • "token": {
      }
    },
  • "access": {
    • "claims": {
      },
    • "token": {
      },
    • "scopes": {
      }
    },
  • "refresh_token": {
    • "jti": "oarob4a0tckCkGcyo1d6"
    }
}
Response samples 
application/json
Token inline hook response


{
  • "commands": [
    • {
      },
    • {
      }
    ]
}