We are making rate limits more granular and will roll the changes out over the next few months:
- Shortly after February 8, 2017, we'll provide system log alerts to let you know that you would have exceeded any of these new API rate limits.
- Sometime in February, 2017, we'll treat authenticated end-user interactions on a per-user basis. Interactions like SSO after login won't apply to your org-wide API rate limits.
- Shortly after March 8, 2017, the new, more granular rate limits will be enforced. At that point, the warnings in the System Log will change to error notifications.
Of course, as each change is released, we'll announce it here.
For a full description of the rate limit changes, see API Rate Limits.
You can now search (exact match) for an authorization server name or resource URI. To see the new search box, log into your Okta org, click the Admin button, and visit Security > API > Authorization Servers.
In the administrator UI, you can set an authorization server to manually rotate keys. Keys are rotated automatically by default.
Important: Automatic key rotation is more secure than manual key rotation. Use manual key rotation only if you can't use automatic key rotation.
To change an authorization server configuration to use manual key rotation:
- Log into the Okta org.
- Choose Admin.
- Choose Security > API.
- Open an authorization server for editing.
- Change the value of Signing Key Rotation to Manual and save.
- In the authorization server Settings tab, click the Rotate Signing Keys button to rotate the keys manually. This button doesn't display when Signing Key Rotation is set to Automatic.
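As an added example (not Okta's code and not part of this page), the following Python audit applies the advice above to a list of authorization server objects in the shape the Okta Authorization Server API returns: it flags every server set to manual rotation and reports how long its current signing key has been in use, so an admin knows which servers need the Rotate Signing Keys button pressed or should be switched back to automatic. The field names credentials.signing.rotationMode and lastRotated are assumed from that API's object shape, and the sample servers are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: trimmed-down authorization server objects in the shape the
# Okta Authorization Server API returns (field names assumed, not from the page).
SAMPLE_SERVERS = json.loads("""
[
  {"id": "aus-example-1", "name": "default",
   "credentials": {"signing": {"rotationMode": "AUTO",
                               "lastRotated": "2017-02-01T00:00:00.000Z"}}},
  {"id": "aus-example-2", "name": "partner-api",
   "credentials": {"signing": {"rotationMode": "MANUAL",
                               "lastRotated": "2016-06-15T12:30:00.000Z"}}},
  {"id": "aus-example-3", "name": "legacy",
   "credentials": {"signing": {"rotationMode": "MANUAL",
                               "lastRotated": "2017-02-20T08:00:00.000Z"}}}
]
""")

def parse_okta_time(value):
    """Okta timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def audit_key_rotation(servers, now, max_key_age_days=90):
    """Return one finding per server whose signing keys are rotated manually.

    Each finding records the key age in days; a key older than max_key_age_days
    is marked overdue. Servers on automatic rotation are skipped.
    """
    findings = []
    for server in servers:
        signing = server.get("credentials", {}).get("signing", {})
        if signing.get("rotationMode") != "MANUAL":
            continue  # automatic rotation: Okta rotates the key itself
        age = now - parse_okta_time(signing["lastRotated"])
        findings.append({
            "id": server["id"],
            "name": server["name"],
            "key_age_days": age.days,
            "overdue": age > timedelta(days=max_key_age_days),
        })
    return findings

if __name__ == "__main__":
    for f in audit_key_rotation(SAMPLE_SERVERS, parse_okta_time("2017-03-08T00:00:00.000Z")):
        status = "OVERDUE" if f["overdue"] else "ok"
        print(f"{f['name']} ({f['id']}): manual rotation, key age {f['key_age_days']} days [{status}]")
```

Against a live org, the server list would come from the Authorization Servers API with an admin token; the audit function itself does not depend on how the list is fetched.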
- Requesting an authorization code with okta_post_message failed to return the error message ("The authorization server does not support the requested response mode") in the response. Instead it redirected the error response to the URI specified in
- The one-time sessionToken in the response from the POST /api/v1/authn request with username and password was valid for two hours after issuance. It is now valid for 5 minutes for added security. (OKTA-109907)
- Modifying the rule conditions (attributes) of a default rule that affects policy evaluation didn't return a read-only attribute error. If you modified one of these read-only attributes previously, and need to change the attribute back to its initial value, contact Support. (OKTA-110155)
- Using the search parameter with GET /api/v1/users when the user is federated returned an incorrect value for
- When authentication fails because of the user's sign-on policy, the HTTP code returned was 403 but is now 401. (OKTA-111888)