Okta is changing system log data retention. System log data is available from
- For orgs created before July 17th, data will be retained for 6 months.
- For orgs created on and after July 17th, data will be retained for 3 months.
The new data retention policy starts:
- June 7, 2017 for existing preview orgs
- July 17, 2017 for existing production orgs
Preview and production orgs created on July 17, 2017 and later will retain this log data for three months.
For the full data retention policy, see our Data Retention Policy.
You can export data before Okta deletes it. We recommend using Security Information and Event Management (SIEM) technology or Okta's API.
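One way to do the API export, as an added example that is not Okta's own code: it pages through a bounded time window of the System Log API and writes each event as one JSON line, following only pagination links that stay on the org's own host so the API token is never sent elsewhere. Assumptions: the `/api/v1/logs` endpoint with `since`, `until`, `limit` and `sortOrder` parameters, `SSWS` token authentication, and `Link: rel="next"` pagination; the function names, org URL and token are placeholders.

```python
import json
import re
import urllib.parse
import urllib.request

LINK_NEXT = re.compile(r'<([^>]+)>\s*;\s*rel="next"')

def next_link(link_header):
    """Return the rel="next" URL from a Link header value, or None."""
    m = LINK_NEXT.search(link_header or "")
    return m.group(1) if m else None

def http_fetch(token):
    """Build a fetch(url) -> (events, link_header) callable using an SSWS API token."""
    def fetch(url):
        req = urllib.request.Request(url, headers={
            "Authorization": f"SSWS {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            # get_all covers servers that send self/next as separate Link headers
            links = ", ".join(resp.headers.get_all("Link") or [])
            return json.load(resp), links
    return fetch

def export_logs(fetch, org_url, since, until, out):
    """Write every event in [since, until) to `out` as NDJSON; return the count."""
    base = org_url.rstrip("/")
    query = urllib.parse.urlencode({"since": since, "until": until,
                                    "sortOrder": "ASCENDING", "limit": 1000})
    url = f"{base}/api/v1/logs?{query}"
    seen, count = set(), 0
    while url:
        events, links = fetch(url)
        if not events:               # empty page: the window is exhausted
            break
        for ev in events:
            if ev["uuid"] in seen:   # guard against overlap between pages
                continue
            seen.add(ev["uuid"])
            out.write(json.dumps(ev, sort_keys=True) + "\n")
            count += 1
        nxt = next_link(links)
        # Follow only links on the org's own host; the token goes with each request
        url = nxt if nxt and nxt.startswith(base + "/") else None
    return count
```

To run it against a real org, pass `http_fetch(token)` as `fetch` and an open file as `out`, with `since` and `until` as ISO 8601 timestamps covering the period about to age out.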
- System Logs Track Key Rotation and Generation
- Client Registration API Is an Early Access Feature
- Create OAuth 2.0 and OpenID Connect Clients with the Apps API
- OAuth 2.0 and OpenID Connect Client App Updates Available in System Log
- Support for RP-Initiated Logout
- OAuth 2.0 and OpenID Connect .well-known Response Includes Registration Endpoint
Logged information about key rotation and generation for apps and identity providers is available by using GET requests to either of the following endpoints:
For more information, see Identity Provider Signing Key Store Operations or Update Key Credential for Application.
Here is a response from
The Auth Clients API provides operations to register and manage client applications for use with Okta's OAuth 2.0 and OpenID Connect endpoints.
Logged information about OAuth 2.0 client updates is now available by using GET requests to either log endpoint:
Okta supports RP-initiated logout from OpenID Connect client apps in both the administrator UI and Okta API. You can specify a logout redirect URI, or accept the default behavior of returning to the Okta Login page. You can access this feature on the Create OpenID Connect Integration page (under Applications) in the UI.
Okta returns the
registration_endpoint in OAuth 2.0 and OpenID Connect
The credentials.signing.kid property of an app was available even if its sign-on mode does not support certificates. Only apps using the following sign-on mode types support certificates: SAML 2.0, SAML 1.1, WS-Fed, or OpenID Connect. For more information, see: Application Key Store Operations (OKTA-76439)
When a call to the token, introspect, or revocation endpoint of OpenID Connect or API Access Management encountered an invalid_client error, the response did not include the WWW-Authenticate header. (OKTA-127653)