On This Page


Advance Notice: Data Retention Changes

Okta is changing system log data retention. System log data is available from /api/v1/events or Okta SDK EventsAPIClient.

  • For orgs created before July 17th, data will be retained for 6 months.
  • For orgs created on and after July 17th, data will be retained for 3 months.

The new data retention policy starts:

  • June 7, 2017 for existing preview orgs
  • July 17, 2017 for existing production orgs

Preview and production orgs created on July 17, 2017 and later will retain this log data for three months.

For the full data retention policy, see our Data Retention Policy (opens new window).

You can export data before Okta deletes it. We recommend using Security Information and Event Management (SIEM) technology or Okta's API.

Platform Enhancements

System Logs Track Key Rotation and Generation

Logged information about key rotation and generation for apps and identity providers is available by using GET requests to either of the following endpoints: /api/v1/events or /api/v1/logs. For more information, see Identity Provider Signing Key Store Operations or Update Key Credential for Application.

Here is a response from /api/v1/logs Logged Key Rotation Event

Client Registration API Is an Early Access Feature

The Auth Clients API provides operations to register and manage client applications for use with Okta's OAuth 2.0 and OpenID Connect endpoints.

Create OAuth 2.0 and OpenID Connect Clients with Apps API

The Apps API supports creating and configuring OAuth 2.0 or OpenID Connect clients. Alternatively, you can use Client Registration API (RFC 7591 and RFC 7592) to create and manage clients.

OAuth 2.0 and OpenID Connect Client App Updates Available in System Log

Logged information about OAuth 2.0 client updates is now available by using GET requests to either log endpoint: /api/v1/events or /api/v1/logs.

Logged Key Rotation Event

Support for RP-Initiated Logout

Okta supports RP-intiated logout (opens new window) from OpenID Connect client apps in both the administrator UI and Okta API. You can specify a logout redirect URI, or accept the default behavior of returning to the Okta Login page. You can access this feature on the Create OpenID Connect Integration page (under Applications) in the UI.

OAuth 2.0 and OpenID Connect .well-known Response Includes Registration Endpoint

Okta returns the registration_endpoint in OAuth 2.0 and OpenID Connect .well-known responses.

Platform Bugs Fixed

Invalid Availability of credentials.signing.kid

The credentials.signing.kid property of an app was available even if its sign-on mode does not support certificates. Only apps using the following sign-on mode types support certificates: SAML 2.0, SAML 1.1, WS-Fed, or OpenID Connect. For more information, see: Application Key Store Operations (OKTA-76439)

WWW-Authenticate Header in HTTP 401 Response

When a call to the token, introspect, or revocation endpoint of OpenID Connect or API Access Management encountered an invalid_client error, the response did not include the WWW­Authenticate header. (OKTA-127653)