Okta is changing system log data retention. System log data is available from
The new data retention policy starts:
Preview and production orgs created on July 17, 2017 and later will retain this log data for three months.
For the full data retention policy, see our Data Retention Policy.
You can export data before Okta deletes it. We recommend using Security Information and Event Management (SIEM) technology or Okta's API.
Logged information about key rotation and generation for apps and identity providers is available by using GET requests to either of the following endpoints:
For more information, see Identity Provider Signing Key Store Operations or Update Key Credential for Application.
Here is a response from
The Auth Clients API provides operations to register and manage client applications for use with Okta's OAuth 2.0 and OpenID Connect endpoints.
Logged information about OAuth 2.0 client updates is now available by using GET requests to either log endpoint:
Okta supports RP-initiated logout from OpenID Connect client apps in both the administrator UI and the Okta API. You can specify a logout redirect URI, or accept the default behavior of returning to the Okta Login page. You can access this feature on the Create OpenID Connect Integration page (under Applications) in the UI.
Okta returns the
registration_endpoint in OAuth 2.0 and OpenID Connect
The credentials.signing.kid property of an app was available even if its sign-on mode does not support certificates. Only apps using the following sign-on mode types support certificates: SAML 2.0, SAML 1.1, WS-Fed, or OpenID Connect. For more information, see Application Key Store Operations. (OKTA-76439)
When a call to the token, introspect, or revocation endpoint of OpenID Connect or API Access Management encountered an invalid_client error, the response did not include the WWW-Authenticate header. (OKTA-127653)