2018.05
Feature Enhancements
Feature Enhancement | Expected in Preview Orgs | Expected in Production Orgs |
---|---|---|
App User Schema API is Generally Available | Available Now | Available Now |
Special HTML Characters in state for okta_post_message | January 31, 2018 | February 7, 2018 |
Custom Scopes in Metadata Endpoints | January 31, 2018 | February 7, 2018 |
Improved Enforcement of Authorization Server Policies | January 31, 2018 | February 7, 2018 |
Functions for Including Groups in Tokens | January 31, 2018 | February 7, 2018 |
New System Log Messages | January 31, 2018 | February 7, 2018 |
New Version of the Sign-In Widget | Available Now | Available Now |
Generally Available: App User Schema API
Use the App User Schema API to work with App User profiles, typically for apps that have features for provisioning users.
Special HTML Characters in state for okta_post_message
You can include HTML special characters in the `state` parameter for `okta_post_message`.
Note that `state` in the main request body already allows these characters.
Custom Scopes in Metadata Endpoints
You can specify whether or not to include custom scopes in the metadata endpoints for OAuth 2.0 and OpenID Connect.
Existing custom scopes are not exposed by default. Set the `metadataPublish` attribute to `ALL_CLIENTS` to change the behavior.
Improved Enforcement of Authorization Server Policies
When a client application tries to redeem an authorization token from a refresh token issued by a custom authorization server, policies are evaluated again. This ensures any changes since the time the refresh token was issued are checked.
Functions for Including Groups in Tokens
Use the new EL functions `Group.contains`, `Group.startsWith`, and `Group.endsWith` to define a set of dynamic groups to be included in tokens minted from Okta's authorization servers.
These functions complement the existing EL function `getFilteredGroups`, which helps you create a static list of groups for inclusion in a token.
New System Log Messages
User account updates have two new events written to the system log (`/api/v1/events` and `/api/v1/logs`):
- The `user.account.unlock_by_admin` event complements the existing `user.account.unlock` event, which is triggered only by self-service unlock or automatic unlock. The `user.account.unlock_by_admin` event is triggered when an administrator unlocks an account.
- The `user.account.update_primary_email` event is triggered only when a primary email is updated. It's not triggered by profile sync or other automated processes.
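Because the two new event types separate administrator action from self-service and automated activity, they are useful filters in log review. The following is an added example, not Okta's code: it picks the two new event types out of constructed sample events and flags a primary email update that follows an admin unlock of the same user. The one-hour window, the function names and the sample events are assumptions; events are trimmed to the `published`, `eventType`, `actor` and `target` fields returned by `/api/v1/logs`.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events, trimmed to the System Log fields used below.
SAMPLE_EVENTS = json.loads("""[
  {"published": "2018-02-07T10:00:00.000Z", "eventType": "user.account.unlock",
   "actor": {"alternateId": "alice@example.com"},
   "target": [{"type": "User", "alternateId": "alice@example.com"}]},
  {"published": "2018-02-07T10:05:00.000Z", "eventType": "user.account.unlock_by_admin",
   "actor": {"alternateId": "admin@example.com"},
   "target": [{"type": "User", "alternateId": "bob@example.com"}]},
  {"published": "2018-02-07T10:20:00.000Z", "eventType": "user.account.update_primary_email",
   "actor": {"alternateId": "bob@example.com"},
   "target": [{"type": "User", "alternateId": "bob@example.com"}]},
  {"published": "2018-02-07T14:00:00.000Z", "eventType": "user.account.update_primary_email",
   "actor": {"alternateId": "carol@example.com"},
   "target": [{"type": "User", "alternateId": "carol@example.com"}]}
]""")

WATCHED = {"user.account.unlock_by_admin", "user.account.update_primary_email"}
WINDOW = timedelta(hours=1)  # assumption: review window, tune per org

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def target_users(event):
    return [t["alternateId"] for t in event.get("target", []) if t.get("type") == "User"]

def review_account_events(events, window=WINDOW):
    """Return (watched, alerts) for the two new event types.

    watched: (eventType, user, actor) for each admin unlock or primary email update.
    alerts: (user, unlocking_admin, published) when a primary email update follows
    an admin unlock of the same user within `window`.
    """
    watched, alerts, last_unlock = [], [], {}
    for ev in sorted(events, key=lambda e: parse_ts(e["published"])):
        if ev["eventType"] not in WATCHED:
            continue  # e.g. user.account.unlock: self-service or automatic unlock
        ts, actor = parse_ts(ev["published"]), ev["actor"]["alternateId"]
        for user in target_users(ev):
            watched.append((ev["eventType"], user, actor))
            if ev["eventType"] == "user.account.unlock_by_admin":
                last_unlock[user] = (ts, actor)
            elif user in last_unlock and ts - last_unlock[user][0] <= window:
                alerts.append((user, last_unlock[user][1], ev["published"]))
    return watched, alerts
```

On the sample data, `review_account_events(SAMPLE_EVENTS)` returns three watched events and one alert, for the user whose primary email changed 15 minutes after an admin unlock.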
New Version of the Sign-In Widget
Version 2.6.0 of the Okta Sign-In Widget is available. Check out the new features and bug fixes!
Bugs Fixed
The following bugs have been fixed and are expected in preview orgs January 31, 2018 and production orgs starting February 7, 2018.
- Client applications could redeem an access token from a refresh token if it contained a deleted scope. (OKTA-154738)
- The exception thrown when creating a zone without the correct features enabled was incorrect: `501: unsupported operation`. Now the correct exception is thrown: `401: You do not have permission to access the feature you are requesting.` (OKTA-154940)
- Requests to `/api/v1/authn` with `deviceToken` in the body of the request incorrectly prompted the user for MFA, even after successfully verifying the factor the first time, if:
  - The org had MFA enabled (Sign On Policy > Prompt for Factor > Per Device).
  - The user was assigned to an app that had password sync enabled. (OKTA-156826)