On This Page
|Feature Enhancement||Expected in Preview Orgs||Expected in Production Orgs|
|App User Schema API is Generally Available||Available Now||Available Now|
|Special HTML Characters in ||January 31, 2018||February 7, 2018|
|Custom Scopes in Metadata Endpoints||January 31, 2018||February 7, 2018|
|Improved Enforcement of Authorization Server Policies||January 31, 2018||February 7, 2018|
|Functions for Including Groups in Tokens||January 31, 2018||February 7, 2018|
|New System Log Messages||January 31, 2018||February 7, 2018|
|New Version of the Sign-In Widget||Available Now||Available Now|
Use the App User Schema API to work with App User profiles, typically for apps that have features for provisioning users.
You can include HTML special characters in the
state parameter for
state in the main request body already allows these characters.
You can specify whether or not to include custom scopes in the metadata endpoints for OAuth 2.0 and OpenID Connect.
Existing custom scopes are not exposed by default. Set the
metadataPublish attribute to
ALL_CLIENTS to change the behavior.
When a client application tries to redeem an authorization token from a refresh token issued by a custom authorization server, policies are evaluated again. This ensures any changes since the time the refresh token was issued are checked.
Use the new EL functions
Group.endsWith to define a set of dynamic groups to be included in tokens minted from Okta's authorization servers.
These functions complement the existing EL function
getFilteredGroups which helps you create a static list of groups for inclusion in a token.
User account updates have two new events written to the system log (
user.account.unlock_by_adminevent complements the existing
user.account.unlockevent which is triggered only by self-service unlock or automatic unlock. The
user.account.unlock_by_adminevent is triggered when an administrator unlocks an account.
user.account.update_primary_emailevent is triggered only when a primary email is updated. It's not triggered by profile sync or other automated processes.
Version 2.6.0 of the Okta Sign-In Widget (opens new window) is available. Check out the new features and bug fixes!
The following bugs have been fixed and are expected in preview orgs January 31, 2018 and production orgs starting February 7, 2018.
- Client applications could redeem an access token from a refresh token if it contained a deleted scope. (OKTA-154738)
- The exception thrown when creating a zone without the correct features enabled was incorrect
501: unsupported operation. Now the correct exception is thrown:
401: You do not have permission to access the feature you are requesting.(OKTA-154940)
- Requests to
deviceTokenin the body of the request incorrectly prompted the user for MFA, even after successfully verifying the factor the first time, if:
- The org had MFA enabled ( Sign On Policy > Prompt for Factor > Per Device ).
- The user was assigned to an app that had password sync enabled. (OKTA-156826)