On This Page
2018.05
Feature Enhancements
| Feature Enhancement | Expected in Preview Orgs | Expected in Production Orgs |
|---|---|---|
| App User Schema API is Generally Available | Available Now | Available Now |
Special HTML Characters in state for okta_post_message | January 31, 2018 | February 7, 2018 |
| Custom Scopes in Metadata Endpoints | January 31, 2018 | February 7, 2018 |
| Improved Enforcement of Authorization Server Policies | January 31, 2018 | February 7, 2018 |
| Functions for Including Groups in Tokens | January 31, 2018 | February 7, 2018 |
| New System Log Messages | January 31, 2018 | February 7, 2018 |
| New Version of the Sign-In Widget | Available Now | Available Now |
Generally Available: App User Schema API
Use the App User Schema API to work with App User profiles, typically for apps that have features for provisioning users.
Special HTML Characters in state for okta_post_message
You can include HTML special characters in the state parameter for okta_post_message.
Note that state in the main request body already allows these characters.
Custom Scopes in Metadata Endpoints
You can specify whether or not to include custom scopes in the metadata endpoints for OAuth 2.0 and OpenID Connect.
Existing custom scopes are not exposed by default. Set the metadataPublish attribute to ALL_CLIENTS to change the behavior.
Improved Enforcement of Authorization Server Policies
When a client application tries to redeem an authorization token from a refresh token issued by a custom authorization server, policies are evaluated again. This ensures any changes since the time the refresh token was issued are checked.
Functions for Including Groups in Tokens
Use the new EL functions Group.contains, Group.startsWith, and Group.endsWith to define a set of dynamic groups to be included in tokens minted from Okta's authorization servers.
These functions complement the existing EL function getFilteredGroups which helps you create a static list of groups for inclusion in a token.
New System Log Messages
User account updates have two new events written to the system log ( /api/v1/events and /api/v1/logs):
- The
user.account.unlock_by_adminevent complements the existinguser.account.unlockevent which is triggered only by self-service unlock or automatic unlock. Theuser.account.unlock_by_adminevent is triggered when an administrator unlocks an account. - The
user.account.update_primary_emailevent is triggered only when a primary email is updated. It's not triggered by profile sync or other automated processes.
New Version of the Sign-In Widget
Version 2.6.0 of the Okta Sign-In Widget is available. Check out the new features and bug fixes!
Bugs Fixed
The following bugs have been fixed and are expected in preview orgs January 31, 2018 and production orgs starting February 7, 2018.
- Client applications could redeem an access token from a refresh token if it contained a deleted scope. (OKTA-154738)
- The exception thrown when creating a zone without the correct features enabled was incorrect
501: unsupported operation. Now the correct exception is thrown:401: You do not have permission to access the feature you are requesting.(OKTA-154940) - Requests to
/api/v1/authnwithdeviceTokenin the body of the request incorrectly prompted the user for MFA, even after successfully verifying the factor the first time, if:- The org had MFA enabled ( Sign On Policy > Prompt for Factor > Per Device ).
- The user was assigned to an app that had password sync enabled. (OKTA-156826)