December
Weekly Release 2018.12.2
Note: Okta has changed our release model and version numbering. Under the old system, this would have been release 2018.52. For more information, see here: https://support.okta.com/help/s/article/New-Okta-Release-Model
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bugs Fixed in 2018.12.2 | December 27, 2018 | January 7, 2019 |
Previously Released Early Access Features 2018.12.2 Update | Available Now | Available Now |
Bugs Fixed in 2018.12.2
- An error would be returned if the `/apps/${applicationId}` endpoint was called to update an app that did not have a configurable `signOnMode` property.
- The Identity Providers API endpoints `GET /idps/${idpId}/users`, `GET /idps/${idpId}/users/{userId}`, and `DELETE /idps/${idpId}/users/${userId}` previously required the social authentication feature, even for users related to a non-social IdP. Additionally, non-Social IdPs were not included in the results returned by `GET /users/${userId}/idps`.
- Instead of providing specific reasons for failure, Identity Providers operations failed with generic `error_description` values when the Social Auth provider required user attributes in the user's profile but the attributes were missing or invalid.
- The `/users/${userId}/factors/catalog` endpoint returned `email` as a supported factor type even when Email Authentication was not enabled for the org in MFA settings.
Previously Released Early Access Features 2018.12.2 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.12.1
Note: Okta has changed our release model and version numbering. Under the old system, this would have been release 2019.50. For more information, see here: https://support.okta.com/help/s/article/New-Okta-Release-Model
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bug Fixed in 2018.12.1 | December 12, 2018 | December 17, 2018 |
Previously Released Early Access Features 2018.12.1 Update | Available Now | Available Now |
Bug Fixed in 2018.12.1
- Requests to the same Okta Org Authorization Server's `/keys` endpoint failed if the requests originated from different domains in the same browser. (OKTA-156155)
Previously Released Early Access Features 2018.12.1 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.12.0
Note: Okta has changed our release model and version numbering. Under the old system, this would have been release 2019.49. For more information, see here: https://support.okta.com/help/s/article/New-Okta-Release-Model
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bug Fixed in 2018.12.0 | December 5, 2018 | December 10, 2018 |
Previously Released Early Access Features 2018.12.0 Update | Available Now | Available Now |
Bug Fixed in 2018.12.0
- Queries to the `/logs` endpoint would return an HTTP 500 error if they contained encoded curly braces (`%7B` or `%7D`).
Previously Released Early Access Features 2018.12.0 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
User Consent for OAuth 2.0 and OpenID Connect Flows |
November
Weekly Release 2018.48
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
System Log API Returns Threat Insight Attribute | November 28, 2018 | December 3, 2018 |
Bugs Fixed in 2018.48 | November 28, 2018 | December 3, 2018 |
Previously Released Early Access Features 2018.48 Update | Available Now | Available Now |
System Log API Returns Threat Insight Attribute
The `debugContext` object returned by the System Log API can now include an `okta_threat_insight` attribute to indicate that an event has been identified as a security risk.
Bugs Fixed in 2018.48
- Some customers could access log data outside of their allowed retention range through the System Log API.
- Responses from the `/oauth2/${authServerId}/.well-known/oauth-authorization-server` endpoint did not include supported OpenID Connect response types in the content of the `response_types_supported` property.
Previously Released Early Access Features 2018.48 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.45
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Linked Objects API is Generally Available (GA) | November 6, 2018 | December 10, 2018 |
Bugs Fixed in 2018.45 | November 6, 2018 | November 12, 2018 |
Previously Released Early Access Features 2018.45 Update | Available Now | Available Now |
Linked Objects API is Generally Available (GA)
The Linked Objects API is now available to all orgs.
Bugs Fixed in 2018.45
- The set of roles allowed access to system log information by the Events API did not match the set of roles allowed access by the System Log API. (OKTA-194899)
- When a user tried to sign in using the Okta Sign-in Widget, they would not be prompted to enroll an optional factor, despite `multiOptionalFactorEnroll` being set to `true`. (OKTA-195195)
Previously Released Early Access Features 2018.45 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
October
Weekly Release 2018.44
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bugs Fixed in 2018.44 | October 31, 2018 | November 5, 2018 |
Previously Released Early Access Features 2018.44 Update | Available Now | Available Now |
Bugs Fixed in 2018.44
- Temporary passwords returned by the `/users/${userId}/lifecycle/expire_password` endpoint sometimes included hard-to-distinguish characters.
- Queries to the `/logs` endpoint with `since` and `until` values that were both earlier than the customer's data retention period would return an HTTP 500 error.
Previously Released Early Access Features 2018.44 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.42
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bugs Fixed in 2018.42 | October 17, 2018 | October 22, 2018 |
Previously Released Early Access Features 2018.42 Update | Available Now | Available Now |
Bugs Fixed in 2018.42
- The `/clients` endpoint dropped the `filter` parameter for any paginated results returned after the first page.
- Messages that were sent to devices using the Factors API would sometimes return a `500` error if the message could not be sent.
Previously Released Early Access Features 2018.42 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.41
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Rate Limit Notifications for One App and Enterprise | October 10, 2018 | October 15, 2018 |
OIDC Clients Can Initiate Logout with Expired Token | October 10, 2018 | October 15, 2018 |
Change to User Link Editing Permissions | October 10, 2018 | October 15, 2018 |
Bugs Fixed in 2018.41 | October 10, 2018 | October 15, 2018 |
Previously Released Early Access Features 2018.41 Update | Available Now | Available Now |
Rate Limit Notifications for One App and Enterprise
When an org reaches its rate limit, the admin console will display a banner and the admin(s) will receive an email notification. These notifications will only appear on One App and Enterprise organizations.
OIDC Clients Can Initiate Logout with Expired Token
Client-initiated logout now succeeds even when the ID token is no longer valid.
Change to User Link Editing Permissions
Editing the link between users now requires edit permissions for all users involved.
Bugs Fixed in 2018.41
- Queries to the `/logs` endpoint with values for `since` and `until` that did not specify the time to milliseconds would sometimes return events outside of the specified time range. (OKTA-191533)
- Responses from the `/events` endpoint would sometimes omit milliseconds from the `published` field. (OKTA-192568)
Previously Released Early Access Features 2018.41 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.40
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bugs Fixed in 2018.40 | October 3, 2018 | October 8, 2018 |
Previously Released Early Access Features 2018.40 Update | Available Now | Available Now |
Bugs Fixed in 2018.40
- Responses from the `/zones` endpoint included a duplicate of the `type` field. (OKTA-188605)
- The `/idps/credentials/keys` endpoint was requiring requests to include extra parameters. (OKTA-189780)
Previously Released Early Access Features 2018.40 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
September
Weekly Release 2018.39
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bugs Fixed in 2018.39 | September 26, 2018 | October 1, 2018 |
Previously Released Early Access Features 2018.39 Update | Available Now | Available Now |
Bugs Fixed in 2018.39
- Requests to the `/authorize` endpoint would incorrectly prioritize values from the URI query parameter, rather than the request JWT. For more information, see the documentation for that endpoint. (OKTA-187642)
- When multiple attempts were simultaneously made to update a user's phone number for the SMS or Call Factor, an HTTP 500 error was sometimes returned. (OKTA-188112)
- In some situations SHA-256 password imports would not work. SHA-256 password import now requires the salt to be base64-encoded.
Previously Released Early Access Features 2018.39 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.38
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
User Sessions Deleted after Password Reset | September 19, 2018 | October 15, 2018 |
Bugs Fixed in 2018.38 | September 19, 2018 | September 24, 2018 |
Previously Released Early Access Features 2018.38 Update | Available Now | Available Now |
User Sessions Deleted after Password Reset
We now delete all sessions for a user after a successful password reset as part of the forgot password flow.
Bugs Fixed in 2018.38
- An HTTP 500 error would occur if the JSON body sent to create a user contained a non-string value for the following user profile properties: `firstName`, `lastName`, `email`, `login`, `mobilePhone`, and `secondEmail`. Any non-string values for these properties will now be converted into strings after they are sent. (OKTA-170711)
Previously Released Early Access Features 2018.38 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.36
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
New Device Notification Emails are Generally Available | September 5, 2018 | September 10, 2018 |
Email Rate Limiting | September 5, 2018 | September 10, 2018 |
New sendEmail Parameter for User Deletion and Deactivation | September 5, 2018 | October 15, 2018 |
Support for JWTs Signed with Private Keys | September 5, 2018 | September 10, 2018 |
System Log Event for Rate Limit Override Expiration | September 5, 2018 | September 10, 2018 |
Required Properties in App User Schema | September 5, 2018 | September 10, 2018 |
Previously Released Early Access Features 2018.36 Update | Available now | Available now |
New Device Notification Emails are Generally Available (GA)
When enabled, end users will receive a new device notification email when signing in to Okta from a new or unrecognized device. This feature is now generally available to all orgs. For more information about email notifications, refer to the New or Unknown Device Notification Emails section in General Security.
Email Rate Limiting
Okta is introducing new rate limits for emails that are sent to users. This will help with service protection.
New sendEmail Parameter for User Deletion and Deactivation
User deletion and deactivation requests now have an optional `sendEmail` parameter. For more information see the documentation for those endpoints:
- DELETE /api/v1/apps/${applicationId}/users/${userId}
- DELETE /api/v1/users/${userId}
- POST /api/v1/users/${userId}/lifecycle/deactivate
Support for JWTs Signed with Private Keys
Requests to the `/token` and `/authorize` endpoints will now accept JWTs signed with a private key. For more information see the OIDC documentation for the token endpoint and the authorize endpoint.
System Log Event for Rate Limit Override Expiration
A System Log event will be generated exactly two days before a temporary API rate limit override is set to expire. The limit's expiration is set by customer support based on a window agreed upon when the override was requested. Once a limit has expired, it will no longer take effect and the customer will be subject to the default limit for that API endpoint.
Required Properties in App User Schema
API calls to modify an app user schema can no longer change the nullability (`required` field) of a property if that property is shown as required in the default predefined schema for that app.
Previously Released Early Access Features 2018.36 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
August
Weekly Release 2018.35
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bugs Fixed in 2018.35 | August 29, 2018 | September 4, 2018 |
Previously Released Early Access Features 2018.35 Update | Available now | Available now |
Bugs Fixed in 2018.35
- Search queries to the /user endpoint with an invalid `after` parameter would return an HTTP 500 error. (OKTA-185186)
Previously Released Early Access Features 2018.35 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.33
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bugs Fixed in 2018.33 | August 15, 2018 | August 20, 2018 |
Previously Released Early Access Features 2018.33 Update | Available now | Available now |
Bugs Fixed in 2018.33
- If an SMS factor was used within 30 seconds of the factor being auto-activated, verification would fail. (OKTA-178568)
- In some instances, Org administrators would not be allowed to create new users, despite having the proper permissions. Additionally, the system log erroneously showed successful user creation. (OKTA-169709)
Previously Released Early Access Features 2018.33 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.32
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Interstitial Page Settings are Generally Available (GA) | August 8, 2018 | September 2018 |
New System Log Event Type for Denied Events | August 8, 2018 | August 13, 2018 |
Bugs Fixed in 2018.32 | August 8, 2018 | August 13, 2018 |
Previously Released Early Access Features 2018.32 Update | Available now | Available now |
Interstitial Page Settings are Generally Available
You can now disable the Okta loading animation that appears during a login redirect to your application. For more information, see Manage the Okta interstitial page.
New System Log Event Type for Denied Events
The System Log now reports when requests are denied due to a blocklist rule (such as an IP network zone or location rule). These events are logged with the event type `security.request.blocked`. (OKTA-178982)
Bugs Fixed in 2018.32
- Fixed a bug that affected delegated authentication users: in rare cases, the user appeared to be active when locked out, or vice versa. (OKTA-180932)
- The Apps API now returns an error if changing the Application's self-service assignment settings could result in an insecure state. (OKTA-182497)
Previously Released Early Access Features 2018.32 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.31
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bugs Fixed in 2018.31 | August 1, 2018 | August 6, 2018 |
Previously Released Early Access Features 2018.31 Update | Available now | Available now |
Bugs Fixed in 2018.31
- Fixed an issue in the OpenID Connect logout endpoint where performing logout with an expired session resulted in an error instead of following the `post_logout_redirect_uri`. (OKTA-180521)
- Removed System Logs entries for granting refresh tokens in token requests with the `refresh_token` grant type (since this grant type simply returns the original refresh token). This fix applies to both custom Authorization Servers and the Okta Org Authorization Server. (OKTA-178335)
- Fixed issues with the User-Consent Grant Management API: added missing value to `issuer`, removed `issuerId`, removed HAL links for issuer and revoke, and added hints for self GET and DELETE. (OKTA-175296)
- Fixed a bug where SAML apps created using the API could not enable `honorForceAuthn`. (OKTA-166146)
- Fixed an issue where `login_hint` was ignored when using OAuth consent with a custom Authorization Server. (OKTA-164836)
Previously Released Early Access Features 2018.31 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
July
Weekly Release 2018.29
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bugs Fixed in 2018.29 | July 18, 2018 | July 23, 2018 |
Previously Released Early Access Features 2018.29 Update | Available now | Available now |
Bugs Fixed in 2018.29
- Using the Zones API to modify an existing zone that is blocked removed the zone from the blocklist and converted it to a normal IP Zone. (OKTA-176610)
- Using the Applications API to create an OAuth client caused an error if the `credentials.oauthClient` property was not provided, even though it is not required. (OKTA-179275)
- The System Log CSV report did not contain a value for `AuthenticationContext.issuer` for the event type `user.authentication.authenticate`. (OKTA-147165)
Previously Released Early Access Features 2018.29 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.28
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
MFA Call Factor is Generally Available (GA) | July 11, 2018 | July 16, 2018 |
Bugs Fixed in 2018.28 | July 11, 2018 | July 16, 2018 |
Previously Released Early Access Features 2018.28 Update | Available now | Available now |
MFA Call Factor is Generally Available (GA)
The MFA call factor is now Generally Available (GA).
Bugs Fixed in 2018.28
- Users received an incorrect error message when using the System Log API and specifying a sort order with an unbounded `until` statement. (OKTA-175411)
- Under certain circumstances, the System Log API did not return events on the first query, but did on subsequent queries. (OKTA-174660)
Previously Released Early Access Features 2018.28 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.27
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
System Log API is Generally Available (GA) | July 5, 2018 | July 9, 2018 |
Bugs Fixed in 2018.27 | July 5, 2018 | July 9, 2018 |
Previously Released Early Access Features 2018.27 Update | Available now | Available now |
System Log API is Generally Available (GA)
The System Log API is now Generally Available. Developers of new projects are strongly recommended to use this in lieu of the Events API.
Bugs Fixed in 2018.27
- Users who clicked an Activation Link for an Okta Verify factor that had already been activated would get back an HTTP 500 error. (OKTA-146511)
- Attempting to add more than the maximum number of zones via the Zones API would result in an HTTP 500 error. (OKTA-175991)
Previously Released Early Access Features 2018.27 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
June
Weekly Release 2018.25
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Better /userinfo Errors | June 20, 2018 | June 25, 2018 |
Bugs Fixed in 2018.25 | June 20, 2018 | June 25, 2018 |
Previously Released Early Access Features 2018.25 Update | Available now | Available now |
Better /userinfo Errors
The following information has been added to the `userinfo` endpoint's error response:
- `authorization_uri`
- `realm`
- `resource`
- a list of required scopes in the `scope` parameter
Bugs Fixed in 2018.25
- In certain situations, if a call was made to the OAuth 2.0/OIDC /authorize endpoint with `response_mode` set to `okta_post_message`, an `HTTP 500` error would return. (OKTA-175326)
- Removing all permissions on a schema attribute would return a `READ_ONLY` permission. The response now correctly contains a `READ_WRITE` permission. (OKTA-173030)
- If an Authorization Server's `redirect_uri` was too long, an `HTTP 500` error would return. (OKTA-171950)
- The `phoneExtension` property would not be returned in `GET` requests to the Factors API's `catalog` endpoint. (OKTA-108859)
Previously Released Early Access Features 2018.25 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
System Log API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.24
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
User Login Pattern Validation | June 13, 2018 | June 18, 2018 |
Bugs Fixed in 2018.24 | June 13, 2018 | June 18, 2018 |
Previously Released Early Access Features 2018.24 Update | Available now | Available now |
User Login Pattern Validation
A user's `login` no longer needs to be in the form of an email address. Instead the login is validated against a `pattern` property stored in the User Schema, which can be set to certain Regular Expressions. If no pattern is set, the default validation requires email addresses. More information can be found in the User and Schema API references.
Bugs Fixed in 2018.24
- Queries to the `/logs` endpoint with a `since` parameter value of less than 1 minute ago would return a `500` error. (OKTA-174239)
- It was possible to set an access policy rule with a `refreshTokenWindowMinutes` value of `0` (infinite). (OKTA-171891)
- The System Log would not display OpenID Connect App assignment and un-assignment events. (OKTA-168223)
Previously Released Early Access Features 2018.24 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
System Log API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.23
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Factors API Now Supports U2F | June 6, 2018 | June 11, 2018 |
Network Selection Modes Deprecated | June 6, 2018 | June 11, 2018 |
Better Signing Key Errors | June 6, 2018 | June 11, 2018 |
Previously Released Early Access Features 2018.23 Update | Available now | Available now |
Factors API Now Supports U2F
Enrollment, activation, and verification of U2F factors are now supported in the Factors API.
Network Selection Modes Deprecated
Two deprecated network selection modes (`ON_NETWORK` and `OFF_NETWORK`) have been removed from the Network Condition Object. They have been replaced by the `ZONE` type.
Better Signing Key Errors
If signing keys cannot be generated for a new Authorization Server, a more descriptive error will be returned.
Previously Released Early Access Features 2018.23 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
System Log API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
May
Weekly Release 2018.22
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
New Session Token Behavior is in Early Access | May 30, 2018 | June 4, 2018 |
System Log Events for New Device Notification Emails | May 30, 2018 | June 4, 2018 |
Bugs Fixed in 2018.22 | May 30, 2018 | June 4, 2018 |
Previously Released Early Access Features 2018.22 Update | Available now | Available now |
New Session Token Behavior is in Early Access
If a user has a valid session and passes a `sessionToken`, this `sessionToken` will override any existing session cookie. If the user has a valid session but passes an invalid `sessionToken`, then their existing session will be invalidated. Currently, if a user has a valid session and passes a `sessionToken`, the `sessionToken` will be ignored. If this feature is not enabled, the current behavior will continue.
System Log Events for New Device Notification Emails
New device notification email events will now appear in the System Log.
Bugs Fixed in 2018.22
- Default password policy settings were sometimes incorrectly applied when creating a user with a password. (OKTA-127830)
- The `/userinfo` endpoint would return an empty JSON object in the response body when using an invalid access token. (OKTA-169553)
- Some OAuth 2.0/OIDC refresh tokens would expire early. (OKTA-171056)
Previously Released Early Access Features 2018.22 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
System Log API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.20
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
System Log Entry Delay Change | May 15, 2018 | May 29, 2018 |
Previously Released Early Access Features 2018.20 Update | Available now | Available now |
System Log Entry Delay Change
Events returned from the `/logs` endpoint when using the `until` parameter were previously delayed by up to 1 second. To improve the performance of our System Log, queries to the `/logs` endpoint that include an `until` parameter may now return results that are delayed up to 10 seconds. When making requests with an `until` value that is near real-time, ensure that you allow enough of a buffer as to not miss events (e.g. 20s).
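The buffer recommended above can be built into a log collector's polling windows. The following is an added example, not Okta's code: it simulates the index delay offline and shows that a poller whose `until` trails the clock by 20 seconds collects events that a zero-lag poller skips. The `SimulatedLog` class, the sample events and all function names are constructed for illustration, and the model assumes an event becomes queryable a fixed number of seconds after its `published` time.

```python
from datetime import datetime, timedelta, timezone

SAFETY_LAG = timedelta(seconds=20)  # buffer suggested in the release note
T0 = datetime(2018, 5, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed start time


def iso_ms(ts):
    """Format a timestamp as ISO 8601 UTC with explicit milliseconds."""
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def next_window(cursor, now, lag=SAFETY_LAG):
    """Return the next (since, until) pair, or None if no settled data exists yet.

    `until` trails the clock by `lag`, so every event older than `until` has
    had time to become queryable before the window is read.
    """
    until = now - lag
    if until <= cursor:
        return None
    return cursor, until


def query_params(window):
    """Build the `since`/`until` query parameters for one window."""
    since, until = window
    return {"since": iso_ms(since), "until": iso_ms(until)}


class SimulatedLog:
    """Offline stand-in for the log store (assumption: an event becomes
    queryable `delay` seconds after its `published` time)."""

    def __init__(self, rows):
        self.events = [
            {"uuid": uuid,
             "published": T0 + timedelta(seconds=offset),
             "visible_at": T0 + timedelta(seconds=offset + delay)}
            for uuid, offset, delay in rows
        ]

    def query(self, since, until, now):
        """Return events published in [since, until) that are visible at `now`."""
        return [e for e in self.events
                if since <= e["published"] < until and e["visible_at"] <= now]


# Constructed sample data: (id, seconds after T0, index delay in seconds).
SAMPLE_ROWS = [("e1", 3, 1), ("e2", 14, 9), ("e3", 29.5, 10), ("e4", 41, 0.2)]


def poll(log, start, end, interval, lag):
    """Poll every `interval` from `start` to `end`; return collected event ids.

    The cursor advances to `until` after each read, so windows never overlap
    and an event that was not yet queryable when its window was read is lost.
    """
    cursor, now, seen = start, start, []
    while now <= end:
        window = next_window(cursor, now, lag)
        if window is not None:
            since, until = window
            seen.extend(e["uuid"] for e in log.query(since, until, now))
            cursor = until
        now += interval
    return seen


def run_demo(lag):
    """Poll the constructed sample every 15 s for 90 s with the given lag."""
    log = SimulatedLog(SAMPLE_ROWS)
    return poll(log, T0, T0 + timedelta(seconds=90), timedelta(seconds=15), lag)


if __name__ == "__main__":
    print("lag 0s :", run_demo(timedelta(0)))
    print("lag 20s:", run_demo(SAFETY_LAG))
    print(query_params((T0, T0 + timedelta(seconds=10))))
```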
Bug Fixed in 2018.20
- Group search queries with underscores returned incorrect results. (OKTA-164390)
Previously Released Early Access Features 2018.20 Update
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Custom domains |
Custom Okta-hosted Sign-In Page |
Custom Error Page |
Linked Objects API |
Token Management API |
System Log API |
User Consent for OAuth 2.0 and OpenID Connect Flows |
Weekly Release 2018.19
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
ID Tokens Can Be Refreshed | May 9, 2018 | May 14, 2018 |
Custom domains are in Early Access | May 9, 2018 | May 14, 2018 |
Custom Okta-hosted Sign-In Page is in Early Access | May 9, 2018 | May 14, 2018 |
Custom Error Page is in Early Access | May 9, 2018 | May 14, 2018 |
Bugs Fixed in 2018.19 | May 9, 2018 | May 14, 2018 |
Previously Released Early Access Features 2018.19 Update | Available now | Available now |
ID Tokens Can Be Refreshed
OpenID Connect ID tokens can now be retrieved using a refresh token. For more information, see our OpenID Connect Reference.
Custom URL Domains are in Early Access
You can customize your Okta org by replacing the Okta domain name with a custom URL domain name that you specify. For example, if the URL of your Okta org is `https://${yourOktaDomain}`, you can configure a custom URL for the org such as `https://id.example.com`. For details, see Configure a custom URL domain.
Custom Okta-hosted Sign-In Page is in Early Access
You can customize the text and the look and feel of the Okta-hosted sign-in page by using form controls and an embedded HTML editor. When this feature is used with custom URL domain (required) and custom Okta-hosted error page, it offers a fully customized end-user sign-in experience that is hosted by Okta. See Configure a custom Okta-hosted sign-in page for more information.
Custom Error Page is in Early Access
You can customize the text and the look and feel of error pages by using an embedded HTML editor. When the feature is used with custom URL domain (required) and custom Okta-hosted sign-in page, it offers a fully customized error page. See Configure a custom error page for more information.
Bugs Fixed in 2018.19
Delays were experienced when deleting users. As a result of the fix, one will notice a period of time between when the deletion was initiated and when it completes. During the period, the user will still be visible, but the deletion cannot be reversed. (OKTA-157884)
OAuth 2.0 and OIDC requests made with redirect URLs that contained underscores in the domain name would result in an error. (OKTA-167483)
Previously Released Early Access Features 2018.19 Update
The following features have already been released as Early Access. To enable them, contact Support.
Weekly Release 2018.18
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Authentication Object for Step-up Authentication Is in Early Access | May 2, 2018 | May 7, 2018 |
New Version of the Okta Sign-In Widget | Available Now | Available Now |
Bug Fixed in 2018.18 | May 2, 2018 | May 7, 2018 |
Previously Released Early Access Features 2018.18 Update | Available now | Available now |
Authentication Object for Step-up Authentication Is in Early Access
During SP-initiated or IdP-initiated authentication, use the Authentication Object to represent details that the target resource is using.
The Authentication Object is an Early Access feature.
New Version of the Okta Sign-In Widget
Version 2.8.0 of the Okta Sign-In Widget provides new features, notable changes, and bug fixes. For details, visit the okta-signin-widget repository.
Bug Fixed in 2018.18
If the configured default IdP was set to inactive, Okta still used the inactive IdP as the primary endpoint for user authentications, causing authentications to fail. (OKTA-137758)
Previously Released Early Access Features 2018.18 Update
The following features have already been released as Early Access. To enable them, contact Support.
April
Weekly Release 2018.17
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Bugs Fixed in 2018.17 | April 24, 2018 | May 1, 2018 |
Previously Released Early Access Features 2018.17 Update | Available now | Available now |
Bugs Fixed in 2018.17
- If an incorrect `appInstanceId` was supplied as the IdP parameter in a request to the `/authorize` endpoint, an `HTTP 500` error was thrown. (OKTA-166417)
- When Okta parsed login names it failed to support addresses enclosed in double quotes as described in RFC 3696. (OKTA-164092)
Previously Released Early Access Features 2018.17 Update
The following features have already been released as Early Access. To enable them, contact Support.
Weekly Release 2018.15
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Enhanced Feature: API Support for Assigning App Instance to App Admins | April 11, 2018 | April 15, 2018 |
Bug Fixed in 2018.15 | April 11, 2018 | April 16, 2018 |
Previously Released Early Access Features 2018.15 Update | Available now | Available now |
Enhanced Feature: API Support for Assigning App Instance to App Admins
You can add an app instance target to an `APP_ADMIN` role assignment via the API. Previously an app instance target could be added to the role assignment using the Okta administrators UI only.
When you assign an app instance target to this role assignment, the scope of the role assignment changes from all app targets to just the specified target. Thus you can use this feature to create different `APP_ADMIN` role assignments for different apps in your org.
For details, visit the Roles API documentation.
Bug Fixed in 2018.15
This fix applies if the MFA soft lock for delegated authentication feature is enabled. When a user made multiple failed MFA attempts and was locked out, the user `status` was updated to `ACTIVE` instead of the correct value, `LOCKED_OUT`. (OKTA-164900)
Previously Released Early Access Features 2018.15 Update
The following features have already been released as Early Access. To enable them, contact Support.
Weekly Release 2018.14
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Linked Objects API in Early Access (EA) | April 4, 2018 | April 9, 2018 |
Client SDKs Version 1.0 | Available Now | Available Now |
Bug Fixed for 2018.14 | April 4, 2018 | April 9, 2018 |
Previously Released Early Access Features | Available now | Available now |
Linked Objects API in Early Access (EA)
Users have relationships to each other, like manager and subordinate or customer and sales representative. You can create users with relationships by using the Linked Objects API.
Okta allows you to create up to 200 linked object definitions. These definitions are one-to-many:
- A manager has many subordinates
- A sales representative has many customers
- A case worker has many clients
Of course, most organizations have more than one manager or sales representative. You can create the linked object definition once, then assign the `primary` relationship to as many users as you have people in that relationship.
You can assign the `associated` relationship for a single `primary` user to as many users as needed. The `associated` user can be related to only one `primary` per linked object definition. But a user can be assigned to more than one linked object definition.
For more details:
Client SDKs Version 1.0
We published the 1.0 version of the following client SDKs:
- React SDK
- Angular SDK
- Vue SDK
- iOS SDK
Visit each SDK for a complete list of new features, enhancements, and bug fixes.
Bug Fixed for 2018.14
- If someone was able to obtain a user's activation email or password reset email and attempt to log in before the real user completed logging in, that person could access the account at the same time as the real user. (OKTA-85691)
Previously Released Early Access Features
The following features have already been released as Early Access. To enable them, contact Support.
Early Access Features Available Now |
---|
Token Management API Is in Early Access (EA) |
System Log API Is in Early Access (EA) |
User Consent for OAuth 2.0 and OpenID Connect Flows is in Early Access (EA) |
March
Weekly Release 2018.12
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
Change to App Variable Name Incrementing | March 21, 2018 | March 26, 2018 |
Token Management API Is in Early Access (EA) | March 21, 2018 | March 26, 2018 |
System Log API Is in Early Access (EA) | Available Now | Available Now |
Password Imports with Salted SHA-256 Algorithm is in Early Access (EA) | Available Now | Available Now |
Bug Fixed for 2018.12 | March 21, 2018 | March 26, 2018 |
Change to App Variable Name Incrementing
When creating multiple instances of the same app, each instance of the app has a unique Variable Name. This Variable Name is used as part of Okta Expression Language. Previously each instance was incrementally numbered (`salesforce_1`, `salesforce_2`, etc), but going forward each instance will instead have a 7-character alphanumeric string appended to its Variable Name. To find your app's Variable Name, go into the Profile Editor for that app. This change only affects newly created apps.
Token Management API Is in Early Access (EA)
Use the Token Management API to view and revoke OAuth 2.0 and OpenID Connect refresh tokens by end user, Custom Authorization Server, or client app.
Bug Fixed for 2018.12
`GET` requests to the `/authorize` endpoint with `response_mode=form_post` would return an HTML page with a title `<span>`. (OKTA-162709)
Weekly Release 2018.11
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
API Support for IdP-initiated Authentication | March 14 | March 19 |
New Powershell Module for TLS 1.2 Compatibility | Available Now | Available Now |
Rate Limit for System Log Increased | Available Now | Available Now |
New Version of Okta Sign-in Widget | Available Now | Available Now |
System Log API Is in Early Access (EA) | Available Now | Available Now |
Password Imports with Salted SHA-256 Algorithm is in Early Access (EA) | Available Now | Available Now |
Bugs Fixed for 2018.11 | March 14, 2018 | March 19, 2018 |
API Support for IdP-initiated Authentication
Use this feature to allow a client to specify the application right away during an authentication request, instead of taking the user through "step-up" authentication in a separate request. Documentation
New Powershell Module for TLS 1.2 Compatibility
The new version of Okta's Powershell module is compatible with TLS 1.2. Documentation
Rate Limit for System Log Increased
The rate limit for GET requests to `/api/v1/logs` has been increased from 60 per minute to 120. Documentation
New Version of Okta Sign-in Widget
Version 2.7.0 of the Okta Sign-in Widget provides new features, notable changes, and bug fixes. For details, visit the `okta-signin-widget` repository.
Bugs Fixed for 2018.11
- An incorrect error message was returned when a blank password was specified in a password reset request. (OKTA-144982)
- If administrators in an org with the Admin Console enabled used the Classic user interface instead, and had no apps assigned, they couldn't access their own user home page. (OKTA-152324)
- For the System Log API, the `displayName` in the Target object was set to `Unknown` if the `eventType` was `user.authentication.sso` and if the value didn't exist in the profile editor. This behavior matches the behavior in `/events`. (OKTA-156484)
Weekly Release 2018.10
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
API Access Management is Generally Available (GA) in Production | Available now | March 12, 2018 |
System Log API Is in Early Access (EA) | March 7, 2018 | March 12, 2018 |
Password Imports with Salted SHA-256 Algorithm is in Early Access (EA) | March 7, 2018 | March 12, 2018 |
New Parameter for Authentication with Okta Verify with Auto-Push | March 7, 2018 | March 12, 2018 |
System Log Changes for 2018.10 | March 7, 2018 | March 12, 2018 |
Bugs Fixed for 2018.10 | March 7, 2018 | March 12, 2018 |
API Access Management is Generally Available (GA) in Production
Secure your APIs with API Access Management, Okta's implementation of the OAuth 2.0 authorization framework. API Access Management uses the Okta Identity platform to enable powerful control over access to your APIs. API Access Management can be controlled through the administrator UI as well as a rich set of APIs for client, user, and policy management.
Generally Available (GA) in preview orgs since February 7, 2018, API Access Management is scheduled to be GA in production orgs starting March 12, 2018.
For more information, see OAuth 2.0 and Okta.
System Log API is in Early Access (EA)
The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.
The Okta System Log API provides near real-time read-only access to your organization's system log and is the programmatic counterpart of the System Log UI.
Often the terms "event" and "log event" are used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system and "log" or "log event" is the recorded fact.
Notes:
- The System Log API contains much more structured data than the Events API.
- The System Log API supports additional SCIM filters and the `q` query parameter, because of the presence of more structured data than the Events API.
Password Imports with Salted SHA-256 Algorithm is in Early Access (EA)
You can use the salted SHA-256 hash type when importing passwords.
New Parameter for Authentication with Okta Verify with Auto-Push
We have added an optional URL parameter, `autoPush`, that allows Okta to store the user's Auto-Push preference when verifying Okta Verify with Auto-Push. This parameter is only necessary when implementing custom login flows that do not use the Okta Sign-In Widget.
System Log Changes for 2018.10
- If a query to `/logs` timed out, an HTTP 504 error was returned. Now an HTTP 500 error will be returned. This aligns `/logs` error responses with other Okta APIs, and ensures implementation details are not leaked to API consumers. (OKTA-159642)
- The following changes to error codes related to the system log were made to make them consistent with Okta error codes:
  - `MEDIA_TYPE_NOT_ACCEPTED_EXCEPTION` replaced by `UNSUPPORTED_MEDIA_TYPE`
  - `OPP_INVALID_PAGINATION_PROPERTIES` replaced by `INVALID_PAGING_EXCEPTION`
  - `OPP_INVALID_SCIM_FILTER` replaced by `INVALID_SEARCH_CRITERIA_EXCEPTION`
Bugs Fixed for 2018.10
- GET requests to list 200 or more apps were taking a long time to complete. (OKTA-158391)
- Invalid IP addresses in the `X-Forwarded-For` header caused a null pointer exception (HTTP 500 `NullPointerException`) during primary authentication. (OKTA-159414)
- List User with Search requests in preview orgs failed to return pagination links. (OKTA-160424)
February
Weekly Release 2018.09
Change | Expected in Preview Orgs | Rollout to Production Orgs Expected to Start |
---|---|---|
API Access Management is Generally Available in Preview | February 7, 2018 | March 12, 2018 |
User Consent for OAuth 2.0 and OpenID Connect Flows in Early Availability (EA) | February 28, 2018 | March 5, 2018 |
Sessions API Supports HTTP Header Prefer | February 28, 2018 | March 5, 2018 |
User Schema API Allows Nullable `firstName`, `lastName` | February 28, 2018 | March 5, 2018 |
Improved Response Mode for OAuth 2.0 and OpenID Connect Requests | February 28, 2018 | March 5, 2018 |
Change to /authorize Response for prompt for OAuth 2.0 and OpenID Connect Requests | February 28, 2018 | March 5, 2018 |
Improved System Log Behavior for Date Queries | February 28, 2018 | March 5, 2018 |
System Log Message Changes Related to Authorization Servers | February 28, 2018 | March 5, 2018 |
Bugs Fixed for 2018.09 | February 28, 2018 | March 5, 2018 |
User Consent for OAuth 2.0 and OpenID Connect Flows in Early Availability (EA)
A consent represents a user's explicit permission to allow an application to access resources protected by scopes. As part of an OAuth 2.0 or OpenID Connect authentication flow, you can prompt the user with a page to approve your app's access to specified resources.
Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they have already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted.
To configure an authorization or authentication flow to include a user consent page:
- Verify that you have the API Access Management feature enabled, and request that User Consent also be enabled.
- Create an app via the Apps API with the appropriate values for `tos_uri`, `policy_uri`, and `consent_method`. (Details)
  Note: You can also configure an existing app in the administrator UI: Applications > [Application Name] > General > User Consent.
- Ensure that your authentication or authorization flow is configured properly. The combination of `prompt` in the `/authorize` request, `consent_method` set on the app in the previous step, and `consent`, a property set on scopes, controls whether a user consent window is displayed during the authentication flow. Details
Sessions API Supports HTTP Header Prefer
Okta now supports the HTTP Header `Prefer` in the Sessions API for refreshing sessions. You can extend the session lifetime, but skip any processing work related to building the response body.
Example Request
```bash
# Prefer: return=minimal asks Okta to extend the session without building a response body.
curl -v -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: SSWS ${api_token}" \
  -H "Prefer: return=minimal" \
  "https://${yourOktaDomain}/api/v1/sessions/me/refresh"
```
Note: `me` can also be an ID.
Example Response
```http
HTTP/1.1 204 No Content
Preference-Applied: return=minimal
```
User Schema API Allows Nullable `firstName`, `lastName`
You can set `firstName` or `lastName` to be nullable in the User Profile Base sub-schema. These properties are defined in a profile sub-schema with the resolution scope `#base`.
Improved Response Mode for OAuth 2.0 and OpenID Connect Requests
For the `form_post` response mode, we have reduced the HTML content returned in an OpenID Connect or OAuth 2.0 request. Now the response is only a form containing the requested tokens (access token, ID token, or both) and JavaScript to post the form.
Change to `/authorize` Response for `prompt` for OAuth 2.0 and OpenID Connect Requests
If you set `prompt=none` for a request on `/authorize` and the maximum age before sign-in is required (`max_age`) is exceeded, an error is returned. This ensures the safest possible result when these two settings contradict each other.
This applies to `/authorize` with either the Okta Org Authorization Server or a Custom Authorization Server (which requires API Access Management).
Example: Old Message Format
```json
{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: com.saasure.core.services.user.InvalidUserProfileException: Could not create user due to invalid profile: com.saasure.framework.validation.util.SimpleErrors: 1 errors\nError in object 'newUser': codes [password.passwordRequirementsNotMet.newUser,password.passwordRequirementsNotMet]; arguments [Password requirements: at least 8 characters, a lowercase letter, an uppercase letter, a number, no parts of your username.]; default message [Password requirements were not met. Password requirements: at least 8 characters, a lowercase letter, an uppercase letter, a number, no parts of your username.]",
  "errorLink": "E0000001",
  "errorId": "oaecNfS38enQ8KtWDvNfusWRw",
  "errorCauses": [
    {
      "errorSummary": "Password requirements were not met. Password requirements: at least 8 characters, a lowercase letter, an uppercase letter, a number, no parts of your username."
    }
  ]
}
```
Example: New Message Format
```json
{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: com.saasure.core.services.user.InvalidUserProfileException: Could not create user due to invalid profile: com.saasure.framework.validation.util.SimpleErrors: 3 errors\nField error in object 'newUser' on field 'password': rejected value [aaaa]; codes [password.minlength.newUser.password,password.minlength.password,password.minlength.java.lang.String,password.minlength]; arguments [8]; default message [Password requirements: at least 8 characters.]\nField error in object 'newUser' on field 'password': rejected value [aaaa]; codes [password.uppercase.newUser.password,password.uppercase.password,password.uppercase.java.lang.String,password.uppercase]; arguments [Password requirements: at least 0 characters, an uppercase letter.]; default message [Password requirements: at least 0 characters, an uppercase letter.]\nField error in object 'newUser' on field 'password': rejected value [aaaa]; codes [password.number.newUser.password,password.number.password,password.number.java.lang.String,password.number]; arguments [Password requirements: at least 0 characters, a number.]; default message [Password requirements: at least 0 characters, a number.]",
  "errorLink": "E0000001",
  "errorId": "oaeGZUg95w6SK2GbA44cXgtvA",
  "errorCauses": [
    {
      "errorSummary": "password: Passwords must be at least 8 characters in length",
      "reason": "LENGTH_MINIMUM",
      "location": "credentials.password.value",
      "locationType": "body",
      "domain": "user"
    },
    {
      "errorSummary": "password: Password requirements: at least 0 characters, an uppercase letter.",
      "reason": "UPPER_CASE_REQUIRED",
      "location": "credentials.password.value",
      "locationType": "body",
      "domain": "user"
    },
    {
      "errorSummary": "password: Password requirements: at least 0 characters, a number.",
      "reason": "NUMBER_REQUIRED",
      "location": "credentials.password.value",
      "locationType": "body",
      "domain": "user"
    }
  ]
}
```
If you don't want these changes, contact Support to opt out.
Improved System Log Behavior for Date Queries
- For `/logs`, the request parameters `since` and `until` require the RFC 3339 Internet Date/Time Format profile of ISO 8601. This allows queries to more accurately target date ranges.
- For `/logs`, the maximum page size is 1,000 messages (`limit=1000`). The default remains at 100.
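The date-format and page-size rules above, together with the buffer advice in the 2018.20 System Log Entry Delay Change, determine how a collector should choose each polling window. The following is an added example, not Okta code: it runs offline against a constructed event store, and the names `SimulatedLog`, `next_window`, `run_poller`, the placeholder domain, and the half-open `since <= published < until` window are assumptions made for the simulation.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

MAX_LIMIT = 1000                     # largest /logs page size (2018.09 notes)
SAFE_BUFFER = timedelta(seconds=20)  # buffer suggested in the 2018.20 notes


def rfc3339(ts):
    """Format an aware datetime as an RFC 3339 UTC timestamp (millisecond precision)."""
    if ts.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone before building a query")
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S") + f".{ts.microsecond // 1000:03d}Z"


def logs_url(base_url, since, until, limit=MAX_LIMIT):
    """Build a bounded /api/v1/logs query; base_url is a placeholder, not a real org."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if until <= since:
        raise ValueError("until must be later than since")
    query = urlencode({"since": rfc3339(since), "until": rfc3339(until), "limit": limit})
    return f"{base_url}/api/v1/logs?{query}"


def next_window(cursor, now, buffer=SAFE_BUFFER):
    """Return (since, until) for the next poll, or None while the buffer has not elapsed."""
    until = now - buffer
    return (cursor, until) if until > cursor else None


class SimulatedLog:
    """Constructed stand-in for /logs: each event becomes queryable only after its delay.

    Assumption for this simulation: a window matches since <= published < until.
    """

    def __init__(self, events):
        self.events = events  # list of (event_id, published, visible_from)

    def query(self, since, until, now):
        return [eid for eid, published, visible_from in self.events
                if since <= published < until and visible_from <= now]


def run_poller(log, start, end, interval, buffer):
    """Poll every `interval` from start to end; return collected event ids in order."""
    collected, cursor, now = [], start, start
    while now <= end:
        window = next_window(cursor, now, buffer)
        if window is not None:
            since, until = window
            collected.extend(log.query(since, until, now))
            cursor = until  # the next window starts exactly where this one ended
        now += interval
    return collected


def demo():
    """Compare a poller with no buffer against one that holds `until` back by 20 s."""
    t0 = datetime(2018, 5, 15, 12, 0, 0, tzinfo=timezone.utc)
    # Constructed sample: (id, seconds after t0 when published, result delay in seconds).
    sample = [("e1", 1, 0), ("e2", 7, 10), ("e3", 13, 4), ("e4", 26, 9), ("e5", 39, 10)]
    events = [(eid, t0 + timedelta(seconds=p), t0 + timedelta(seconds=p + d))
              for eid, p, d in sample]
    log = SimulatedLog(events)
    end, step = t0 + timedelta(seconds=60), timedelta(seconds=5)
    no_buffer = run_poller(log, t0, end, step, timedelta(0))
    buffered = run_poller(log, t0, end, step, SAFE_BUFFER)
    return no_buffer, buffered


if __name__ == "__main__":
    missed, complete = demo()
    print("until = now:      ", missed)
    print("until = now - 20s:", complete)
```

Because the cursor advances to `until` whether or not delayed events had become visible, the unbuffered poller silently skips every event that was still delayed when its window was read.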
System Log Message Changes Related to Authorization Servers
The following message changes apply to either the Okta Org Authorization Server or a Custom Authorization Server including `default` (which requires API Access Management), or both, as indicated in each section.
Simplified Failure Messages from `/authorize` Requests for `/events` System Log
The existing messages `app.oauth2.authorize_failure`, `app.oauth2.as.authorize_failure` and `app.oauth2.as.authorize.scope_denied_failure` replace these messages:
- `app.oauth2.authorize.access_denied`
- `app.oauth2.authorize.invalid_client_id`
- `app.oauth2.authorize.invalid_cache_key`
- `app.oauth2.authorize.no_existing_session`
- `app.oauth2.authorize.login_failed`
- `app.oauth2.authorize.mismatched_user_in_cache_and_session`
- `app.oauth2.authorize.user_not_assigned`
- `app.oauth2.authorize.scope_denied`
- `app.oauth2.as.authorize.warn_failure`
- `app.oauth2.as.authorize.scope_denied`
Details about the nature of the failure are included, so no information has been lost with this simplification.
These system log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server including `default`.
Simplified Failure Messages from `/token` Requests for `/events` System Log
Instead of supplying two different messages for token grant failures on `/token`, the existing message `app.oauth2.as.authorize.token.grant_failure` replaces these messages:
- `app.oauth2.as.token.grant.warn_failure`
- `app.oauth2.as.token.grant.scope_denied_failure`
This system log change affects responses from requests that involve a Custom Authorization Server including `default`.
Simplified Success Messages from `/token` Requests for `/events` System Log
Instead of supplying a different message for ID token and access token generation, there's just one message for each. The ID token or access token minted is included in the message as it was previously.
The existing message `app.oauth2.authorize.implicit_success` replaces:
- `app.oauth2.authorize.implicit.id_token_success`
- `app.oauth2.authorize.implicit.access_token_success`
The existing message `app.oauth2.as.authorize.implicit_success` replaces:
- `app.oauth2.as.authorize.implicit.id_token_success`
- `app.oauth2.as.authorize.implicit.access_token_success`
The `_success` messages weren't being written to the System Log previously, but are now.
These system log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server including `default`.
Simplified Messages from `/token` Requests for `/logs` System Log
Instead of supplying a different message for ID token and access token generation, there's just one message for each. The ID token or access token minted is included in the message as it was previously.
The existing message `app.oauth2.authorize.implicit` replaces:
- `app.oauth2.authorize.implicit.id_token`
- `app.oauth2.authorize.implicit.access_token`
The existing message `app.oauth2.as.authorize.implicit` replaces:
- `app.oauth2.as.authorize.implicit.id_token`
- `app.oauth2.as.authorize.implicit.access_token`
These system log changes affect responses from requests that involve either the Okta Org Authorization Server or a Custom Authorization Server, including `default`.
Bugs Fixed for 2018.09
The following bugs have been fixed and are expected in preview orgs February 28, 2018 and production orgs starting March 5, 2018.
- If a user had a status of `ACTIVE` and had never signed in, and an API call reset the user's password, the user's status was incorrectly changed from `ACTIVE` to `PROVISIONED`, instead of the expected `RECOVERY`. (OKTA-154024)
- If `-admin` was incorrectly included in the domain name during initialization of an OktaAuth object, no error was returned. (OKTA-156927)
- If a user was created with a password, that password wasn't considered as part of their password history. (OKTA-158966)
Weekly Release 2018.07
Feature Enhancement
The following feature enhancement is expected in preview orgs February 14, 2018, and in production orgs on February 27, 2018.
Keystore Rollover Events Now Logged
OAuth key store rollover events are now included in both the Events and System Log APIs.
Bug Fixed
The following bug has been fixed and is expected in preview orgs February 14, 2018 and production orgs starting February 27, 2018.
- The error message "Exception while persisting IdpAppUser" wasn't available in the System Log API. (OKTA-153604)
Weekly Release 2018.06
Feature Enhancements
Feature Enhancement | Expected in Preview Orgs | Expected in Production Orgs |
---|---|---|
API Access Management is Generally Available in Preview | February 7, 2018 | starting March 12, 2018 |
New Administrator Role for API Access Management | February 7, 2018 | starting February 12, 2018 |
New and Changed Messages for the System Log | February 7, 2018 | starting February 12, 2018 |
API Access Management is Generally Available in Preview
Secure your APIs with API Access Management, Okta's implementation of the OAuth 2.0 authorization framework. API Access Management uses the Okta Identity platform to enable powerful control over access to your APIs. API Access Management can be controlled through the administrator UI as well as a rich set of APIs for client, user, and policy management.
For more information, see OAuth 2.0 and Okta.
New Administrator Role for API Access Management
If you have API Access Management enabled, you can use a dedicated administrator's role for API Access Management: the API Access Management Admin role. Use this role to manage custom authorization servers and related tasks:
- Create and edit authorization servers, scopes, custom claims, and access policies
- Create and edit OAuth 2.0 and OpenID Connect client apps
- Assign users and groups to OAuth 2.0 and OpenID Connect client apps
To change the role assigned to a user, use the Administrator Roles API or visit Security > Administrators in the administrator UI.
New and Changed Messages for the System Log
We've added a new message and improved an existing one in the System Log (`/api/v1/logs`):
- A message is now written to the System Log when password credentials fail. Previously this message was written only to `/api/v1/events`.
- The System Log message `policy.rule.deactivated` specifies in the Debug Context when the cause of a rule being disabled is that all the network zones for that rule have been deleted.
Bug Fixed
The following bug has been fixed and is expected in preview orgs February 7, 2018 and production orgs starting February 12, 2018.
- A spurious `next` link from the response headers was returned by a policy get operation (`GET {url} /api/v1/policies`). (OKTA-152522)
January
Weekly Release 2018.05
Feature Enhancements
Feature Enhancement | Expected in Preview Orgs | Expected in Production Orgs |
---|---|---|
App User Schema API is Generally Available | Available Now | Available Now |
Special HTML Characters in state for okta_post_message | January 31, 2018 | February 7, 2018 |
Custom Scopes in Metadata Endpoints | January 31, 2018 | February 7, 2018 |
Improved Enforcement of Authorization Server Policies | January 31, 2018 | February 7, 2018 |
Functions for Including Groups in Tokens | January 31, 2018 | February 7, 2018 |
New System Log Messages | January 31, 2018 | February 7, 2018 |
New Version of the Sign-In Widget | Available Now | Available Now |
Generally Available: App User Schema API
Use the App User Schema API to work with App User profiles, typically for apps that have features for provisioning users.
Special HTML Characters in `state` for `okta_post_message`
You can include HTML special characters in the `state` parameter for `okta_post_message`.
Note that `state` in the main request body already allows these characters.
Custom Scopes in Metadata Endpoints
You can specify whether or not to include custom scopes in the metadata endpoints for OAuth 2.0 and OpenID Connect.
Existing custom scopes are not exposed by default. Set the `metadataPublish` attribute to `ALL_CLIENTS` to change the behavior.
Improved Enforcement of Authorization Server Policies
When a client application tries to redeem an authorization token from a refresh token issued by a custom authorization server, policies are evaluated again. This ensures any changes since the time the refresh token was issued are checked.
Functions for Including Groups in Tokens
Use the new EL functions `Group.contains`, `Group.startsWith`, and `Group.endsWith` to define a set of dynamic groups to be included in tokens minted from Okta's authorization servers.
These functions complement the existing EL function `getFilteredGroups` which helps you create a static list of groups for inclusion in a token.
New System Log Messages
User account updates have two new events written to the system log (/api/v1/events and /api/v1/logs):
- The user.account.unlock_by_admin event complements the existing user.account.unlock event which is triggered only by self-service unlock or automatic unlock. The user.account.unlock_by_admin event is triggered when an administrator unlocks an account.
- The user.account.update_primary_email event is triggered only when a primary email is updated. It's not triggered by profile sync or other automated processes.
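One way to use the two new event types for account-takeover triage, as an added example (not Okta's code): it flags a primary-email change that follows an admin unlock of the same user within a time window. The events are constructed and trimmed; the field names (eventType, published, actor, target) assume the /api/v1/logs event shape, and the 30-minute window is an arbitrary choice.

```python
from datetime import datetime, timedelta

UNLOCK_BY_ADMIN = "user.account.unlock_by_admin"
EMAIL_UPDATE = "user.account.update_primary_email"

def _event(ts, event_type, actor, user_id):
    # Builds a constructed event, trimmed to the fields this check reads (assumed shape).
    return {"published": ts, "eventType": event_type,
            "actor": {"alternateId": actor},
            "target": [{"type": "User", "id": user_id}]}

# Constructed sample data, not real log output.
SAMPLE_EVENTS = [
    _event("2018-02-07T10:12:00.000Z", EMAIL_UPDATE, "alice@example.com", "00u1"),
    _event("2018-02-07T10:00:00.000Z", UNLOCK_BY_ADMIN, "admin@example.com", "00u1"),
    _event("2018-02-07T09:00:00.000Z", UNLOCK_BY_ADMIN, "admin@example.com", "00u2"),
    _event("2018-02-07T11:30:00.000Z", EMAIL_UPDATE, "bob@example.com", "00u2"),
    # Self-service unlock: a different event type, so it must not match.
    _event("2018-02-07T10:00:00.000Z", "user.account.unlock", "carol@example.com", "00u3"),
    _event("2018-02-07T10:05:00.000Z", EMAIL_UPDATE, "carol@example.com", "00u3"),
    # Email change with no preceding unlock at all.
    _event("2018-02-07T10:20:00.000Z", EMAIL_UPDATE, "dave@example.com", "00u4"),
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def target_user_ids(event):
    return [t["id"] for t in event.get("target") or [] if t.get("type") == "User"]

def correlate(events, window=timedelta(minutes=30)):
    """Find primary-email updates within `window` after an admin unlock of the same user."""
    last_unlock = {}  # user id -> (unlock time, admin who unlocked)
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["published"])):
        when = parse_ts(ev["published"])
        actor = ev.get("actor", {}).get("alternateId", "unknown")
        for uid in target_user_ids(ev):
            if ev["eventType"] == UNLOCK_BY_ADMIN:
                last_unlock[uid] = (when, actor)
            elif ev["eventType"] == EMAIL_UPDATE and uid in last_unlock:
                unlocked_at, admin = last_unlock[uid]
                if when - unlocked_at <= window:
                    findings.append({"user": uid, "unlocked_by": admin,
                                     "email_changed_by": actor,
                                     "gap_seconds": int((when - unlocked_at).total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

A hit is a triage lead rather than proof of compromise: an admin unlock followed by an email change can also be a routine help-desk request.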
New Version of the Sign-In Widget
Version 2.6.0 of the Okta Sign-In Widget is available. Check out the new features and bug fixes!
Bugs Fixed
The following bugs have been fixed and are expected in preview orgs January 31, 2018 and production orgs starting February 7, 2018.
- Client applications could redeem an access token from a refresh token if it contained a deleted scope. (OKTA-154738)
- The exception thrown when creating a zone without the correct features enabled was incorrect: 501: unsupported operation. Now the correct exception is thrown: 401: You do not have permission to access the feature you are requesting. (OKTA-154940)
- Requests to /api/v1/authn with deviceToken in the body of the request incorrectly prompted the user for MFA, even after successfully verifying the factor the first time, if:
  - The org had MFA enabled (Sign On Policy > Prompt for Factor > Per Device).
  - The user was assigned to an app that had password sync enabled. (OKTA-156826)
Weekly Release 2018.03
Feature Enhancements
Feature Enhancement | Expected in Preview Orgs | Expected in Production Orgs |
---|---|---|
App User Schema API is Generally Available | Available Now | February 13, 2017 |
Generally Available: App User Schema API
Use the App User Schema API to work with App User profiles, typically for apps that have features for provisioning users.
Weekly Release 2018.02
Feature Enhancements
Feature Enhancement | Expected in Preview Orgs | Expected in Production Orgs |
---|---|---|
App User Schema API is Generally Available | January 10, 2018 | February 13, 2017 |
SHA-256 Certificates for New SAML 2.0 Apps is Generally Available | Available Now | January 10, 2018 |
Generally Available: App User Schema API
Use the App User Schema API to work with App User profiles, typically for apps that have features for provisioning users.
Generally Available: SHA-256 Certificates for SAML 2.0 Apps
When you create a SAML 2.0 app in Okta, the app is created with SHA-256 signed public certificates. Certificates for existing SAML 2.0 apps aren't changed. To update an existing app, use these instructions.
Bug Fixes
The following bugs have been fixed, and are expected in preview orgs starting January 10, 2018, and in production orgs starting January 16, 2018.
- Network zones couldn't be deleted if they were associated with a sign-on policy, even after the policy had been deleted. (OKTA-150747)
- Results returned from the Users API incorrectly reported the status of some users who were sourced by Active Directory. The statuses PASSWORD_RESET or LOCKED_OUT were reported as ACTIVE. (OKTA-153214, OKTA-151861)