December
Weekly Release 2020.12.2
Change | Expected in Preview Orgs |
---|---|
Manage email subscription settings using the Subscriptions API | December 22, 2020 |
Bugs Fixed in 2020.12.2 | December 22, 2020 |
Manage email subscription settings using the Subscriptions API
The `/subscriptions` API is now available in Self-Service EA. The Subscriptions API provides operations to manage email subscription settings for Okta administrator notifications.
Bugs fixed in 2020.12.2
- Clients making GET requests to `/api/v1/users/{usernameprefix}` received an error if the user's short name (`usernameprefix`) ended with `.jpg`, `.png`, `.js`, `.css`, or a similar file extension, even when a user matching that short name existed. (OKTA-322140)
- When an MFA policy was created without specifying the `consent` format, subsequent GET and UPDATE requests resulted in an error. (OKTA-339250)
- The `/users/${userId}/groups` endpoint incorrectly returned a 500 Internal Server Error if the last page contained no elements. (OKTA-358328)
Weekly Release 2020.12.1
Change | Expected in Preview Orgs |
---|---|
Bugs Fixed in 2020.12.1 | December 17, 2020 |
Bugs fixed in 2020.12.1
- The Update User API incorrectly allowed the Credentials object of an ACTIVE user to be updated to Password Hook. (OKTA-350956)
- The `illegal_post_logout_redirect_uri` error message, which was enhanced to help clients using the app client configuration wizard, incorrectly appeared for OIN clients. (OKTA-343082)
Monthly Release 2020.12.0
Change | Expected in Preview Orgs |
---|---|
Inclusive language and terminology | December 9, 2020 |
New OAuth Administrator Roles API scopes | December 9, 2020 |
New endpoint added to DynamicScale Rate Limits | December 9, 2020 |
Account linking for SAML IdPs is now GA in Production | December 9, 2020 |
One Time Use Refresh Token is now in Early Access (EA) | December 9, 2020 |
Enhancements to Apps API for IdP Initiated Logins | December 9, 2020 |
Enhancements to Apps API for SAML Apps | December 9, 2020 |
Groups API extended search is now GA in Preview | December 9, 2020 |
Inclusive language and terminology
Okta is focused on the adoption of inclusive language and communication. Some long-standing industry terminology and expressions have been updated in this release. More updates will be made in future releases.
In this release, the documentation for Custom Groups Claims has been updated with inclusive terminology. The term "whitelist" has been replaced with "allowlist":
Existing custom claims that use the `groupwhitelist` Profile property don't need to change.
New OAuth Administrator Roles API scopes
The Administer Roles API now supports OAuth scopes `okta.roles.manage` and `okta.roles.read`. These scopes allow applications to read and manage (create, update, and delete) administrator roles in your Okta organization.
New endpoint added to DynamicScale rate limits
The DynamicScale add-on service now includes the following additional authentication endpoint: `/login/login.html`.
Account linking for SAML IdPs is now GA in Production
Admins can now enable or disable automatic account linking between SAML Identity Providers and Okta using the Identity Provider API. They can also restrict account linking based on whether the end user is a member of any specified groups.
One Time Use Refresh Token is now in Early Access (EA)
One Time Use Refresh Token, also called Refresh Token Rotation, is now in Early Access. Refresh Token Rotation helps a public client to securely rotate refresh tokens after each use. A new refresh token is returned each time the client makes a request to exchange a refresh token for a new access token. See Refresh Token Rotation.
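What one-time use means for a client, as an added example (not Okta's code): an in-memory stand-in for a token endpoint with rotation on, and a client that swaps in the new refresh token under a lock. The class names, the `spa-client` ID and the token format are assumptions made for illustration.

```python
import secrets
import threading


class InvalidGrant(Exception):
    """Stand-in for the OAuth 2.0 `invalid_grant` error response."""


class RotatingTokenEndpoint:
    """Constructed in-memory stand-in for a token endpoint with rotation on."""

    def __init__(self):
        self._active = {}  # currently valid refresh token -> client_id
        self._lock = threading.Lock()

    def issue(self, client_id):
        """Hand out the first refresh token (end of an authorization flow)."""
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._active[token] = client_id
        return token

    def refresh(self, client_id, refresh_token):
        """Exchange a refresh token; the presented token is consumed."""
        with self._lock:
            if self._active.get(refresh_token) != client_id:
                raise InvalidGrant("unknown, already used, or not this client's token")
            del self._active[refresh_token]  # one-time use
            new_token = secrets.token_urlsafe(32)
            self._active[new_token] = client_id
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": new_token}


class PublicClient:
    """Client side: hold exactly one current refresh token."""

    def __init__(self, endpoint, client_id, refresh_token):
        self._endpoint = endpoint
        self._client_id = client_id
        self._refresh_token = refresh_token
        self._lock = threading.Lock()

    @property
    def refresh_token(self):
        return self._refresh_token

    def new_access_token(self):
        # Serialize refreshes: if two threads presented the same token, the
        # slower one would be holding a token that is already consumed.
        with self._lock:
            response = self._endpoint.refresh(self._client_id, self._refresh_token)
            # Store the rotated token before the access token is used.
            self._refresh_token = response["refresh_token"]
            return response["access_token"]


def run_demo():
    endpoint = RotatingTokenEndpoint()
    first = endpoint.issue("spa-client")  # constructed client ID
    client = PublicClient(endpoint, "spa-client", first)

    client.new_access_token()
    second = client.refresh_token
    client.new_access_token()
    third = client.refresh_token

    # A stale copy of the first token no longer works after it was exchanged.
    try:
        endpoint.refresh("spa-client", first)
        stale_copy_rejected = False
    except InvalidGrant:
        stale_copy_rejected = True

    return {
        "distinct_tokens": len({first, second, third}) == 3,
        "stale_copy_rejected": stale_copy_rejected,
        "current_token_accepted": bool(client.new_access_token()),
    }


if __name__ == "__main__":
    print(run_demo())
```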
Enhancements to Apps API for IdP Initiated Logins
The Apps API can now configure the IdP Initiated Login behavior, which is also available in the Admin Console. Note: The IdP Initiated Login is limited to OpenID Connect clients.
Enhancements to Apps API for SAML Apps
The Apps API can now configure the SLO URL behavior for SAML apps, which is also available in the Admin Console.
Groups API extended search is now GA in Preview
The Groups API support for extended search is now Generally Available (GA) in Preview.
November
Weekly Release 2020.11.1
Change | Expected in Preview Orgs |
---|---|
Bugs Fixed in 2020.11.1 | November 11, 2020 |
Bugs fixed in 2020.11.1
- Import of users with a bcrypt-hashed password succeeded even if the `workFactor` property was missing or misnamed. This prevented imported users from signing in. (OKTA-330587)
- During user import, some POST requests to the `/users` endpoint incorrectly triggered inline hooks, resulting in higher latency. (OKTA-335769)
Monthly Release 2020.11.0
Change | Expected in Preview Orgs |
---|---|
Inclusive language and terminology | November 4, 2020 |
System Log API adds additional filter expressions | November 4, 2020 |
Zones API includes usage property | November 4, 2020 |
Client-based rate limiting is now GA in Production | (See entry) |
User Consent for OAuth 2.0 and OpenID Connect flows is rolling out to GA in Production | (See entry) |
Account linking for SAML IdPs is now GA in Preview | November 4, 2020 |
Group object source property is now GA in Preview | November 4, 2020 |
MyAccount API is now in Early Access (EA) | November 4, 2020 |
Bug Fixed in 2020.11.0 | November 4, 2020 |
Inclusive language and terminology
Okta is focused on the adoption of inclusive language and communication. Some long-standing industry terminology and expressions have been updated in this release. More updates will be made in future releases.
The descriptive information returned on both the invalid redirect URI and invalid logout URI error pages has been updated to remove the term "whitelisted".
System Log API adds additional filter expressions
The System Log API `/logs` endpoint can now use the SCIM filter expression operators: `ew` (ends with), `ne` (not equal), and `not` (not function).
Zones API includes usage property
To help you manage zones in your organization, the Early Access Zones API now includes the `usage` attribute. There are two types of zones: Policy Network Zones and Blocklist Network Zones.
Client-based rate limiting is now GA in Production
Client-based rate limiting for the `/authorize` endpoint is now available in production orgs. It provides granular isolation between requests made to the `/authorize` endpoint by using a combination of the Client ID, user's IP address, and Okta device identifier. This isolates rogue OAuth clients and bad actors, ensuring valid users and applications don't run into rate limit violations.
This feature will be available to orgs in Okta Production cells on November 9, 2020.
User Consent for OAuth 2.0 and OpenID Connect flows is rolling out to GA in Production
A consent represents a user's explicit permission to allow an application to access resources protected by scopes. As part of an OAuth 2.0 or OpenID Connect authentication flow, you can prompt the user with a page to approve your app's access to specified resources. See the consent property for scopes.
This feature will be gradually made available to orgs in Okta Production cells beginning on November 11, 2020.
Account linking for SAML IdPs is now GA in Preview
Admins can now enable or disable automatic account linking between SAML Identity Providers and Okta using the Identity Provider API. They can also restrict account linking based on whether the end user is a member of any specified groups.
Group object source property is now GA in Preview
For API requests that return a Group or a list of Groups, the Group object includes a `source` property that provides the ID of the source application for the returned Group. This property is now GA in all Preview orgs. See Group attributes.
MyAccount API is now in Early Access (EA)
The MyAccount API enables non-administrator end users to fetch their Okta user profiles. To enable this EA feature, contact Support.
Bug fixed in 2020.11.0
When the `expiresAt` property value of the Authentication transaction object was returned with an `/authn` response that also included the `sessionToken` parameter (not `stateToken`), the value incorrectly indicated a 3-minute lifetime. (OKTA-319907)
October
Weekly Release 2020.10.2
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2020.10.2 | October 21, 2020 |
Bug fixed in 2020.10.2
When accessing the `/authorize` endpoint with a scope parameter requiring consent, users not assigned to the application received a consent prompt rather than an error message. (OKTA-335476)
Weekly Release 2020.10.1
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2020.10.1 | October 14, 2020 |
Bug fixed in 2020.10.1
Requests that were missing access tokens resulted in an HTTP 400 error code instead of a 401. (OKTA-280102)
Monthly Release 2020.10.0
Change | Expected in Preview Orgs |
---|---|
Troubleshooting assistance for app redirect URI | October 7, 2020 |
API Access Management enables scope as a claim | October 7, 2020 |
Rate limit changes | October 7, 2020 |
Client-based rate limiting | October 7, 2020 |
Groups API enhancements in EA | October 7, 2020 |
Troubleshooting assistance for app redirect URI
When an app redirect URI is either missing or incorrectly configured, Okta returns an HTTP 400 error. Now, the error description provides troubleshooting assistance to debug the expected redirect URI.
API Access Management enables scope as a claim
You can now name a claim `scope` in API Access Management custom authorization servers. Also, you can now use the EL expression `access.scope` in custom claims to return an array of granted scope strings.
Rate limit changes
Rate limits for paid developer orgs and for one-app orgs have been updated. See the Rate Limits page.
Client-based rate limiting
Client-based rate limiting for the `/authorize` endpoint is now available in Preview. It provides granular isolation between requests made to the `/authorize` endpoint by using a combination of the Client ID, user's IP address, and Okta device identifier. This isolates rogue OAuth clients and bad actors, ensuring valid users and applications don't run into rate limit violations.
Groups API enhancements in EA
The Groups API now supports extended search. Also, source application is now returned in Group objects.
September
Weekly Release 2020.09.4
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2020.09.4 | September 30, 2020 |
Bugs fixed in 2020.09.4
- When an OAuth service client called the `/authorize` endpoint, the returned error description was inaccurate. (OKTA-252750)
- If a user was assigned to two groups that have identical roles, then a call to the `/users/${userId}/roles` endpoint to list the administrator roles assigned to the user failed with an HTTP 400 error. (OKTA-325187)
- The `okta.apps.*` scope wasn't applied to the `/apps/${applicationId}/credentials/keys` endpoint. (OKTA-331828)
Weekly Release 2020.09.3
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2020.09.3 | September 24, 2020 |
Bug fixed in 2020.09.3
If a user was converted to use an external Federated IdP instead of Okta, any subsequent attempt to convert the user with a call to the `/users/${userId}/lifecycle/reset_password` endpoint returned an HTTP 501 error instead of an HTTP 400 error. (OKTA-323343)
Weekly Release 2020.09.2
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2020.09.2 | September 16, 2020 |
Bug fixed in 2020.09.2
- Requests to the `/token`, `/revoke`, and `/introspect` endpoints that had invalid client credentials would return an HTTP 400 error instead of the HTTP 401 error required by the OAuth 2.0 spec. (OKTA-306444)
Weekly Release 2020.09.1
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2020.09.1 | September 10, 2020 |
Bugs fixed in 2020.09.1
- When attempting to reset a user's password using the `lifecycle/reset_password` endpoint, admins received an HTTP 500 error code rather than a valid error message if the user's email address was invalid. (OKTA-307089)
- If a `Groups` claim returned more than 100 groups, then tokens couldn't be minted, which generated an HTTP 500 error code instead of an HTTP 400 error code. (OKTA-321988)
- If an Identity Provider returned an error response during authentication, the `/introspect` endpoint returned an HTTP 500 error code. (OKTA-324419)
- When a geographical network zone that included Okta routers was added to an IP blocklist zone, all requests to the org were blocked. (OKTA-326955)
August
Weekly Release 2020.08.2
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2020.08.2 | August 19, 2020 |
Bugs fixed in 2020.08.2
- In orgs with Factor Sequencing enabled, customers always had `password` as one of the factor types in the ID token's `amr` claim, regardless of which factor was actually used. (OKTA-318437)
- For some orgs with both Passwordless Authentication and Improved New Device Behavior Detection enabled, Okta treated all authentication attempts as though they came from new devices. (OKTA-320675)
Monthly Release 2020.08.0
Change | Expected in Preview Orgs |
---|---|
Apple as an Identity Provider is now GA in Production | August 5, 2020 |
OAuth 2.0 authorization code length has been increased | August 5, 2020 |
Bugs fixed in 2020.08.0 | August 5, 2020 |
Apple as an Identity Provider is now GA in Production
Apple as an Identity Provider is now Generally Available in Production. Apple as an IdP allows users to sign in to your app using their Apple ID. See Apple as an Identity Provider.
OAuth 2.0 authorization code length has been increased
To better align with security best practices, the length of OAuth 2.0 authorization codes is now 256 bits of entropy (43 characters).
Bugs fixed in 2020.08.0
- The GET `/api/v1/users/{userid}/idps` and POST `/api/v1/idps/{idpId}/users/{userId}` endpoints weren't OAuth enabled. (OKTA-303902)
- Non-CORS requests to the OAuth 2.0 `/token` endpoint failed when the Okta session cookie was present. (OKTA-312816)
July
Weekly Release 2020.07.2
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2020.07.2 | July 29, 2020 |
Bug fixed in 2020.07.2
- When using the Apps API, exceeding the character limit for OIDC application redirect URIs resulted in an HTTP 500 error instead of an HTTP 400 error. (OKTA-297164)
Monthly Release 2020.07.0
Change | Expected in Preview Orgs |
---|---|
Apple as an Identity Provider is now GA in Preview | July 9, 2020 |
YubiKey OTP Token operations added | July 9, 2020 |
Support for creating OIN OIDC Apps via the Dynamic Client Registration API | July 9, 2020 |
API support for multiple ACS URLs | July 9, 2020 |
Bugs fixed in 2020.07.0 | July 9, 2020 |
Apple as an Identity Provider is now GA in Preview
Apple as an Identity Provider is now Generally Available in Preview. Apple as an IdP allows users to sign in to your app using their Apple ID. See Apple as an Identity Provider.
YubiKey OTP Token operations added
Using the Factors API, requests for single YubiKey OTP Tokens and uploading a seed for a YubiKey OTP are now supported. Other API operations for YubiKey OTP Tokens are now documented in the Factors API.
Support for creating OIN OIDC Apps using the Dynamic Client Registration API
Creating OIN OIDC Apps using the Dynamic Client Registration API is now supported.
API support for multiple ACS URLs
When creating a custom SAML app using the Apps API, you can now pass two optional parameters (`allowMultipleAcsEndpoints` and `acsEndpoints`) to configure up to 100 Assertion Consumer Service (ACS) URLs.
Bugs fixed in 2020.07.0
- In certain situations, the Identity Providers API returned the wrong X509 SSO endpoint. (OKTA-310023)
June
Weekly Release 2020.06.2
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2020.06.2 | June 17, 2020 |
Bug fixed in 2020.06.2
After a user was demastered from Active Directory, calls to the `/users` endpoint did not reflect that change for up to 24 hours. (OKTA-294377)
Weekly Release 2020.06.1
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2020.06.1 | June 10, 2020 |
Bug fixed in 2020.06.1
For deleted or inactive instances, or instances that don't support CVD, calls to the `/mappings` endpoint incorrectly returned HTTP 500 errors. (OKTA-287888)
Monthly Release 2020.06.0
Change | Expected in Preview Orgs |
---|---|
Password Import Event eligible for use in event hook | June 3, 2020 |
OAuth public metadata endpoint caching | June 3, 2020 |
Improved new device behavior detection | June 3, 2020 |
Dynamic authentication context for SAML apps | June 2, 2020 |
New JWKS key length validation | June 3, 2020 |
Password Import Event eligible for use in event hook
The `user.import.password` event provides information on the outcome of the import of an individual user's password during the Password Import flow. This event is eligible for use in an Event hook, enabling you to trigger removal of a password from your existing user store when import to Okta is confirmed as successful.
OAuth public metadata endpoint caching
HTTP `no-cache` headers are no longer sent in responses returned by the following OAuth public metadata endpoints:
/.well-known/openid-configuration
/.well-known/oauth-authorization-server
/oauth2/{authorizationServerId}/.well-known/openid-configuration
/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
Improved new device behavior detection
When this feature is enabled, stronger signals are used for the detection of new devices. Devices with web browsers that don't store cookies are treated as new, and trusted applications must send a unique identifier for each device as a device token.
Dynamic authentication context for SAML apps
You can configure a custom attribute statement for SAML assertions to send user authentication context to SAML apps during the app authentication process. Apps can use this information to limit access to certain app-specific behaviors and calculate the risk profile for the signed-in user.
New JWKS key length validation
New client JSON Web Key Sets are now validated and rejected if the key length is less than 2048 bits.
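A check to run on a client JWKS before registering it, as an added example (not Okta's code): it assumes "key length" means the bit length of the RSA modulus `n`, which may differ from how Okta measures it. The function names and the sample keys are constructed for illustration.

```python
import base64

MIN_RSA_BITS = 2048  # minimum key length stated in the release note


def b64url_to_int(value):
    """Decode an unpadded base64url JWK parameter (RFC 7518) to an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def b64url(raw):
    """Unpadded base64url, the encoding JWK parameters use (for the sample data)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def audit_jwks(jwks, min_bits=MIN_RSA_BITS):
    """Return {kid: verdict} for every key in a JWKS document.

    Verdicts: "ok", "too short (<n> bits)", "malformed", "not RSA, not checked".
    """
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS must contain a non-empty 'keys' array")

    verdicts = {}
    for index, jwk in enumerate(keys):
        if not isinstance(jwk, dict):
            verdicts[f"#{index}"] = "malformed"
            continue
        kid = jwk.get("kid", f"#{index}")
        if jwk.get("kty") != "RSA":
            verdicts[kid] = "not RSA, not checked"
            continue
        try:
            # bit_length() counts significant bits, so a modulus stored with
            # leading zero bytes is not credited with bits it does not have.
            bits = b64url_to_int(jwk["n"]).bit_length()
        except (KeyError, TypeError, ValueError):
            # missing "n", non-string "n", or invalid base64
            verdicts[kid] = "malformed"
            continue
        verdicts[kid] = "ok" if bits >= min_bits else f"too short ({bits} bits)"
    return verdicts


def sample_jwks():
    """Constructed sample: the moduli are bit patterns of the right size, not real keys."""
    n2048 = ((1 << 2047) | 1).to_bytes(256, "big")
    n1024 = ((1 << 1023) | 1).to_bytes(128, "big")
    # 256 encoded bytes, but the top byte is zero: only 2040 significant bits.
    n_padded = b"\x00" + ((1 << 2039) | 1).to_bytes(255, "big")
    return {"keys": [
        {"kty": "RSA", "kid": "strong", "e": "AQAB", "n": b64url(n2048)},
        {"kty": "RSA", "kid": "weak", "e": "AQAB", "n": b64url(n1024)},
        {"kty": "RSA", "kid": "zero-padded", "e": "AQAB", "n": b64url(n_padded)},
        {"kty": "EC", "kid": "ec-key", "crv": "P-256"},
        {"kty": "RSA", "kid": "broken", "e": "AQAB", "n": "A"},
    ]}


if __name__ == "__main__":
    for kid, verdict in audit_jwks(sample_jwks()).items():
        print(f"{kid}: {verdict}")
```

Counting encoded bytes instead of significant bits would pass the `zero-padded` key, which is why the check uses the integer's bit length.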
May
Weekly Release 2020.05.2
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2020.05.2 | May 20, 2020 |
Bug fixed in 2020.05.2
When listing AD and LDAP group targets for the Group admin role assigned to a user or to a group, the logo URL in the `_links` section of the response was incorrect. (OKTA-297070)
Monthly Release 2020.05.1
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2020.05.1 | May 13, 2020 |
Bugs fixed in 2020.05.1
- Exceeding the rate limit on the `/token` endpoint resulted in an HTTP 400 error instead of an HTTP 429 error. (OKTA-289508)
- The IdP `/metadata.xml` endpoint was not OAuth enabled. (OKTA-294739)
- Simultaneous `DELETE` calls to the `/users/${id}` endpoint could result in HTTP 500 errors. (OKTA-223918)
Monthly Release 2020.05.0
Change | Expected in Preview Orgs |
---|---|
Logging of successful password import | May 6, 2020 |
Rate limit headers no longer returned on cached static endpoints | May 6, 2020 |
OAuth for Okta enabled for Trusted Origins, Sessions, and Custom Templates APIs | May 6, 2020 |
Updated behavior for logging of invalid use by OAuth 2.0 Client | May 6, 2020 |
Bugs fixed in 2020.05.0 | May 6, 2020 |
Logging of successful password import
A System Log Event is now generated with details about the success or failure of the password import attempt when a user with an imported password has successfully signed in to Okta.
Rate limit headers no longer returned on cached static endpoints
Rate limits do not apply to these OAuth public metadata endpoints, so rate limit headers will no longer be returned:
/oauth2/v1/keys
/.well-known/openid-configuration
/.well-known/oauth-authorization-server
/oauth2/{authorizationServerId}/v1/keys
/oauth2/{authorizationServerId}/.well-known/openid-configuration
/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
OAuth for Okta enabled for Trusted Origins, Sessions, and Custom Templates APIs
OAuth for Okta is now enabled for the Trusted Origins API, the Sessions API, and the Custom Templates API. See Scopes & supported endpoints.
Updated behavior for logging of invalid use by OAuth 2.0 Client
The previously announced logging behavior has been updated. Invalid `client_secret` warnings are now triggered by 5 invalid attempts (consecutive or not) within a 24-hour period.
Bugs fixed in 2020.05.0
- When signing in a federated user using the `/oauth/v1/authorize` endpoint with consent enabled and the `prompt` parameter set to `login`, the Sign-In Widget failed with an error. (OKTA-290760)
April
Weekly Release 2020.04.2
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2020.04.2 | April 29, 2020 |
Bugs fixed in 2020.04.2
- Service clients weren't able to update users. (OKTA-288246)
- Returned User Type objects erroneously contained a `ref` object. (OKTA-287651)
Weekly Release 2020.04.1
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2020.04.1 | April 15, 2020 |
Bug fixed in 2020.04.1
- When calling the `/oauth2/default/v1/authorize` or `/oauth2/${authServerId}/v1/authorize` endpoints with the `prompt` parameter set to `login` and the `idp` parameter set to a SAML IdP, the end user wasn't forced to authenticate. (OKTA-288118)
Monthly Release 2020.04.0
Change | Expected in Preview Orgs |
---|---|
OAuth for Okta GA in Production | April 8, 2020 |
User Types API GA in Production | April 8, 2020 |
CORS headers in more API responses | April 8, 2020 |
Bugs fixed in 2020.04.0 | April 8, 2020 |
OAuth for Okta GA in Production
OAuth for Okta is now Generally Available in Production.
User Types API GA in Production
The User Types API is Generally Available in Production.
CORS headers in more API responses
Okta will now return CORS headers for requests made with OAuth 2.0 Bearer tokens, even if an endpoint isn't CORS-enabled and even if the originating URL isn't configured as a Trusted Origin.
Bugs fixed in 2020.04.0
- New SAML apps would have an active SAML assertion inline hook assigned to them automatically. (OKTA-262777)
- Attempts to update the user schema with invalid properties could return HTTP 500 errors. (OKTA-281498)
- The `errorSummary` for error E0000074 was malformed. (OKTA-273711)
March
Weekly Release 2020.03.2
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2020.03.2 | March 18, 2020 |
Bugs fixed in 2020.03.2
- In some cases, an OAuth 2.0 `/authorize` request would incorrectly redirect if the client App had an App Sign-On Policy configured. (OKTA-269116)
- The `_links` attribute for `groups` sent by Okta in the request body for a SAML inline hook was incorrect. (OKTA-269553)
- Responses from OpenID Connect and OAuth 2.0 public metadata endpoints incorrectly omitted the return of CORS headers if the calling URL wasn't in the list of trusted origins defined for the org. (OKTA-283549)
- When a Workflow was called, all headers that weren't white listed had text prepended in the response, which broke redirects. (OKTA-282294)
- In some cases, the end user wasn't correctly prompted for consent during an OAuth 2.0 `/authorize` request. (OKTA-270039)
Weekly Release 2020.03.1
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2020.03.1 | March 11, 2020 |
Bug fixed in 2020.03.1
- The Update Identity Provider operation allowed changing the `protocol` property of an Identity Provider object, which resulted in errors. (OKTA-277221)
Monthly Release 2020.03.0
Change | Expected in Preview Orgs |
---|---|
Email as a factor and supported optional enrollment is Generally Available in Preview | March 4, 2020 |
The Third-Party admin role is Generally Available in Preview | March 4, 2020 |
OAuth for Okta is Generally Available in Preview | March 4, 2020 |
Pagination is available for the List Authorization Servers operation | March 4, 2020 |
Sign-in attempt behavior evaluation is now logged when there is no client information | March 4, 2020 |
OAuth for Okta enabled for Schemas and Linked Objects APIs | March 4, 2020 |
Bugs fixed in 2020.03.0 | March 4, 2020 |
Email as a factor and supported optional enrollment is Generally Available in Preview
The Okta email factor for MFA is now Generally Available in Preview. When the email factor is enabled, end users receive a code in an email message to use when they sign in.
The email factor configuration also supports optional enrollment, which is now Generally Available for all orgs that already have the factor enabled as part of Early Access.
The Third-Party admin role is Generally Available in Preview
The Third-Party admin role is now Generally Available in Preview.
OAuth for Okta is Generally Available in Preview
OAuth for Okta is now Generally Available in Preview. At this time, OAuth for Okta works only with the APIs listed in the Scopes & supported endpoints section. We are actively working towards supporting additional APIs. Our goal is to cover all Okta public API endpoints.
Pagination is available for the List Authorization Servers operation
Pagination is now available for the List Authorization Servers operation.
Sign-in attempt behavior evaluation is now logged when there is no client information
Sign-in attempt behavior evaluation is logged in the `debugContext` object of the `user.session.start` and `policy.evaluate.sign_on` events, even when client information is missing for all behaviors.
OAuth for Okta enabled for Schemas and Linked Objects APIs
The Schemas API and the Linked Objects API now have OAuth for Okta enabled. See Scopes & supported endpoints.
Bugs fixed in 2020.03.0
- Users could acquire logs before the Logs retention period using specific `after` parameters. (OKTA-277912)
- App admins were able to modify all profiles in the Profile Editor even when the admin was limited to only administer certain apps. (OKTA-267829)
February
Weekly Release 2020.02.2
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2020.02.2 | February 26, 2020 |
Bugs fixed in 2020.02.2
- When the Security Question option wasn't enabled in the password policy, requests to the `/reset_password` endpoint would return a 403 error when the `sendEmail` query parameter was set to `false`. (OKTA-272392)
- Some cross-origin requests to the `/users/me` endpoint didn't return CORS headers if the user had an invalid session. (OKTA-260550)
Weekly Release 2020.02.1
Change | Expected in Preview Orgs |
---|---|
Bugs Fixed in 2020.02.1 | February 19, 2020 |
Bugs Fixed in 2020.02.1
- When an admin's last role was revoked using the Roles API, it would sometimes not trigger a System Log event. (OKTA-276093)
- In certain situations the `/keys` endpoint would incorrectly return that the current key was expired and needed to be rolled over when the rollover hadn't occurred yet. (OKTA-227062)
- Expired AD users received different authentication errors depending on whether the Passwordless Policy was enabled or disabled. (OKTA-268306)
Monthly Release 2020.02.0
Change | Expected in Preview Orgs |
---|---|
Password Import Inline Hook in General Availability in Preview and Production | February 5, 2020 |
OAuth for Okta Enabled for User Consent Grant Operations | February 5, 2020 |
OAuth for Okta Enabled for Policy API | February 5, 2020 |
User Types API in General Availability in Preview | February 5, 2020 |
SAML Assertion Inline Hook Now Supports URI Formatting in Claims | February 5, 2020 |
Support Added in List Users API for Sort Parameters | February 5, 2020 |
Apps API Support for Custom SAML Attribute Statements | February 5, 2020 |
Rate Limits for OAuth 2.0 Endpoints in Production | n/a |
Bugs Fixed in 2020.02.0 | February 5, 2020 |
Password Import Inline Hook in General Availability in Preview and Production
The password import inline hook lets you interface with an external service to verify a user-supplied password when the user signs in to Okta for the first time. This supports scenarios in which users are migrated from an existing user store while allowing them to retain their passwords.
OAuth for Okta Enabled for User Consent Grant Operations
User Consent Grant Operations now have OAuth for Okta enabled.
OAuth for Okta Enabled for Policy API
The Policy API now has OAuth for Okta enabled.
User Types API in General Availability in Preview
The User Types API is in General Availability (GA) in Preview.
SAML Assertion Inline Hook Now Supports URI Formatting in Claims
Okta now supports URI claims with the SAML assertion inline hook. When you need to replace or add a URI claim, you must encode the claim name within the command based on the JSON Pointer specification.
Support Added in List Users API for Sort Parameters
The List Users API now supports `sortBy` and `sortOrder` parameters on `search` queries.
Apps API Support for Custom SAML Attribute Statements
The Apps API now supports specifying SAML attribute statements for SAML 2.0 apps.
Rate Limits for OAuth 2.0 Endpoints in Production
Rate limiting has been modified for OAuth 2.0 endpoints in Production orgs so that requests that use an invalid client ID don't consume the rate limit. A System Log warning has also been introduced for high rate limit consumption by requests that use a valid client ID.
Bugs Fixed in 2020.02.0
When using the SAML assertion inline hook, if there was an optional attribute statement configured for the app and the attribute statement had no value specified, commands returned from SAML inline hook responses were not applied. (OKTA-263494)
The Update User Types API previously allowed the existing name of a User Type to be changed. (OKTA-241788)
January
Weekly Release 2020.01.2
Change | Expected in Preview Orgs |
---|---|
Bug Fixed in 2020.01.2 | January 29, 2019 |
Bug Fixed in 2020.01.2
- Passing an incorrect `userId` to the List User Roles API would not result in an error. (OKTA-243094)
Monthly Release 2020.01.0
Change | Expected in Preview Orgs |
---|---|
Rate limit warnings for all API customers | January 8, 2020 |
Events API endpoint rate limit added | January 8, 2020 |
System Log Events for user import | January 8, 2020 |
Rate limit warnings for all API customers
All Customer Identity orgs will now see an admin console banner and receive an email notification when their org approaches its rate limit. Previously this was only available for One App and Enterprise orgs.
Events API endpoint rate limit added
The `/events` API endpoint now has its own rate limit bucket for Workforce orgs. See the Rate Limits page for more information.
System Log Events for user import
System Log events have been added for the start and end of each phase of the user import process. See the Event Types catalog for more information.