Okta Classic Engine API release notes (2025)
March
Weekly release 2025.03.3
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.03.3 | March 26, 2025 |
Bugs fixed in 2025.03.3
- Custom role admins with permission conditions couldn't search for users by firstName or lastName. (OKTA-894392)
- GET requests to the /api/v1/users/me/appLinks endpoint sometimes returned an HTTP 500 Internal Server error. (OKTA-873694)
Weekly release 2025.03.2
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.03.2 | March 19, 2025 |
Bugs fixed in 2025.03.2
- The OIN Submission Tester didn't support custom domains in the IdP flow. (OKTA-835402)
- Step-up authentication using the ACR value urn:okta:loa:2fa:any didn't always challenge the user for an additional authentication factor with each /authorize request, even when the user didn't have an upgraded Okta session from initial authentication. (OKTA-754476)
Weekly release 2025.03.1
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.03.1 | March 12, 2025 |
Bugs fixed in 2025.03.1
- createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
- Custom admins who were limited to viewing only application group members received incomplete results when using the List All Users API without a search or filter parameter. (OKTA-801592)
- The JSON Web Token that Okta generates and sends to the OpenID Connect identity provider contained a string exp instead of a number 'exp'. (OKTA-852446)
- When making POST requests to users/{userId}/factors/{factorId}/verify or authn/factors/{factorId}/verify endpoints with factorType instead of factorId in the URL path, multiple failed verification attempts didn't lock users out and the failed attempts weren't logged in the System Log. (OKTA-871469)
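RFC 7519 defines exp as a NumericDate (a JSON number), so a relying party that validates strictly should treat the string-typed exp from OKTA-852446 as invalid rather than coerce it. The following is an added example, not Okta code: it type-checks exp over constructed sample tokens, and the function names, issuer URL and timestamps are assumptions; signature verification is out of scope here.

```python
import base64
import json

# Constructed reference time (epoch seconds) so the example is deterministic.
NOW = 1741780000

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_jwt(claims: dict) -> str:
    """Build a constructed sample token; the third segment is a placeholder, not a signature."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder')}"

def check_exp(token: str, now: float = NOW, leeway: int = 60) -> str:
    """Classify the exp claim as ok, expired, exp-missing, exp-not-numeric or malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "malformed"
    if not isinstance(claims, dict):
        return "malformed"
    if "exp" not in claims:
        return "exp-missing"
    exp = claims["exp"]
    # NumericDate must be a JSON number. bool subclasses int in Python, so
    # exclude it, and never coerce a string such as "1741780300" with int().
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return "exp-not-numeric"
    return "ok" if now < exp + leeway else "expired"

# Constructed samples: a conforming token, the string-typed exp from the bug, and edge cases.
SAMPLES = {
    "numeric": make_sample_jwt({"iss": "https://example.okta.com", "exp": NOW + 300}),
    "string": make_sample_jwt({"iss": "https://example.okta.com", "exp": str(NOW + 300)}),
    "stale": make_sample_jwt({"iss": "https://example.okta.com", "exp": NOW - 3600}),
    "absent": make_sample_jwt({"iss": "https://example.okta.com"}),
}

if __name__ == "__main__":
    for name, token in SAMPLES.items():
        print(name, check_exp(token))
```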
Monthly release 2025.03.0
Change | Expected in Preview Orgs |
---|---|
OIDC IdPs now support group sync is GA in Production | October 23, 2024 |
Granular account linking for certain Identity Providers is GA in Production | December 11, 2024 |
Improved group search functionality is GA in Production | February 12, 2025 |
Improved user search functionality is GA in Production | February 12, 2025 |
Improved realms and device search functionality is GA in Production | February 12, 2025 |
Realms for Workforce is GA in Production | February 13, 2025 |
Identity Security Posture Management functionality in the OIN catalog | March 5, 2025 |
Default global session policy rule update | March 5, 2025 |
Developer documentation update in 2025.03.0 | March 5, 2025 |
Bug fixed in 2025.03.0 | March 5, 2025 |
OIDC IdPs now support group sync is GA in Production
OpenID Connect identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.
Granular account linking for certain Identity Providers is GA in Production
When admins link users from SAML and OIDC identity providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios. See Add an external Identity Provider for OpenID Connect and SAML 2.0.
Improved group search functionality is GA in Production
You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name. Use the co operator within the search parameter of the Groups API. See Operators and search within the Groups API.
Improved user search functionality is GA in Production
You can now search for users whose names, email addresses, or usernames contain specified text. This makes it easier to do user lookups and add users to groups. Use the co operator within the search parameter of the Users API. See Operators and search within the Users API.
Improved realms and device search functionality is GA in Production
We've extended the contains (co) operator to realms and devices. You can now search for realms and devices whose profile attributes contain specified text through the API. This makes lookups easier without needing to recall the exact names of various profile attributes. Use the co operator within the search parameter. See Contains operator and the search parameter in the Realms and Devices APIs.
Realms for Workforce is GA in Production
The Realms and Realms Management APIs allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Realms and Realm Assignments.
Identity Security Posture Management functionality in the OIN catalog
The Okta Integration Network page now provides Identity Security Posture Management functionality. When you select it, the OIN catalog displays only the apps with Identity Security Posture Management functionality.
Default global session policy rule update
The default value for the maxSessionLifetimeMinutes property of the default global session policy rule is now 1440 (24 hours) and can be changed. Previously the maxSessionLifetimeMinutes property of the default global session policy rule was read-only. See Policies API.
Developer documentation update in 2025.03.0
The list of public permissions has moved from the Roles in Okta topic to the Permissions in Okta topic. The new topic contains more permission details for you to define your custom admin roles.
Bug fixed in 2025.03.0
Some certificates with trailing characters were uploaded successfully to the /domains/{domainId}/certificate endpoint, despite their invalid format. (OKTA-486406)
February
Weekly release 2025.02.2
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.02.2 | February 20, 2025 |
Bugs fixed in 2025.02.2
- An API request to create a resource set with a duplicate name sometimes returned a 5xx error instead of a 4xx error response. (OKTA-867792)
- Admins couldn't retrieve more than five entitlement SAML assertions and OIDC claims when configuring apps. (OKTA-865900)
- The contains (co) operator sometimes gave unclear error messages when using less than three characters or with other operators. (OKTA-846206)
- When an admin attempted to revoke an API token (DELETE /api/v1/api-tokens/{apiTokenId}), and the credential used to authenticate the request was an access_token for a Service client, an HTTP 403 error was returned. (OKTA-844384)
Weekly release 2025.02.1
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.02.1 | February 13, 2025 |
Bugs fixed in 2025.02.1
- When a GET request was made using the User Grants API (/api/v1/users/{userId}/grants), the response didn't include pagination links in the response header. (OKTA-826775)
- The Users API returned inconsistent responses in Classic Engine orgs that allowed self-service registration and in Identity Engine orgs that were migrated from these orgs. (OKTA-833094)
- In the Admin Console, updates in the code editor that Okta couldn't parse returned a 500 Internal Server Error. (OKTA-837068)
- The On-Behalf of Token Exchange flow was returning the wrong error message when an invalid subject_token_type was requested. (OKTA-841223)
- When a POST request was made (/api/v1/authorizationServers/{authServerId}/policies) to create an authorization policy, the created and lastUpdated properties had a null value. (OKTA-848623)
- Some identity provider API POST (/api/v1/idps) and PUT (/api/v1/idps/{idpId}) requests returned an HTTP 500 error code if the request didn't have the policy.accountLink object in the request body. (OKTA-865143)
Monthly release 2025.02.0
Change | Expected in Preview Orgs |
---|---|
IP Exempt Zone is GA in Preview | October 23, 2024 |
OIDC IdPs now support group sync is GA in Preview | October 23, 2024 |
Granular account linking for certain identity providers is GA | December 11, 2024 |
Realms for Workforce is GA in Preview | February 13, 2025 |
Improved group search functionality is GA in Preview | February 12, 2025 |
Improved user search functionality is GA in Preview | February 12, 2025 |
Support for importing Active Directory group descriptions is GA in Production | February 6, 2025 |
Developer documentation updates in 2025.02.0 | February 6, 2025 |
Bugs fixed in 2025.02.0 | February 6, 2025 |
IP Exempt Zone is GA in Preview
This feature introduces useAsExemptList as a read-only Boolean property that distinguishes the new default IP exempt zones from other zones. When you enable this feature and you make a GET api/v1/zones request, Okta returns useAsExemptList in the response. The value true indicates that the zone is an exempt zone. Only system-generated exempt zones are available.
OIDC IdPs now support group sync is GA in Preview
OpenID Connect (OIDC) identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.
Granular account linking for certain identity providers is GA
When admins link users from SAML and OIDC identity providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios. See Add an external Identity Provider for OpenID Connect and SAML 2.0.
Realms for Workforce is GA in Preview
The Realms and Realms Management APIs allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Realms and Realm Assignments.
Improved group search functionality is GA in Preview
You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name. Use the co operator within the search parameter of the Groups API. See Operators and search within the Groups API.
Improved user search functionality is GA in Preview
You can now search for users whose names, email addresses, or usernames contain specified text. This makes it easier to add users to groups or apps. Use the co operator within the search parameter of the Users API. See Operators and search within the Users API.
Support for importing Active Directory group descriptions is GA in Production
The descriptions of groups sourced from Active Directory now use their description from AD. These replace any previous descriptions of AD-sourced groups in Okta, which used a pretty-printed version of the distinguished name (DN) instead.
Developer documentation updates in 2025.02.0
- The OIN Manager: submit an integration guide has been updated to include API service submission instructions.
Bugs fixed in 2025.02.0
- When calling deleted app users through the Apps API, the API returned a 500 internal server error instead of a 404 error. (OKTA-832609)
- PUT requests (/api/v1/apps/appId) to update an OpenID Connect app took 30 seconds to complete. (OKTA-852488)
- When the List all devices API was used with a search query parameter, it sometimes returned outdated records for screenLockType and managementStatus. (OKTA-856387)
January
Weekly release 2025.01.2
Change | Expected in Preview Orgs |
---|---|
Authentication claims sharing between Okta orgs is EA in Preview | January 29, 2025 |
Bugs fixed in 2025.01.2 | January 29, 2025 |
Authentication claims sharing between Okta orgs is EA in Preview
Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Configure claims sharing.
Bugs fixed in 2025.01.2
- When the Default Network Zone IP Exempt List feature was enabled for an org, an admin was able to delete the default example IP zone using the Zones API (/api/v1/zones/{DefaultExemptIpZone ID}). (OKTA-817263)
- The List all principal rate limits endpoint returned an empty response when querying with a custom client_id and using OAuth 2.0 for authentication. (OKTA-832687)
- When a super admin updated a deactivated user to a different realm, admins received a Resource not found error. (OKTA-699778)
- Events for tokens revoked in bulk for a resource didn't appear in the System Log. (OKTA-834025)
Weekly release 2025.01.1
Change | Expected in Preview Orgs |
---|---|
Bug fixed in 2025.01.1 | January 15, 2025 |
Bug fixed in 2025.01.1
When an admin attempted to delete an IdP using the SDK, the operation failed with an HTTP 500 response code. (OKTA-846005)
Monthly release 2025.01.0
Change | Expected in Preview Orgs |
---|---|
Additional use case selection in the OIN Wizard | January 8, 2025 |
Deprecated API endpoints: Extend, Grant, and Revoke Okta Support access | January 8, 2025 |
Granular configuration for Keep Me Signed In is EA in Preview | January 8, 2025 |
POST requests to the authorize endpoint is self-service EA | January 8, 2025 |
Additional use case selection in the OIN Wizard
Independent software vendors (ISVs) can select the following additional use case categories when they submit their integration to the OIN:
- Automation
- Centralized Logging
- Directory and HR Sync
- Multifactor Authentication (MFA)
See OIN Wizard use case selection.
Deprecated API endpoints: Extend, Grant, and Revoke Okta Support access
The following API endpoints have been deprecated:
- Extend Okta Support access (POST /api/v1/org/privacy/oktaSupport/extend)
- Grant Okta Support access (POST /api/v1/org/privacy/oktaSupport/grant)
- Revoke Okta Support access (POST /api/v1/org/privacy/oktaSupport/revoke)
Use the Update an Okta Support case endpoint to extend, grant, or revoke Okta Support access for a specific support case. For the corresponding Okta Admin Console feature, see Give access to Okta Support.
Granular configuration for Keep Me Signed In is EA in Preview
Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. See Configure Keep me signed in (KMSI).
The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands API. See Customize post-authentication sign-in prompts.
POST requests to the authorize endpoint is Self-Service EA
You can now send user data securely in a POST request body to the /authorize endpoint.