Java Program User Login, Create User Object, How Long Will the Object Be Active

Users API

The Okta User API provides operations to manage users in your organization.

Getting started

Explore the Users API: Run in Postman

User operations

Create User

POST /api/v1/users

Creates a new user in your Okta system with or without credentials

  • Create User without Credentials
  • Create User with Recovery Question
  • Create User with Password
  • Create User with Imported Hashed Password
  • Create User with Password Import Inline Hook
  • Create User with Password & Recovery Question
  • Create User with Authentication Provider
  • Create User in Group
  • Create User with Non-Default User Type

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| activate | Executes activation lifecycle operation when creating the user | Query | Boolean | FALSE | TRUE |
| provider | Indicates whether to create a user with a specified authentication provider | Query | Boolean | FALSE | FALSE |
| profile | Profile properties for user | Body | Profile object | TRUE | |
| credentials | Credentials for user | Body | Credentials object | FALSE | |
| groupIds | Ids of groups that user will be added to at time of creation | Body | Array of Group Ids | FALSE | |
| nextLogin | With activate=true, if nextLogin=changePassword, a user is created, activated, and the password is set to EXPIRED, so user must change it the next time they log in. | Query | String | FALSE | FALSE |

Response parameters

All responses return the created User. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all applications via direct or indirect relationships (group memberships).

  • The user's transitioningToStatus property is ACTIVE during activation to indicate that the user hasn't completed the asynchronous operation.
  • The user's status is ACTIVE when the activation process is complete.

The user is emailed a one-time activation token if activated without a password.

Note: If the user is assigned to an application that is configured for provisioning, the activation process triggers downstream provisioning to the application. It is possible for a user to log in before these applications have been successfully provisioned for the user.

| Security Q & A | Password | Activate Query Parameter | User Status | Login Credential | Welcome Screen |
| | | FALSE | STAGED | | |
| | | TRUE | PROVISIONED | One-Time Token (Email) | X |
| X | | FALSE | STAGED | | |
| X | | TRUE | PROVISIONED | One-Time Token (Email) | X |
| | X | FALSE | STAGED | | |
| | X | TRUE | ACTIVE | Password | X |
| X | X | FALSE | STAGED | | |
| X | X | TRUE | ACTIVE | Password | |

Creating users with a FEDERATION or SOCIAL provider sets the user status to either ACTIVE or STAGED based on the activate query parameter since these two providers don't support a password or recovery_question credential.

Create User without credentials

Creates a user without a password or recovery question & answer

When the user is activated, an email is sent to the user with an activation token that can be used to complete the activation process. This is the default flow for new user registration using the administrator UI.

Request example
Response example

Create User with recovery question

Creates a user without a password

When the user is activated, an email is sent to the user with an activation token that can be used to complete the activation process. This flow is useful if migrating users from an existing user store.

Request example
Response example

Create User with password

Creates a user without a recovery question & answer

The new user is able to sign in after activation with the assigned password. This flow is common when developing a custom user registration experience.

Important: Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.

Request example
Response example

Create User with imported hashed password

Creates a user with a specified hashed password.

The new user is able to sign in after activation with the specified password. This flow is common when migrating users from another data store in cases where we want to allow the users to retain their current passwords.

Important: Do not generate or send a one-time activation token when activating users with an imported password. Users should log in with their imported password.

Request example
Response example

Create User with Password Import Inline Hook

Creates a user with a Password Hook object specifying that a Password Inline Hook should be used to handle password verification.

The Password Inline Hook is triggered to handle verification of the end user's password the first time the user tries to sign in, with Okta calling the Password Inline Hook to check that the password the user supplied is valid. If the password is valid, Okta stores the hash of the password that was provided and can authenticate the user independently from then on. See Password Import Inline Hook for more details.

The new user is able to sign in after activation with the valid password. This flow supports migrating users from another data store in cases where we wish to allow the users to retain their current passwords.

Important: Do not generate or send a one-time activation token when activating users with a Password Inline Hook. Users should sign in with their existing password to be imported using the Password Import Inline Hook.

Request example
Response example

Create User with Password & Recovery Question

Creates a new user with a password and recovery question & answer

The new user is able to log in with the assigned password after activation. This flow is common when developing a custom user-registration experience.

Important: Don't generate or send a one-time activation token when activating users with an assigned password. Users should log in with their assigned password.

Request example
Response example

Create User with Authentication Provider

Creates a new passwordless user with a SOCIAL or FEDERATION authentication provider that must be authenticated via a trusted Identity Provider

Request example
Response example

Create User in Group

Creates a user that is added to the specified groups upon creation

Use this in conjunction with other create operations for a Group Administrator that is scoped to create users only in specified groups. The request may specify up to 20 group ids. (This limit applies only when creating a user. The user may later be added to more groups.)

Request example
Response example

Create User with non-default User Type

Creates a user with a specified User Type (see User Types). The type specification may be included with any of the above Create User operations; this example demonstrates creating a user without credentials.

The User Type determines which Schema applies to that user. After a user has been created, the user can be assigned a different User Type only by an administrator via a full replacement PUT operation.

Request example
Response example

Get User

GET /api/v1/users/${userId}

CORS

Fetches a user from your Okta organization

  • Get Current User
  • Get User with ID
  • Get User with Login
  • Get User with Login Shortname

Content-Type header fields

This endpoint supports an optional okta-response value for the Content-Type header, which can be used for performance optimization. Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck.

The okta-response header value takes a comma-separated list of omit options (optionally surrounded in quotes), each specifying a part of the response to omit.

| okta-response value | Description |
| omitCredentials | Omits the credentials subobject from the response |
| omitCredentialsLinks | Omits the following HAL links from the response: Change Password, Change Recovery Question, Forgot Password, Reset Password, Reset Factors, Unlock |
| omitTransitioningToStatus | Omits the transitioningToStatus field from the response |

The performance optimization will only be applied when all three parameters are passed. Unrecognized parameters are ignored.

Content-Type header examples

Header: Content-Type: application/json; okta-response=omitCredentials,omitCredentialsLinks
Result: Omits the credentials subobject and credentials links from the response. Does not apply performance optimization.

Header: Content-Type: application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus"
Result: Omits the credentials, credentials links, and transitioningToStatus field from the response. Applies performance optimization.

Request parameters

Fetch a user by id, login, or login shortname if the short name is unambiguous.

| Parameter | Description | Param Type | DataType | Required |
| id | id, login, or login shortname (as long as it is unambiguous) | URL | String | TRUE |

When fetching a user by login or login shortname, you should URL encode the request parameter to ensure special characters are escaped properly. Logins with a / or ? character can only be fetched by id due to URL issues with escaping the / and ? characters.

Hint: you can substitute me for the id to fetch the current user linked to an API token or session cookie.

Note: Some browsers have begun blocking third-party cookies by default, disrupting Okta functionality in certain flows. For information see FAQ: How Blocking Third Party Cookies Can Potentially Impact Your Okta Environment.

Response parameters

Fetched User

An invalid id returns a 404 Not Found status code.

Get current User

Fetches the current user linked to API token or session cookie

Request example
Response example

Get User with ID

Fetches a specific user when you know the user's id

Hint: If you don't know the user id, list the users to find the correct ID.

Request example
Response example

Get User with login

Fetches a specific user when you know the user's login

When fetching a user by login, URL encode the request parameter to ensure special characters are escaped properly. Logins with a / character can only be fetched by id due to URL issues with escaping the / character.

Request example
Response example

Get User with Login Shortname

Fetches a specific user when you know the user's login shortname and the shortname is unique within the system

When fetching a user by login shortname, URL encode the request parameter to ensure special characters are escaped properly. Logins with a / character can only be fetched by id due to URL issues with escaping the / character.

Request example
Response example

List Users

GET /api/v1/users

Lists users in your organization with pagination in most cases

A subset of users can be returned that match a supported filter expression or search criteria.

Content-Type header fields

This endpoint supports an optional okta-response value for the Content-Type header, which can be used for performance optimization. Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck.

The okta-response header value takes a comma-separated list of omit options (optionally surrounded in quotes), each specifying a part of the response to omit.

| okta-response value | Description |
| omitCredentials | Omits the credentials subobject from the response |
| omitCredentialsLinks | Omits the following HAL links from the response: Change Password, Change Recovery Question, Forgot Password, Reset Password, Reset Factors, Unlock |
| omitTransitioningToStatus | Omits the transitioningToStatus field from the response |

The performance optimization will only be applied when all three parameters are passed. Unrecognized parameters are ignored.

Content-Type header examples

Header: Content-Type: application/json; okta-response=omitCredentials,omitCredentialsLinks
Result: Omits the credentials subobject and credentials links from the response. Does not apply performance optimization.

Header: Content-Type: application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus"
Result: Omits the credentials, credentials links, and transitioningToStatus field from the response. Applies performance optimization.
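
The okta-response rules described for Get User and List Users can be checked before a request is sent. The following is an added example, not Okta's code: a small parser that reports which omit options a Content-Type value carries, which ones would be ignored, and whether the all-three condition for the performance optimization is met. Option names are assumed to be matched exactly as spelled in the table.

```python
from typing import NamedTuple

# The three omit options documented on this page.
KNOWN_OMITS = ("omitCredentials", "omitCredentialsLinks", "omitTransitioningToStatus")


class OktaResponse(NamedTuple):
    omitted: frozenset   # recognized options present in the header
    ignored: tuple       # unrecognized options (the page says these are ignored)
    optimized: bool      # True only when all three options are present


def parse_okta_response(content_type: str) -> OktaResponse:
    """Parse the okta-response parameter out of a Content-Type header value."""
    options = []
    # Parameters follow the media type, separated by ';'.
    for param in content_type.split(";")[1:]:
        name, sep, value = param.strip().partition("=")
        if not sep or name.strip().lower() != "okta-response":
            continue
        value = value.strip()
        # The list may optionally be surrounded by double quotes.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        # Whitespace after a comma is tolerated, as in the page's second example.
        options = [opt.strip() for opt in value.split(",") if opt.strip()]
    omitted = frozenset(o for o in options if o in KNOWN_OMITS)
    ignored = tuple(o for o in options if o not in KNOWN_OMITS)
    return OktaResponse(omitted, ignored, omitted == frozenset(KNOWN_OMITS))


def build_content_type(omits=KNOWN_OMITS) -> str:
    """Build a header value; reject unknown names instead of sending them silently."""
    unknown = [o for o in omits if o not in KNOWN_OMITS]
    if unknown:
        raise ValueError(f"unknown okta-response option(s): {unknown}")
    return 'application/json; okta-response="' + ",".join(omits) + '"'


if __name__ == "__main__":
    for header in (
        "application/json; okta-response=omitCredentials,omitCredentialsLinks",
        build_content_type(),
    ):
        print(header, "->", parse_okta_response(header))
```

A misspelled option is ignored rather than rejected, so a request that was meant to drop the credentials subobject can still return it; checking `ignored` catches that before the call goes out.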

Request parameters

The first three parameters in the table below correspond to different types of lists:

  • List All Users (no parameters)
  • Find Users (q)
  • List Users with a Filter (filter)
  • List Users with Search (search)

| Parameter | Description | Param Type | DataType | Required |
| q | Finds a user that matches firstName, lastName, and email properties | Query | String | FALSE |
| filter | Filters users with a supported expression for a subset of properties | Query | String | FALSE |
| search | Searches for users with a supported filtering expression for most properties | Query | String | FALSE |
| limit | Specifies the number of results returned (maximum 200) | Query | Number | FALSE |
| after | Specifies the pagination cursor for the next page of users | Query | String | FALSE |
| sortBy | Specifies field to sort by (for search queries only) | Search query | String | FALSE |
| sortOrder | Specifies sort order asc or desc (for search queries only) | Search query | String | FALSE |

  • If you don't specify a value for limit, the maximum (200) is used as a default. If you are using a q parameter, the default limit is 10.
  • An HTTP 500 status code usually indicates that you have exceeded the request timeout. Retry your request with a smaller limit and paginate the results.
  • Treat the after cursor as an opaque value and obtain it through the next link relation. See Pagination.

Response parameters

Array of User

Known Limitation

Due to an infrastructure limitation, group administrators, help desk administrators, and custom administrators who are only scoped to view and manage users of their assigned groups may experience timeouts for the list users endpoints.

List all Users

Returns a list of all users that do not have a status of DEPROVISIONED, up to the maximum (200 for most orgs)

Different results are returned depending on specified queries in the request.

Request case
Response example

Find Users

Finds users who match the specified query

Use the q parameter for a simple lookup of users by name, for example when creating a people picker. The value of q is matched against firstName, lastName, or email.

This operation:

  • Doesn't support pagination.
  • Queries the most up-to-date data. For example, if you create a user or change an attribute and then issue a filter request, the change is reflected in the results.
  • Performs a startsWith match but this is an implementation detail and may change without notice. You don't need to specify firstName, lastName, or email.

Request example
Response example

Note: This omits users that have a status of DEPROVISIONED. To return all users, use a filter query instead.

List Users with a filter

Lists all users that match the filter criteria

This operation:

  • Filters against the most up-to-date data. For example, if you create a user or change an attribute and then issue a filter request, the changes are reflected in your results.
  • Requires URL encoding. For example, filter=lastUpdated gt "2013-06-01T00:00:00.000Z" is encoded as filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22.
  • Supports only a limited number of properties: status, lastUpdated, id, profile.login, profile.email, profile.firstName, and profile.lastName.

| Filter | Description |
| status eq "STAGED" | Users that have a status of STAGED |
| status eq "PROVISIONED" | Users that have a status of PROVISIONED |
| status eq "ACTIVE" | Users that have a status of ACTIVE |
| status eq "RECOVERY" | Users that have a status of RECOVERY |
| status eq "PASSWORD_EXPIRED" | Users that have a status of PASSWORD_EXPIRED |
| status eq "LOCKED_OUT" | Users that have a status of LOCKED_OUT |
| status eq "DEPROVISIONED" | Users that have a status of DEPROVISIONED |
| lastUpdated lt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" | Users last updated before a specific timestamp |
| lastUpdated eq "yyyy-MM-dd'T'HH:mm:ss.SSSZ" | Users last updated at a specific timestamp |
| lastUpdated gt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" | Users last updated after a specific timestamp |
| id eq "00u1ero7vZFVEIYLWPBN" | Users with a specified id |
| profile.login eq "login@example.com" | Users with a specified login |
| profile.email eq "email@example.com" | Users with a specified email* |
| profile.firstName eq "John" | Users with a specified firstName* |
| profile.lastName eq "Smith" | Users with a specified lastName* |

Hint: If filtering by email, lastName, or firstName, it may be easier to use q instead of filter.

See Filtering for more information on the expressions that are used in filtering.

Filter examples

List users with status of LOCKED_OUT

List users updated after 06/01/2013 but before 01/01/2014

List users updated after 06/01/2013 but before 01/01/2014 with a status of ACTIVE

List users updated after 06/01/2013 but with a status of LOCKED_OUT or RECOVERY

Request example: status
Response example
Request example: timestamp

Lists all users that have been updated since a specific timestamp

Use this operation when implementing a background synchronization job and you want to poll for changes.

Response example

Searches for users based on the properties specified in the search parameter

Note: List users with search should not be used as a part of any critical flows, such as authentication, to prevent potential data loss. Search results may not reflect the latest information, as this endpoint uses a search index which may not be up-to-date with recent updates to the object.

Property names in the search parameter are case sensitive, whereas operators (eq, sw, etc.) and string values are case insensitive. Unlike in user logins, diacritical marks are significant in search string values: a search for isaac.brock will find Isaac.Brock but will not find a property whose value is isáàc.bröck.

This operation:

  • Supports pagination.
  • Requires URL encoding. For example, search=profile.department eq "Engineering" is encoded as search=profile.department%20eq%20%22Engineering%22. Use an ID lookup for records that you update to ensure your results contain the latest information.

    Note: If you use the special character " inside a quoted string, it must also be escaped \ and encoded. For example, search=profile.lastName eq "bob"smith" is encoded as search=profile.lastName%20eq%20%22bob%5C%22smith%22.

  • Searches many properties:
    • Any user profile property, including custom-defined properties
    • The top-level properties id, status, created, activated, statusChanged and lastUpdated
    • The User Type accessed as type.id
  • Accepts sortBy and sortOrder parameters.
    • sortBy can be any single property, for example sortBy=profile.lastName
    • sortOrder is optional and defaults to ascending
    • sortOrder is ignored if sortBy is not present
    • Users with the same value for the sortBy property will be ordered by id

| Search Term Example | Description |
| status eq "STAGED" | Users that have a status of STAGED |
| lastUpdated gt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" | Users last updated after a specific timestamp |
| id eq "00u1ero7vZFVEIYLWPBN" | Users with a specified id |
| type.id eq "otyfnjfba4ye7pgjB0g4" | Users with a specified User Type ID |
| profile.department eq "Engineering" | Users that have a department of Engineering |
| profile.occupation eq "Leader" | Users that have an occupation of Leader |
| profile.lastName sw "Sm" | Users whose lastName starts with Sm |
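
The encoding and escaping rules for filter, search and login lookups matter most when the value comes from user input, because an unescaped quote would end the quoted string early and change the expression. The following is an added example, not part of the Okta documentation: helper functions that build one comparison, escape the value, and URL encode the result so that it reproduces the encoded strings shown on this page. The helper names, the property-name pattern and the escaping of the backslash itself are assumptions.

```python
import re
from urllib.parse import quote

# Properties the page lists as supported by the filter parameter.
FILTERABLE = frozenset({
    "status", "lastUpdated", "id", "profile.login", "profile.email",
    "profile.firstName", "profile.lastName",
})
# Operators that appear in this page's filter table and search table.
FILTER_OPERATORS = frozenset({"eq", "gt", "lt"})
SEARCH_OPERATORS = frozenset({"eq", "sw", "gt", "lt"})
# Dotted identifier such as profile.lastName or type.id (assumed naming rule).
_PROPERTY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")


def quote_value(value: str) -> str:
    """Wrap a value in double quotes, escaping embedded quotes with a backslash.

    The page requires \\" for an embedded quote. Escaping the backslash first
    is an assumption (JSON-style string rules) so that a trailing backslash
    cannot swallow the closing quote.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def expression(prop: str, op: str, value: str, *, for_filter: bool = False) -> str:
    """Build one comparison; property and operator are validated, never escaped."""
    if not _PROPERTY.fullmatch(prop):
        raise ValueError(f"not a property name: {prop!r}")
    if for_filter and prop not in FILTERABLE:
        raise ValueError(f"{prop} is not supported by filter; use search")
    allowed = FILTER_OPERATORS if for_filter else SEARCH_OPERATORS
    if op not in allowed:
        raise ValueError(f"unsupported operator: {op!r}")
    return f"{prop} {op} {quote_value(value)}"


def query_param(name: str, expr: str) -> str:
    """URL encode an expression; ':' stays literal, as in the page's timestamp example."""
    return f"{name}={quote(expr, safe=':')}"


def user_path(id_or_login: str) -> str:
    """Path for Get User; logins with '/' or '?' can only be fetched by id."""
    if "/" in id_or_login or "?" in id_or_login:
        raise ValueError("login contains '/' or '?': look the user up by id instead")
    return "/api/v1/users/" + quote(id_or_login, safe="")


if __name__ == "__main__":
    # Constructed sample values.
    print(query_param("search", expression("profile.lastName", "eq", 'bob"smith')))
    print(query_param("filter", expression("lastUpdated", "gt",
                                           "2013-06-01T00:00:00.000Z", for_filter=True)))
    print(user_path("isaac.brock@example.com"))
```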
Search examples

List users with an occupation of Leader

List users in the department of Engineering who were created before 01/01/2014 or have a status of ACTIVE.

Request example
Response example
Searching arrays

You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. For examples, see Request example for array and Response example for array.

  • We follow the SCIM Protocol Specification for searching arrays.
  • Search for one value at a time when searching arrays. For example, you can't search for users where a string is equal to an attribute in two different arrays.

Request example for array

The following example is for a custom attribute on User, an array of strings named arrayAttr that contains values ["arrayAttrVal1", "arrayAttrVal2"...].

Response example for array

Update User

Note: Use the POST method to make a partial update and the PUT method to delete unspecified properties.

PUT /api/v1/users/${userId}

Updates a user's profile and/or credentials using strict-update semantics

All profile properties must be specified when updating a user's profile with a PUT method. Any property not specified in the request is deleted.

Important: Don't use PUT method for partial updates.

Request parameters

| Parameter | Description | Param Type | DataType | Required |
| userId | ID of user to update | URL | String | TRUE |
| strict | If true, validates against minimum age and history password policy | Query | String | FALSE |
| profile | Updated profile for user | Body | Profile object | FALSE |
| credentials | Update credentials for user | Body | Credentials object | FALSE |

profile and credentials can be updated independently or together with a single request.

Note: Currently, the User Type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the User object, the value must match the existing type of the user. Only administrators are permitted to change the user type of a user; end users are not allowed to change their own user type.

Response parameters

Updated User

Update current User's Profile

POST /api/v1/users/me

CORS

Updates current user's profile with partial update semantics

Request parameters

| Parameter | Description | Param Type | DataType | Required |
| profile | Updated profile for user | Body | Profile object | FALSE |

End user can only update profile with this request. To update credentials, use Update Profile with ID.

Note: An end user can only update profile properties for which the user has write access. To update user permissions for a schema property, use Update User Profile Schema Property

Response parameters

Updated User

Request example
Response example

Update Profile with ID

POST /api/v1/users/${userId}

Updates a user's profile or credentials with partial update semantics

Important: Use the POST method for partial updates. Unspecified properties are set to null with PUT.

Request parameters

| Parameter | Description | Param Type | DataType | Required |
| userId | ID of user to update | URL | String | TRUE |
| strict | If true, validates against minimum age and history password policy | Query | String | FALSE |
| profile | Updated profile for user | Body | Profile object | FALSE |
| credentials | Update credentials for user | Body | Credentials object | FALSE |

profile and credentials can be updated independently or with a single request.

Response parameters

Updated User

Request example
Response example

Set password

Sets passwords without validating existing user credentials

This is an administrative operation. For operations that validate credentials refer to Reset Password, Forgot Password, and Change Password.

Request example
Response example

Set recovery question and answer

Sets recovery question and answer without validating existing user credentials

This is an administrative operation. For an operation that requires validation, see Change Recovery Question.

Request example
Response example

GET /api/v1/users/${userId}/appLinks

CORS

Fetches appLinks for all direct or indirect (via group membership) assigned applications

Request parameters

| Parameter | Description | Param Type | DataType | Required |
| id | id, login, or login shortname (as long as it is unambiguous) of user | URL | String | TRUE |

Response parameters

Array of App Links

Request example
Response example

Get User's Groups

GET /api/v1/users/${userId}/groups

CORS

Fetches the groups of which the user is a member

Request parameters

| Parameter | Description | Param Type | DataType | Required |
| id | id, login, or login shortname (as long as it is unambiguous) of user | URL | String | TRUE |

Response parameters

Array of Groups

Request example
Response example

Lifecycle operations

Lifecycle operations are non-idempotent operations that initiate a state transition for a user's status. Some operations are asynchronous while others are synchronous. The user's current status limits what operations are allowed. For example, you can't unlock a user that is ACTIVE.

Activate User

POST /api/v1/users/${userId}/lifecycle/activate

Activates a user

This operation can only be performed on users with a STAGED or DEPROVISIONED status. Activation of a user is an asynchronous operation.

  • The user's transitioningToStatus property has a value of ACTIVE during activation to indicate that the user hasn't completed the asynchronous operation.
  • The user's status is ACTIVE when the activation process is complete.

Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to ACTIVE status.

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| id | id of user | URL | String | TRUE | |
| sendEmail | Sends an activation email to the user if true | Query | Boolean | FALSE | TRUE |

Response parameters
  • Returns empty object by default.
  • If sendEmail is false, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link.

If a password was set before the user was activated, then user must log in with their password or the activationToken and not the activation link. More information about using the activationToken to log in can be found in the Authentication API.

Request example
Response example

Reactivate User

POST /api/v1/users/${userId}/lifecycle/reactivate

Reactivates a user

This operation can only be performed on users with a PROVISIONED status. This operation restarts the activation workflow if for some reason the user activation was not completed when using the activationToken from Activate User.

Users that don't have a password must complete the flow by completing Reset Password and MFA enrollment steps to transition the user to ACTIVE status.

Request parameters

| Parameter | Description | Param Type | DataType | Required |
| id | id, login, or login shortname (as long as it is unambiguous) of user | URL | String | TRUE |
| sendEmail | Sends an activation email to the user if true. Default value is false. | Query | Boolean | FALSE |

Response parameters
  • Returns empty object by default.
  • If sendEmail is false, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link.

Request example
Response example (success)
Response example (unexpected user status)

Deactivate User

POST /api/v1/users/${userId}/lifecycle/deactivate

Deactivates a user

This operation can only be performed on users that do not have a DEPROVISIONED status.

  • The user's transitioningToStatus property is DEPROVISIONED during deactivation to indicate that the user hasn't completed the asynchronous operation.
  • The user's status is DEPROVISIONED when the deactivation process is complete.

Important: Deactivating a user is a destructive operation. The user is deprovisioned from all assigned applications which may destroy their data such as email or files. This action cannot be recovered!

Request parameters

| Parameter | Description | Param Type | DataType | Required |
| userId | ID of user | URL | String | TRUE |
| sendEmail | Sends a deactivation email to the administrator if true. Default value is false. | Query | Boolean | FALSE |

Note: You can also perform user deactivation asynchronously. To invoke asynchronous user deactivation, pass an HTTP header Prefer: respond-async with the request.

Response parameters

Returns an empty object.

Deactivate user synchronously

Request example
Response example

Deactivate user asynchronously

Request example
Response example

Suspend User

POST /api/v1/users/${userId}/lifecycle/suspend

Suspends a user

This operation can only be performed on users with an ACTIVE status. The user has a status of SUSPENDED when the process is complete.

Suspended users:

  • Can't log in to Okta. Their group and app assignments are retained.
  • Can only be unsuspended or deactivated.

Request parameters

| Parameter | Description | Param Type | DataType | Required |
| id | id of user | URL | String | TRUE |

Response parameters

Returns an empty object

  • Passing an invalid id returns a 404 Not Found status code with error code E0000007.
  • Passing an id that is not in the ACTIVE state returns a 400 Bad Request status code with error code E0000001.

Request example
Response example

Unsuspend User

POST /api/v1/users/${userId}/lifecycle/unsuspend

Unsuspends a user and returns them to the ACTIVE state

This operation can only be performed on users that have a SUSPENDED status.

Request parameters

| Parameter | Description | Param Type | DataType | Required |
| id | id of user | URL | String | TRUE |

Response parameters

Returns an empty object.

Passing an invalid id returns a 404 Not Found status code with error code E0000007. Passing an id that is not in the SUSPENDED state returns a 400 Bad Request status code with error code E0000001.

Request example
Response example

Delete User

DELETE /api/v1/users/${userId}

Deletes a user permanently. This operation can only be performed on users that have a DEPROVISIONED status. This action cannot be recovered!

This operation on a user that hasn't been deactivated causes that user to be deactivated. A second delete operation is required to delete the user.

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| id | id of user | URL | String | TRUE | |
| sendEmail | Sends a deactivation email to the administrator if true. Default value is false. | Query | Boolean | FALSE | FALSE |

Note: You can also perform user deletion asynchronously. To invoke asynchronous user deletion, pass an HTTP header Prefer: respond-async with the request. This header is also supported by user deactivation, which is performed if the delete endpoint is invoked on a user that hasn't been deactivated.

Response parameters

Passing an invalid id returns a 404 Not Found status code with error code E0000007.

Delete user synchronously

Request example
Response example

Delete user asynchronously

Request example
Response example

Unlock User

POST /api/v1/users/${userId}/lifecycle/unlock

Unlocks a user with a LOCKED_OUT status and returns them to ACTIVE status. Users will be able to log in with their current password.

Note: This operation works with Okta-mastered users. It doesn't support directory-mastered accounts such as Active Directory.

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| id | id of user | URL | String | TRUE | |

Response parameters

Returns an empty object

Request example
Response example
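
The status preconditions stated for Activate, Reactivate, Deactivate, Suspend, Unsuspend, Unlock and Delete can be checked before a call is made, and the two-step delete is easy to get wrong in an offboarding job. The following is an added example, not Okta's implementation: a simplified in-memory model of those rules. The class and function names are assumptions, the user id is constructed, and the result of activating a user without a password is taken from the status table under Create User.

```python
from dataclasses import dataclass

# User statuses that appear on this page.
STATUSES = frozenset({
    "STAGED", "PROVISIONED", "ACTIVE", "RECOVERY", "PASSWORD_EXPIRED",
    "LOCKED_OUT", "SUSPENDED", "DEPROVISIONED",
})

# operation -> statuses the page says it may be performed on
PRECONDITIONS = {
    "activate": frozenset({"STAGED", "DEPROVISIONED"}),
    "reactivate": frozenset({"PROVISIONED"}),
    "deactivate": STATUSES - {"DEPROVISIONED"},
    "suspend": frozenset({"ACTIVE"}),
    "unsuspend": frozenset({"SUSPENDED"}),
    "unlock": frozenset({"LOCKED_OUT"}),
}
# Status each operation leads to ("activate" depends on the password, see below).
RESULTS = {
    "reactivate": "PROVISIONED", "deactivate": "DEPROVISIONED",
    "suspend": "SUSPENDED", "unsuspend": "ACTIVE", "unlock": "ACTIVE",
}
# Wrong-state responses the page documents (suspend and unsuspend only).
DOCUMENTED_ERRORS = {"suspend": (400, "E0000001"), "unsuspend": (400, "E0000001")}


class LifecycleError(Exception):
    """Raised when an operation is not allowed in the user's current status."""

    def __init__(self, op: str, status: str):
        super().__init__(f"{op} is not allowed while status is {status}")
        self.http_status, self.error_code = DOCUMENTED_ERRORS.get(op, (None, None))


@dataclass
class User:
    id: str
    status: str
    has_password: bool = True
    deleted: bool = False


def allowed_operations(status: str) -> list:
    """Operations (other than delete) whose stated precondition the status meets."""
    return sorted(op for op, ok in PRECONDITIONS.items() if status in ok)


def apply(user: User, op: str) -> str:
    """Apply one lifecycle call to the model and return the resulting status."""
    if op == "delete":
        if user.status == "DEPROVISIONED":
            user.deleted = True
            return "DELETED"
        # Delete on a user that hasn't been deactivated only deactivates it.
        op = "deactivate"
    if user.status not in PRECONDITIONS[op]:
        raise LifecycleError(op, user.status)
    if op == "activate":
        # Without a password the user stays PROVISIONED until the welcome flow is done.
        user.status = "ACTIVE" if user.has_password else "PROVISIONED"
    else:
        user.status = RESULTS[op]
    return user.status


def offboard(user: User) -> list:
    """Call delete until the user is gone; returns the outcome of every call."""
    steps = []
    while not user.deleted:
        steps.append(apply(user, "delete"))
    return steps


if __name__ == "__main__":
    alice = User("00u-constructed-id", "ACTIVE")
    print(allowed_operations(alice.status))  # what may be called right now
    print(offboard(alice))                   # two delete calls are needed
```

An offboarding job that issues a single DELETE against an ACTIVE user leaves a DEPROVISIONED record behind; asserting on the final state rather than on the HTTP status of the first call catches that.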

Reset password

POST /api/v1/users/${userId}/lifecycle/reset_password

Generates a one-time token (OTT) that can be used to reset a user's password. The OTT link can be automatically emailed to the user or returned to the API caller and distributed using a custom flow.

This operation will transition the user to the status of RECOVERY and the user will not be able to login or initiate a forgot password flow until they complete the reset flow.

Note: You can also use this API to convert a user with the Okta Credential Provider to use a Federated Provider. After this conversion, the user cannot directly sign in with password. The second example demonstrates this usage.

Request parameters
Parameter Description Param Type DataType Required Default
id id of user URL String TRUE
sendEmail Sends reset password email to the user if true Query Boolean FALSE TRUE

To ensure a successful password recovery lookup if an email address is associated with multiple users:

  • Okta no longer includes deactivated users in the lookup.
  • The lookup searches login IDs first, then primary email addresses, and then secondary email addresses.
Response parameters
  • Returns an empty object by default.
  • If sendEmail is false, returns a link for the user to reset their password.
Request example
Response example
Request example (Convert a User to a Federated User)

To convert a user to a federated user, pass FEDERATION as the provider in the Provider object. The sendEmail parameter must be false or omitted for this type of conversion.

Response example

Expire password

POST /api/v1/users/${userId}/lifecycle/expire_password

This operation transitions the user status to PASSWORD_EXPIRED so that the user is required to change their password at their next login. If tempPassword is included in the request, the user's password is reset to a temporary password that is returned, and then the temporary password is expired.

If you have integrated Okta with your on-premise Active Directory (AD), then setting a user's password as expired in Okta also expires the password in Active Directory. When the user tries to log in to Okta, delegated authentication finds the password-expired status in the Active Directory, and the user is presented with the password-expired page where he or she can change the password.

Request parameters
Parameter Description Param Type DataType Required Default
id id of user URL String TRUE
tempPassword Sets the user's password to a temporary password, if true Query Boolean FALSE FALSE
Response parameters
  • Returns the complete user object by default
  • If tempPassword is true, returns the temporary password
Request example
Response example

Reset Factors

POST /api/v1/users/${userId}/lifecycle/reset_factors

This operation resets all factors for the specified user. All MFA factor enrollments are returned to the unenrolled state. The user's status remains ACTIVE. This link is present only if the user is currently enrolled in one or more MFA factors.

Request parameters
Parameter Description Param Type DataType Required Default
id id of user URL String TRUE
Response parameters

Returns an empty object by default.

Request example
Response example

Clear current User sessions

Clears Okta sessions for the currently logged in user. By default, the current session remains active. Use this method in a browser-based application.

This operation requires a session cookie for the user. API token is not allowed for this operation.

POST /api/v1/users/me/lifecycle/delete_sessions

CORS

Request parameters
Parameter Description Param Type DataType Required Default
keepCurrent Skip deleting user's current session when set to true Body boolean FALSE true
Response

Returns an empty object.

Request example
Response example

If the sessions were successfully cleared, a 200 OK response will be returned.

If the current session is invalid, a 403 Forbidden response will be returned.

User sessions

Clear User sessions

DELETE /api/v1/users/${userId}/sessions

Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.

Note: This operation doesn't clear the sessions created for web sign in or native applications.

Request parameters

Parameter Description Param Type DataType Required Default
userId id of a user URL String TRUE
oauthTokens Revoke issued OpenID Connect and OAuth refresh and access tokens Query Boolean FALSE FALSE

Response parameters

Request example

Response example

Credential operations

Forgot password

POST /api/v1/users/${userId}/credentials/forgot_password

Generates a one-time token (OTT) that can be used to reset a user's password

The user will be required to validate their security question's answer when visiting the reset link. This operation can only be performed on users with an ACTIVE status and a valid recovery question credential.

Note: If you have migrated to Okta Identity Engine, you can allow users to recover passwords with any enrolled MFA authenticator. See Self-service account recovery.

Request parameters
Parameter Description Param Type DataType Required Default
id id of user URL String TRUE
sendEmail Sends a forgot password email to the user if true Query Boolean FALSE TRUE

To ensure a successful password recovery lookup if an email address is associated with multiple users:

  • Okta no longer includes deactivated users in the lookup.
  • The lookup searches login IDs first, then primary email addresses, and then secondary email addresses.
Response parameters
  • Returns an empty object by default
  • If sendEmail is false, returns a link for the user to reset their password.

This operation does not affect the status of the user.

Request example
Response example

POST /api/v1/users/${userId}/credentials/forgot_password

Sets a new password for a user by validating the user's answer to their current recovery question

This operation can only be performed on users with an ACTIVE status and a valid recovery question credential.

Important: This operation is intended for applications that need to implement their own forgot password flow. You are responsible for mitigation of all security risks such as phishing and replay attacks. The best practice is to generate a short-lived, one-time token (OTT) that is sent to a verified email account.

Request parameters
Parameter Description Param Type DataType Required
id id of user URL String TRUE
password New password for user Body Password object TRUE
recovery_question Answer to user's current recovery question Body Recovery Question object TRUE
Response parameters

Credentials of the user

This operation does not affect the status of the user.

Request example
Response example

Change password

POST /api/v1/users/${userId}/credentials/change_password

Changes a user's password by validating the user's current password

This operation can only be performed on users in STAGED, ACTIVE, PASSWORD_EXPIRED, or RECOVERY status that have a valid password credential

Request parameters
Parameter Description Param Type DataType Required
id id of user URL String TRUE
strict If true, validates against password minimum age policy Query String FALSE
oldPassword Current password for user Body Password object TRUE
newPassword New password for user Body Password object TRUE
Response parameters

Credentials of the user

The user transitions to ACTIVE status when successfully invoked in RECOVERY status.

Request example
Response example

Change recovery question

POST /api/v1/users/${userId}/credentials/change_recovery_question

Changes a user's recovery question & answer credential by validating the user's current password

This operation can only be performed on users in STAGED, ACTIVE or RECOVERY status that have a valid password credential

Request parameters
Parameter Description Param Type DataType Required
id id of user URL String TRUE
password Current password for user Body Password object TRUE
recovery_question New recovery question & answer for user Body Recovery Question object TRUE
Response parameters

Credentials of the user

This operation does not affect the status of the user.

Request example
Response example
Early Access

A consent represents a user's explicit permission to allow an application to access resources protected by scopes. Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they have already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted.

Hint: For all grant operations, you can use me instead of the userId in an endpoint that contains /users, in an active session with no SSWS token (API token). For example: https://${yourOktaDomain}/api/v1/users/me/grants returns all the grants for the active session user.

Note: Some browsers have begun blocking third-party cookies by default, disrupting Okta functionality in certain flows. For information see FAQ: How Blocking Third Party Cookies Can Potentially Impact Your Okta Environment.

List Grants

Early Access

GET /api/v1/users/${userId}/grants

Lists all grants for the specified user

Request parameters

Parameter Description Param Type DataType Required Default
userId ID of the user for whom you are fetching grants URL String TRUE
expand Valid value: scope. If specified, scope details are included in the _embedded attribute. Query String FALSE
scopeId The scope ID to filter on Query String FALSE
limit The number of grants to return (maximum 200) Query Number FALSE 20
after Specifies the pagination cursor for the next page of grants Query String FALSE

Note: after should be treated as a cursor (an opaque value) and obtained through the next link relation.

Request example

Response example

Get a Grant

Early Access

GET /api/v1/users/${userId}/grants/${grantId}

Gets a grant for the specified user

Request parameters

Parameter Description Param Type DataType Required
userId ID of the user to whom the grant belongs URL String TRUE
grantId ID of the grant being fetched Query String TRUE
expand Valid value: scope. If specified, scope details are included in the _embedded attribute. Query String FALSE

Request example

Response example

List Grants for a User-Client combination

Early Access

GET /api/v1/users/${userId}/clients/${clientId}/grants

Lists all grants for a specified user and client

Request parameters

Parameter Description Parameter Type DataType Required Default
userId ID of the user whose grants you are listing for the specified clientId URL String TRUE
clientId ID of the client whose grants you are listing for the specified userId URL String TRUE
expand Valid value: scope. If specified, scope details are included in the _embedded attribute. Query String FALSE
limit The number of tokens to return (maximum 200) Query Number FALSE 20
after Specifies the pagination cursor for the next page of tokens Query String FALSE

Request example

Response example

Revoke all Grants for a User

Early Access

DELETE /api/v1/users/${userId}/grants

Revokes all grants for a specified user

Request parameters

Parameter Description Parameter Type DataType Required
userId ID of the user whose grant is being revoked URL String TRUE

Request example

Response example

Revoke a Grant for a User

Early Access

DELETE /api/v1/users/${userId}/grants/${grantId}

Revokes one grant for a specified user

Request parameters

Parameter Description Parameter Type DataType Required
userId ID of the user whose grant is being revoked URL String TRUE
grantId ID of the grant being revoked URL String TRUE

Request example

Response example

Revoke Grants for User and Client

Early Access

DELETE /api/v1/users/${userId}/clients/${clientId}/grants

Revokes all grants for the specified user and client

Request parameters

Parameter Description Parameter Type DataType Required
userId ID of the user whose grants are being revoked for the specified client URL String TRUE
clientId ID of the client who was granted consent by the specified user URL String TRUE

Request example

Response example

User OAuth 2.0 Token management operations

  • List Refresh Tokens
  • Get Refresh Token
  • Revoke All Refresh Tokens
  • Revoke Refresh Token

These endpoints allow you to manage tokens issued by an Authorization Server for a particular User and Client. For example, you could revoke every active refresh token for a User in the context of a specific Client. You can also revoke specific tokens or manage tokens at the Authorization Server level.

Read Validate Access Tokens to understand more about how OAuth 2.0 tokens work.

Early Access

List Refresh Tokens

Early Access

GET /api/v1/users/${userId}/clients/${clientId}/tokens

Lists all refresh tokens issued for the specified User and Client.

Request parameters

Parameter Description Param Type DataType Required Default
userId ID of the user for whom you are fetching tokens URL String TRUE
clientId ID of the client URL String TRUE
expand Valid value: scope. If specified, scope details are included in the _embedded attribute. Query String FALSE
limit The number of tokens to return (maximum 200) Query Number FALSE 20
after Specifies the pagination cursor for the next page of tokens Query String FALSE

Note: after should be treated as a cursor (an opaque value) and obtained through the next link relation.

Request example

Response example

Get Refresh Token

Early Access

GET /api/v1/users/${userId}/clients/${clientId}/tokens/${tokenId}

Gets a refresh token issued for the specified User and Client.

Request parameters

Parameter Description Param Type DataType Required Default
userId ID of the user for whom you are fetching tokens URL String TRUE
clientId ID of the client URL String TRUE
tokenId ID of the token URL String TRUE
expand Valid value: scope. If specified, scope details are included in the _embedded attribute. Query String FALSE
limit The number of grants to return (maximum 200) Query Number FALSE 20
after Specifies the pagination cursor for the next page of grants Query String FALSE

Note: after should be treated as a cursor (an opaque value) and obtained through the next link relation.

Request example

Response example

Revoke All Refresh Tokens

Early Access

DELETE /api/v1/users/${userId}/clients/${clientId}/tokens

Revokes all refresh tokens issued for the specified User and Client. Any access tokens issued with these refresh tokens will also be revoked, but access tokens issued without a refresh token will not be affected.

Request parameters

Parameter Description Parameter Type DataType Required
userId ID of the user whose grants are being revoked for the specified client URL String TRUE
clientId ID of the client who was granted consent by the specified user URL String TRUE

Request example

Response example

Revoke Refresh Token

Early Access

DELETE /api/v1/users/${userId}/clients/${clientId}/tokens/${tokenId}

Revokes the specified refresh token. If an access token was issued with this refresh token, it will also be revoked.

Request parameters

Parameter Description Parameter Type DataType Required
userId ID of the user whose grants are being revoked for the specified client URL String TRUE
clientId ID of the client who was granted consent by the specified user URL String TRUE
tokenId ID of the token URL String TRUE

Request example

Response example

User Client resource operations

Early Access

List Client resources for a User

Early Access

GET /api/v1/users/${userId}/clients

Lists all client resources for which the specified user has grants or tokens.

Request parameters

Parameter Description Parameter Type DataType Required
userId ID of the user URL String TRUE

Request example

Response example

User object

Example

User properties

The User object defines several read-only properties:

Property Description DataType Nullable Unique Readonly
id unique key for user String FALSE TRUE TRUE
status current status of user STAGED, PROVISIONED, ACTIVE, RECOVERY, LOCKED_OUT, PASSWORD_EXPIRED, SUSPENDED, or DEPROVISIONED FALSE FALSE TRUE
created timestamp when user was created Date FALSE FALSE TRUE
activated timestamp when transition to ACTIVE status completed Date FALSE FALSE TRUE
statusChanged timestamp when status last changed Date TRUE FALSE TRUE
lastLogin timestamp of last login Date TRUE FALSE TRUE
lastUpdated timestamp when user was last updated Date FALSE FALSE TRUE
passwordChanged timestamp when password last changed Date TRUE FALSE TRUE
type user type that determines the schema for the user's profile Map (see below) FALSE FALSE TRUE
transitioningToStatus target status of an in-progress asynchronous status transition PROVISIONED, ACTIVE, or DEPROVISIONED TRUE FALSE TRUE
profile user profile properties Profile object FALSE FALSE FALSE
credentials user's primary authentication and recovery credentials Credentials object FALSE FALSE FALSE
_links link relations for the user's current status JSON HAL TRUE FALSE TRUE
_embedded embedded resources related to the user JSON HAL TRUE FALSE TRUE

Metadata properties such as id, status, timestamps, _links, and _embedded are only available after a user is created.

  • The activated timestamp will only be available for users activated after 06/30/2013.
  • The statusChanged and lastLogin timestamps will be missing for users created before 06/30/2013 and updated on next status change or login.

The type property is a map that identifies the User Type of the user (see User Types). Currently it contains a single element, id, as shown in the Example. It can be specified when creating a new User, and may be updated by an administrator on a full replace of an existing user (but not a partial update).

User status

The following diagram shows the state object for a user:

STAGED, PROVISIONED, ACTIVE, RECOVERY, LOCKED_OUT, PASSWORD_EXPIRED, or DEPROVISIONED

Understanding User status values

The status of a user changes in response to explicit events, such as admin-driven lifecycle changes, user login, or self-service password recovery. Okta doesn't asynchronously sweep through users and update their password expiry state, for example. Instead, Okta evaluates password policy at login time, notices the password has expired, and moves the user to the expired state. When running reports, remember that the data is valid as of the last login or lifecycle event for that user.

Profile object

Specifies standard and custom profile properties for a user.

Default Profile properties

The default user profile is based on the System for Cross-Domain Identity Management: Core Schema and has the following standard properties:

Property Description DataType Nullable Unique Readonly MinLength MaxLength Validation
login unique identifier for the user (username) String FALSE TRUE FALSE 5 100 pattern
email primary email address of user String FALSE TRUE FALSE 5 100 RFC 5322 Section 3.2.3
secondEmail secondary email address of user typically used for account recovery String TRUE TRUE FALSE 5 100 RFC 5322 Section 3.2.3
firstName given name of the user (givenName) String FALSE (default) FALSE FALSE 1 50
lastName family name of the user (familyName) String FALSE (default) FALSE FALSE 1 50
middleName middle name(s) of the user String TRUE FALSE FALSE
honorificPrefix honorific prefix(es) of the user, or title in most Western languages String TRUE FALSE FALSE
honorificSuffix honorific suffix(es) of the user String TRUE FALSE FALSE
title user's title, such as "Vice President" String TRUE FALSE FALSE
displayName name of the user, suitable for display to end users String TRUE FALSE FALSE
nickName casual way to address the user in real life String TRUE FALSE FALSE
profileUrl url of user's online profile (e.g. a web page) String TRUE FALSE FALSE URL
primaryPhone primary phone number of user such as home number String TRUE FALSE FALSE 0 100
mobilePhone mobile phone number of user String TRUE FALSE FALSE 0 100
streetAddress full street address component of user's address String TRUE FALSE FALSE
city city or locality component of user's address (locality) String TRUE FALSE FALSE
state state or region component of user's address (region) String TRUE FALSE FALSE
zipCode zipcode or postal code component of user's address (postalCode) String TRUE FALSE FALSE
countryCode country name component of user's address (country) String TRUE FALSE FALSE ISO 3166-1 alpha 2 "short" code format
postalAddress mailing address component of user's address String TRUE FALSE FALSE
preferredLanguage user's preferred written or spoken languages String TRUE FALSE FALSE RFC 7231 Section 5.3.5
locale user's default location for purposes of localizing items such as currency, date time format, numerical representations, etc. String TRUE FALSE FALSE See Note for more details.
timezone user's time zone String TRUE FALSE FALSE IANA Time Zone database format
userType used to describe the organization to user relationship such as "Employee" or "Contractor" String TRUE FALSE FALSE
employeeNumber organization or company assigned unique identifier for the user String TRUE FALSE FALSE
costCenter name of a cost center assigned to user String TRUE FALSE FALSE
organization name of user's organization String TRUE FALSE FALSE
division name of user's division String TRUE FALSE FALSE
department name of user's department String TRUE FALSE FALSE
managerId id of a user's manager String TRUE FALSE FALSE
manager displayName of the user's manager String TRUE FALSE FALSE

Note: A locale value is a concatenation of the ISO 639-1 two letter language code, an underscore, and the ISO 3166-1 two letter country code. For example, en_US specifies the language English and country US.

Okta login

Every user within your Okta organization must have a unique identifier for a login. This constraint applies to all users you import from other systems or applications such as Active Directory. Your organization is the top-level namespace to mix and match logins from all your connected applications or directories. Careful consideration of naming conventions for your login identifier will make it easier to onboard new applications in the future.

Logins are not considered unique if they differ only in case and/or diacritical marks. If one of your users has a login of Isaac.Brock@example.com, there cannot be another user whose login is isaac.brock@example.com, nor isáàc.bröck@example.com.

Okta has a default ambiguous name resolution policy for logins that include @-signs. (By default, logins must be formatted as email addresses and thus always include @-signs. That restriction can be removed using either the administrator UI or the Schemas API.) Users can login with their non-qualified short name (e.g. isaac.brock with login isaac.brock@example.com) as long as the short name is still unique within the organization.

Hint: Don't use a login with a / character. Although / is a valid character according to RFC 6531 section 3.3, a user with this character in their login can't be fetched by login due to security risks with escaping this character in URI paths. For more information about login, see Get User by ID.
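A pre-import audit for the login rules in this section, added here as an illustration and not taken from Okta's documentation or code: it flags logins that collide once case and diacritical marks are ignored, short names that are no longer unique, and logins containing /. The folding in fold_login is an assumed approximation of Okta's comparison (the page does not give the exact rule), and the sample logins are constructed.

```python
import unicodedata
from collections import defaultdict


def fold_login(login):
    """Approximate the uniqueness rule above: ignore case and diacritics.

    Assumption: NFKD decomposition, dropping combining marks, then casefold.
    Okta's exact comparison is not given on the page.
    """
    decomposed = unicodedata.normalize("NFKD", login)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()


def audit_logins(logins):
    """Report logins that would conflict with the rules described above."""
    by_folded = defaultdict(list)  # folded login -> original spellings
    by_short = defaultdict(set)    # part before '@' -> folded logins using it
    contains_slash = []

    for login in logins:
        folded = fold_login(login)
        by_folded[folded].append(login)
        by_short[folded.split("@", 1)[0]].add(folded)
        if "/" in login:
            contains_slash.append(login)

    return {
        # Spellings that count as the same login (case/diacritics only).
        "collisions": [group for group in by_folded.values() if len(group) > 1],
        # Short names shared by different logins: short-name sign-in is ambiguous.
        "ambiguous_short_names": sorted(
            short for short, full in by_short.items() if len(full) > 1
        ),
        # Logins that cannot be fetched by login because of the / character.
        "contains_slash": contains_slash,
    }


# Constructed sample: an import list merged from two directories.
SAMPLE_LOGINS = [
    "Isaac.Brock@example.com",
    "isaac.brock@example.com",
    "is\u00e1\u00e0c.br\u00f6ck@example.com",
    "isaac.brock@corp.example",
    "ops/admin@example.com",
    "laura.secord@example.com",
]

if __name__ == "__main__":
    for key, value in audit_logins(SAMPLE_LOGINS).items():
        print(key, value)
```

Running the audit before a bulk import shows which source records need renaming first, so the conflicts are resolved in the source data instead of surfacing one by one during user creation.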

Modifying default Profile properties

The only permitted customization of the default profile is to update permissions, to change whether the firstName and lastName properties are nullable, or to specify a pattern for login. You can use the Profile Editor in the administrator UI or the Schemas API to make schema modifications.

Custom Profile properties

User profiles may be extended with custom properties but the property must first be added to the user profile schema before it can be referenced. You can use the Profile Editor in the administrator UI or the Schemas API to manage schema extensions.

Custom attributes may contain HTML tags. It is the client's responsibility to escape or encode this data before displaying it. Use best-practices to prevent cross-site scripting.

Credentials object

Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the organization.

Property DataType Nullable Unique Readonly
password Password object TRUE FALSE FALSE
recovery_question Recovery Question object TRUE FALSE FALSE
provider Provider object FALSE FALSE TRUE

Password object

Specifies a password for a user

Property DataType Nullable Unique Readonly MinLength MaxLength Validation
value String TRUE FALSE FALSE Password Policy 72 Password Policy
hash Hashed Password object TRUE FALSE FALSE N/A N/A
hook Password Hook object TRUE FALSE FALSE N/A N/A

A password value is a write-only property. A password hash is a write-only property. A password hook is a write-only property.

When a user has a valid password, or imported hashed password, or password hook, and a response object contains a password credential, then the Password object is a bare object without the value property defined (for example, password: {}), to indicate that a password value exists.

Default Password Policy

The password specified in the value property must meet the default password policy requirements:

  • Must be a minimum of 8 characters
  • Must have a character from the following groups:
    • Upper case
    • Lower case
    • Digit
  • Must not contain the user's login or parts of the login when split on the following characters: , . _ # @
    • For example, a user with login isaac.brock@example.com will not be able to set password brockR0cks! as the password contains the login part brock.

Password policy requirements can be modified in the administrator UI (Security -> Policies)
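A client-side pre-check of the default policy listed above, added here as an illustration and not Okta's implementation. It assumes the login-part comparison is case-insensitive, that every non-empty part counts regardless of length, and that the 72 limit from the Password object table is counted in characters; Okta remains the authority and an organization's own policy may differ.

```python
import re

# Characters the policy says the login is split on: , . _ # @
LOGIN_SEPARATORS = re.compile(r"[,._#@]")
MIN_LENGTH = 8
MAX_LENGTH = 72  # MaxLength of the Password object's value property


def policy_violations(password, login):
    """Return the default-policy rules a candidate password breaks.

    An empty list means the password passes this local pre-check.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than 8 characters")
    if len(password) > MAX_LENGTH:
        violations.append("longer than 72 characters")
    if not any(ch.isupper() for ch in password):
        violations.append("no upper case character")
    if not any(ch.islower() for ch in password):
        violations.append("no lower case character")
    if not any(ch.isdigit() for ch in password):
        violations.append("no digit")

    # The whole login plus each part left after splitting on the separators.
    parts = [login] + [p for p in LOGIN_SEPARATORS.split(login) if p]
    lowered = password.lower()  # assumption: comparison ignores case
    for part in dict.fromkeys(parts):  # de-duplicate, keep order
        if part.lower() in lowered:
            violations.append(f"contains login part '{part}'")
    return violations


if __name__ == "__main__":
    login = "isaac.brock@example.com"  # login used in the page's own example
    for candidate in ("brockR0cks!", "short1A", "Tr0ub4dor&3x"):
        print(candidate, policy_violations(candidate, login))
```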

Hashed Password object

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from another store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, and MD5 hashing functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password the user must be in the STAGED status.

Note: Because the plain text password isn't specified when a hashed password is provided, password policy isn't applied.

Property Type Description
algorithm String The algorithm used to generate the hash using the password (and salt, when applicable). Must be set to BCRYPT, SHA-512, SHA-256, SHA-1 or MD5.
value String For SHA-512, SHA-256, SHA-1, MD5, this is the actual base64-encoded hash of the password (and salt, if used). This is the Base64 encoded value of the SHA-512/SHA-256/SHA-1/MD5 digest that was computed by either pre-fixing or post-fixing the salt to the password, depending on the saltOrder. If a salt was not used in the source system, then this should just be the Base64 encoded value of the password's SHA-512/SHA-256/SHA-1/MD5 digest. For BCRYPT, this is the actual radix64-encoded hashed password.
salt String Only required for salted hashes. For BCRYPT, this specifies the radix64-encoded salt used to generate the hash, which must be 22 characters long. For other salted hashes, this specifies the base64-encoded salt used to generate the hash.
workFactor Number Governs the strength of the hash and the time required to compute it. Only required for BCRYPT algorithm. Minimum value is 1, and maximum is 20.
saltOrder String Specifies whether salt was pre- or postfixed to the password before hashing. Only required for salted algorithms.
BCRYPT Hashed Password object example
SHA-512 Hashed Password object example
SHA-256 Hashed Password object example
SHA-1 Hashed Password object example
MD5 Hashed Password object example
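A migration helper for the SHA-512, SHA-256, SHA-1 and MD5 cases in the table above, added here as an illustration and not taken from Okta's documentation: it confirms the salt order against a test account whose password is known, then builds the Hashed Password object from a legacy hex digest and raw salt. The saltOrder literals PREFIX and POSTFIX are not shown on this page, UTF-8 password encoding in the source system is an assumption, and the sample record is constructed. BCRYPT is not covered.

```python
import base64
import hashlib
import hmac

# Digest functions for the non-BCRYPT algorithm names listed in the table above.
DIGESTS = {
    "SHA-512": hashlib.sha512,
    "SHA-256": hashlib.sha256,
    "SHA-1": hashlib.sha1,
    "MD5": hashlib.md5,
}
# saltOrder literals; not shown on this page.
SALT_ORDERS = ("PREFIX", "POSTFIX")


def _digest(algorithm, password, salt, salt_order):
    # Assumption: the source system hashed the UTF-8 bytes of the password.
    pw = password.encode("utf-8")
    data = salt + pw if salt_order == "PREFIX" else pw + salt
    return DIGESTS[algorithm](data).digest()


def detect_salt_order(algorithm, hex_digest, salt, known_password):
    """Return the saltOrder that reproduces a stored digest for a test account
    whose password is known, or None if neither (or both) orders match."""
    stored = bytes.fromhex(hex_digest)
    hits = [
        order for order in SALT_ORDERS
        if hmac.compare_digest(_digest(algorithm, known_password, salt, order), stored)
    ]
    return hits[0] if len(hits) == 1 else None


def hashed_password_object(algorithm, hex_digest, salt=b"", salt_order=None):
    """Build the Hashed Password object from a hex digest and raw salt bytes."""
    if algorithm not in DIGESTS:
        raise ValueError(f"unsupported algorithm for this helper: {algorithm}")
    raw = bytes.fromhex(hex_digest)
    if len(raw) != DIGESTS[algorithm]().digest_size:
        raise ValueError("digest length does not match the declared algorithm")
    obj = {"algorithm": algorithm, "value": base64.b64encode(raw).decode("ascii")}
    if salt:
        if salt_order not in SALT_ORDERS:
            raise ValueError("salted hashes need saltOrder PREFIX or POSTFIX")
        obj["salt"] = base64.b64encode(salt).decode("ascii")
        obj["saltOrder"] = salt_order
    return obj


# Constructed legacy record for a test account (not real data).
SAMPLE_SALT = b"MySalt"
SAMPLE_PASSWORD = "Winter-Canary-42"
SAMPLE_HEX = hashlib.sha256(SAMPLE_SALT + SAMPLE_PASSWORD.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    order = detect_salt_order("SHA-256", SAMPLE_HEX, SAMPLE_SALT, SAMPLE_PASSWORD)
    print({"hash": hashed_password_object("SHA-256", SAMPLE_HEX, SAMPLE_SALT, order)})
```

A wrong saltOrder or a hex string sent where base64 is expected produces an object that imports without error but never matches at sign-in, which is why the order is checked against a known password before the batch is sent.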
Password Hook object

Specifies that a Password Import Inline Hook should be triggered to handle verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from another store. See Create User with Password Hook for information on using this object when creating a user.

When updating a user with a password hook the user must be in the STAGED status.

Note: Because the plain text password isn't specified when a password hook is specified, password policy isn't applied.

Property DataType Description Required Min Value Max Value
type String The type of Password Inline Hook. Currently, must be set to default. TRUE N/A N/A
Password Hook object example

Recovery Question object

Specifies a secret question and answer that is validated (case insensitive) when a user forgets their password or unlocks their account. The answer property is write-only.

Property DataType Nullable Unique Readonly MinLength MaxLength
question String TRUE FALSE FALSE 1 100
answer String TRUE FALSE FALSE 1 100

Provider object

Specifies the authentication provider that validates the user's password credential. The user's current provider is managed by the Delegated Authentication settings for your organization. The provider object is read-only.

Property DataType Nullable Unique Readonly
type OKTA, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL or IMPORT FALSE FALSE TRUE
name String TRUE FALSE TRUE

ACTIVE_DIRECTORY or LDAP providers specify the directory instance name as the name property.

Users with a FEDERATION or SOCIAL authentication provider do not support a password or recovery_question credential and must authenticate via a trusted Identity Provider.

IMPORT specifies a hashed password that was imported from an external source.

Specifies link relations (see Web Linking) available for the current status of a user. The Links object is used for dynamic discovery of related resources, lifecycle operations, and credential operations. The Links object is read-only.

Individual Users vs. collection of Users

For an private User result, the Links object contains a full fix of link relations available for that User as adamant past your policies. For a collection of Users, the Links object contains merely the self link. Operations that return a drove of Users include List Users and Listing Grouping Members.

Hither are some links that may exist available on a User, as adamant by your policies:

| Link Relation Type | Description |
|--------------------|-------------|
| self | A self-referential link to this user |
| activate | Lifecycle action to activate the user |
| deactivate | Lifecycle action to deactivate the user |
| suspend | Lifecycle action to suspend the user |
| unsuspend | Lifecycle action to unsuspend the user |
| resetPassword | Lifecycle action to trigger a password reset |
| expirePassword | Lifecycle action to expire the user's password |
| resetFactors | Lifecycle action to reset all MFA factors |
| unlock | Lifecycle action to unlock a locked-out user |
| forgotPassword | Resets a user's password by validating the user's recovery credential |
| changePassword | Changes a user's password by validating the user's current password |
| changeRecoveryQuestion | Changes a user's recovery credential by validating the user's current password |
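
The following is an added example, not code from the Okta documentation: a Python check that reads the provider object and the Links object of a single User and flags states that contradict the rules above, such as a FEDERATION or SOCIAL user carrying password credentials. The sample JSON, its id and href values, and the function name `review_user` are constructed for illustration.

```python
import json

# Constructed sample shaped like a single-User response; every value is a placeholder.
SAMPLE_USER = json.loads("""
{
  "id": "00uEXAMPLE",
  "status": "ACTIVE",
  "credentials": {
    "recovery_question": {"question": "Constructed sample question?"},
    "provider": {"type": "FEDERATION", "name": "FEDERATION"}
  },
  "_links": {
    "self": {"href": "https://example.invalid/placeholder/self"},
    "suspend": {"href": "https://example.invalid/placeholder/suspend"},
    "changePassword": {"href": "https://example.invalid/placeholder/change"}
  }
}
""")

PROVIDER_TYPES = {"OKTA", "ACTIVE_DIRECTORY", "LDAP", "FEDERATION", "SOCIAL", "IMPORT"}
PASSWORD_LINKS = {"resetPassword", "expirePassword", "forgotPassword",
                  "changePassword", "changeRecoveryQuestion"}

def review_user(user):
    """Return (operations advertised in _links, findings) for one User object."""
    creds = user.get("credentials") or {}
    provider = creds.get("provider") or {}
    ptype, links = provider.get("type"), set(user.get("_links") or {})
    findings = []
    if ptype not in PROVIDER_TYPES:
        findings.append(f"unknown provider type: {ptype!r}")
    if ptype in {"ACTIVE_DIRECTORY", "LDAP"} and not provider.get("name"):
        findings.append("directory provider without an instance name")
    if ptype in {"FEDERATION", "SOCIAL"}:
        # These users authenticate at a trusted Identity Provider, so local
        # password material or password operations indicate an inconsistency.
        for key in ("password", "recovery_question"):
            if key in creds:
                findings.append(f"{ptype} user carries a {key} credential")
        for rel in sorted(links & PASSWORD_LINKS):
            findings.append(f"{ptype} user advertises {rel}")
    question = (creds.get("recovery_question") or {}).get("question")
    if question is not None and not 1 <= len(question) <= 100:
        findings.append("recovery question outside the 1-100 character range")
    if links == {"self"}:
        findings.append("only a self link: collection result, operations unknown")
    return sorted(links - {"self"}), findings
```

Run it against single-User results only: a User taken from a collection carries just the self link, so the absence of a lifecycle link there says nothing about what your policies allow.
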

Early Access

| Property | Description | Datatype |
|----------|-------------|----------|
| id | ID of this grant | String |
| status | Status of the grant. Valid values: ACTIVE, REVOKED or EXPIRED | String |
| created | Timestamp when the grant was created | Date |
| lastUpdated | Timestamp when the grant was last updated | Date |
| issuer | The complete URL of the authorization server for this grant | String |
| clientId | ID of the client for this grant | String |
| userId | ID of the user who consented to this grant | String |
| scopeId | ID of the scope to which this grant applies | String |
| _links | Discoverable resources related to the grant | JSON HAL |
| _embedded | If expand=scope is included in the request, information about the scope specified by scopeId is included in the response. | JSON HAL |

Client Grant object

Early Access

Client Grant properties

| Property | Description | Datatype | Unique |
|----------|-------------|----------|--------|
| client_id | The client ID of the OAuth 2.0 client | String | TRUE |
| client_name | The name of the OAuth 2.0 client | String | TRUE |
| client_uri | The URI of the OAuth 2.0 client | String | FALSE |
| logo_uri | The logo URI of the OAuth 2.0 client | String | FALSE |
| _links | Discoverable resources related to the grant | JSON HAL | FALSE |


Source: https://developer.okta.com/docs/reference/api/users/

Posted by: mcknightmothough.blogspot.com
