Users API
The Okta User API provides operations to manage users in your organization.
Getting started
Explore the Users API.
User operations
Create User
POST /api/v1/users
Creates a new user in your Okta organization with or without credentials
- Create User without Credentials
- Create User with Recovery Question
- Create User with Password
- Create User with Imported Hashed Password
- Create User with Password Import Inline Hook
- Create User with Password & Recovery Question
- Create User with Authentication Provider
- Create User in Group
- Create User with Non-Default User Type
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
activate | Executes activation lifecycle operation when creating the user | Query | Boolean | FALSE | TRUE |
provider | Indicates whether to create a user with a specified authentication provider | Query | Boolean | FALSE | FALSE |
profile | Profile properties for user | Body | Profile object | TRUE | |
credentials | Credentials for user | Body | Credentials object | FALSE | |
groupIds | Ids of groups that the user will be added to at time of creation | Body | Array of Group Ids | FALSE | |
nextLogin | With activate=true, if nextLogin=changePassword, a user is created, activated, and the password is set to EXPIRED, so the user must change it the next time they log in. | Query | String | FALSE | FALSE |
Response parameters
All responses return the created User. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all applications via direct or indirect relationships (group memberships).
- The user's transitioningToStatus property is ACTIVE during activation to indicate that the user hasn't completed the asynchronous operation.
- The user's status is ACTIVE when the activation process is complete.
The user is emailed a one-time activation token if activated without a password.
Note: If the user is assigned to an application that is configured for provisioning, the activation process triggers downstream provisioning to the application. It is possible for a user to log in before these applications have been successfully provisioned for the user.
Security Q & A | Password | Activate Query Parameter | User Status | Login Credential | Welcome Screen |
---|---|---|---|---|---|
 | | FALSE | STAGED | | |
 | | TRUE | PROVISIONED | One-Time Token (Email) | X |
X | | FALSE | STAGED | | |
X | | TRUE | PROVISIONED | One-Time Token (Email) | X |
 | X | FALSE | STAGED | | |
 | X | TRUE | ACTIVE | Password | X |
X | X | FALSE | STAGED | | |
X | X | TRUE | ACTIVE | Password | |
Creating users with a FEDERATION or SOCIAL provider sets the user status to either ACTIVE or STAGED based on the activate query parameter, since these two providers don't support a password or recovery_question credential.
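The request shape and the status rules above, as an added example in Python (not Okta's code and not the page's own request examples). ORG_URL and API_TOKEN are placeholders; the SSWS Authorization scheme is Okta's API-token header convention; the shape of the credentials objects (password.value, recovery_question, provider) is an assumption about the request body; the outcome predictor implements the table and the FEDERATION/SOCIAL note.

```python
"""Build a Create User request and predict the resulting user status."""

ORG_URL = "https://example.okta.com"        # placeholder org (assumption)
API_TOKEN = "<api-token-placeholder>"       # placeholder; keep real tokens out of code


def build_create_user_request(profile, password=None, recovery_question=None,
                              provider_type=None, activate=True,
                              next_login=None, group_ids=None):
    """Return (method, url, headers, body) for POST /api/v1/users.

    body is a dict; json.dumps(body) is what goes on the wire.
    """
    query = [("activate", "true" if activate else "false")]
    if provider_type is not None:
        query.append(("provider", "true"))
    if next_login is not None:
        query.append(("nextLogin", next_login))      # e.g. changePassword
    if group_ids and len(group_ids) > 20:
        raise ValueError("at most 20 group ids may be given at creation time")

    body = {"profile": dict(profile)}
    credentials = {}
    if password is not None:
        credentials["password"] = {"value": password}            # assumed shape
    if recovery_question is not None:
        credentials["recovery_question"] = dict(recovery_question)
    if provider_type is not None:
        # Assumed shape of the provider credential object (FEDERATION / SOCIAL).
        credentials["provider"] = {"type": provider_type, "name": provider_type}
    if credentials:
        body["credentials"] = credentials
    if group_ids:
        body["groupIds"] = list(group_ids)

    url = ORG_URL + "/api/v1/users?" + "&".join(f"{k}={v}" for k, v in query)
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": "SSWS " + API_TOKEN,
    }
    return "POST", url, headers, body


def expected_outcome(has_password, has_recovery_question, activate,
                     provider_type=None):
    """Predict status, login credential and welcome-screen flag from the table."""
    if provider_type in ("FEDERATION", "SOCIAL"):
        # These providers carry no password or recovery_question credential.
        return {"status": "ACTIVE" if activate else "STAGED",
                "login_credential": None, "welcome_screen": False}
    if not activate:
        return {"status": "STAGED", "login_credential": None, "welcome_screen": False}
    if has_password:
        # A password makes the user ACTIVE at once; the welcome screen is shown
        # only when no recovery question has been set yet.
        return {"status": "ACTIVE", "login_credential": "Password",
                "welcome_screen": not has_recovery_question}
    # No password: PROVISIONED until the one-time token flow completes.
    return {"status": "PROVISIONED", "login_credential": "One-Time Token (Email)",
            "welcome_screen": True}
```

Passing activate=False keeps the user STAGED regardless of credentials, which is the safe default for bulk imports where activation is scheduled separately.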
Create User without credentials
Creates a user without a password or recovery question & answer
When the user is activated, an email is sent to the user with an activation token that can be used to complete the activation process. This is the default flow for new user registration using the administrator UI.
Request example
Response example
Create User with recovery question
Creates a user without a password
When the user is activated, an email is sent to the user with an activation token that can be used to complete the activation process. This flow is useful if migrating users from an existing user store.
Request example
Response example
Create User with password
Creates a user without a recovery question & answer
The new user is able to sign in after activation with the assigned password. This flow is common when developing a custom user registration experience.
Important: Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.
Request example
Response example
Create User with imported hashed password
Creates a user with a specified hashed password.
The new user is able to sign in after activation with the specified password. This flow is common when migrating users from another data store in cases where we want to allow the users to retain their current passwords.
Important: Do not generate or send a one-time activation token when activating users with an imported password. Users should log in with their imported password.
Request example
Response example
Create User with Password Import Inline Hook
Creates a user with a Password Hook object specifying that a Password Inline Hook should be used to handle password verification.
The Password Inline Hook is triggered to handle verification of the end user's password the first time the user tries to sign in, with Okta calling the Password Inline Hook to check that the password the user supplied is valid. If the password is valid, Okta stores the hash of the password that was provided and can authenticate the user independently from then on. See Password Import Inline Hook for more details.
The new user is able to sign in after activation with the valid password. This flow supports migrating users from another data store in cases where we wish to allow the users to retain their current passwords.
Important: Do not generate or send a one-time activation token when activating users with a Password Inline Hook. Users should sign in with their existing password to be imported using the Password Import Inline Hook.
Request example
Response example
Create User with Password & Recovery Question
Creates a new user with a password and recovery question & answer
The new user is able to log in with the assigned password after activation. This flow is common when developing a custom user-registration experience.
Important: Don't generate or send a one-time activation token when activating users with an assigned password. Users should log in with their assigned password.
Request example
Response example
Create User with Authentication Provider
Creates a new passwordless user with a SOCIAL or FEDERATION authentication provider that must be authenticated via a trusted Identity Provider
Request example
Response example
Create User in Group
Creates a user that is added to the specified groups upon creation
Use this in conjunction with other create operations for a Group Administrator that is scoped to create users only in specified groups. The request may specify up to 20 group ids. (This limit applies only when creating a user. The user may later be added to more groups.)
Request example
Response example
Create User with non-default User Type
Creates a user with a specified User Type (see User Types). The type specification may be included with any of the above Create User operations; this example demonstrates creating a user without credentials.
The User Type determines which Schema applies to that user. After a user has been created, the user can be assigned a different User Type only by an administrator via a full replacement PUT operation.
Request example
Response example
Get User
GET /api/v1/users/${userId}
CORS
Fetches a user from your Okta organization
- Get Current User
- Get User with ID
- Get User with Login
- Get User with Login Shortname
Content-Type header fields
This endpoint supports an optional okta-response value for the Content-Type header, which can be used for performance optimization. Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck.
The okta-response header value takes a comma-separated list of omit options (optionally surrounded in quotes), each specifying a part of the response to omit.
okta-response value | Description |
---|---|
omitCredentials | Omits the credentials subobject from the response |
omitCredentialsLinks | Omits the following HAL links from the response: Change Password, Change Recovery Question, Forgot Password, Reset Password, Reset Factors, Unlock |
omitTransitioningToStatus | Omits the transitioningToStatus field from the response |
The performance optimization will only be applied when all three parameters are passed. Unrecognized parameters are ignored.
Content-Type header examples
Header: Content-Type: application/json; okta-response=omitCredentials,omitCredentialsLinks
Result: Omits the credentials subobject and credentials links from the response. Does not apply performance optimization.
Header: Content-Type: application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus"
Result: Omits the credentials, credentials links, and transitioningToStatus field from the response. Applies performance optimization.
Request parameters
Fetch a user by id, login, or login shortname if the short name is unambiguous.
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
id | id, login, or login shortname (as long as it is unambiguous) | URL | String | TRUE |
When fetching a user by login or login shortname, you should URL encode the request parameter to ensure special characters are escaped properly. Logins with a / or ? character can only be fetched by id due to URL issues with escaping the / and ? characters.
Hint: you can substitute me for the id to fetch the current user linked to an API token or session cookie.
Note: Some browsers have begun blocking third-party cookies by default, disrupting Okta functionality in certain flows. For information see FAQ: How Blocking Third Party Cookies Can Potentially Impact Your Okta Environment.
Response parameters
Fetched User
An invalid id returns a 404 Not Found status code.
Get current User
Fetches the current user linked to an API token or session cookie
Request example
Response example
Get User with ID
Fetches a specific user when you know the user's id
Hint: If you don't know the user id, list the users to find the correct ID.
Request example
Response example
Get User with login
Fetches a specific user when you know the user's login
When fetching a user by login, URL encode the request parameter to ensure special characters are escaped properly. Logins with a / character can only be fetched by id due to URL issues with escaping the / character.
Request example
Response example
Get User with Login Shortname
Fetches a specific user when you know the user's login shortname and the shortname is unique within the system
When fetching a user by login shortname, URL encode the request parameter to ensure special characters are escaped properly. Logins with a / character can only be fetched by id due to URL issues with escaping the / character.
Request example
Response example
List Users
GET /api/v1/users
Lists users in your organization with pagination in most cases
A subset of users can be returned that match a supported filter expression or search criteria.
Content-Type header fields
This endpoint supports an optional okta-response value for the Content-Type header, which can be used for performance optimization. Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck.
The okta-response header value takes a comma-separated list of omit options (optionally surrounded in quotes), each specifying a part of the response to omit.
okta-response value | Description |
---|---|
omitCredentials | Omits the credentials subobject from the response |
omitCredentialsLinks | Omits the following HAL links from the response: Change Password, Change Recovery Question, Forgot Password, Reset Password, Reset Factors, Unlock |
omitTransitioningToStatus | Omits the transitioningToStatus field from the response |
The performance optimization will only be applied when all three parameters are passed. Unrecognized parameters are ignored.
Content-Type header examples
Header: Content-Type: application/json; okta-response=omitCredentials,omitCredentialsLinks
Result: Omits the credentials subobject and credentials links from the response. Does not apply performance optimization.
Header: Content-Type: application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus"
Result: Omits the credentials, credentials links, and transitioningToStatus field from the response. Applies performance optimization.
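The okta-response handling described in both "Content-Type header fields" sections above (Get User and List Users), as an added example in Python (not Okta's code): building the header value, parsing it the way the text describes (quoted or unquoted list, unknown options ignored, optimization only when all three are present), and applying the omissions to a constructed sample response. The HAL link relation names in the sample (changePassword, resetPassword, ...) are assumed camelCase forms of the links named in the table.

```python
"""Build, parse and apply the okta-response option of the Content-Type header."""
import re

OMIT_OPTIONS = ("omitCredentials", "omitCredentialsLinks", "omitTransitioningToStatus")
# Assumed relation names for the credential links listed in the table above.
CREDENTIAL_LINKS = ("changePassword", "changeRecoveryQuestion", "forgotPassword",
                    "resetPassword", "resetFactors", "unlock")


def build_content_type(*omits):
    """Content-Type value carrying the requested omit options, in the quoted form."""
    unknown = [o for o in omits if o not in OMIT_OPTIONS]
    if unknown:
        raise ValueError(f"unknown okta-response options: {unknown}")
    return 'application/json; okta-response="%s"' % ",".join(omits)


def parse_okta_response(content_type):
    """Set of recognised omit options in the header; unrecognised ones are ignored."""
    m = re.search(r'okta-response\s*=\s*"?([^";]*)"?', content_type or "")
    if not m:
        return set()
    tokens = {t.strip() for t in m.group(1).split(",") if t.strip()}
    return {t for t in tokens if t in OMIT_OPTIONS}


def optimization_applies(omits):
    """The performance optimization needs all three options."""
    return set(OMIT_OPTIONS) <= set(omits)


def apply_omissions(user, omits):
    """Return a shallow copy of a user response with the omitted parts removed."""
    out = dict(user)
    if "omitCredentials" in omits:
        out.pop("credentials", None)
    if "omitTransitioningToStatus" in omits:
        out.pop("transitioningToStatus", None)
    if "omitCredentialsLinks" in omits and "_links" in out:
        out["_links"] = {rel: link for rel, link in out["_links"].items()
                         if rel not in CREDENTIAL_LINKS}
    return out


# Constructed sample response; ids and hrefs are placeholders.
SAMPLE_USER = {
    "id": "00u-placeholder", "status": "ACTIVE", "transitioningToStatus": None,
    "credentials": {"password": {}, "provider": {"type": "OKTA", "name": "OKTA"}},
    "_links": {
        "self": {"href": "https://example.okta.com/api/v1/users/00u-placeholder"},
        "changePassword": {"href": "<placeholder>"},
        "resetPassword": {"href": "<placeholder>"},
        "deactivate": {"href": "<placeholder>"},
    },
}
```

A client that only needs status and profile can send the full three-option header and get the cheaper server path; a client that sends two of the three still gets the smaller body but not the optimization, which is easy to miss when tuning.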
Request parameters
The first three parameters in the table below correspond to different types of lists:
- List All Users (no parameters)
- Find Users (q)
- List Users with a Filter (filter)
- List Users with Search (search)
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
q | Finds a user that matches firstName, lastName, and email properties | Query | String | FALSE |
filter | Filters users with a supported expression for a subset of properties | Query | String | FALSE |
search | Searches for users with a supported filtering expression for most properties | Query | String | FALSE |
limit | Specifies the number of results returned (maximum 200) | Query | Number | FALSE |
after | Specifies the pagination cursor for the next page of users | Query | String | FALSE |
sortBy | Specifies field to sort by (for search queries only) | Search query | String | FALSE |
sortOrder | Specifies sort order asc or desc (for search queries only) | Search query | String | FALSE |
- If you don't specify a value for limit, the maximum (200) is used as a default. If you are using a q parameter, the default limit is 10.
- An HTTP 500 status code usually indicates that you have exceeded the request timeout. Retry your request with a smaller limit and paginate the results.
- Treat the after cursor as an opaque value and obtain it through the next link relation. See Pagination.
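The list request and the cursor rules above, as an added example in Python (not Okta's code and not the page's own request examples): the limit defaults (200, or 10 with q), the "after" cursor treated as opaque and read from the rel="next" link relation, and a loop that walks every page. It assumes the next page is advertised in an HTTP Link header of the form <url>; rel="next"; the transport and the user records are constructed stand-ins.

```python
"""List users page by page using the opaque "after" cursor from the next link."""
import re
from urllib.parse import quote, urlsplit, parse_qs

MAX_LIMIT = 200
LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')


def build_list_users_query(q=None, filter_expr=None, search=None, limit=None, after=None):
    """Query string for GET /api/v1/users; at most one of q / filter / search."""
    if sum(x is not None for x in (q, filter_expr, search)) > 1:
        raise ValueError("use only one of q, filter, search")
    if limit is None:
        limit = 10 if q is not None else MAX_LIMIT     # defaults stated in the text
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    params = []
    if q is not None:
        params.append(("q", q))
    if filter_expr is not None:
        params.append(("filter", filter_expr))
    if search is not None:
        params.append(("search", search))
    params.append(("limit", str(limit)))
    if after is not None:
        params.append(("after", after))                # opaque: passed through untouched
    # quote() encodes spaces as %20 (not '+'); ':' is kept, as in the documented examples
    return "&".join(f"{k}={quote(v, safe=':')}" for k, v in params)


def next_cursor(link_header):
    """The after= value from the rel="next" link, or None on the last page."""
    for url, rel in LINK_RE.findall(link_header or ""):
        if rel == "next":
            return parse_qs(urlsplit(url).query).get("after", [None])[0]
    return None


def list_all_users(transport, **query):
    """Follow next links until exhausted; transport(query_string) -> (users, link_header)."""
    users, after = [], None
    while True:
        page, link = transport(build_list_users_query(after=after, **query))
        users.extend(page)
        after = next_cursor(link)
        if after is None:
            return users


# Constructed stand-in for the API: five users, served `limit` at a time.
# Its cursor is a plain offset, which the client never inspects.
_USERS = [{"id": f"00u-placeholder-{i}", "status": "ACTIVE"} for i in range(5)]


def fake_transport(query_string):
    params = parse_qs(query_string)
    limit = int(params["limit"][0])
    start = int(params.get("after", ["0"])[0])
    page = _USERS[start:start + limit]
    link = '<https://example.okta.com/api/v1/users?limit=%d>; rel="self"' % limit
    if start + limit < len(_USERS):
        link += (', <https://example.okta.com/api/v1/users?after=%d&limit=%d>; rel="next"'
                 % (start + limit, limit))
    return page, link
```

When a page returns HTTP 500, the text's advice translates to retrying the same call with a smaller limit and continuing from the last cursor you already hold, rather than restarting from the first page.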
Response parameters
Array of User
Known Limitation
Due to an infrastructure limitation, group administrators, help desk administrators, and custom administrators who are only scoped to view and manage users of their assigned groups may experience timeouts for the list users endpoints.
List all Users
Returns a list of all users that do not have a status of DEPROVISIONED, up to the maximum (200 for most orgs)
Different results are returned depending on specified queries in the request.
Request example
Response example
Find Users
Finds users who match the specified query
Use the q parameter for a simple lookup of users by name, for example when creating a people picker. The value of q is matched against firstName, lastName, or email.
This operation:
- Doesn't support pagination.
- Queries the most up-to-date data. For example, if you create a user or change an attribute and then issue a filter request, the change is reflected in the results.
- Performs a startsWith match, but this is an implementation detail and may change without notice. You don't need to specify firstName, lastName, or email.
Request example
Response example
Note: This omits users that have a status of DEPROVISIONED. To return all users, use a filter query instead.
List Users with a filter
Lists all users that match the filter criteria
This operation:
- Filters against the most up-to-date data. For example, if you create a user or change an attribute and then issue a filter request, the changes are reflected in your results.
- Requires URL encoding. For example, filter=lastUpdated gt "2013-06-01T00:00:00.000Z" is encoded as filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22.
- Supports only a limited number of properties: status, lastUpdated, id, profile.login, profile.email, profile.firstName, and profile.lastName.
Filter | Description |
---|---|
status eq "STAGED" | Users that have a status of STAGED |
status eq "PROVISIONED" | Users that have a status of PROVISIONED |
status eq "ACTIVE" | Users that have a status of ACTIVE |
status eq "RECOVERY" | Users that have a status of RECOVERY |
status eq "PASSWORD_EXPIRED" | Users that have a status of PASSWORD_EXPIRED |
status eq "LOCKED_OUT" | Users that have a status of LOCKED_OUT |
status eq "DEPROVISIONED" | Users that have a status of DEPROVISIONED |
lastUpdated lt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" | Users last updated before a specific timestamp |
lastUpdated eq "yyyy-MM-dd'T'HH:mm:ss.SSSZ" | Users last updated at a specific timestamp |
lastUpdated gt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" | Users last updated after a specific timestamp |
id eq "00u1ero7vZFVEIYLWPBN" | Users with a specified id |
profile.login eq "login@example.com" | Users with a specified login |
profile.email eq "email@example.com" | Users with a specified email * |
profile.firstName eq "John" | Users with a specified firstName * |
profile.lastName eq "Smith" | Users with a specified lastName * |
Hint: If filtering by lastName or firstName, it may be easier to use q instead of filter.
See Filtering for more information on the expressions that are used in filtering.
Filter examples
List users with status of LOCKED_OUT
List users updated after 06/01/2013 but before 01/01/2014
List users updated after 06/01/2013 but before 01/01/2014 with a status of ACTIVE
List users updated after 06/01/2013 but with a status of LOCKED_OUT or RECOVERY
Request example: status
Response example
Request example: timestamp
Lists all users that have been updated since a specific timestamp
Use this operation when implementing a background synchronization job and you want to poll for changes.
Response example
List Users with search
Searches for users based on the properties specified in the search parameter
Note: List users with search should not be used as a part of any critical flows, such as authentication, to prevent potential data loss. Search results may not reflect the latest information, as this endpoint uses a search index which may not be up-to-date with recent updates to the object.
Property names in the search parameter are case sensitive, whereas operators (eq, sw, etc.) and string values are case insensitive. Unlike in user logins, diacritical marks are significant in search string values: a search for isaac.brock will find Isaac.Brock but will not find a property whose value is isáàc.bröck.
This operation:
- Supports pagination.
- Requires URL encoding. For example, search=profile.department eq "Engineering" is encoded as search=profile.department%20eq%20%22Engineering%22. Use an ID lookup for records that you update to ensure your results contain the latest information.
  Note: If you use the special character " within a quoted string, it must also be escaped with \ and encoded. For example, search=profile.lastName eq "bob\"smith" is encoded as search=profile.lastName%20eq%20%22bob%5C%22smith%22.
- Searches many properties:
  - Any user profile property, including custom-defined properties
  - The top-level properties id, status, created, activated, statusChanged and lastUpdated
  - The User Type accessed as type.id
- Accepts sortBy and sortOrder parameters.
  - sortBy can be any single property, for example sortBy=profile.lastName
  - sortOrder is optional and defaults to ascending
  - sortOrder is ignored if sortBy is not present
  - Users with the same value for the sortBy property will be ordered by id
Search Term Example | Description |
---|---|
status eq "STAGED" | Users that have a status of STAGED |
lastUpdated gt "yyyy-MM-dd'T'HH:mm:ss.SSSZ" | Users last updated after a specific timestamp |
id eq "00u1ero7vZFVEIYLWPBN" | Users with a specified id |
type.id eq "otyfnjfba4ye7pgjB0g4" | Users with a specified User Type ID |
profile.department eq "Engineering" | Users that have a department of Engineering |
profile.occupation eq "Leader" | Users that have an occupation of Leader |
profile.lastName sw "Sm" | Users whose lastName starts with Sm |
Search examples
List users with an occupation of Leader
List users in the department of Engineering who were created before 01/01/2014 or have a status of ACTIVE.
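The filter and search expressions from "List Users with a filter" and "List Users with search" above, as one added example in Python (not Okta's code and not the page's own request examples): quoting with the backslash escape for an embedded double quote, percent-encoding that reproduces the documented encodings, the restricted property set for filter, and the sortBy/sortOrder rules. It assumes the "and", "or" and parenthesised grouping operators come from the Filtering reference the text points to, and that timestamps are supplied already formatted as yyyy-MM-dd'T'HH:mm:ss.SSSZ.

```python
"""Compose filter and search expressions for GET /api/v1/users and URL-encode them."""
from urllib.parse import quote

FILTER_PROPERTIES = ("status", "lastUpdated", "id", "profile.login", "profile.email",
                     "profile.firstName", "profile.lastName")
SEARCH_TOP_LEVEL = ("id", "status", "created", "activated", "statusChanged", "lastUpdated")
OPERATORS = ("eq", "lt", "gt", "sw")        # the operators used in the tables above


def literal(value):
    """Quote a string value, escaping any embedded double quote as backslash-quote."""
    return '"' + str(value).replace('"', '\\"') + '"'


def filter_supports(prop):
    return prop in FILTER_PROPERTIES


def search_supports(prop):
    return prop in SEARCH_TOP_LEVEL or prop == "type.id" or prop.startswith("profile.")


def filter_compare(prop, op, value):
    if not filter_supports(prop):
        raise ValueError(f"{prop} cannot be used with filter; use search instead")
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op}")
    return f"{prop} {op} {literal(value)}"


def search_compare(prop, op, value):
    if not search_supports(prop):
        raise ValueError(f"{prop} is not searchable")
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op}")
    return f"{prop} {op} {literal(value)}"


def all_of(*exprs):
    return " and ".join(exprs)


def any_of(*exprs):
    # Parenthesised so the disjunction nests correctly under an "and".
    return "(" + " or ".join(exprs) + ")"


def encode(param, expr):
    """param=<expr> with spaces as %20 and quotes as %22; ':' inside timestamps stays."""
    return f"{param}={quote(expr, safe=':')}"


def search_query(expr, sort_by=None, sort_order=None):
    """search= fragment plus sort parameters; sortOrder without sortBy is dropped."""
    parts = [encode("search", expr)]
    if sort_by:
        parts.append(f"sortBy={quote(sort_by, safe='')}")
        if sort_order:
            if sort_order not in ("asc", "desc"):
                raise ValueError("sortOrder must be asc or desc")
            parts.append(f"sortOrder={sort_order}")
    return "&".join(parts)


def filter_examples():
    """The four filter examples listed above, as expressions."""
    after = filter_compare("lastUpdated", "gt", "2013-06-01T00:00:00.000Z")
    before = filter_compare("lastUpdated", "lt", "2014-01-01T00:00:00.000Z")

    def status(s):
        return filter_compare("status", "eq", s)

    return {
        "locked_out": status("LOCKED_OUT"),
        "window": all_of(after, before),
        "window_active": all_of(after, before, status("ACTIVE")),
        "after_locked_or_recovery": all_of(after, any_of(status("LOCKED_OUT"),
                                                          status("RECOVERY"))),
    }


def search_example():
    """Engineering department, created before 2014 or currently ACTIVE."""
    return all_of(search_compare("profile.department", "eq", "Engineering"),
                  any_of(search_compare("created", "lt", "2014-01-01T00:00:00.000Z"),
                         search_compare("status", "eq", "ACTIVE")))
```

Because search reads from an index that may lag, a synchronization job should use the filter form (which queries current data) for change polling, and confirm any record it is about to act on with an id lookup.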
Request example
Response example
Searching arrays
You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. For examples, see Request example for array and Response example for array.
- We follow the SCIM Protocol Specification for searching arrays.
- Search for one value at a time when searching arrays. For example, you can't search for users where a string is equal to an attribute in two different arrays.
Request example for array
The following example is for a custom attribute on User, an array of strings named arrayAttr that contains values ["arrayAttrVal1", "arrayAttrVal2"...].
Response example for array
Update User
Note: Use the POST method to make a partial update and the PUT method to delete unspecified properties.
PUT /api/v1/users/${userId}
Updates a user's profile and/or credentials using strict-update semantics
All profile properties must be specified when updating a user's profile with a PUT method. Any property not specified in the request is deleted.
Important: Don't use the PUT method for partial updates.
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
userId | ID of user to update | URL | String | TRUE |
strict | If true, validates against minimum age and history password policy | Query | String | FALSE |
profile | Updated profile for user | Body | Profile object | FALSE |
credentials | Update credentials for user | Body | Credentials object | FALSE |
profile and credentials can be updated independently or together with a single request.
Note: Currently, the User Type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the User object, the value must match the existing type of the user. Only administrators are permitted to change the user type of a user; end users are not allowed to change their own user type.
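The difference between strict (PUT) and partial (POST) updates, as an added example in Python (not Okta's code): a model of what the server does to a stored record under each method, including the User Type rules from the Note above. The stored record is constructed; the rejection HTTP statuses (403 for a non-administrator changing the type, 400 for a mismatched type in a partial update) are assumptions, since the text names the rules but not the response codes.

```python
"""Strict (PUT) versus partial (POST) update semantics for a user's profile and type."""
import copy


class UpdateError(Exception):
    def __init__(self, http_status, message):
        super().__init__(message)
        self.http_status = http_status


def update_user_put(stored, body, actor_is_admin):
    """Strict update: the profile is replaced, so unspecified properties are deleted."""
    user = copy.deepcopy(stored)
    if "type" in body and body["type"].get("id") != stored["type"]["id"]:
        if not actor_is_admin:          # only administrators may change the type
            raise UpdateError(403, "only administrators may change the user type")
        user["type"] = dict(body["type"])
    if "profile" in body:
        user["profile"] = dict(body["profile"])          # full replacement
    if "credentials" in body:
        user["credentials"] = dict(body["credentials"])
    return user


def update_user_post(stored, body, actor_is_admin):
    """Partial update: only the supplied properties change; type must match."""
    user = copy.deepcopy(stored)
    if "type" in body and body["type"].get("id") != stored["type"]["id"]:
        raise UpdateError(400, "type in a partial update must match the existing user type")
    if "profile" in body:
        user["profile"].update(body["profile"])          # merge
    if "credentials" in body:
        user.setdefault("credentials", {}).update(body["credentials"])
    return user


def attempt(fn, stored, body, actor_is_admin):
    """Run an update; (user, None) on success or (None, http_status) on rejection."""
    try:
        return fn(stored, body, actor_is_admin), None
    except UpdateError as e:
        return None, e.http_status


def missing_after_update(before, after):
    """Profile properties present before the update but gone afterwards."""
    return sorted(set(before["profile"]) - set(after["profile"]))


STORED = {  # constructed record; ids are placeholders
    "id": "00u-placeholder",
    "status": "ACTIVE",
    "type": {"id": "oty-placeholder"},
    "profile": {"login": "isaac.brock@example.com", "email": "isaac.brock@example.com",
                "firstName": "Isaac", "lastName": "Brock", "mobilePhone": "555-0100"},
    "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}},
}
```

missing_after_update is the check worth running in a pre-production dry run before switching an integration from POST to PUT: any property it reports is one the PUT would silently wipe.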
Response parameters
Updated User
Update current User's Profile
POST /api/v1/users/me
CORS
Updates current user's profile with partial update semantics
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
profile | Updated profile for user | Body | Profile object | FALSE |
End users can only update profile with this request. To update credentials, use Update Profile with ID.
Note: An end user can only update prof﻿ile properties for which the user has write access. To update user permissions for a schema property, use Update User Profile Schema Property.
Response parameters
Updated User
Request example
Response example
Update Profile with ID
POST /api/v1/users/${userId}
Updates a user's profile or credentials with partial update semantics
Important: Use the POST method for partial updates. Unspecified properties are set to null with PUT.
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
userId | ID of user to update | URL | String | TRUE |
strict | If true, validates against minimum age and history password policy | Query | String | FALSE |
profile | Updated profile for user | Body | Profile object | FALSE |
credentials | Update credentials for user | Body | Credentials object | FALSE |
profile and credentials can be updated independently or with a single request.
Response parameters
Updated User
Request example
Response example
Set password
Sets passwords without validating existing user credentials
This is an administrative operation. For operations that validate credentials, refer to Reset Password, Forgot Password, and Change Password.
Request example
Response example
Set recovery question and answer
Sets recovery question and answer without validating existing user credentials
This is an administrative operation. For an operation that requires validation, see Change Recovery Question.
Request example
Response example
Get Assigned App Links
GET /api/v1/users/${userId}/appLinks
CORS
Fetches appLinks for all direct or indirect (via group membership) assigned applications
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
id | id, login, or login shortname (as long as it is unambiguous) of user | URL | String | TRUE |
Response parameters
Array of App Links
Request example
Response example
Get User's Groups
GET /api/v1/users/${userId}/groups
CORS
Fetches the groups of which the user is a member
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
id | id, login, or login shortname (as long as it is unambiguous) of user | URL | String | TRUE |
Response parameters
Array of Groups
Request example
Response example
Lifecycle operations
Lifecycle operations are non-idempotent operations that initiate a state transition for a user's status. Some operations are asynchronous while others are synchronous. The user's current status limits what operations are allowed. For example, you can't unlock a user that is ACTIVE.
Activate User
POST /api/v1/users/${userId}/lifecycle/activate
Activates a user
This operation can only be performed on users with a STAGED or DEPROVISIONED status. Activation of a user is an asynchronous operation.
- The user's transitioningToStatus property has a value of ACTIVE during activation to indicate that the user hasn't completed the asynchronous operation.
- The user's status is ACTIVE when the activation process is complete.
Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to ACTIVE status.
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
id | id of user | URL | String | TRUE | |
sendEmail | Sends an activation email to the user if true | Query | Boolean | FALSE | TRUE |
Response parameters
- Returns an empty object by default.
- If sendEmail is false, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link.
If a password was set before the user was activated, then the user must log in with their password or the activationToken and not the activation link. More information about using the activationToken to log in can be found in the Authentication API.
Request example
Response example
Reactivate User
POST /api/v1/users/${userId}/lifecycle/reactivate
Reactivates a user
This operation can only be performed on users with a PROVISIONED status. This operation restarts the activation workflow if for some reason the user activation was not completed when using the activationToken from Activate User.
Users that don't have a password must complete the flow by completing the Reset Password and MFA enrollment steps to transition the user to ACTIVE status.
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
id | id, login, or login shortname (as long as it is unambiguous) of user | URL | String | TRUE |
sendEmail | Sends an activation email to the user if true. Default value is false. | Query | Boolean | FALSE |
Response parameters
- Returns an empty object by default.
- If sendEmail is false, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link.
Request example
Response example (success)
Response example (unexpected user status)
Deactivate User
POST /api/v1/users/${userId}/lifecycle/deactivate
Deactivates a user
This operation can only be performed on users that do not have a DEPROVISIONED status.
- The user's transitioningToStatus property is DEPROVISIONED during deactivation to indicate that the user hasn't completed the asynchronous operation.
- The user's status is DEPROVISIONED when the deactivation process is complete.
Important: Deactivating a user is a destructive operation. The user is deprovisioned from all assigned applications, which may destroy their data such as email or files. This action cannot be recovered!
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
userId | ID of user | URL | String | TRUE |
sendEmail | Sends a deactivation email to the administrator if true. Default value is false. | Query | Boolean | FALSE |
Note: You can also perform user deactivation asynchronously. To invoke asynchronous user deactivation, pass an HTTP header Prefer: respond-async with the request.
Response parameters
Returns an empty object.
Deactivate user synchronously
Request example
Response example
Deactivate user asynchronously
Request example
Response example
Suspend User
POST /api/v1/users/${userId}/lifecycle/suspend
Suspends a user
This operation can only be performed on users with an ACTIVE status. The user has a status of SUSPENDED when the process is complete.
Suspended users:
- Can't log in to Okta. Their group and app assignments are retained.
- Can only be unsuspended or deactivated.
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
id | id of user | URL | String | TRUE |
Response parameters
Returns an empty object
- Passing an invalid id returns a 404 Not Found status code with error code E0000007.
- Passing an id that is not in the ACTIVE state returns a 400 Bad Request status code with error code E0000001.
Request example
Response example
Unsuspend User
POST /api/v1/users/${userId}/lifecycle/unsuspend
Unsuspends a user and returns them to the ACTIVE state
This operation can only be performed on users that have a SUSPENDED status.
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
id | id of user | URL | String | TRUE |
Response parameters
Returns an empty object.
Passing an invalid id returns a 404 Not Found status code with error code E0000007. Passing an id that is not in the SUSPENDED state returns a 400 Bad Request status code with error code E0000001.
Request example
Response example
Delete User
DELETE /api/v1/users/${userId}
Deletes a user permanently. This operation can only be performed on users that have a DEPROVISIONED status. This action cannot be recovered!
This operation on a user that hasn't been deactivated causes that user to be deactivated. A second delete operation is required to delete the user.
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
id | id of user | URL | String | TRUE | |
sendEmail | Sends a deactivation email to the administrator if true. Default value is false. | Query | Boolean | FALSE | FALSE |
Note: You can also perform user deletion asynchronously. To invoke asynchronous user deletion, pass an HTTP header Prefer: respond-async with the request. This header is also supported by user deactivation, which is performed if the delete endpoint is invoked on a user that hasn't been deactivated.
Response parameters
Passing an invalid id returns a 404 Not Found status code with error code E0000007.
Delete user synchronously
Request example
Response example
Delete user asynchronously
Request example
Response example
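An added example (not Okta's or this page's code) of the two-step delete described above, run against a constructed in-memory stand-in for the endpoint. It assumes a transport callable that returns (HTTP status, JSON body), 204 No Content on a successful DELETE, and the 404 / E0000007 response the text documents for an unknown id.

```python
"""Added example (not Okta's code): drives the two-step delete through an
injectable transport so the logic can be exercised offline."""
from urllib.parse import quote, unquote, urlencode


def build_delete_user_request(user_id, send_email=False, respond_async=False):
    """Build DELETE /api/v1/users/${userId}.

    Prefer: respond-async asks Okta to process the deactivation or the
    deletion asynchronously, as the Note above describes."""
    headers = {"Accept": "application/json"}
    if respond_async:
        headers["Prefer"] = "respond-async"
    path = ("/api/v1/users/" + quote(user_id, safe="")
            + "?" + urlencode({"sendEmail": str(send_email).lower()}))
    return {"method": "DELETE", "path": path, "headers": headers}


def build_get_user_request(user_id):
    """Build GET /api/v1/users/${userId}, used to read the status first."""
    return {"method": "GET", "path": "/api/v1/users/" + quote(user_id, safe=""),
            "headers": {"Accept": "application/json"}}


def delete_user_permanently(transport, user_id, send_email=False):
    """Delete a user for good.

    A DELETE on a user who has not been deactivated only deactivates them
    (status DEPROVISIONED); a second DELETE removes the record. The status
    is read first so the function never issues a blind second DELETE.
    transport(request) -> (http_status, json_body_or_None)."""
    status, body = transport(build_get_user_request(user_id))
    steps = ["GET"]
    if status == 404:
        return {"deleted": False, "error": body.get("errorCode"), "steps": steps}
    if body["status"] != "DEPROVISIONED":
        status, _ = transport(build_delete_user_request(user_id, send_email))
        steps.append("DELETE(deactivate)")
        if status != 204:   # assumption: 204 signals success
            return {"deleted": False, "error": f"deactivation returned {status}",
                    "steps": steps}
    status, _ = transport(build_delete_user_request(user_id, send_email))
    steps.append("DELETE(delete)")
    return {"deleted": status == 204,
            "error": None if status == 204 else f"delete returned {status}",
            "steps": steps}


class FakeOktaUsers:
    """Constructed stand-in modelling only what the text states: unknown id
    gives 404 E0000007; DELETE deactivates first, then deletes."""

    def __init__(self, users):
        self.users = dict(users)   # user id -> status

    def __call__(self, request):
        raw = request["path"].split("/api/v1/users/", 1)[1].split("?", 1)[0]
        user_id = unquote(raw)
        if user_id not in self.users:
            return 404, {"errorCode": "E0000007"}
        if request["method"] == "GET":
            return 200, {"id": user_id, "status": self.users[user_id]}
        if request["method"] == "DELETE":
            if self.users[user_id] == "DEPROVISIONED":
                del self.users[user_id]
            else:
                self.users[user_id] = "DEPROVISIONED"
            return 204, None
        return 405, None


if __name__ == "__main__":
    fake = FakeOktaUsers({"00uCONSTRUCTED1": "ACTIVE"})   # constructed id
    print(delete_user_permanently(fake, "00uCONSTRUCTED1"))
```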
Unlock User
POST /api/v1/users/${userId}/lifecycle/unlock
Unlocks a user with a LOCKED_OUT status and returns them to ACTIVE status. Users will be able to login with their current password.
Note: This operation works with Okta-mastered users. It doesn't support directory-mastered accounts such as Active Directory.
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
id | id of user | URL | String | TRUE | |
Response parameters
Returns an empty object
Request example
Response example
Reset password
POST /api/v1/users/${userId}/lifecycle/reset_password
Generates a one-time token (OTT) that can be used to reset a user's password. The OTT link can be automatically emailed to the user or returned to the API caller and distributed using a custom flow.
This operation will transition the user to the status of RECOVERY and the user will not be able to login or initiate a forgot password flow until they complete the reset flow.
Note: You can also use this API to convert a user with the Okta Credential Provider to use a Federated Provider. After this conversion, the user cannot directly sign in with password. The second example demonstrates this usage.
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
id | id of user | URL | String | TRUE | |
sendEmail | Sends reset password email to the user if true | Query | Boolean | FALSE | TRUE |
To ensure a successful password recovery lookup if an email address is associated with multiple users:
- Okta no longer includes deactivated users in the lookup.
- The lookup searches login IDs first, then primary email addresses, and then secondary email addresses.
Response parameters
- Returns an empty object by default.
- If sendEmail is false, returns a link for the user to reset their password.
Request example
Response example
Request example (Convert a User to a Federated User)
To convert a user to a federated user, pass FEDERATION as the provider in the Provider object. The sendEmail parameter must be false or omitted for this type of conversion.
Response example
Expire password
POST /api/v1/users/${userId}/lifecycle/expire_password
This operation transitions the user status to PASSWORD_EXPIRED so that the user is required to change their password at their next login. If tempPassword is included in the request, the user's password is reset to a temporary password that is returned, and then the temporary password is expired.
If you have integrated Okta with your on-premise Active Directory (AD), then setting a user's password as expired in Okta also expires the password in Active Directory. When the user tries to log in to Okta, delegated authentication finds the password-expired status in the Active Directory, and the user is presented with the password-expired page where he or she can change the password.
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
id | id of user | URL | String | TRUE | |
tempPassword | Sets the user's password to a temporary password, if true | Query | Boolean | FALSE | FALSE |
Response parameters
- Returns the complete user object by default
- If tempPassword is true, returns the temporary password
Request example
Response example
Reset Factors
POST /api/v1/users/${userId}/lifecycle/reset_factors
This operation resets all factors for the specified user. All MFA factor enrollments return to the unenrolled state. The user's status remains ACTIVE. This link is present only if the user is currently enrolled in one or more MFA factors.
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
id | id of user | URL | String | TRUE | |
Response parameters
Returns an empty object by default.
Request example
Response example
Clear current User sessions
Clears Okta sessions for the currently logged in user. By default, the current session remains active. Use this method in a browser-based application.
This operation requires a session cookie for the user. API token is not allowed for this operation.
POST /api/v1/users/me/lifecycle/delete_sessions
CORS
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
keepCurrent | Skip deleting user's current session when set to true | Body | boolean | FALSE | true |
Response
Returns an empty object.
Request example
Response example
If the sessions were successfully cleared, a 200 OK response will be returned.
If the current session is invalid, a 403 Forbidden response will be returned.
User sessions
Clear User sessions
DELETE /api/v1/users/${userId}/sessions
Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
Note: This operation doesn't clear the sessions created for web sign in or native applications.
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
userId | id of a user | URL | String | TRUE | |
oauthTokens | Revoke issued OpenID Connect and OAuth refresh and access tokens | Query | Boolean | FALSE | FALSE |
Response parameters
Request example
Response example
Credential operations
Forgot password
POST /api/v1/users/${userId}/credentials/forgot_password
Generates a one-time token (OTT) that can be used to reset a user's password
The user will be required to validate their security question's answer when visiting the reset link. This operation can only be performed on users with an ACTIVE status and a valid recovery question credential.
Note: If you have migrated to Okta Identity Engine, you can allow users to recover passwords with any enrolled MFA authenticator. See Self-service account recovery (opens new window). Identity Engine
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
id | id of user | URL | String | TRUE | |
sendEmail | Sends a forgot password email to the user if true | Query | Boolean | FALSE | TRUE |
To ensure a successful password recovery lookup if an email address is associated with multiple users:
- Okta no longer includes deactivated users in the lookup.
- The lookup searches login IDs first, then primary email addresses, and then secondary email addresses.
Response parameters
- Returns an empty object by default
- If sendEmail is false, returns a link for the user to reset their password.
This operation does not affect the status of the user.
Request example
Response example
POST /api/v1/users/${userId}/credentials/forgot_password
Sets a new password for a user by validating the user's answer to their current recovery question
This operation can only be performed on users with an ACTIVE status and a valid recovery question credential.
Important: This operation is intended for applications that need to implement their own forgot password flow. You are responsible for mitigation of all security risks such as phishing and replay attacks. The best practice is to generate a short-lived, one-time token (OTT) that is sent to a verified email account.
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
id | id of user | URL | String | TRUE |
password | New password for user | Body | Password object | TRUE |
recovery_question | Answer to user's current recovery question | Body | Recovery Question object | TRUE |
Response parameters
Credentials of the user
This operation does not affect the status of the user.
Request example
Response example
Change password
POST /api/v1/users/${userId}/credentials/change_password
Changes a user's password by validating the user's current password
This operation can only be performed on users in STAGED, ACTIVE, PASSWORD_EXPIRED, or RECOVERY status that have a valid password credential
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
id | id of user | URL | String | TRUE |
strict | If true, validates against password minimum age policy | Query | String | FALSE |
oldPassword | Current password for user | Body | Password object | TRUE |
newPassword | New password for user | Body | Password object | TRUE |
Response parameters
Credentials of the user
The user transitions to ACTIVE status when successfully invoked in RECOVERY status.
Request example
Response example
Change recovery question
POST /api/v1/users/${userId}/credentials/change_recovery_question
Changes a user's recovery question & answer credential by validating the user's current password
This operation can only be performed on users in STAGED, ACTIVE or RECOVERY status that have a valid password credential
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
id | id of user | URL | String | TRUE |
password | Current password for user | Body | Password object | TRUE |
recovery_question | New recovery question & answer for user | Body | Recovery Question object | TRUE |
Response parameters
Credentials of the user
This operation does not affect the status of the user.
Request example
Response example
User-consent Grant operations
Early Access
A consent represents a user's explicit permission to allow an application to access resources protected by scopes. Consent grants are different from tokens because a consent can outlast a token, and there can be multiple tokens with varying sets of scopes derived from a single consent. When an application comes back and needs to get a new access token, it may not need to prompt the user for consent if they have already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server or scope is deactivated or deleted.
Hint: For all grant operations, you can use me instead of the userId in an endpoint that contains /users, in an active session with no SSWS token (API token). For example: https://${yourOktaDomain}/api/v1/users/me/grants returns all the grants for the active session user.
Note: Some browsers have begun blocking third-party cookies by default, disrupting Okta functionality in certain flows. For information see FAQ: How Blocking Third Party Cookies Can Potentially Impact Your Okta Environment (opens new window).
List Grants
Early Access
GET /api/v1/users/${userId}/grants
Lists all grants for the specified user
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
userId | ID of the user for whom you are fetching grants | URL | String | TRUE | |
expand | Valid value: scope. If specified, scope details are included in the _embedded attribute. | Query | String | FALSE | |
scopeId | The scope ID to filter on | Query | String | FALSE | |
limit | The number of grants to return (maximum 200) | Query | Number | FALSE | 20 |
after | Specifies the pagination cursor for the next page of grants | Query | String | FALSE | |
Note: after should be treated as a cursor (an opaque value) and obtained through the next link relation.
Request example
Response example
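An added example (not Okta's or this page's code) of walking a paginated grant listing the way the Note above requires: the after cursor is never parsed or constructed, only the server's next link is followed. It assumes the pagination links arrive in an HTTP Link header with rel="next", and it runs against a constructed fake server; the same loop applies to the token listings later on this page.

```python
"""Added example (not Okta's code): follows the next link relation across
pages of /api/v1/users/${userId}/grants, treating the after value as opaque."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: pagination is exposed as an HTTP Link header, for example
#   <https://.../api/v1/users/me/grants?after=CURSOR&limit=20>; rel="next"
LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?([^",]+)"?')


def next_link(link_header: Optional[str]) -> Optional[str]:
    """Return the URL of the rel="next" link, or None on the last page."""
    if not link_header:
        return None
    for url, rel in LINK_RE.findall(link_header):
        if rel == "next":
            return url
    return None


def list_all_grants(fetch, first_url: str, max_pages: int = 100) -> list:
    """Collect every grant across pages.

    fetch(url) -> (list_of_grants, link_header_or_None). The next URL is used
    exactly as the server returned it; max_pages and the seen-set guard
    against a server that keeps handing back a next link."""
    grants, url, pages, seen = [], first_url, 0, set()
    while url and pages < max_pages:
        if url in seen:
            raise RuntimeError("pagination loop detected")
        seen.add(url)
        items, link_header = fetch(url)
        grants.extend(items)
        url = next_link(link_header)
        pages += 1
    return grants


def make_fake_fetch(pages: list, base: str):
    """Constructed fake server: page i is served at base?after=p<i>; the
    cursor format is an artefact of the fake, not of Okta."""
    def fetch(url):
        query = parse_qs(urlsplit(url).query)
        index = int(query["after"][0][1:]) if "after" in query else 0
        link = f'<{base}?limit=2>; rel="self"'
        if index + 1 < len(pages):
            link += f', <{base}?after=p{index + 1}&limit=2>; rel="next"'
        return pages[index], link
    return fetch


if __name__ == "__main__":
    base = "https://example.okta.com/api/v1/users/me/grants"   # constructed
    fake_pages = [[{"id": "g1"}, {"id": "g2"}], [{"id": "g3"}]]
    print(list_all_grants(make_fake_fetch(fake_pages, base), base + "?limit=2"))
```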
Get a Grant
Early Access
GET /api/v1/users/${userId}/grants/${grantId}
Gets a grant for the specified user
Request parameters
Parameter | Description | Param Type | DataType | Required |
---|---|---|---|---|
userId | ID of the user to whom the grant belongs | URL | String | TRUE |
grantId | ID of the grant being fetched | Query | String | TRUE |
expand | Valid value: scope. If specified, scope details are included in the _embedded attribute. | Query | String | FALSE |
Request example
Response example
List Grants for a User-Client combination
Early Access
GET /api/v1/users/${userId}/clients/${clientId}/grants
Lists all grants for a specified user and client
Request parameters
Parameter | Description | Parameter Type | DataType | Required | Default |
---|---|---|---|---|---|
userId | ID of the user whose grants you are listing for the specified clientId | URL | String | TRUE | |
clientId | ID of the client whose grants you are listing for the specified userId | URL | String | TRUE | |
expand | Valid value: scope. If specified, scope details are included in the _embedded attribute. | Query | String | FALSE | |
limit | The number of tokens to return (maximum 200) | Query | Number | FALSE | 20 |
after | Specifies the pagination cursor for the next page of tokens | Query | String | FALSE | |
Request example
Response example
Revoke all Grants for a User
Early Access
DELETE /api/v1/users/${userId}/grants
Revokes all grants for a specified user
Request parameters
Parameter | Description | Parameter Type | DataType | Required |
---|---|---|---|---|
userId | ID of the user whose grant is being revoked | URL | String | TRUE |
Request example
Response example
Revoke a Grant for a User
Early Access
DELETE /api/v1/users/${userId}/grants/${grantId}
Revokes one grant for a specified user
Request parameters
Parameter | Description | Parameter Type | DataType | Required |
---|---|---|---|---|
userId | ID of the user whose grant is being revoked | URL | String | TRUE |
grantId | ID of the grant being revoked | URL | String | TRUE |
Request example
Response example
Revoke Grants for User and Client
Early Access
DELETE /api/v1/users/${userId}/clients/${clientId}/grants
Revokes all grants for the specified user and client
Request parameters
Parameter | Description | Parameter Type | DataType | Required |
---|---|---|---|---|
userId | ID of the user whose grants are being revoked for the specified client | URL | String | TRUE |
clientId | ID of the client who was granted consent by the specified user | URL | String | TRUE |
Request example
Response example
User OAuth 2.0 Token management operations
- List Refresh Tokens
- Get Refresh Token
- Revoke All Refresh Tokens
- Revoke Refresh Token
These endpoints allow you to manage tokens issued by an Authorization Server for a particular User and Client. For example, you could revoke every active refresh token for a User in the context of a specific Client. You can also revoke specific tokens or manage tokens at the Authorization Server level.
Read Validate Access Tokens to understand more about how OAuth 2.0 tokens work.
List Refresh Tokens
Early Access
GET /api/v1/users/${userId}/clients/${clientId}/tokens
Lists all refresh tokens issued for the specified User and Client.
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
userId | ID of the user for whom you are fetching tokens | URL | String | TRUE | |
clientId | ID of the client | URL | String | TRUE | |
expand | Valid value: scope. If specified, scope details are included in the _embedded attribute. | Query | String | FALSE | |
limit | The number of tokens to return (maximum 200) | Query | Number | FALSE | 20 |
after | Specifies the pagination cursor for the next page of tokens | Query | String | FALSE | |
Note: after should be treated as a cursor (an opaque value) and obtained through the next link relation.
Request example
Response example
Get Refresh Token
Early Access
GET /api/v1/users/${userId}/clients/${clientId}/tokens/${tokenId}
Gets a refresh token issued for the specified User and Client.
Request parameters
Parameter | Description | Param Type | DataType | Required | Default |
---|---|---|---|---|---|
userId | ID of the user for whom you are fetching tokens | URL | String | TRUE | |
clientId | ID of the client | URL | String | TRUE | |
tokenId | ID of the token | URL | String | TRUE | |
expand | Valid value: scope. If specified, scope details are included in the _embedded attribute. | Query | String | FALSE | |
limit | The number of grants to return (maximum 200) | Query | Number | FALSE | 20 |
after | Specifies the pagination cursor for the next page of grants | Query | String | FALSE | |
Note: after should be treated as a cursor (an opaque value) and obtained through the next link relation.
Request example
Response example
Revoke All Refresh Tokens
Early Access
DELETE /api/v1/users/${userId}/clients/${clientId}/tokens
Revokes all refresh tokens issued for the specified User and Client. Any access tokens issued with these refresh tokens will also be revoked, but access tokens issued without a refresh token will not be affected.
Request parameters
Parameter | Description | Parameter Type | DataType | Required |
---|---|---|---|---|
userId | ID of the user whose grants are being revoked for the specified client | URL | String | TRUE |
clientId | ID of the client who was granted consent by the specified user | URL | String | TRUE |
Request example
Response example
Revoke Refresh Token
Early Access
DELETE /api/v1/users/${userId}/clients/${clientId}/tokens/${tokenId}
Revokes the specified refresh token. If an access token was issued with this refresh token, it will also be revoked.
Request parameters
Parameter | Description | Parameter Type | DataType | Required |
---|---|---|---|---|
userId | ID of the user whose grants are being revoked for the specified client | URL | String | TRUE |
clientId | ID of the client who was granted consent by the specified user | URL | String | TRUE |
tokenId | ID of the token | URL | String | TRUE |
Request example
Response example
User Client resource operations
List Client resources for a User
Early Access
GET /api/v1/users/${userId}/clients
Lists all client resources for which the specified user has grants or tokens.
Request parameters
Parameter | Description | Parameter Type | DataType | Required |
---|---|---|---|---|
userId | ID of the user | URL | String | TRUE |
Request example
Response example
User object
Example
User properties
The User object defines several read-only properties:
Property | Description | DataType | Nullable | Unique | Readonly |
---|---|---|---|---|---|
id | unique key for user | String | FALSE | TRUE | TRUE |
status | current status of user | STAGED, PROVISIONED, ACTIVE, RECOVERY, LOCKED_OUT, PASSWORD_EXPIRED, SUSPENDED, or DEPROVISIONED | FALSE | FALSE | TRUE |
created | timestamp when user was created | Date | FALSE | FALSE | TRUE |
activated | timestamp when transition to ACTIVE status completed | Date | FALSE | FALSE | TRUE |
statusChanged | timestamp when status last changed | Date | TRUE | FALSE | TRUE |
lastLogin | timestamp of last login | Date | TRUE | FALSE | TRUE |
lastUpdated | timestamp when user was last updated | Date | FALSE | FALSE | TRUE |
passwordChanged | timestamp when password last changed | Date | TRUE | FALSE | TRUE |
type | user type that determines the schema for the user's profile | Map (see below) | FALSE | FALSE | TRUE |
transitioningToStatus | target status of an in-progress asynchronous status transition | PROVISIONED, ACTIVE, or DEPROVISIONED | TRUE | FALSE | TRUE |
profile | user profile properties | Profile object | FALSE | FALSE | FALSE |
credentials | user's primary authentication and recovery credentials | Credentials object | FALSE | FALSE | FALSE |
_links | link relations for the user's current status | JSON HAL (opens new window) | TRUE | FALSE | TRUE |
_embedded | embedded resources related to the user | JSON HAL (opens new window) | TRUE | FALSE | TRUE |
Metadata properties such as id, status, timestamps, _links, and _embedded are only available after a user is created.
- The activated timestamp will only be available for users activated after 06/30/2013.
- The statusChanged and lastLogin timestamps will be missing for users created before 06/30/2013 and updated on next status change or login.
The type property is a map that identifies the User Type of the user (see User Types). Currently it contains a single element, id, as shown in the Example. It can be specified when creating a new User, and may be updated by an administrator on a full replace of an existing user (but not a partial update).
User status
The following diagram shows the state object for a user:
Understanding User status values
The status of a user changes in response to explicit events, such as admin-driven lifecycle changes, user login, or self-service password recovery. Okta doesn't asynchronously sweep through users and update their password expiry state, for example. Instead, Okta evaluates password policy at login time, notices the password has expired, and moves the user to the expired state. When running reports, remember that the data is valid as of the last login or lifecycle event for that user.
Profile object
Specifies standard and custom profile properties for a user.
Default Profile properties
The default user profile is based on the System for Cross-Domain Identity Management: Core Schema (opens new window) and has the following standard properties:
Property | Description | DataType | Nullable | Unique | Readonly | MinLength | MaxLength | Validation |
---|---|---|---|---|---|---|---|---|
login | unique identifier for the user (username) | String | FALSE | TRUE | FALSE | 5 | 100 | pattern |
email | primary email address of user | String | FALSE | TRUE | FALSE | 5 | 100 | RFC 5322 Section 3.2.3 (opens new window) |
secondEmail | secondary email address of user typically used for account recovery | String | TRUE | TRUE | FALSE | 5 | 100 | RFC 5322 Section 3.2.3 (opens new window) |
firstName | given name of the user (givenName) | String | FALSE (default) | FALSE | FALSE | 1 | 50 | |
lastName | family name of the user (familyName) | String | FALSE (default) | FALSE | FALSE | 1 | 50 | |
middleName | middle name(s) of the user | String | TRUE | FALSE | FALSE | | | |
honorificPrefix | honorific prefix(es) of the user, or title in most Western languages | String | TRUE | FALSE | FALSE | | | |
honorificSuffix | honorific suffix(es) of the user | String | TRUE | FALSE | FALSE | | | |
title | user's title, such as "Vice President" | String | TRUE | FALSE | FALSE | | | |
displayName | name of the user, suitable for display to end users | String | TRUE | FALSE | FALSE | | | |
nickName | casual way to address the user in real life | String | TRUE | FALSE | FALSE | | | |
profileUrl | url of user's online profile (e.g. a web page) | String | TRUE | FALSE | FALSE | | | URL (opens new window) |
primaryPhone | primary phone number of user such as home number | String | TRUE | FALSE | FALSE | 0 | 100 | |
mobilePhone | mobile phone number of user | String | TRUE | FALSE | FALSE | 0 | 100 | |
streetAddress | full street address component of user's address | String | TRUE | FALSE | FALSE | | | |
city | city or locality component of user's address (locality) | String | TRUE | FALSE | FALSE | | | |
state | state or region component of user's address (region) | String | TRUE | FALSE | FALSE | | | |
zipCode | zipcode or postal code component of user's address (postalCode) | String | TRUE | FALSE | FALSE | | | |
countryCode | country name component of user's address (country) | String | TRUE | FALSE | FALSE | | | ISO 3166-1 alpha 2 "short" code format (opens new window) |
postalAddress | mailing address component of user's address | String | TRUE | FALSE | FALSE | | | |
preferredLanguage | user's preferred written or spoken languages | String | TRUE | FALSE | FALSE | | | RFC 7231 Section 5.3.5 (opens new window) |
locale | user's default location for purposes of localizing items such as currency, date time format, numerical representations, etc. | String | TRUE | FALSE | FALSE | | | See Note for more details. |
timezone | user's time zone | String | TRUE | FALSE | FALSE | | | IANA Time Zone database format (opens new window) |
userType | used to describe the organization to user relationship such as "Employee" or "Contractor" | String | TRUE | FALSE | FALSE | | | |
employeeNumber | organization or company assigned unique identifier for the user | String | TRUE | FALSE | FALSE | | | |
costCenter | name of a cost center assigned to user | String | TRUE | FALSE | FALSE | | | |
organization | name of user's organization | String | TRUE | FALSE | FALSE | | | |
division | name of user's division | String | TRUE | FALSE | FALSE | | | |
department | name of user's department | String | TRUE | FALSE | FALSE | | | |
managerId | id of a user's manager | String | TRUE | FALSE | FALSE | | | |
manager | displayName of the user's manager | String | TRUE | FALSE | FALSE | | | |
Note: A locale value is a concatenation of the ISO 639-1 two letter language code, an underscore, and the ISO 3166-1 two letter country code. For example, en_US specifies the language English and country US.
Okta login
Every user within your Okta organization must have a unique identifier for a login. This constraint applies to all users you import from other systems or applications such as Active Directory. Your organization is the top-level namespace to mix and match logins from all your connected applications or directories. Careful consideration of naming conventions for your login identifier will make it easier to onboard new applications in the future.
Logins are not considered unique if they differ only in case and/or diacritical marks. If one of your users has a login of Isaac.Brock@example.com, there cannot be another user whose login is isaac.brock@example.com, nor isáàc.bröck@example.com.
Okta has a default ambiguous name resolution policy for logins that include @-signs. (By default, logins must be formatted as email addresses and thus always include @-signs. That restriction can be removed using either the administrator UI or the Schemas API.) Users can login with their non-qualified short name (e.g. isaac.brock with login isaac.brock@example.com) as long as the short name is still unique within the organization.
Hint: Don't use a login with a / character. Although / is a valid character according to RFC 6531 section 3.3 (opens new window), a user with this character in their login can't be fetched by login due to security risks with escaping this character in URI paths. For more information about login, see Get User by ID.
Modifying default Profile properties
The only permitted customization of the default profile is to update permissions, to change whether the firstName and lastName properties are nullable, or to specify a pattern for login. You can use the Profile Editor in the administrator UI or the Schemas API to make schema modifications.
Custom Profile properties
User profiles may be extended with custom properties but the property must first be added to the user profile schema before it can be referenced. You can use the Profile Editor in the administrator UI or the Schemas API to manage schema extensions.
Custom attributes may contain HTML tags. It is the client's responsibility to escape or encode this data before displaying it. Use best-practices (opens new window) to prevent cross-site scripting.
Credentials object
Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the organization.
Property | DataType | Nullable | Unique | Readonly |
---|---|---|---|---|
password | Password object | TRUE | FALSE | FALSE |
recovery_question | Recovery Question object | TRUE | FALSE | FALSE |
provider | Provider object | FALSE | FALSE | TRUE |
Password object
Specifies a password for a user
Property | DataType | Nullable | Unique | Readonly | MinLength | MaxLength | Validation |
---|---|---|---|---|---|---|---|
value | String | TRUE | FALSE | FALSE | Password Policy | 72 | Password Policy |
hash | Hashed Password object | TRUE | FALSE | FALSE | N/A | N/A | |
hook | Password Hook object | TRUE | FALSE | FALSE | N/A | N/A | |
A password value is a write-only property. A password hash is a write-only property. A password hook is a write-only property.
When a user has a valid password, or imported hashed password, or password hook, and a response object contains a password credential, then the Password object is a bare object without the value property defined (for example, password: {}), to indicate that a password value exists.
Default Password Policy
The password specified in the value property must meet the default password policy requirements:
- Must be a minimum of 8 characters
- Must have a character from the following groups:
  - Upper case
  - Lower case
  - Digit
- Must not contain the user's login or parts of the login when split on the following characters: , . _ # @
  - For example, a user with login isaac.brock@example.com will not be able to set password brockR0cks! as the password contains the login part brock.
Password policy requirements can be modified in the administrator UI (Security -> Policies)
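An added example (not Okta's or this page's code) that checks a candidate password against the default policy listed above, including the split-login rule, so a provisioning script can reject a value before Okta does. It assumes the login-part comparison is case-insensitive; the page does not state the case rule for that check.

```python
"""Added example (not Okta's code): local pre-check of the default password
policy described above. It mirrors the documented rules only."""
import re

# Characters on which the login is split into parts (from the policy text).
LOGIN_SPLIT_CHARS = ",._#@"
MIN_LENGTH = 8


def login_parts(login):
    """Split a login on the policy's separator characters.

    Empty fragments are dropped so a login such as 'a..b' cannot produce an
    empty part, which would otherwise match every password."""
    pattern = "[" + re.escape(LOGIN_SPLIT_CHARS) + "]"
    return [part for part in re.split(pattern, login) if part]


def check_default_password_policy(password, login):
    """Return the list of policy violations; an empty list means it passes.

    Assumption: the login and its parts are compared case-insensitively."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no upper case character")
    if not any(c.islower() for c in password):
        violations.append("no lower case character")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")

    lowered = password.lower()
    if login.lower() in lowered:
        violations.append("contains the full login")
    for part in login_parts(login):
        if part.lower() in lowered:
            violations.append(f"contains login part {part!r}")
    return violations


if __name__ == "__main__":
    # The page's own example: 'brock' is a part of the login, so it fails.
    print(check_default_password_policy("brockR0cks!", "isaac.brock@example.com"))
```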
Hashed Password object
Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, and MD5 hashing functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password the user must be in the STAGED status.
Note: Because the plain text password isn't specified when a hashed password is provided, password policy isn't applied.
Property | Type | Description |
---|---|---|
algorithm | String | The algorithm used to generate the hash using the password (and salt, when applicable). Must be set to BCRYPT, SHA-512, SHA-256, SHA-1 or MD5. |
value | String | For SHA-512, SHA-256, SHA-1, MD5, this is the actual base64-encoded hash of the password (and salt, if used). This is the Base64 encoded value of the SHA-512/SHA-256/SHA-1/MD5 digest that was computed by either pre-fixing or post-fixing the salt to the password, depending on the saltOrder. If a salt was not used in the source system, then this should just be the Base64 encoded value of the password's SHA-512/SHA-256/SHA-1/MD5 digest. For BCRYPT, this is the actual radix64-encoded hashed password. |
salt | String | Only required for salted hashes. For BCRYPT, this specifies the radix64-encoded salt used to generate the hash, which must be 22 characters long. For other salted hashes, this specifies the base64-encoded salt used to generate the hash. |
workFactor | Number | Governs the strength of the hash and the time required to compute it. Only required for BCRYPT algorithm. Minimum value is 1, and maximum is 20. |
saltOrder | String | Specifies whether salt was pre- or postfixed to the password before hashing. Only required for salted algorithms. |
BCRYPT Hashed Password object example
SHA-512 Hashed Password object example
SHA-256 Hashed Password object example
SHA-1 Hashed Password object example
MD5 Hashed Password object example
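An added example (not Okta's or this page's code) that builds the Hashed Password object from the table above for a SHA-family import and for a BCRYPT string, and re-verifies a SHA-family object locally so a migration batch can be spot-checked before upload. It assumes saltOrder takes the values PREFIX and POSTFIX, that the source store hashed the raw salt bytes rather than their base64 text, and it uses a constructed bcrypt string that is only format-valid.

```python
"""Added example (not Okta's code): builds Hashed Password objects for import
and verifies a SHA-family object locally."""
import base64
import hashlib
import hmac
import re

# Okta algorithm names mapped to hashlib names.
SHA_ALGORITHMS = {"SHA-512": "sha512", "SHA-256": "sha256",
                  "SHA-1": "sha1", "MD5": "md5"}
# Assumption: saltOrder is sent as the string PREFIX or POSTFIX.
SALT_ORDERS = ("PREFIX", "POSTFIX")
# Modular-crypt bcrypt string: $2a$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(
    r"^\$2[abxy]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def _digest(algorithm, password, salt, salt_order):
    """Digest salt bytes and the UTF-8 password concatenated in saltOrder order.
    Assumption: the source store hashed the raw salt, not its base64 text."""
    data = password.encode("utf-8")
    if salt:
        data = salt + data if salt_order == "PREFIX" else data + salt
    return hashlib.new(SHA_ALGORITHMS[algorithm], data).digest()


def build_sha_hash_object(algorithm, password, salt=b"", salt_order="POSTFIX"):
    """Return the hash object for a SHA-512/SHA-256/SHA-1/MD5 import;
    value and salt are base64-encoded as the table above requires."""
    if algorithm not in SHA_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    if salt_order not in SALT_ORDERS:
        raise ValueError(f"unsupported saltOrder {salt_order!r}")
    digest = _digest(algorithm, password, salt, salt_order)
    obj = {"algorithm": algorithm,
           "value": base64.b64encode(digest).decode("ascii")}
    if salt:                       # unsalted objects carry neither field
        obj["salt"] = base64.b64encode(salt).decode("ascii")
        obj["saltOrder"] = salt_order
    return obj


def verify_sha_hash_object(obj, password):
    """Recompute the digest from a hash object and compare it in constant
    time, e.g. to spot-check a migration batch before uploading it."""
    salt = base64.b64decode(obj["salt"]) if "salt" in obj else b""
    actual = _digest(obj["algorithm"], password, salt,
                     obj.get("saltOrder", "POSTFIX"))
    return hmac.compare_digest(base64.b64decode(obj["value"]), actual)


def build_bcrypt_hash_object(bcrypt_string):
    """Split a bcrypt string into the BCRYPT hash object fields: workFactor
    is the cost, salt the 22 radix64 characters, value the remaining 31."""
    m = BCRYPT_RE.match(bcrypt_string)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group(1))
    if not 1 <= cost <= 20:
        raise ValueError(f"workFactor {cost} outside the 1..20 range")
    return {"algorithm": "BCRYPT", "workFactor": cost,
            "salt": m.group(2), "value": m.group(3)}


if __name__ == "__main__":
    # Constructed sample inputs; the bcrypt string is only format-valid.
    print(build_sha_hash_object("SHA-256", "Tr0ub4dor&3", b"\x01\x02\x03\x04", "PREFIX"))
    print(build_bcrypt_hash_object(
        "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"))
```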
Password Hook object
Specifies that a Password Import Inline Hook should be triggered to handle verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. See Create User with Password Hook for information on using this object when creating a user.
When updating a user with a password hook the user must be in the STAGED status.
Note: Because the plain text password isn't specified when a password hook is specified, password policy isn't applied.
Property | DataType | Description | Required | Min Value | Max Value |
---|---|---|---|---|---|
type | String | The type of Password Inline Hook. Currently, must be set to default. | TRUE | N/A | N/A |
Password Hook object example
Recovery Question object
Specifies a secret question and answer that is validated (case insensitive) when a user forgets their password or unlocks their account. The answer property is write-only.
Property | DataType | Nullable | Unique | Readonly | MinLength | MaxLength |
---|---|---|---|---|---|---|
question | String | TRUE | FALSE | FALSE | 1 | 100 |
answer | String | TRUE | FALSE | FALSE | 1 | 100 |
Provider object
Specifies the authentication provider that validates the user's password credential. The user's current provider is managed by the Delegated Authentication settings for your organization. The provider object is read-only.
Property | DataType | Nullable | Unique | Readonly |
---|---|---|---|---|
type | OKTA , ACTIVE_DIRECTORY , LDAP , FEDERATION , SOCIAL or IMPORT | FALSE | FALSE | TRUE |
name | String | TRUE | FALSE | TRUE |
ACTIVE_DIRECTORY or LDAP providers specify the directory instance name as the name property.
Users with a FEDERATION or SOCIAL authentication provider do not support a password or recovery_question credential and must authenticate via a trusted Identity Provider.
IMPORT specifies a hashed password that was imported from an external source.
Links object
Specifies link relations (see Web Linking (opens new window)) available for the current status of a user. The Links object is used for dynamic discovery of related resources, lifecycle operations, and credential operations. The Links object is read-only.
Individual Users vs. collection of Users
For an individual User result, the Links object contains a full set of link relations available for that User as determined by your policies. For a collection of Users, the Links object contains only the self link. Operations that return a collection of Users include List Users and List Group Members.
Here are some links that may be available on a User, as determined by your policies:
Link Relation Type | Description |
---|---|
self | A self-referential link to this user |
activate | Lifecycle action to activate the user |
deactivate | Lifecycle action to deactivate the user |
suspend | Lifecycle action to suspend the user |
unsuspend | Lifecycle action to unsuspend the user |
resetPassword | Lifecycle action to trigger a password reset |
expirePassword | Lifecycle action to expire the user's password |
resetFactors | Lifecycle action to reset all MFA factors |
unlock | Lifecycle action to unlock a locked-out user |
forgotPassword | Resets a user's password by validating the user's recovery credential |
changePassword | Changes a user's password by validating the user's current password |
changeRecoveryQuestion | Changes a user's recovery credential by validating the user's current password |
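The following is an added example (not Okta's code and not from the page) of driving lifecycle and credential operations from a user's Links object rather than from hard-coded URLs, which is what the table above is for: only the relations Okta returns for the user's current status and your policies are treated as available. The user documents are constructed and carry only the fields the example reads; the assumption that each link is a HAL object with an `href` holds for Okta's `_links`, but the exact set of links returned for a given status is up to your org. As a defensive measure, a discovered `href` is only accepted if it is HTTPS on the same origin as the `self` link, so a client never follows a link off the org.

```python
"""Discover which user operations are available from the Links object.
Added example, not Okta's own code; user documents below are constructed."""
from urllib.parse import urlsplit

LIFECYCLE = {"activate", "deactivate", "suspend", "unsuspend", "resetPassword",
             "expirePassword", "resetFactors", "unlock"}
CREDENTIAL = {"forgotPassword", "changePassword", "changeRecoveryQuestion"}


def _origin(href):
    parts = urlsplit(href)
    return parts.scheme.lower(), parts.netloc.lower()


def available_operations(user):
    """Return {rel: (kind, href)} for every non-self link on the user.
    Links that are not HTTPS or point off the self link's origin are rejected
    instead of being followed blindly."""
    links = user.get("_links") or {}
    if "self" not in links:
        raise ValueError("user document has no self link")
    self_origin = _origin(links["self"]["href"])
    if self_origin[0] != "https":
        raise ValueError("self link is not https")
    ops = {}
    for rel, link in links.items():
        if rel == "self":
            continue
        href = link["href"]
        if _origin(href) != self_origin:
            raise ValueError(f"link {rel!r} points off-origin: {href}")
        kind = "lifecycle" if rel in LIFECYCLE else "credential" if rel in CREDENTIAL else "other"
        ops[rel] = (kind, href)
    return ops


def lifecycle_actions(user):
    """Sorted lifecycle relations that are currently available for the user."""
    return sorted(rel for rel, (kind, _) in available_operations(user).items()
                  if kind == "lifecycle")


def operation_url(user, rel):
    """URL to POST for `rel`, or a clear error if the current status does not
    offer it (for example activating an already ACTIVE user)."""
    ops = available_operations(user)
    if rel not in ops:
        raise LookupError(f"{rel!r} not available for user in status "
                          f"{user.get('status', '?')}: {sorted(ops)}")
    return ops[rel][1]


ORG = "https://example.okta.com"  # placeholder org, not a real tenant

# Constructed: an individual STAGED user, as returned by Create User.
STAGED_USER = {
    "id": "00u0000000000000staged", "status": "STAGED",
    "_links": {
        "self": {"href": f"{ORG}/api/v1/users/00u0000000000000staged"},
        "activate": {"href": f"{ORG}/api/v1/users/00u0000000000000staged/lifecycle/activate"},
        "deactivate": {"href": f"{ORG}/api/v1/users/00u0000000000000staged/lifecycle/deactivate"},
    },
}
# Constructed: the same shape as one element of a List Users collection,
# which carries only the self link.
LISTED_USER = {
    "id": "00u0000000000000active", "status": "ACTIVE",
    "_links": {"self": {"href": f"{ORG}/api/v1/users/00u0000000000000active"}},
}
# Constructed: a tampered document whose link leaves the org's origin.
TAMPERED_USER = {
    "id": "00u0000000000000evil", "status": "ACTIVE",
    "_links": {
        "self": {"href": f"{ORG}/api/v1/users/00u0000000000000evil"},
        "resetPassword": {"href": "https://attacker.example/collect"},
    },
}

if __name__ == "__main__":
    print(lifecycle_actions(STAGED_USER))
    print(operation_url(STAGED_USER, "activate"))
    print(lifecycle_actions(LISTED_USER))
```

For a user taken from a collection, `lifecycle_actions` returns an empty list; fetch the individual user (the `self` link) before deciding what can be done to it.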
User-Consent Grant object
User-Consent Grant properties (Early Access)
Property | Description | Datatype |
---|---|---|
id | ID of this grant | String |
status | Status of the grant. Valid values: ACTIVE , REVOKED or EXPIRED | String |
created | Timestamp when the grant was created | Date |
lastUpdated | Timestamp when the grant was last updated | Date |
issuer | The complete URL of the authorization server for this grant | String |
clientId | ID of the client for this grant | String |
userId | ID of the user who consented to this grant | String |
scopeId | ID of the scope to which this grant applies | String |
_links | Discoverable resources related to the grant | JSON HAL (opens new window) |
_embedded | If expand=scope is included in the request, information about the scope specified by scopeId is included in the response. | JSON HAL (opens new window) |
Client Grant object
Client Grant properties (Early Access)
Property | Description | Datatype | Unique |
---|---|---|---|
client_id | The client ID of the OAuth 2.0 client | String | TRUE |
client_name | The name of the OAuth 2.0 client | String | TRUE |
client_uri | The URI of the OAuth 2.0 client | String | FALSE |
logo_uri | The logo URI of the OAuth 2.0 client | String | FALSE |
_links | Discoverable resources related to the grant | JSON HAL (opens new window) | FALSE |
Source: https://developer.okta.com/docs/reference/api/users/
Posted by: mcknightmothough.blogspot.com