authorization_servers
Creates, updates, deletes, gets or lists an authorization_servers resource.
Overview
Name | authorization_servers |
Type | Resource |
Id | okta.authorizationservers.authorization_servers |
Fields
The following fields are returned by SELECT queries:
- list_authorization_servers
- get_authorization_server
Name | Datatype | Description |
---|---|---|
id | string | The ID of the custom authorization server |
name | string | The name of the custom authorization server |
_links | object | Specifies link relations (see Web Linking) available using the JSON Hypertext Application Language specification. This object is used for dynamic discovery of related resources and lifecycle operations. |
accessTokenEncryptedResponseAlgorithm | string | The algorithm for encrypting access tokens issued by this authorization server. If this is requested, the response is signed, and then encrypted. The result is a nested JWT. The default, if omitted, is that no encryption is performed. |
audiences | array | The recipients that the tokens are intended for. This becomes the aud claim in an access token. Okta currently supports only one audience. |
created | string (date-time) | |
credentials | object | |
description | string | The description of the custom authorization server |
issuer | string | The complete URL for the custom authorization server. This becomes the iss claim in an access token. |
issuerMode | string | Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL. issuerMode is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses. When set to ORG_URL, then in responses, issuer is the Okta org domain URL: https://${yourOktaDomain}. When set to CUSTOM_URL, then in responses, issuer is the custom domain URL configured in the administration user interface. When set to DYNAMIC, then in responses, issuer is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain. After you configure a custom URL domain, all new custom authorization servers use CUSTOM_URL by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use DYNAMIC by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled. |
jwks | object | A JSON Web Key Set for encrypting JWTs minted by the custom authorization server |
jwks_uri | string | URL string that references a JSON Web Key Set for encrypting JWTs minted by the custom authorization server |
lastUpdated | string (date-time) | |
status | string |
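How the issuerMode and audiences fields above translate into the iss and aud checks a resource server performs, as an added example (not code from this page, StackQL or Okta). The hostnames, issuer path and function names are constructed for illustration, keeping the issuer path while swapping the host is an assumption about how the issuer URL varies, and the claims are assumed to come from a token whose signature has already been verified.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample row shaped like the fields listed above; all values are placeholders.
SERVER = {
    "issuer": "https://login.example.com/oauth2/aus-example",
    "issuerMode": "DYNAMIC",
    "audiences": ["api://example"],
}


def _with_host(url, host):
    """Return url with its host replaced, keeping scheme and path (assumption)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, host, parts.path, "", ""))


def allowed_issuers(server, org_host, custom_host=None):
    """Exact iss values a resource server should accept for this issuerMode."""
    mode = server["issuerMode"]
    if mode == "ORG_URL":
        return {_with_host(server["issuer"], org_host)}
    if mode == "CUSTOM_URL":
        if not custom_host:
            raise ValueError("CUSTOM_URL requires a configured custom domain")
        return {_with_host(server["issuer"], custom_host)}
    if mode == "DYNAMIC":
        # iss follows whichever domain received the OAuth 2.0 request,
        # so both domains have to be on the allow-list.
        hosts = {org_host} | ({custom_host} if custom_host else set())
        return {_with_host(server["issuer"], h) for h in hosts}
    raise ValueError(f"unknown issuerMode: {mode!r}")


def check_claims(claims, server, org_host, custom_host=None):
    """Return a list of iss/aud problems; an empty list means both claims pass."""
    problems = []
    # Exact string match only: prefix or substring matching is not safe here.
    if claims.get("iss") not in allowed_issuers(server, org_host, custom_host):
        problems.append("iss not permitted by issuerMode")
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]
    if not set(aud_values) & set(server["audiences"]):
        problems.append("aud does not match configured audience")
    return problems
```

A server switched to DYNAMIC widens the set of issuers its resource servers must accept, so review the allow-list whenever issuerMode changes.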
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list_authorization_servers | select | subdomain | q, limit, after | Lists all custom authorization servers in the org |
get_authorization_server | select | subdomain | | Retrieves an authorization server |
create_authorization_server | insert | subdomain | | Creates an authorization server |
replace_authorization_server | replace | subdomain | | Replaces an authorization server |
delete_authorization_server | delete | subdomain | | Deletes an authorization server |
activate_authorization_server | exec | subdomain | | Activates an authorization server |
deactivate_authorization_server | exec | subdomain | | Deactivates an authorization server |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
subdomain | string | The domain of your organization. This can be a provided subdomain of an official Okta domain (okta.com, oktapreview.com, etc.) or one of your configured custom domains. (default: my-org) |
after | string | Specifies the pagination cursor for the next page of authorization servers. Treat as an opaque value and obtain through the next link relationship. |
limit | integer (int32) | Specifies the number of authorization server results on a page. Maximum value: 200 |
q | string | Searches the name and audiences of authorization servers for matching values (example: customasone) |
SELECT examples
- list_authorization_servers
- get_authorization_server
Lists all custom authorization servers in the org
SELECT
id,
name,
_links,
accessTokenEncryptedResponseAlgorithm,
audiences,
created,
credentials,
description,
issuer,
issuerMode,
jwks,
jwks_uri,
lastUpdated,
status
FROM okta.authorizationservers.authorization_servers
WHERE subdomain = '{{ subdomain }}' -- required
AND q = '{{ q }}'
AND limit = '{{ limit }}'
AND after = '{{ after }}';
Retrieves an authorization server
SELECT
id,
name,
_links,
accessTokenEncryptedResponseAlgorithm,
audiences,
created,
credentials,
description,
issuer,
issuerMode,
jwks,
jwks_uri,
lastUpdated,
status
FROM okta.authorizationservers.authorization_servers
WHERE subdomain = '{{ subdomain }}'; -- required
INSERT examples
- create_authorization_server
- Manifest
Creates an authorization server
INSERT INTO okta.authorizationservers.authorization_servers (
data__accessTokenEncryptedResponseAlgorithm,
data__audiences,
data__credentials,
data__description,
data__issuer,
data__issuerMode,
data__jwks,
data__jwks_uri,
data__name,
data__status,
subdomain
)
SELECT
'{{ accessTokenEncryptedResponseAlgorithm }}',
'{{ audiences }}',
'{{ credentials }}',
'{{ description }}',
'{{ issuer }}',
'{{ issuerMode }}',
'{{ jwks }}',
'{{ jwks_uri }}',
'{{ name }}',
'{{ status }}',
'{{ subdomain }}'
RETURNING
id,
name,
_links,
accessTokenEncryptedResponseAlgorithm,
audiences,
created,
credentials,
description,
issuer,
issuerMode,
jwks,
jwks_uri,
lastUpdated,
status
;
# Description fields are for documentation purposes
- name: authorization_servers
  props:
    - name: subdomain
      value: string
      description: Required parameter for the authorization_servers resource.
    - name: accessTokenEncryptedResponseAlgorithm
      value: string
      description: >
        The algorithm for encrypting access tokens issued by this authorization server. If this is requested, the response is signed, and then encrypted. The result is a nested JWT. The default, if omitted, is that no encryption is performed.
      valid_values: ['RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512']
    - name: audiences
      value: array
      description: >
        The recipients that the tokens are intended for. This becomes the `aud` claim in an access token. Okta currently supports only one audience.
    - name: credentials
      value: object
    - name: description
      value: string
      description: >
        The description of the custom authorization server
    - name: issuer
      value: string
      description: >
        The complete URL for the custom authorization server. This becomes the `iss` claim in an access token.
    - name: issuerMode
      value: string
      description: >
        Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL.
        `issuerMode` is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses.
        When set to `ORG_URL`, then in responses, `issuer` is the Okta org domain URL: `https://${yourOktaDomain}`.
        When set to `CUSTOM_URL`, then in responses, `issuer` is the custom domain URL configured in the administration user interface.
        When set to `DYNAMIC`, then in responses, `issuer` is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain.
        After you configure a custom URL domain, all new custom authorization servers use `CUSTOM_URL` by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use `DYNAMIC` by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled.
    - name: jwks
      value: object
      description: >
        A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for encrypting JWTs minted by the custom authorization server
    - name: jwks_uri
      value: string
      description: >
        URL string that references a JSON Web Key Set for encrypting JWTs minted by the custom authorization server
    - name: name
      value: string
      description: >
        The name of the custom authorization server
    - name: status
      value: string
      valid_values: ['ACTIVE', 'INACTIVE']
REPLACE examples
- replace_authorization_server
Replaces an authorization server
REPLACE okta.authorizationservers.authorization_servers
SET
data__accessTokenEncryptedResponseAlgorithm = '{{ accessTokenEncryptedResponseAlgorithm }}',
data__audiences = '{{ audiences }}',
data__credentials = '{{ credentials }}',
data__description = '{{ description }}',
data__issuer = '{{ issuer }}',
data__issuerMode = '{{ issuerMode }}',
data__jwks = '{{ jwks }}',
data__jwks_uri = '{{ jwks_uri }}',
data__name = '{{ name }}',
data__status = '{{ status }}'
WHERE
subdomain = '{{ subdomain }}' --required
RETURNING
id,
name,
_links,
accessTokenEncryptedResponseAlgorithm,
audiences,
created,
credentials,
description,
issuer,
issuerMode,
jwks,
jwks_uri,
lastUpdated,
status;
DELETE examples
- delete_authorization_server
Deletes an authorization server
DELETE FROM okta.authorizationservers.authorization_servers
WHERE subdomain = '{{ subdomain }}'; -- required
Lifecycle Methods
- activate_authorization_server
- deactivate_authorization_server
Activates an authorization server
EXEC okta.authorizationservers.authorization_servers.activate_authorization_server
@subdomain='{{ subdomain }}'; -- required
Deactivates an authorization server
EXEC okta.authorizationservers.authorization_servers.deactivate_authorization_server
@subdomain='{{ subdomain }}'; -- required