keys
Lists, gets or rotates a keys resource: the signing keys of an Okta Custom Authorization Server.
Overview
Name | keys |
Type | Resource |
Id | okta.authorizationservers.keys |
Fields
The following fields are returned by SELECT queries:
- list_authorization_server_keys
- get_authorization_server_key
Name | Datatype | Description |
---|---|---|
_links | object | Specifies link relations (see Web Linking) available using the JSON Hypertext Application Language specification. This object is used for dynamic discovery of related resources and lifecycle operations. |
alg | string | The algorithm used with the Key. Valid value: RS256 |
e | string | RSA public exponent, base64url-encoded (the JWK `e` member) |
kid | string | Unique identifier for the key; tokens carry it in their JOSE header so verifiers can pick the right key |
kty | string | Cryptographic algorithm family for the certificate's keypair. Valid value: RSA |
n | string | RSA modulus, base64url-encoded (the JWK `n` member). It is shared by the public and private halves of the key pair and ties them together |
status | string | An ACTIVE Key is used to sign tokens issued by the authorization server. Supported values: ACTIVE , NEXT , or EXPIRED <br> A NEXT Key is the next Key that the authorization server uses to sign tokens when Keys are rotated. The NEXT Key might not be listed if it hasn't been generated. An EXPIRED Key is the previous Key that the authorization server used to sign tokens. The EXPIRED Key might not be listed if no Key has expired or the expired Key was deleted. |
use | string | Acceptable use of the key. Valid value: sig |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list_authorization_server_keys | select | subdomain | | Lists all of the current, future, and expired Keys used by the Custom Authorization Server |
get_authorization_server_key | select | subdomain | | Retrieves an Authorization Server Key specified by the keyId |
rotate_authorization_server_keys | exec | subdomain | | Rotates the current Keys for a Custom Authorization Server. If you rotate Keys, the ACTIVE Key becomes the EXPIRED Key, the NEXT Key becomes the ACTIVE Key, and the Custom Authorization Server immediately begins using the new active Key to sign tokens. Note: Okta rotates your Keys automatically in AUTO mode. You can rotate Keys yourself in either mode. If Keys are rotated manually, you should invalidate any intermediate cache and fetch the Keys again using the Keys endpoint. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
subdomain | string | The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. (default: my-org) |
SELECT examples
- list_authorization_server_keys
- get_authorization_server_key
Lists all of the current, future, and expired Keys used by the Custom Authorization Server
SELECT
_links,
alg,
e,
kid,
kty,
n,
status,
use
FROM okta.authorizationservers.keys
WHERE subdomain = '{{ subdomain }}' -- required;
Retrieves an Authorization Server Key specified by the keyId
SELECT
_links,
alg,
e,
kid,
kty,
n,
status,
use
FROM okta.authorizationservers.keys
WHERE subdomain = '{{ subdomain }}' -- required;
Lifecycle Methods
- rotate_authorization_server_keys
Rotates the current Keys for a Custom Authorization Server. If you rotate Keys, the ACTIVE Key becomes the EXPIRED Key, the NEXT Key becomes the ACTIVE Key, and the Custom Authorization Server immediately begins using the new active Key to sign tokens.
> Note: Okta rotates your Keys automatically in AUTO mode. You can rotate Keys yourself in either mode. If Keys are rotated manually, you should invalidate any intermediate cache and fetch the Keys again using the Keys endpoint.
EXEC okta.authorizationservers.keys.rotate_authorization_server_keys
@subdomain='{{ subdomain }}' --required
@@json=
'{
"use": "{{ use }}"
}';
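The rotation semantics described above (NEXT becomes ACTIVE, ACTIVE becomes EXPIRED) and the note about invalidating intermediate caches, as an added Python example that is not StackQL or Okta code. It models the key set with the fields this resource returns, applies the documented rotation, and shows a relying-party cache that refetches once on an unknown `kid` and fails closed on a `kid` the issuer never published. The key material, the `make_key` helper, the `accept_expired` flag and the in-memory `server` standing in for the Keys endpoint are constructed for the example; a real verifier would fetch the key set over HTTPS and then check the token signature with the resolved key.

```python
"""Added example (not StackQL or Okta code). Models the documented rotation
(NEXT -> ACTIVE, ACTIVE -> EXPIRED) for okta.authorizationservers.keys and a
kid-keyed signing-key cache that refetches on an unknown kid, as the note on
invalidating intermediate caches advises. All key material is constructed."""
import base64
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Jwk:
    """The fields the keys resource returns, minus _links."""
    kid: str
    n: str        # base64url-encoded RSA modulus
    e: str        # base64url-encoded public exponent
    status: str   # ACTIVE | NEXT | EXPIRED
    alg: str = "RS256"
    kty: str = "RSA"
    use: str = "sig"


def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url JWK integer (n or e) to a Python int."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def modulus_bits(key: Jwk) -> int:
    """Bit length of n; a sanity check that the published key is 2048-bit."""
    return b64url_to_int(key.n).bit_length()


def make_key(kid: str, status: str, seed: int) -> Jwk:
    """Constructed key: 2048-bit modulus bytes derived from seed, e = 65537.
    Not a real key pair; it only exercises kid and status handling."""
    raw_n = bytes([0x80]) + bytes([(seed * 7 + i) % 256 for i in range(255)])
    n = base64.urlsafe_b64encode(raw_n).decode().rstrip("=")
    return Jwk(kid=kid, n=n, e="AQAB", status=status)


def rotate(keys: List[Jwk], new_next: Optional[Jwk] = None) -> List[Jwk]:
    """NEXT -> ACTIVE, ACTIVE -> EXPIRED, the previous EXPIRED key is dropped.
    The page says NEXT may be absent until it has been generated, so the
    replacement NEXT is optional (assumption: in this model the caller supplies it)."""
    by_status = {k.status: k for k in keys}
    if "ACTIVE" not in by_status or "NEXT" not in by_status:
        raise ValueError("rotation needs both an ACTIVE and a NEXT key")
    rotated = [replace(by_status["NEXT"], status="ACTIVE"),
               replace(by_status["ACTIVE"], status="EXPIRED")]
    if new_next is not None:
        if new_next.status != "NEXT":
            raise ValueError("replacement key must have status NEXT")
        rotated.insert(1, new_next)
    return rotated


class SigningKeyCache:
    """Relying-party side: index published keys by kid, refetch on a miss."""

    def __init__(self, fetch: Callable[[], List[Jwk]]):
        self._fetch = fetch          # stands in for a GET on the Keys endpoint
        self._by_kid: Dict[str, Jwk] = {}
        self.fetch_count = 0

    def _refresh(self) -> None:
        self.fetch_count += 1
        # Only RSA/RS256 signing keys are usable for token verification.
        self._by_kid = {k.kid: k for k in self._fetch()
                        if k.use == "sig" and k.kty == "RSA" and k.alg == "RS256"}

    def resolve(self, kid: str, accept_expired: bool = True) -> Optional[Jwk]:
        """Key for kid, or None if the issuer does not publish it. An unknown kid
        costs exactly one refetch, so a token signed with a freshly rotated key
        verifies without waiting for a TTL, while a kid the issuer never published
        fails closed. A cached key's status may be stale until the next refetch."""
        if kid not in self._by_kid:
            self._refresh()
        key = self._by_kid.get(kid)
        if key is None or (key.status == "EXPIRED" and not accept_expired):
            return None
        return key


def demo() -> Dict[str, object]:
    """One manual rotation as seen from a relying party."""
    server = {"keys": [make_key("k-active", "ACTIVE", 1), make_key("k-next", "NEXT", 2)]}
    cache = SigningKeyCache(lambda: list(server["keys"]))
    before = cache.resolve("k-active")                   # first use: fetch 1
    server["keys"] = rotate(server["keys"], make_key("k-next2", "NEXT", 3))
    cache.resolve("k-next")                              # pre-published NEXT: cache hit
    hits_without_fetch = cache.fetch_count
    fresh = cache.resolve("k-next2")                     # unknown kid: fetch 2
    old = cache.resolve("k-active")                      # now EXPIRED, still published
    rejected = cache.resolve("k-active", accept_expired=False)
    unknown = cache.resolve("k-forged")                  # never published: fetch 3
    return {"before": before.status if before else None,
            "hits_without_fetch": hits_without_fetch,
            "fresh": fresh.status if fresh else None,
            "old": old.status if old else None,
            "rejected": rejected, "unknown": unknown,
            "fetches": cache.fetch_count,
            "bits": modulus_bits(fresh) if fresh else 0,
            "e": b64url_to_int(fresh.e) if fresh else 0}
```

Two details in `demo()` are worth noticing. The NEXT key is published before it becomes ACTIVE, so a cache that indexed the whole key set already holds it and the first tokens signed after rotation verify with no refetch at all; only a key the cache has never seen (here the new NEXT) triggers the refetch the page's note calls for. Whether an EXPIRED key should still verify tokens is the relying party's policy: keeping it accepted lets tokens issued just before the rotation finish their lifetime, which is why the resource keeps listing it; `accept_expired` is the example's own knob, not a StackQL or Okta parameter.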