APIGOV-32943 — Okta IDP per-scope policy lifecycle, app name templates, and scope exclude list#1049
Draft
sbolosan wants to merge 9 commits into
Automated policy management:
When a credential is provisioned, the agent now creates or updates an Okta authorization policy scoped to the specific access being granted. When a credential is deprovisioned, the agent removes the credential from that policy. If it was the last credential on the policy, the agent automatically cleans up the policy entirely rather than leaving empty policies behind in Okta.
Configurable naming:
Okta app and policy names can now be built from a configurable template using placeholders for the Marketplace application name, owning team, credential name, scope, and OAuth flow. Names are validated at startup and length limits are enforced before anything is sent to Okta.
Team name resolution:
When registering an app in Okta, if the owning team isn't immediately available in the local cache, the agent will look it up from the platform and cache it for future use.
Scope filtering:
Scopes returned by Okta (such as openid, profile, email) can be filtered out from what is shown in the Marketplace UI using a configurable exclude list.