Last Updated | 21 March 2022 |
Document Tag | tch-research-next-gen-authz |
Author | simonm@thecyberhut.com |
Part of Research Product | Next Generation Authorization Technology |
Okta typically provides monthly releases to their SaaS offering. The following is a list of authorization related capabilities they have released since 2019.
2019 (9 updates)

| Date | Feature | Details |
|---|---|---|
| Feb 2019 | OAuth2 Token Inline Hooks | Ability to add custom attributes, perhaps by third-party call out, into access and ID tokens |
| March 2019 | Enable Role Assignment to Every Member of a Group | Ability to perform bulk role assignments via API |
| March 2019 | OAuth2 PKCE for OAuth2 Clients | Support for Proof Key for Code Exchange for OAuth2 clients |
| May 2019 | Token Inline Hooks Can Remove Claims | Ability to change or entirely remove claims issued by the Okta OAuth2 authorization server |
| June 2019 | OAuth2 Refresh Token Expiration Extended to 5 Years | Refresh tokens can now live for up to 5 years |
| Sept 2019 | Separate Rate Limits Applied to OAuth2 Public Endpoint | Ability to have separate rate limits on each endpoint |
| Oct 2019 | OAuth2 Scope Naming Restrictions | Scopes can't have the word "okta" as a prefix within the scope name |
| Dec 2019 | SAML Inline Hook Availability | SAML assertions now have an API hook that allows the addition and modification of attributes that go into the SAML assertion |
| Dec 2019 | OAuth2 Clear Sessions Endpoint Available | An endpoint available for per-user session clear down |
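The March 2019 PKCE entry is worth seeing in code, because the protection only holds if the authorization server checks the verifier correctly at the token endpoint. The following is an added example written for this note, not Okta's code: it implements the RFC 7636 S256 client side (verifier and challenge generation) and the server-side comparison, using only the Python standard library. Function names and the length limits are from the RFC; nothing here is an Okta API.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url encoding without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to a 43-character verifier, the RFC minimum;
    # the alphabet produced (A-Z a-z 0-9 - _) is within the allowed set
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    # The check an authorization server performs at the token endpoint:
    # recompute the challenge from the verifier the client now presents and
    # compare it with the challenge stored at /authorize time.
    if not (43 <= len(presented_verifier) <= 128):
        return False  # outside the RFC 7636 length bounds
    if method == "S256":
        expected = make_challenge(presented_verifier)
    elif method == "plain":
        expected = presented_verifier  # allowed by the RFC but gives no protection against an intercepted authorization request
    else:
        return False  # unknown transform: reject rather than guess
    # constant-time comparison so the check itself leaks nothing about the stored value
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = make_verifier()
    c = make_challenge(v)
    print("verifier:", v)
    print("challenge:", c)
    print("token endpoint accepts:", verify_pkce(c, "S256", v))
    print("token endpoint accepts wrong verifier:", verify_pkce(c, "S256", make_verifier()))
```

On the defensive side the two things to confirm in any deployment are that public clients are configured to require PKCE (so a missing `code_challenge` is rejected at `/authorize`) and that `S256` rather than `plain` is the method in use.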
2020 (4 updates)

| Date | Feature | Details |
|---|---|---|
| Feb 2020 | OAuth2 Added to Policy API | The central policy and rule API can now operate against OAuth2 operations |
| Aug 2020 | OAuth2 Auth Code Length Increase | OAuth2 authorization code length increased to 256 bits of entropy |
| Oct 2020 | Groups API Extended Search in EA | The Groups API has extended search capabilities added in the early access version |
| Dec 2020 | One Time Use Refresh Tokens Now in EA | One-time-use refresh tokens (token rotation) for OAuth2 now available in the early access version |
2021 (8 updates)

| Date | Feature | Details |
|---|---|---|
| Jan 2021 | New Apps API in EA | Apps API in early access, for managing applications and user/group to application relations |
| April 2021 | OAuth2 Authorization Code Lifetime Increases | Lifetime increased from 1 minute to 5 minutes |
| June 2021 | OAuth2 Flexible Consent Option in GA | Flexible Consent option now available, except for the client credentials flow |
| Aug 2021 | Addition of Risk Events and Risk Providers API now in EA | New APIs for the use of third-party risk signals such as IP addressing |
| Aug 2021 | Device Authorization Grant now EA | OAuth2 Device Grant for IoT-style projects now in early access |
| Sept 2021 | OAuth2 Issuer URL Can be Dynamic | Issuer URL can be configured based on domain, sub-domain, custom domain, etc. |
| Nov 2021 | OAuth2 Device Grant in GA | OAuth2 Device Grant for IoT-style projects now generally available |
| Nov 2021 | OAuth2 Device Authorization Grant now GA | OAuth2 Device Authorization Grant now generally available |
2022 (3 updates)

| Date | Feature | Details |
|---|---|---|
| Jan 2022 | Custom Permissions for Admin Roles | Admin roles can now have custom permissions |
| Feb 2022 | Role Assignment Improvements | Assigning roles to groups has been improved by retaining the existing role ID where possible |
| March 2022 | Authentication Timestamp Added to Access Tokens | `auth_time` claim added to OAuth2 access tokens, containing the authentication time as a Unix timestamp |
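The March 2022 `auth_time` claim matters to a resource server because `exp` only says how long the token is valid, not how recently the user actually authenticated; a token minted from a long-lived session, or obtained via a refresh token, can be perfectly valid while the last real login is hours old. The following is an added example for this note, not Okta code: a resource-server-side freshness check that reads the claim and applies a step-up style maximum age. The token builder, claim values and the 60-second skew tolerance are constructed for the example; the check assumes the token's signature has already been validated against the issuer's JWKS, which this code deliberately does not do.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token(claims: dict) -> str:
    # Constructed, UNSIGNED sample token for the example only: header.payload.placeholder
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def read_claims(token: str) -> dict:
    # Returns the payload of a compact JWS. It does NOT verify the signature;
    # only call it on tokens that have already been validated against the issuer's keys.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def authentication_is_fresh(claims: dict, max_age: int, now: Optional[int] = None) -> bool:
    # Step-up rule: the user must have actively authenticated within max_age seconds.
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int) or isinstance(auth_time, bool):
        return False  # claim absent (tokens issued before this feature) or malformed: treat as stale
    if auth_time > now + 60:
        return False  # beyond clock-skew tolerance: reject rather than trust a future timestamp
    return now - auth_time <= max_age


if __name__ == "__main__":
    # Constructed sample: token still valid (exp in the future), but the login is ~2h46m old
    now = 1_647_000_000
    sample = {"sub": "user-1", "iat": now, "exp": now + 3600, "auth_time": now - 10_000}
    token = build_sample_token(sample)
    claims = read_claims(token)
    print("ordinary read (24h max_age):", authentication_is_fresh(claims, 86_400, now))
    print("sensitive action (5min max_age):", authentication_is_fresh(claims, 300, now))
```

A resource server that protects sensitive operations (payment, credential change, admin actions) can use the second result to return an error that sends the client back through an authorization request with `prompt=login` or an equivalent re-authentication request, rather than relying on `exp` alone.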