From bd1c82f075b7807397d46aecee7cb48a3f293c7a Mon Sep 17 00:00:00 2001 From: almog2296 Date: Wed, 4 Feb 2026 12:09:55 +0200 Subject: [PATCH 1/5] all --- Packs/Okta/Integrations/Okta_v2/Okta_v2.py | 8 ++-- Packs/Okta/Integrations/Okta_v2/Okta_v2.yml | 7 +++ .../Okta/Integrations/Okta_v2/Okta_v2_test.py | 46 +++++++++++++++++++ Packs/Okta/Integrations/Okta_v2/README.md | 3 ++ Packs/Okta/ReleaseNotes/3_3_34.md | 6 +++ Packs/Okta/pack_metadata.json | 2 +- 6 files changed, 68 insertions(+), 4 deletions(-) create mode 100644 Packs/Okta/ReleaseNotes/3_3_34.md diff --git a/Packs/Okta/Integrations/Okta_v2/Okta_v2.py b/Packs/Okta/Integrations/Okta_v2/Okta_v2.py index 50e0c9a78614..a50fb5e11893 100644 --- a/Packs/Okta/Integrations/Okta_v2/Okta_v2.py +++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2.py @@ -483,9 +483,10 @@ def delete_user(self, user_term): uri = f"/api/v1/users/{encode_string_results(user_term)}" return self.http_request(method="DELETE", url_suffix=uri, resp_type="text") - def clear_user_sessions(self, user_id): + def clear_user_sessions(self, user_id, revoke_oauth_tokens=False): uri = f"/api/v1/users/{user_id}/sessions" - return self.http_request(method="DELETE", url_suffix=uri, resp_type="text") + params = {"oauthTokens": "true"} if revoke_oauth_tokens else None + return self.http_request(method="DELETE", url_suffix=uri, params=params, resp_type="text") def get_zone(self, zoneID): uri = f"/api/v1/zones/{zoneID}" @@ -1030,7 +1031,8 @@ def delete_user_command(client, args): def clear_user_sessions_command(client, args): user_id = args.get("userId") - raw_response = client.clear_user_sessions(user_id) + revoke_oauth_tokens = argToBoolean(args.get("revoke_oauth_tokens", False)) + raw_response = client.clear_user_sessions(user_id, revoke_oauth_tokens) outputs = { "Okta.Metadata(true)": client.request_metadata, } diff --git a/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml b/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml index 5d79c7f5fe95..d51337f98c23 100644 
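Review bot: `user_id` is interpolated into the request path unencoded in `clear_user_sessions` (`uri = f"/api/v1/users/{user_id}/sessions"`), and the command hunk that follows passes `args.get("userId")` through without validation. With this change the same DELETE can also revoke OAuth tokens, so a value containing `/`, `?` or `#` could alter the path or query that is sent. Percent-encoding the segment, for example `uri = f"/api/v1/users/{urllib.parse.quote(str(user_id), safe='')}/sessions"` (importing `urllib.parse` if the file does not already), keeps it a single path segment. That line is unchanged context here, so the gap predates the commit, and how `http_request` joins `url_suffix` is not visible in the hunk. The new parameter also deserves a one-line docstring such as `"""Clear the user's sessions; when revoke_oauth_tokens is true, send oauthTokens=true so OAuth/OIDC tokens are revoked too."""`.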
--- a/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml +++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml @@ -1557,6 +1557,13 @@ script: - description: Okta User ID. name: userId required: true + - description: When true, revokes OpenID Connect and OAuth refresh and access tokens issued to the user. + name: revoke_oauth_tokens + auto: PREDEFINED + defaultValue: 'false' + predefined: + - 'true' + - 'false' description: |- Removes all active identity provider sessions. This forces the user to authenticate upon the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. For more information and examples: diff --git a/Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py b/Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py index d639a6d5d286..fd3ddb52b6a1 100644 --- a/Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py +++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py 
@@ -1387,3 +1387,49 @@ def test_extract_user_and_factor_id_from_url_failure(url): with pytest.raises(DemistoException, match="Could not extract user ID and Factor ID from the polling URL"): extract_user_and_factor_id_from_url(url) + + +def test_clear_user_sessions_with_oauth_tokens(mocker): + """ + Given: + - Arguments for clear_user_sessions_command with revokeOauthTokens set to true. + When: + - Running clear_user_sessions_command. + Then: + - Ensure the clear_user_sessions method is called with revoke_oauth_tokens=True. + - Ensure the API is called with the oauthTokens query parameter. + """ + mock_http_request = mocker.patch.object(client, "http_request", return_value="") + client.request_metadata = {} + + client.clear_user_sessions("TestUserID456", revoke_oauth_tokens=True) + + mock_http_request.assert_called_once_with( + method="DELETE", + url_suffix="/api/v1/users/TestUserID456/sessions", + params={"oauthTokens": "true"}, + resp_type="text", + ) + + +def test_clear_user_sessions_without_oauth_tokens(mocker): + """ + Given: + - Arguments for clear_user_sessions_command with revokeOauthTokens set to false (default). + When: + - Running clear_user_sessions_command. + Then: + - Ensure the clear_user_sessions method is called with revoke_oauth_tokens=False. + - Ensure the API is called without the oauthTokens query parameter. + """ + mock_http_request = mocker.patch.object(client, "http_request", return_value="") + client.request_metadata = {} + + client.clear_user_sessions("TestUserID789", revoke_oauth_tokens=False) + + mock_http_request.assert_called_once_with( + method="DELETE", + url_suffix="/api/v1/users/TestUserID789/sessions", + params=None, + resp_type="text", + ) diff --git a/Packs/Okta/Integrations/Okta_v2/README.md b/Packs/Okta/Integrations/Okta_v2/README.md index e99cd2d45f64..cd3042d89543 100644 --- a/Packs/Okta/Integrations/Okta_v2/README.md +++ b/Packs/Okta/Integrations/Okta_v2/README.md 
@@ -55,6 +55,8 @@ The following scopes are required for the Okta v2 integration to work properly: For more information, see the '[Implement OAuth for Okta](https://developer.okta.com/docs/guides/implement-oauth-for-okta/main/)' official documentation article. +**Note:** OAuth 2.0 authentication is confirmed to support the 'Revoke all user sessions' functionality. When using the `okta-clear-user-sessions` command with `revokeOauthTokens=true`, it revokes OpenID Connect and OAuth refresh and access tokens issued to the user. + ### Instance Configuration | **Parameter** | **Description** | **Required** | @@ -2172,6 +2174,7 @@ https://developer.okta.com/docs/reference/api/users/#user-sessions | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | userId | Okta User ID. | Required | +| revoke_oauth_tokens | When true, revokes OpenID Connect and OAuth refresh and access tokens issued to the user. Possible values are: true, false. Default is false. | Optional | #### Context Output diff --git a/Packs/Okta/ReleaseNotes/3_3_34.md b/Packs/Okta/ReleaseNotes/3_3_34.md new file mode 100644 index 000000000000..6328e192def8 --- /dev/null +++ b/Packs/Okta/ReleaseNotes/3_3_34.md @@ -0,0 +1,6 @@ + +#### Integrations + +##### Okta v2 + +- Added support for the *revoke_oauth_tokens* argument in the **okta-clear-user-sessions** command. diff --git a/Packs/Okta/pack_metadata.json b/Packs/Okta/pack_metadata.json index 4782bf0c5cfa..1dd19423b72c 100644 --- a/Packs/Okta/pack_metadata.json +++ b/Packs/Okta/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Okta", "description": "Integration with Okta's cloud-based identity management service.", "support": "xsoar", - "currentVersion": "3.3.33", + "currentVersion": "3.3.34", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 76185895252bd2353df54ba67a22b1c432c7ca2d Mon Sep 17 00:00:00 2001 
From: almog2296 Date: Wed, 4 Feb 2026 13:48:39 +0200 Subject: [PATCH 2/5] fix after ai review --- Packs/Okta/Integrations/Okta_v2/README.md | 2 +- Packs/Okta/ReleaseNotes/3_3_34.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Packs/Okta/Integrations/Okta_v2/README.md b/Packs/Okta/Integrations/Okta_v2/README.md index cd3042d89543..b1687fcebf50 100644 --- a/Packs/Okta/Integrations/Okta_v2/README.md +++ b/Packs/Okta/Integrations/Okta_v2/README.md @@ -55,7 +55,7 @@ The following scopes are required for the Okta v2 integration to work properly: For more information, see the '[Implement OAuth for Okta](https://developer.okta.com/docs/guides/implement-oauth-for-okta/main/)' official documentation article. -**Note:** OAuth 2.0 authentication is confirmed to support the 'Revoke all user sessions' functionality. When using the `okta-clear-user-sessions` command with `revokeOauthTokens=true`, it revokes OpenID Connect and OAuth refresh and access tokens issued to the user. +**Note:** OAuth 2.0 authentication is confirmed to support the 'Revoke all user sessions' functionality. When using the `okta-clear-user-sessions` command with `revoke_oauth_tokens=true`, it revokes OpenID Connect and OAuth refresh and access tokens issued to the user. ### Instance Configuration diff --git a/Packs/Okta/ReleaseNotes/3_3_34.md b/Packs/Okta/ReleaseNotes/3_3_34.md index 6328e192def8..e479ef515406 100644 --- a/Packs/Okta/ReleaseNotes/3_3_34.md +++ b/Packs/Okta/ReleaseNotes/3_3_34.md @@ -3,4 +3,4 @@ ##### Okta v2 -- Added support for the *revoke_oauth_tokens* argument in the **okta-clear-user-sessions** command. +- Added support for *revoke_oauth_tokens* argument in the **okta-clear-user-sessions** command. From b11cc7c4b5e13bd3da63eb8360bf36618b4dea54 Mon Sep 17 00:00:00 2001 
From: almog2296 Date: Thu, 5 Feb 2026 15:07:36 +0200 Subject: [PATCH 3/5] change argument name to revokeOauthTokens and default to true --- Packs/Okta/Integrations/Okta_v2/Okta_v2.py | 2 +- Packs/Okta/Integrations/Okta_v2/Okta_v2.yml | 4 ++-- Packs/Okta/Integrations/Okta_v2/README.md | 2 +- Packs/Okta/ReleaseNotes/3_3_34.md | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Packs/Okta/Integrations/Okta_v2/Okta_v2.py b/Packs/Okta/Integrations/Okta_v2/Okta_v2.py index a50fb5e11893..5994b3e2b1c6 100644 --- a/Packs/Okta/Integrations/Okta_v2/Okta_v2.py +++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2.py @@ -1031,7 +1031,7 @@ def delete_user_command(client, args): def clear_user_sessions_command(client, args): user_id = args.get("userId") - revoke_oauth_tokens = argToBoolean(args.get("revoke_oauth_tokens", False)) + revoke_oauth_tokens = argToBoolean(args.get("revokeOauthTokens", True)) raw_response = client.clear_user_sessions(user_id, revoke_oauth_tokens) outputs = { "Okta.Metadata(true)": client.request_metadata, diff --git a/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml b/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml index d51337f98c23..1cbc6b6847ff 100644 --- a/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml +++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml @@ -1558,9 +1558,9 @@ script: name: userId required: true - description: When true, revokes OpenID Connect and OAuth refresh and access tokens issued to the user. - name: revoke_oauth_tokens + name: revokeOauthTokens auto: PREDEFINED - defaultValue: 'false' + defaultValue: 'true' predefined: - 'true' - 'false' diff --git a/Packs/Okta/Integrations/Okta_v2/README.md b/Packs/Okta/Integrations/Okta_v2/README.md index b1687fcebf50..396cceb486f0 100644 --- a/Packs/Okta/Integrations/Okta_v2/README.md +++ b/Packs/Okta/Integrations/Okta_v2/README.md 
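Review bot: Defaulting `revokeOauthTokens` to `True` in `clear_user_sessions_command` changes what existing playbooks do. Every call that omits the argument will now send `oauthTokens=true` and revoke the user's OAuth and OpenID Connect tokens in addition to the identity provider sessions, whereas before this series the request carried no query parameters. That is the stronger default for containment, but the release note in this patch still reads as a pure addition; it should state the change, e.g. `- **okta-clear-user-sessions** now revokes OAuth and OpenID Connect tokens by default; set *revokeOauthTokens=false* to keep the previous behavior.` The client method `clear_user_sessions` still declares `revoke_oauth_tokens=False` (patch 1/5), so a direct caller that omits the flag would silently skip revocation; aligning the two defaults would remove that mismatch. The function body continues outside the hunk.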
@@ -2174,7 +2174,7 @@ https://developer.okta.com/docs/reference/api/users/#user-sessions | **Argument Name** | **Description** | **Required** | | --- | --- | --- | | userId | Okta User ID. | Required | -| revoke_oauth_tokens | When true, revokes OpenID Connect and OAuth refresh and access tokens issued to the user. Possible values are: true, false. Default is false. | Optional | +| revokeOauthTokens | When true, revokes OpenID Connect and OAuth refresh and access tokens issued to the user. Possible values are: true, false. Default is true. | Optional | #### Context Output diff --git a/Packs/Okta/ReleaseNotes/3_3_34.md b/Packs/Okta/ReleaseNotes/3_3_34.md index e479ef515406..8cd1f89ecbf0 100644 --- a/Packs/Okta/ReleaseNotes/3_3_34.md +++ b/Packs/Okta/ReleaseNotes/3_3_34.md @@ -3,4 +3,4 @@ ##### Okta v2 -- Added support for *revoke_oauth_tokens* argument in the **okta-clear-user-sessions** command. +- Added support for *revokeOauthTokens* argument in the **okta-clear-user-sessions** command. From bcfff535f1d357440a19034c723d31fba3042d13 Mon Sep 17 00:00:00 2001 From: almog2296 Date: Thu, 5 Feb 2026 15:12:26 +0200 Subject: [PATCH 4/5] update readme --- Packs/Okta/Integrations/Okta_v2/Okta_v2.yml | 2 +- Packs/Okta/Integrations/Okta_v2/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml b/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml index 1cbc6b6847ff..b3f841191238 100644 --- a/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml +++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml 
@@ -1565,7 +1565,7 @@ script: - 'true' - 'false' description: |- - Removes all active identity provider sessions. This forces the user to authenticate upon the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. + Removes all active identity provider sessions. This forces the user to authenticate upon the next operation. By default, OpenID Connect and OAuth refresh and access tokens issued to the user are revoked. Token revocation can be disabled if needed. For more information and examples: https://developer.okta.com/docs/reference/api/users/#user-sessions name: okta-clear-user-sessions diff --git a/Packs/Okta/Integrations/Okta_v2/README.md b/Packs/Okta/Integrations/Okta_v2/README.md index 396cceb486f0..4e1fafe6f064 100644 --- a/Packs/Okta/Integrations/Okta_v2/README.md +++ b/Packs/Okta/Integrations/Okta_v2/README.md @@ -2161,7 +2161,7 @@ Deletes the specified user. ### okta-clear-user-sessions *** -Removes all active identity provider sessions. This forces the user to authenticate upon the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. +Removes all active identity provider sessions. This forces the user to authenticate upon the next operation. By default, OpenID Connect and OAuth refresh and access tokens issued to the user are revoked. Token revocation can be disabled if needed. For more information and examples: https://developer.okta.com/docs/reference/api/users/#user-sessions From 75ceefc8405fb3d9b7c8a7535d91b7b039d38489 Mon Sep 17 00:00:00 2001 From: almog2296 Date: Thu, 5 Feb 2026 15:33:47 +0200 Subject: [PATCH 5/5] update tests from ai review --- Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py b/Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py index fd3ddb52b6a1..95096da0858a 100644 
--- a/Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py +++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py @@ -7,6 +7,7 @@ Client, apply_zone_updates, assign_group_to_app_command, + clear_user_sessions_command, create_group_command, create_user_command, create_zone_command, @@ -1402,7 +1403,8 @@ def test_clear_user_sessions_with_oauth_tokens(mocker): mock_http_request = mocker.patch.object(client, "http_request", return_value="") client.request_metadata = {} - client.clear_user_sessions("TestUserID456", revoke_oauth_tokens=True) + args = {"userId": "TestUserID456", "revokeOauthTokens": "true"} + readable_output, outputs, raw_response = clear_user_sessions_command(client, args) mock_http_request.assert_called_once_with( method="DELETE", @@ -1410,12 +1412,13 @@ def test_clear_user_sessions_with_oauth_tokens(mocker): params={"oauthTokens": "true"}, resp_type="text", ) + assert "TestUserID456" in readable_output def test_clear_user_sessions_without_oauth_tokens(mocker): """ Given: - - Arguments for clear_user_sessions_command with revokeOauthTokens set to false (default). + - Arguments for clear_user_sessions_command with revokeOauthTokens set to false. When: - Running clear_user_sessions_command. Then: @@ -1425,7 +1428,8 @@ def test_clear_user_sessions_without_oauth_tokens(mocker): mock_http_request = mocker.patch.object(client, "http_request", return_value="") client.request_metadata = {} - client.clear_user_sessions("TestUserID789", revoke_oauth_tokens=False) + args = {"userId": "TestUserID789", "revokeOauthTokens": "false"} + readable_output, outputs, raw_response = clear_user_sessions_command(client, args) mock_http_request.assert_called_once_with( method="DELETE", @@ -1433,3 +1437,4 @@ def test_clear_user_sessions_without_oauth_tokens(mocker): params=None, resp_type="text", ) + assert "TestUserID789" in readable_output
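Review bot: Neither updated test covers the case where `revokeOauthTokens` is omitted, which is the path whose default was switched to `True` in patch 3/5 and the one most callers will take. Both tests pass the argument explicitly, so a regression in `args.get("revokeOauthTokens", True)` that stopped revoking tokens by default would not be caught. A third test that calls `clear_user_sessions_command` with only `userId` and asserts `params={"oauthTokens": "true"}` would pin that behaviour; the user ID below is a constructed sample value.

```python
def test_clear_user_sessions_default_revokes_oauth_tokens(mocker):
    """
    Given:
        - Arguments for clear_user_sessions_command without revokeOauthTokens.
    When:
        - Running clear_user_sessions_command.
    Then:
        - Ensure the API is called with the oauthTokens query parameter.
    """
    mock_http_request = mocker.patch.object(client, "http_request", return_value="")
    client.request_metadata = {}

    clear_user_sessions_command(client, {"userId": "TestUserID000"})

    mock_http_request.assert_called_once_with(
        method="DELETE",
        url_suffix="/api/v1/users/TestUserID000/sessions",
        params={"oauthTokens": "true"},
        resp_type="text",
    )
```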