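--- a/Packs/Okta/Integrations/Okta_v2/Okta_v2.py
+++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2.py
@@ -483,9 +483,10 @@ def delete_user(self, user_term):
 uri = f"/api/v1/users/{encode_string_results(user_term)}"
 return self.http_request(method="DELETE", url_suffix=uri, resp_type="text")
 
-def clear_user_sessions(self, user_id):
+def clear_user_sessions(self, user_id, revoke_oauth_tokens=False):
 uri = f"/api/v1/users/{user_id}/sessions"
-return self.http_request(method="DELETE", url_suffix=uri, resp_type="text")
+params = {"oauthTokens": "true"} if revoke_oauth_tokens else None
+return self.http_request(method="DELETE", url_suffix=uri, params=params, resp_type="text")
 
 def get_zone(self, zoneID):
 uri = f"/api/v1/zones/{zoneID}"
@@ -1030,7 +1031,8 @@ def delete_user_command(client, args):
 
 def clear_user_sessions_command(client, args):
 user_id = args.get("userId")
-raw_response = client.clear_user_sessions(user_id)
+revoke_oauth_tokens = argToBoolean(args.get("revokeOauthTokens", True))
+raw_response = client.clear_user_sessions(user_id, revoke_oauth_tokens)
 outputs = {
 "Okta.Metadata(true)": client.request_metadata,
 }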
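Review bot: The two defaults disagree: the client method `clear_user_sessions` is added with `revoke_oauth_tokens=False`, while `clear_user_sessions_command` falls back to `True` when the argument is absent. Any caller that uses the client method directly and omits the flag clears the identity provider sessions but leaves the user's OAuth refresh and access tokens valid, which undercuts the action when it is run to contain a compromised account. I would drop the default or align it, `def clear_user_sessions(self, user_id, revoke_oauth_tokens=True):`, and add a one-line docstring saying the flag sends `oauthTokens=true`. `user_id` also goes into the path as-is on the unchanged `uri = f"/api/v1/users/{user_id}/sessions"` line; if it can originate from incident data, consider URL-quoting it before interpolation. The body of `clear_user_sessions_command` continues past the end of the second hunk.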
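--- a/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml
+++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2.yml
@@ -1557,8 +1557,15 @@ script:
 - description: Okta User ID.
 name: userId
 required: true
+- description: When true, revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
+name: revokeOauthTokens
+auto: PREDEFINED
+defaultValue: 'true'
+predefined:
+- 'true'
+- 'false'
 description: |-
-Removes all active identity provider sessions. This forces the user to authenticate upon the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
+Removes all active identity provider sessions. This forces the user to authenticate upon the next operation. By default, OpenID Connect and OAuth refresh and access tokens issued to the user are revoked. Token revocation can be disabled if needed.
 For more information and examples:
 https://developer.okta.com/docs/reference/api/users/#user-sessions
 name: okta-clear-user-sessions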
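Review bot: `defaultValue: 'true'` changes what existing playbooks do on upgrade: `okta-clear-user-sessions` called without the new argument previously sent no `oauthTokens` parameter and will now also revoke the user's OpenID Connect and OAuth tokens. That is the safer default for account containment, but the release note in this commit only says the argument was added, so operators whose integrations depend on those tokens get no warning. I would state the default in the argument description, e.g. `description: When true (the default), also revokes OpenID Connect and OAuth refresh and access tokens issued to the user. Set to false to clear sessions only.`, and say the same in the release note. The README note added in this commit refers to `revoke_oauth_tokens=true`, whereas the argument defined here is `revokeOauthTokens`.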
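--- a/Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py
+++ b/Packs/Okta/Integrations/Okta_v2/Okta_v2_test.py
@@ -7,6 +7,7 @@
 Client,
 apply_zone_updates,
 assign_group_to_app_command,
+clear_user_sessions_command,
 create_group_command,
 create_user_command,
 create_zone_command,
@@ -1387,3 +1388,53 @@ def test_extract_user_and_factor_id_from_url_failure(url):
 
 with pytest.raises(DemistoException, match="Could not extract user ID and Factor ID from the polling URL"):
 extract_user_and_factor_id_from_url(url)
+
+
+def test_clear_user_sessions_with_oauth_tokens(mocker):
+"""
+Given:
+- Arguments for clear_user_sessions_command with revokeOauthTokens set to true.
+When:
+- Running clear_user_sessions_command.
+Then:
+- Ensure the clear_user_sessions method is called with revoke_oauth_tokens=True.
+- Ensure the API is called with the oauthTokens query parameter.
+"""
+mock_http_request = mocker.patch.object(client, "http_request", return_value="")
+client.request_metadata = {}
+
+args = {"userId": "TestUserID456", "revokeOauthTokens": "true"}
+readable_output, outputs, raw_response = clear_user_sessions_command(client, args)
+
+mock_http_request.assert_called_once_with(
+method="DELETE",
+url_suffix="/api/v1/users/TestUserID456/sessions",
+params={"oauthTokens": "true"},
+resp_type="text",
+)
+assert "TestUserID456" in readable_output
+
+
+def test_clear_user_sessions_without_oauth_tokens(mocker):
+"""
+Given:
+- Arguments for clear_user_sessions_command with revokeOauthTokens set to false.
+When:
+- Running clear_user_sessions_command.
+Then:
+- Ensure the clear_user_sessions method is called with revoke_oauth_tokens=False.
+- Ensure the API is called without the oauthTokens query parameter.
+"""
+mock_http_request = mocker.patch.object(client, "http_request", return_value="")
+client.request_metadata = {}
+
+args = {"userId": "TestUserID789", "revokeOauthTokens": "false"}
+readable_output, outputs, raw_response = clear_user_sessions_command(client, args)
+
+mock_http_request.assert_called_once_with(
+method="DELETE",
+url_suffix="/api/v1/users/TestUserID789/sessions",
+params=None,
+resp_type="text",
+)
+assert "TestUserID789" in readable_output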
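Review bot: Neither new test covers the case where `revokeOauthTokens` is omitted, which is the path existing playbooks take and the one where the command fallback (`True`) and the client default (`False`) differ. A regression that flips the fallback would silently stop revoking tokens while both tests still pass. Add a third test that passes only `userId` and asserts `params={"oauthTokens": "true"}`, as sketched below with a constructed user ID. The docstrings also say the tests check how `clear_user_sessions` is called, but only `http_request` is asserted on.

```python
def test_clear_user_sessions_default_revokes_oauth_tokens(mocker):
    """
    Given:
        - Arguments for clear_user_sessions_command without revokeOauthTokens.
    When:
        - Running clear_user_sessions_command.
    Then:
        - Ensure the API is called with the oauthTokens query parameter (revocation is the default).
    """
    mock_http_request = mocker.patch.object(client, "http_request", return_value="")
    client.request_metadata = {}

    readable_output, _, _ = clear_user_sessions_command(client, {"userId": "TestUserID000"})

    mock_http_request.assert_called_once_with(
        method="DELETE",
        url_suffix="/api/v1/users/TestUserID000/sessions",
        params={"oauthTokens": "true"},
        resp_type="text",
    )
    assert "TestUserID000" in readable_output
```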
5 changes: 4 additions & 1 deletion Packs/Okta/Integrations/Okta_v2/README.md
@@ -55,6 +55,8 @@ The following scopes are required for the Okta v2 integration to work properly:

For more information, see the '[Implement OAuth for Okta](https://developer.okta.com/docs/guides/implement-oauth-for-okta/main/)' official documentation article.

**Note:** OAuth 2.0 authentication is confirmed to support the 'Revoke all user sessions' functionality. When using the `okta-clear-user-sessions` command with `revoke_oauth_tokens=true`, it revokes OpenID Connect and OAuth refresh and access tokens issued to the user.

### Instance Configuration

| **Parameter** | **Description** | **Required** |
@@ -2159,7 +2161,7 @@ Deletes the specified user.
### okta-clear-user-sessions

***
Removes all active identity provider sessions. This forces the user to authenticate upon the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
Removes all active identity provider sessions. This forces the user to authenticate upon the next operation. By default, OpenID Connect and OAuth refresh and access tokens issued to the user are revoked. Token revocation can be disabled if needed.
For more information and examples:
https://developer.okta.com/docs/reference/api/users/#user-sessions

@@ -2172,6 +2174,7 @@ https://developer.okta.com/docs/reference/api/users/#user-sessions
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| userId | Okta User ID. | Required |
| revokeOauthTokens | When true, revokes OpenID Connect and OAuth refresh and access tokens issued to the user. Possible values are: true, false. Default is true. | Optional |

#### Context Output

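--- a/Packs/Okta/ReleaseNotes/3_3_34.md
+++ b/Packs/Okta/ReleaseNotes/3_3_34.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Okta v2
+
+- Added support for *revokeOauthTokens* argument in the **okta-clear-user-sessions** command.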
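--- a/Packs/Okta/pack_metadata.json
+++ b/Packs/Okta/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Okta",
 "description": "Integration with Okta's cloud-based identity management service.",
 "support": "xsoar",
-"currentVersion": "3.3.33",
+"currentVersion": "3.3.34",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",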