Need more options? Use Custom API Actions!

Okta Workflows provide many connectors to end systems with a great variety of actions available. But like it often is with tools like this, that -one- option that we found in the systems API documentation, just is not available among the connector action cards. However, there is a hero on the horizon and to the rescue: custom API action.

Andreas Faltin
05. January 2022

Andreas is a cloud architect in Cloudworks and an Okta Technical Champion. He is helping customers on their digital Identity journey by designing and implementing complex IAM solutions. These have a high amount of automation to achieve high impact with minimal user friction.

This is a technical description in a series about Okta Workflows

Custom API action cards

Many Okta Workflows connectors have the option of using the action card “custom API action”. These cards are generic API call with POST/GET/PUT/PATCH/DELETE towards the end system that is configured in the connector.

For example, in the OKTA API we can trigger a forgot password reset for a user by calling “/api/v1/authn/recovery/password” with a JSON body containing the username and the factor to be used for the reset.

ForgotPassword Okta API documentation "Forgot password" part 1

Forgot-password Okta API documentation "Forgot password" part 2

With this information at hand, we can simply use this in an Okta Workflow together with the available Okta custom API action, even if we do not have this option available in the list of pre-defined actions:

CustomApiAction Example trigger "Forgot password" API through Okta custom API action

The relative URL is the full API call without the base URL.

Example with Okta:

Full URL
https://<youroktaorg>.okta.com/api/v1/authn/recovery/password
Relative URL
/api/v1/authn/recovery/password

Example with Microsoft Graph:

Full URL
https://graph.microsoft.com/v1.0/users/{id}/manager/$ref
Relative URL
/users/{id}/manager/$ref

Note: The relative URL does not always start at the first "/". Check the vendors API documentation for the relative or the base URL.

Of course, there is also the generic API connector available in the actions, but the benefits of the “custom API action” is the connector that is configured in the Okta Workflow connections.

API-Connector Generic API Connector in the Okta Workflows

We are just leveraging the existing access and permissions to call the custom API call without the requirement to take care of authentication to the API endpoint, which – for some APIs – can be bothersome. Of course, the access configured requires sufficient rights in the endpoint. These can exceed the access rights that the connector usually requires.