Skip to content

APIGOV-32943 — Okta IDP per-scope policy lifecycle, app name templates, and scope exclude list#1049

Merged
sbolosan merged 23 commits into
mainfrom
APIGOV-32943
Jul 9, 2026
Merged

APIGOV-32943 — Okta IDP per-scope policy lifecycle, app name templates, and scope exclude list#1049
sbolosan merged 23 commits into
mainfrom
APIGOV-32943

Conversation

@sbolosan

Copy link
Copy Markdown
Collaborator

Automated policy management :
When a credential is provisioned, the agent now creates or updates an Okta authorization policy scoped to the specific access being granted. When a credential is deprovisioned, the agent removes the credential from that policy. If it was the last credential on the policy, the agent automatically cleans up the policy entirely rather than leaving empty policies behind in Okta.

Configurable naming :
Okta app and policy names can now be built from a configurable template using placeholders for the Marketplace application name, owning team, credential name, scope, and OAuth flow. Names are validated at startup and length limits are enforced before anything is sent to Okta.

Team name resolution :
When registering an app in Okta, if the owning team isn't immediately available in the local cache, the agent will look it up from the platform and cache it for future use.

Scope filtering :
Scopes returned by Okta (such as openid, profile, email) can be filtered out from what is shown in the Marketplace UI using a configurable exclude list.

@dgghinea dgghinea marked this pull request as ready for review June 25, 2026 15:45
dgghinea and others added 6 commits June 26, 2026 14:02
* APIGOV-31191 validate cache

* APIGOV-31191 improvements and unit tests

* APIGOV-31191 refactor tests

* APIGOV-31191 validate instead of rebuild after 7 days

* APIGOV-31191 get scoped resources from cache

* APIGOV-31191 update shouldRebuildCache

* APIGOV-31191 fix logs

* APIGOV-31191 improvements

* APIGOV-32372 cache rebuild optimizations (#1023)

* APIGOV-32372 rebuild only failed kinds

* APIGOV-32372 fix for listener/cache rebuild race condition

* APIGOV-32372 merge main

* APIGOV-32372 remove else statement

Co-authored-by: Copilot <copilot@github.com>

* APIGOV-32327 wait for clients to be ready

* APIGOV-32372 improvements

* APIGOV-32372 fix for unlock on unlocked mutex error

* APIGOV-32372 guard against listener potential data race

---------

Co-authored-by: Copilot <copilot@github.com>

* APIGOV-31191 sequence and resource count pre validation

* APIGOV-31191 - remove timeout on harverter event sync

* APIGOV-31191 - Cache validation/rebuild refactoring (#1048)

* APIGOV-31191 - remove API calls for metadata check for cache validation

* APIGOV-31191 - Refactoring and cleanup
- Remove entire cache flush. Flush only the kind getting processed and after the API call is successful to avoid cache inconsistency
- Cleanup instance count map that should speed up building APIservice cache items
- Fixes

* APIGOV-31191 - check publishing lock and acquire lock while publishing

* APIGOV-31191 - fixes
- Fix for endless waitForCacheRebuild
- Fix to keep original APIService resource instance in cache when duplicates are added to the cache
- Fix to hook cache rebuild on stream client reconnection instead of harvester error and to address job pool status

* APIGOV-31191 - updates
- remove waitForCacheRebuild and use the error returned from harvester to trigger the job restart

* APIGOV-31191 - fallback to count checks if harvester is not reachable

* APIGOV-31191 - review comments + lock on harvester event sync

* APIGOV-31191 - lock on harvester event sync

* APIGOV-31191 - use APIServiceInstance counts to rebuild APIService cache

* APIGOV-31191 - use CreateOrUpdateResource for processing APIService

* APIGOV-31191 - fix to not make multiple x-agent-details update for APIService

* APIGOV-31191 - clean up event listener pauser

* APIGOV-31191 - fix client adapter

---------

Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Vivek Singh Chauhan <vchauhan@axway.com>
* APIGOV-31452 - send new insights events formats

* APIGOV-31452 - updates on access request

* APIGOV-31452 - add deep logging for event building

* APIGOV-31452 - add missing attribs for service revision id and agent version

* APIGOV-31452 - updated metric v3 events

* APIGOV-31452 - update for product owner

* APIGOV-31452 - fall back to apiserviceinstance by name

* APIGOV-31452 - add logging for unmarshaling

* APIGOV-31452 - update for embedded shape

* APIGOV-31452 - match the actual _embedded.metadata.references shape from the API server

* APIGOV-31452 - addition of owner

* APIGOV-31452 - add SetReporter builder method to CentralMetricBuilder

* APIGOV-31452 - update for published product watch topic

* APIGOV-31452 - revert watch topic logic

* APIGOV-31452 - get published product owner from embedded

* APIGOV-31452 - update unit test coverage

* APIGOV-31452 - add api metric for agents explicitly calling

* APIGOV-31452 - user id path

* APIGOV-31452 - update test coverage

* APIGOV-31452 - update sonar fixes

* APIGOV-31452 - update embed for x agent details apiservice fetch

* APIGOV-31452 - update leg with consumer details

* APIGOV-31452 - remove consumer details

* APIGOV-31452 - review

* APIGOV-31452 - set proxy funcs for on prem agents

* APIGOV-31452 - add backwards compatibility for leg

* APIGOV-31452 - update product block

* APIGOV-31452 - update rev id for on prem

* APIGOV-31452 - apiservicerev setter for some on prem agents

* APIGOV-31452 - update transaction fields

* APIGOV-31452 - update leg direction and proxy

* APIGOV-31452 - update proxy

* APIGOV-31452 - expose SetLegProxy for controller enrichment

* APIGOV-31452 - update on legs

* APIGOV-31452 - set owner from man app

* APIGOV-31452 - product owner fix

* APIGOV-31452 - update source and ip for v7 fixes

* APIGOV-31452 - remove flow header

* APIGOV-31452 - review

* APIGOV-31452 - review and unit test coverage

* APIGOV-31452 - update tests and comments

* APIGOV-31452 - PR comments and proxy updates

* APIGOV-31452 - update based on PR comments

* fix mocks

* fix rebase error

---------

Co-authored-by: Jason Collins <jcollins@axway.com>
Comment thread pkg/agent/handler/credential.go
jcollins-axway
jcollins-axway previously approved these changes Jul 1, 2026
vivekschauhan
vivekschauhan previously approved these changes Jul 1, 2026
alrosca
alrosca previously approved these changes Jul 1, 2026
@sbolosan sbolosan dismissed stale reviews from alrosca, vivekschauhan, and jcollins-axway via 3d3c287 July 7, 2026 20:56
jcollins-axway
jcollins-axway previously approved these changes Jul 8, 2026
vivekschauhan
vivekschauhan previously approved these changes Jul 8, 2026
@sbolosan sbolosan dismissed stale reviews from vivekschauhan and jcollins-axway via f2c19d1 July 9, 2026 16:30
@sbolosan sbolosan merged commit 1a0fbfb into main Jul 9, 2026
2 checks passed
@sbolosan sbolosan deleted the APIGOV-32943 branch July 9, 2026 18:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants