
IanF.32900 (Knowledge Services) asked a question.
Whenever we try to update a user's email address using the Okta API, the service modifies the user's email address and their login. In the below example, we want to simply change the user "test@test.com" to have an email address of "foo@foo.com". If we call the API with the below request the user's email AND login are changed to "foo@foo.com". How can we call the API and update ONLY the email address?
Note: We have used both a PUT and a POST and the results are the same.
Example:
Route: API V1 User Endpoint
Body:
{
  "profile": {
    "honorificSuffix": "",
    "firstName": "Test",
    "lastName": "User",
    "mobilePhone": "5555555555",
    "email": "foo@foo.com",
    "honorificPrefix": "",
    "middleName": "",
    "login": "test@test.com"
  }
}
Thanks,
Shaun

Are you doing a POST or a PUT and to what endpoint/URL?
POST and PUT both update the login if an email is provided in the request body. We are using the v1 users endpoint.
Have you seen the following documentation:
https://developer.okta.com/docs/api/resources/users/#update-profile
There is a request example and response example where the email address of a user is being updated. In the response example, it shows the login is not getting updated and just the email is. Are you performing the API call just as described in the doc and shown in the example?
Would you be able to provide the full request and response you're getting back (similar to how the Okta doc presents it)?
We are experiencing the same issue. Any time an email address is updated in the API call, the login is set to the new email. Sample request/response in the document do not exhibit this behavior. Is there a bug in the API or can something be changed in the Organization configuration?
The fact that there is no official response to this issue which is clearly a bug in the API is unacceptable.
We have faced the same issue. Is there any progress on it?
Has anyone tried it with the SDK?
Confirmed this is a real problem; it also happens in the Okta UI. Seems the Login property is hardcoded to change when the primary email does. There are a number of reasons why you wouldn't want this, including my use case. At the very least there should be a flag in the payload or query string that overrides this behavior.
This cost me a couple of hours of work to figure out a workaround, so I will post it here for others' benefit. It essentially requires a double POST to the API.
Also this should work using the REST API but I am using the C# SDK which wraps it:
// Update email
user.Profile.Email = userFile.PreferredEmailAddress;
// Post it
user = await client.Users.UpdateUserAsync(user, user.Id, false);
// Work around for Okta SDK API bug
user.Profile.Login = userFile.Upn;
await client.Users.UpdateUserAsync(user, user.Id, false);
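The double-POST workaround from the post above, written against the REST endpoint as an added example (not code from the thread or from Okta). `okta_post`, `update_email_keep_login` and `make_fake_org` are hypothetical names, and the fake org is a constructed stand-in that assumes the login follows the email whenever the email changes, as the thread reports.

```python
import json
import urllib.request

def okta_post(base_url, token, user_id, profile):
    """Real transport: partial profile update via POST /api/v1/users/{id}."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/users/{user_id}",
        data=json.dumps({"profile": profile}).encode(),
        headers={"Authorization": f"SSWS {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def update_email_keep_login(post, user_id, current_login, new_email):
    """Change profile.email, then verify profile.login and restore it if it moved.

    `post(user_id, profile)` sends a partial update and returns the user dict,
    e.g. lambda uid, p: okta_post(BASE_URL, TOKEN, uid, p) (placeholders).
    Returns (final_profile, restored); restored=True means a second POST ran.
    """
    user = post(user_id, {"email": new_email})
    if user["profile"]["login"] == current_login:
        return user["profile"], False
    # Login followed the email: send the second POST of the workaround.
    user = post(user_id, {"login": current_login})
    if user["profile"]["login"] != current_login:
        raise RuntimeError("login could not be restored for " + user_id)
    return user["profile"], True

def make_fake_org(map_email_to_login):
    """Constructed in-memory org used to exercise the function offline."""
    store = {"00u-constructed": {"email": "test@test.com",
                                 "login": "test@test.com"}}
    def post(user_id, profile):
        rec = store[user_id]
        email_changed = "email" in profile and profile["email"] != rec["email"]
        rec.update(profile)
        if map_email_to_login and email_changed:
            rec["login"] = rec["email"]  # behaviour assumed from the thread
        return {"id": user_id, "profile": dict(rec)}
    return post
```

The `restored` flag is worth logging: it records that the sign-in identifier changed between the two calls, which matters for anything keyed on the login.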
@zo9i3 (zo9i3) This was a smart way of working around it, but it is better to have Okta Support turn off UD_MAP_FIELD_TO_LOGIN.
I worked at Okta as an SE at the time the Self Registration feature was introduced (2019). The thought was that the user should only need to enter the email address, and Okta would use it as the login as well. My guess is that most of you, if not all, have the Self Registration feature enabled, and as it was enabled, another feature flag was set:
UD_MAP_FIELD_TO_LOGIN
So when I run into this, I ask support to turn it off. So if you have the experience where the email address is copied into the login attribute, raise a support ticket with Okta support, and ask them to clear that feature. This is relevant to API, GUI and inbound federation, and I believe inbound lifecycle.
I've opened an issue on GitHub; you can see it here:
https://github.com/okta/okta-sdk-dotnet/issues/470#event-4311403383