Okta Classic Engine | API Access Management | Answered | 2025-08-17T09:00:26.000Z | 2024-02-12T18:43:09.000Z | 2024-02-13T18:21:17.000Z

83ykp (83ykp) asked a question.

I Can't Deactivate Yubikeys Via the API After We Upgraded to Okta Identity Engine

Background:

If a Yubikey OTP token is programmed and uploaded to Okta, it will go to Unassigned status. When that Yubikey is assigned to a user, it will go to Active status. You can reprogram that Yubikey, but Yubikeys in Active status cannot be uploaded again. You can revoke the Yubikey and it will go to Revoked status, and at that point the Yubikey can be re-uploaded.

 

In the past:

I have a script that uses the Okta API to revoke Yubikey OTP tokens. When we were on the Okta Classic Engine, my script would go through all of the Yubikeys that we needed to re-upload and revoke them one at a time by sending an HTTP DELETE query to the "deactivate" URL provided by the API lookup call.

 

Current problem:

We recently switched to OIE and my script is no longer working. My query to look up the Yubikey returns the same response it returned under the Classic Engine:

 

(All examples are taken from the Okta documentation, not production data.)

"deactivate": {
  "href": "https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3",
  "hints": {
    "allow": [
      "DELETE"
    ]
  }
}

 

I send a "DELETE" query to that exact URL and get an error that suggests that the user doesn't exist.

 

'errorCode': 'E0000007', 'errorSummary': 'Not found: Resource not found: 00uu0x8sxTr9HcHOo0g3 (User)'

 

I can go through the web UI and see that the user does exist, but has the status Deactivated. Looking at the Yubikey report, I see that the status of the Yubikey OTP token is Active, so I can't upload a replacement seed value.

 

I'm at a loss for how to revoke and re-upload these tokens via the API, since I'm doing everything I need to according to the API response and API documentation. These tokens can be revoked manually, but you can only revoke one token at a time, which is very time-consuming if you have a lot of Yubikeys to revoke.


This question is closed.
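For a bulk revocation script like the one described in the question, the sketch below is an added example, not part of the original post and not Okta's code. It checks a "deactivate" link before an API token is sent to it, then sorts an E0000007 response by the resource it names, so tokens that fail on the user lookup can be queued for manual revocation. The org domain, function names and result labels are assumptions; the sample data is constructed from the fragments quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data, shaped like the fragments quoted in the post.
OKTA_DOMAIN = "example.okta.com"  # hypothetical org domain
SAMPLE_LINK = {
    "href": "https://example.okta.com/api/v1/users/00uu0x8sxTr9HcHOo0g3"
            "/factors/ykfxduQAhl89YyPrV0g3",
    "hints": {"allow": ["DELETE"]},
}
SAMPLE_ERROR = {
    "errorCode": "E0000007",
    "errorSummary": "Not found: Resource not found: 00uu0x8sxTr9HcHOo0g3 (User)",
}

FACTOR_PATH = re.compile(r"^/api/v1/users/([A-Za-z0-9]+)/factors/([A-Za-z0-9]+)$")
NOT_FOUND = re.compile(r"Resource not found: (\S+) \((\w+)\)")


def plan_deactivate(link, okta_domain):
    """Validate a 'deactivate' link object and return the request to send."""
    url = urlsplit(link.get("href", ""))
    # Only send the API token to the expected org, over HTTPS.
    if url.scheme != "https" or url.hostname != okta_domain:
        raise ValueError("link does not point at the expected org over HTTPS")
    if "DELETE" not in link.get("hints", {}).get("allow", []):
        raise ValueError("link does not advertise DELETE")
    match = FACTOR_PATH.match(url.path)
    if not match or url.query or url.fragment:
        raise ValueError("unexpected factor URL shape")
    user_id, factor_id = match.groups()
    return {"method": "DELETE", "url": url.geturl(),
            "user_id": user_id, "factor_id": factor_id}


def classify_error(error, plan):
    """Report which resource in the planned request an E0000007 names."""
    if error.get("errorCode") != "E0000007":
        return "other"
    match = NOT_FOUND.search(error.get("errorSummary", ""))
    if not match:
        return "not-found-unknown"
    resource_id, kind = match.groups()
    if kind == "User" and resource_id == plan["user_id"]:
        return "user-not-found"  # the case reported in the post
    if resource_id == plan["factor_id"]:
        return "factor-not-found"
    return "not-found-unknown"
```
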