How to use request headers in custom expression for conditional access rules?

Loading

Skip to Navigation Skip to Main Content

Search

Search

Select Language

0D54z0000A3rrfSCQQOkta Classic EngineAuthenticationAnswered2026-02-17T09:00:23.000Z2024-04-01T10:22:18.000Z2024-05-31T14:50:54.000Z

fqjid (fqjid) asked a question.

April 1, 2024 at 10:22 AM

How to use request headers in custom expression for conditional access rules?

Is it possible to use request headers like userAgent to write custom expression for conditional access rules?

There are no examples for this in Okta expression language documentation but something like this is used in Office 365 custom filter.

https://help.okta.com/oie/en-us/content/topics/apps/office365/custom-client-filter.htm

Image is not available

Can such expression used for any app or is this specific to Office 365?

For example, is request.userAgent.contains(“some-value”) a valid expression for another app?

Can we use headers other than user agent to write custom expressions?

For example, is request.customHeader.contains(“some-value”) a valid expression?

Thank you in advance for help / guidance.

Authentication

Top Rated Answers

Paul S. (Okta, Inc.)
2 years ago
Hello @fqjid (fqjid) Thank you for reacting out to our Community!

These expressions are specific to Office365. However if you have Device Trust setup on your Org you should be able to do something similar, please see article below with Conditional Access for Okta:
https://support.okta.com/help/s/article/Conditional-access-based-on-device-security-posture?language=en_US
--
Subscribe Today: The Okta Community is on YouTube
Expand Post
Selected as Best

All Answers

Paul S. (Okta, Inc.)
2 years ago
Hello @fqjid (fqjid) Thank you for reacting out to our Community!

These expressions are specific to Office365. However if you have Device Trust setup on your Org you should be able to do something similar, please see article below with Conditional Access for Okta:
https://support.okta.com/help/s/article/Conditional-access-based-on-device-security-posture?language=en_US
--
Subscribe Today: The Okta Community is on YouTube
Expand Post
Selected as Best
sdqdl (sdqdl)
Edited April 5, 2024 at 10:36 AM
Thank you! @Paul S. (Okta, Inc.) for the response.

I chanced upon this: https://support.okta.com/help/s/article/how-to-use-rawuseragent-in-a-custom-expression-for-the-authentication-policy-rule?language=en_US
and found that checking for equality works i.e.

request.userAgent == 'FooBar'

works.

However when I rewrite it as:
String.stringContains(request.userAgent, 'FooBar')

I get a validation error:

Unable to resolve String in expression String.stringContains(request.userAgent,'FooBar')
Expression String.stringContains(request.userAgent, 'FooBar') does not resolve to type Boolean

The document for custom expressions says that String.stringContains is a supported function.

Can you please help understand why it's not working in this case? Is it a bug?

If yes, can you please let me know how to create a ticket for it?

Thank you and regards.

Expand Post
User17114007401613433056 (Customer)
2 years ago
@Paul S. (Okta, Inc.) I am experiencing the same behavior reported by @fqjid (fqjid).
Error: Unable to resolve String in expression String.stringContains('oktapreview.com','preview'), errorSummary: conditions.elCondition.condition: Expression String.stringContains('oktapreview.com', 'preview') does not resolve to type Boolean.

Any ideas?
Expand Post
- nfmez (nfmez)
  2 years ago
  Hello @User17114007401613433056 (Customer) I would recommend to open a case with support for additional assistance.
  Expand Post

This question is closed.

Recommended content

Forum

Okta Group Rule Custom Expression not filtering out using all conditions

Forum

access request request type x acess request conditions

Forum

How to set value in HTTP Request header?

Forum

How to access child object for Oktaworkflow

Loading

How to use request headers in custom expression for conditional access rules?