How to fetch users from Okta using Python

Editor's note: This article is part of a series on building third-party API integrations. Explore Merge if you’re looking to add 180+ integrations across HR, SCIM, payroll, ATS, CRM, accounting, ticketing, marketing automation, and file storage with one unified API.

Okta is a robust and flexible access management tool that offers identity management services. It serves as a consolidated platform for managing employees' identities, encompassing single sign-on, multi-factor authentication, and lifecycle management features. Furthermore, its ability to integrate smoothly with various applications streamlines the HR process and boosts productivity by automating user management tasks.

Integrations with Okta often require pulling user data to other platforms for use cases like auto-provisioning, org chart management, etc. Integrations like these can oftentimes enhance the system's security and efficiency, among other benefits.

In this article, we'll walk through how you can build an integration with Okta by authenticating and fetching users using Python. Buckle up.


Authentication configuration in Okta

To make authenticated API requests to Okta, you'll need to include an API token in your HTTP header. Okta has a few different options for authentication, but here we will walk through Okta's Basic Authentication. If you need help finding your API key, we have a help center article with instructions on how to find it.

The header you include in your requests should be in the following format: <code class="blog_inline-code">Authorization: SSWS {API-KEY}</code>. This means that you substitute <code class="blog_inline-code">{API-KEY}</code> with your actual API token. Be cautious to protect this token and avoid exposing it in public places like GitHub, client-side code, etc.

This API token works as a bearer token: a credential the client sends with each request so the server can establish its authentication and privileges. The token is generated in your Okta dashboard, specifically in the tokens tab of the API section. Each API request you make will need this token included in the header.

Fetching users from Okta

The script below uses the requests library to send the GET request to the Okta API. It then parses the response as JSON and adds the users to a list. The script uses a while loop to continue fetching users as long as there is a next link in the response headers. When there is no next link, it means we've fetched all the users and the script breaks out of the loop.

Remember to replace <code class="blog_inline-code">{DOMAIN}</code> and <code class="blog_inline-code">{API-KEY}</code> with your actual Okta domain and API key.

```python
import requests

# Define the base URL
base_url = "https://{DOMAIN}/api/v1/users"

# Define the API Key
api_key = "{API-KEY}"

# Initialize the headers
headers = {
    "Authorization": "SSWS " + api_key,
    "Accept": "application/json",
    "Content-Type": "application/json"
}

# Initialize the URL
url = base_url

# Initialize an empty list to store the users
users = []

# Use a while loop to paginate through the results
while url:

    # Send the GET request (the timeout keeps a stalled connection from hanging the script)
    response = requests.get(url, headers=headers, timeout=30)

    # Stop on an HTTP error: an error body is a JSON object, not a list of users
    response.raise_for_status()

    # Parse the response as JSON
    users_data = response.json()

    # Add the users to the list
    users.extend(users_data)

    # Check for a next link in the response headers
    if 'next' in response.links:
        url = response.links['next']['url']
    else:
        url = None

# Print the users
for user in users:
    print(user)
```

You should see the list of users from Okta as the output.

[
  {
    "id": "00ub0oNGTSWTBKOLGLNR",
    "status": "ACTIVE",
    "created": "2013-06-24T16:39:18.000Z",
    "activated": "2013-06-24T16:39:19.000Z",
    "statusChanged": "2013-06-24T16:39:19.000Z",
    "lastLogin": "2013-06-24T17:39:19.000Z",
    "lastUpdated": "2013-07-02T21:36:25.344Z",
    "passwordChanged": "2013-07-02T21:36:25.344Z",
    "profile": {
      "firstName": "Isaac",
      "lastName": "Brock",
      "email": "isaac.brock@example.com",
      "login": "isaac.brock@example.com",
      "mobilePhone": "555-415-1337"
    },
    "credentials": {
      "password": {},
      "recovery_question": {
        "question": "Who's a major player in the cowboy scene?"
      },
      "provider": {
        "type": "OKTA",
        "name": "OKTA"
      }
    },
    "_links": {
      "self": {
        "href": "https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR"
      }
    }
  }
]
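A hardened variant of the pagination loop, as an added example that is not part of the original article: it reads the token from the environment instead of the source file, refuses to send the SSWS token to a next link that is not HTTPS on the configured Okta host, and goes beyond the article by waiting out HTTP 429 rate limits. The function names and the environment variable names OKTA_DOMAIN and OKTA_API_TOKEN are assumptions made for this example.

```python
import os
import time
from urllib.parse import urlsplit


def same_origin_https(base_url, candidate):
    """True only if candidate is HTTPS and on the same host and port as base_url."""
    base, cand = urlsplit(base_url), urlsplit(candidate)
    return (cand.scheme == "https" and base.scheme == "https"
            and cand.hostname == base.hostname and cand.port == base.port)


def fetch_all_users(get, base_url, token, max_retries=3, sleep=time.sleep):
    """Page through /api/v1/users; `get` is a requests.get-compatible callable."""
    headers = {"Authorization": "SSWS " + token, "Accept": "application/json"}
    users, url, retries = [], base_url, 0
    while url:
        response = get(url, headers=headers, timeout=30)
        if response.status_code == 429 and retries < max_retries:
            # Rate limited: wait until the reset time Okta reports, then retry.
            reset = int(response.headers.get("X-Rate-Limit-Reset", 0))
            sleep(max(reset - time.time(), 1))
            retries += 1
            continue
        if response.status_code != 200:
            # An error body is a JSON object, not a list of users: stop here.
            raise RuntimeError(f"Okta returned HTTP {response.status_code}")
        retries = 0
        users.extend(response.json())
        next_url = response.links.get("next", {}).get("url")
        if next_url and not same_origin_https(base_url, next_url):
            # Never send the SSWS token to a host other than the configured one.
            raise ValueError("refusing to follow off-origin next link")
        url = next_url
    return users


if __name__ == "__main__":
    import requests  # only needed for the live run

    # OKTA_DOMAIN and OKTA_API_TOKEN are assumed environment variable names.
    domain = os.environ["OKTA_DOMAIN"]
    token = os.environ["OKTA_API_TOKEN"]
    for user in fetch_all_users(requests.get, f"https://{domain}/api/v1/users", token):
        # Print only non-sensitive fields rather than the full record.
        print(user["id"], user["status"], user["profile"]["login"])
```

Passing the HTTP callable in as `get` lets the loop be exercised against canned responses before it is pointed at a live tenant.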

Conclusion

And that's it! You've successfully authenticated and fetched users from Okta.

But what happens when Okta is merely one among many integrations that your team must develop and sustain, and your next customer asks you for a JumpCloud, Azure Active Directory or OneLogin integration?

This is where a Unified API, such as Merge, comes into play. At Merge, we’ve built an API that lets you easily integrate once to offer 40+ HRIS, SCIM and Payroll integrations. Our Unified API has also smoothed out pagination and authentication.

You can learn more about Merge by scheduling a demo with one of our integration experts.