I am wondering if there is a set format for Okta API tokens. Our team is interested in adding a RegEx for Okta API tokens to one of our tools, which scans our pipeline output for exposed credentials. It seems to start with two zeros and have a total of 42 chars that can be [A-Za-z0-9-], so the regex would be /00[\w\d-]{40}/
Will the format ever change? For instance three zeros or 1 zero at the start?
You should not assume a set structure for Okta's API tokens. We do not currently have plans to change this, but that is not to say that it will not change in the future.
A different approach would be to start using OAuth Bearer tokens, which have the benefit of being short-lived, and then you could scan your pipeline for private keys instead.
Okay, that is helpful to know. We do have plans to switch to OAuth Bearer tokens in the future. Just to be 100% certain, when you say scan the pipeline for private keys, you mean set a RegEx to match any JWK format (or PEM if applicable)? Would that RegEx ever have any false positives, do you think?
Private keys have a very well-known structure, so I'd suggest scanning for whichever form you are making use of, whether it be JWK or PEM/X.509.
The JWK might be a little harder to build a regex for, but scanning for private keys is a good practice no matter what they are acting as credentials for.
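The thread makes two suggestions: a heuristic regex for the SSWS token shape described in the question, and scanning pipeline output for private keys in PEM or JWK form. The following scanner is an added example that ties both together; it is not code from Okta or from either poster. It assumes the token shape from the question (two leading zeros, 40 more characters from the class the posted regex `[\w\d-]` actually expands to, `[A-Za-z0-9_-]`) purely as a heuristic, since the reply says the structure is not guaranteed. Because the reply notes that a JWK is awkward to regex, the JWK check parses JSON and looks for private members (RFC 7518 names such as `d`, `p`, `q`, `k`) instead of matching text. The log lines, hostnames, `kid` values and the PEM body are constructed; the EC key material is the RFC 7517 Appendix A.2 example, not a live key.

```python
import json
import re

# Token heuristic from the question: two leading zeros followed by 40 characters
# from [A-Za-z0-9_-]. The lookarounds stop it firing inside a longer base64 or
# hex run. Assumption: this shape is a heuristic only; Okta does not document it.
OKTA_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])00[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])")

# PEM private-key armor lines: PKCS#8, PKCS#1 (RSA), SEC1 (EC), DSA, OpenSSH and
# encrypted PKCS#8 all end in "PRIVATE KEY-----".
PEM_PRIVATE_RE = re.compile(
    r"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----"
)

# JWK members that only occur in private or symmetric keys (RFC 7518 section 6):
# RSA private parameters, the EC/OKP private scalar "d", and the "oct" secret "k".
JWK_PRIVATE_MEMBERS = frozenset({"d", "p", "q", "dp", "dq", "qi", "oth", "k"})

# Brace-delimited fragment with at most one level of nesting, for log lines that
# embed a JSON object inside other text (e.g. "key={...}").
JSON_OBJECT_RE = re.compile(r"\{(?:[^{}]|\{[^{}]*\})*\}")


def _collect_private_jwks(node, out):
    """Walk parsed JSON (including JWK Sets) and record objects that are private JWKs."""
    if isinstance(node, dict):
        if "kty" in node and JWK_PRIVATE_MEMBERS.intersection(node):
            out.append(str(node.get("kid", "<no kid>")))
        for value in node.values():
            _collect_private_jwks(value, out)
    elif isinstance(node, list):
        for value in node:
            _collect_private_jwks(value, out)


def find_private_jwks(text):
    """Return the kids of private JWKs in text, parsing JSON rather than regexing it."""
    out = []
    try:
        _collect_private_jwks(json.loads(text), out)
        return out
    except ValueError:
        pass
    for fragment in JSON_OBJECT_RE.findall(text):
        try:
            _collect_private_jwks(json.loads(fragment), out)
        except ValueError:
            continue
    return out


def redact(secret):
    """Keep a short prefix so a finding can be triaged without re-leaking the value."""
    return secret[:4] + "..." + "(%d chars)" % len(secret)


def scan_line(line):
    """Apply all three detectors to one line; returns (kind, detail) tuples."""
    findings = []
    for match in OKTA_TOKEN_RE.finditer(line):
        findings.append(("okta_api_token", redact(match.group(0))))
    for match in PEM_PRIVATE_RE.finditer(line):
        findings.append(("pem_private_key", match.group(0)))
    for kid in find_private_jwks(line):
        findings.append(("jwk_private_key", "kid=" + kid))
    return findings


def scan_output(text):
    """Scan multi-line pipeline output; returns (line_number, kind, detail) tuples."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        for kind, detail in scan_line(line):
            results.append((number, kind, detail))
    return results


# Constructed pipeline output. Line 3 is a 40-char git SHA that happens to start
# with "00": it must NOT match, because the heuristic needs 42 characters.
SAMPLE_OUTPUT = """\
[INFO] deploying app v1.2.3
+ curl -H 'Authorization: SSWS 00AbCdEfGhIjKlMnOpQrStUvWxYz0123456789-AbC' https://example.okta.com/api/v1/users
commit 00a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d Add pipeline step
+ cat signing.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIKexampleExampleEXAMPLEnotARealKeyBody
-----END EC PRIVATE KEY-----
key={"kty":"EC","crv":"P-256","x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4","y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM","d":"870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE","kid":"ci-signer"}
{"kty":"EC","crv":"P-256","x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4","y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM","kid":"ci-signer"}
{"keys":[{"kty":"oct","kid":"hmac-1","k":"GawgguFyGrWKav7AX4VKUg"}]}
"""

if __name__ == "__main__":
    for number, kind, detail in scan_output(SAMPLE_OUTPUT):
        print("line %d: %s %s" % (number, kind, detail))
```

Run as-is, it reports the SSWS-style token on line 2, the EC PEM header on line 5, the private EC JWK on line 8 and the symmetric key inside the JWK Set on line 10, while staying silent on the public JWK (no `d`) and on the 40-character SHA. The false-positive question from the thread is answered by construction: the PEM armor line is effectively unambiguous, and parsing JWKs means a public key or an unrelated JSON object never trips the check, whereas the token heuristic can still catch any 42-character base64url-ish run that happens to start with `00`, which is why it redacts rather than prints what it finds.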