I’m trying to use the OPA API to reveal an OPA-managed Okta Service Account password. This would allow some test tools to get the password automatically from OPA.
I was kind of able to reveal the password, but there are a few things that make it unusable in a real situation.
For instance, what is rule_ids? I copied one by looking at the Service Account in a browser through Dev Tools, but there are no rules with this id under Policies in OPA, so where is this coming from? How, in a real situation, would anybody ever know what the rule_id is? Also, rule_ids is not supposed to be mandatory according to this: https://developer.okta.com/docs/api/openapi/opa/opa/tag/okta-universal-directory-accounts/#tag/okta-universal-directory-accounts/operation/revealOktaUniversalDirectoryAccountPassword , but if I remove it, the request to the API fails.
"rule_ids": [
    "0cc387a6-7828-48e6-8c7f-962dcf14485d"
],
POST /v1/teams/OPA_Access/okta_universal_directory_accounts/43a7716f-7314-4e86-8420-8c637122f746/reveal_credentials HTTP/1.1
Content-Type: application/json
Accept: application/json
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiODVhMzVhLTIwZmMtNDM4ZS1hOWQwLTFiNGEzNDRjMmJiNCIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NjU5MDYwNTgsImlzcyI6InNjYWxlZnQuYXV0aC50b2tlbiIsImp0
User-Agent: PostmanRuntime/7.51.0
Postman-Token: aacef725-c9c0-4012-9116-1d44ebc997eb
Host:
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 954
{
    "public_key": {
        "alg": "RS256",
        "e": "AQAB",
        "kid": "key-1765851727",
        "kty": "RSA",
        "n": "tQRURTnnmL2MvSazfs4JbGtMM0jfo_WccQg3-1_nKc9PZNNYx5JIiLDZmcR5cerw6l1hHVAKWlfpqeqGkDU9HvOI4oqc81S6Epj9Fs_wB0saj1k68TrioED1vL74J,
        "use": "sig"
    },
    "user_access_method": {
        "identity": "account_email_here",
        "access_credential": "managed",
        "brokered": false,
        "short_text": "",
        "rule_ids": [
            "0cc387a6-7828-48e6-8c7f-962dcf14485d"
        ],
        "checkout_requirements": {
            "required": true,
            "max_checkout_duration_in_seconds": 60
        },
        "user_access_type": "service_account",
        "resource_status": "checked_out"
    }
}
HTTP/1.1 200 OK
Date: Tue, 16 Dec 2025 16:29:32 GMT
Content-Type: application/json
Content-Length: 604
Connection: keep-alive
cache-control: no-cache, no-store
content-security-policy: default-src 'none'
content-security-policy-report-only: default-src 'none'
request-id: 1-694188eb-0dd84c073848d4a4020a251a
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
x-ratelimit-limit: 2000
x-ratelimit-remaining: 1999
x-ratelimit-reset: 1765902572
x-xss-protection: 1; mode=block
x-envoy-upstream-service-time: 466
server: envoy
{
    "password_jwe": "{\"protected\":\"eyJhbGciOiJSU0EtT0F2V5LTE3NjU4NTE3MjcifQ\",\"encrypted_key\":\"ana-DrSplY8UJLmm8JlE2PApHOkQsXpFOmOHLY3KjUFh1hELCq09Ys88P1rTKdDPxW4c6EGb3O35qzSTM7vbOj_YTogtP7M8kdLk7qmmw5CfGWaoinY8ms_cMAXafF1Epy-AUGDog5bBddg\",\"iv\":\"3mMtJs56T6Wn_28L\",\"ciphertext\":\"KZn2FGNO1ir9IowRPNHVLC3npjo\",\"tag\":\"3MwwocXb4SCHhxDakD7A6g\"}"
}
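The request above carries a "public_key" JWK and the response carries a "password_jwe" rather than a plaintext password: the server encrypts the secret to the caller's public key, so only whoever holds the matching private key can read it, and the caller has to do the JWE decryption locally. The following Go program is an added illustration of that client-side flow, not code from the original post and not Okta's OPA client; it simulates the server in-process instead of calling the API. It assumes the cipher suite is RSA-OAEP-256 key wrapping with A256GCM content encryption (the captured protected header is truncated at "RSA-OA", so that is a guess), and it uses a constructed kid and password. Nothing here answers the rule_ids question; it only shows what a test tool must do with the response once the request succeeds, including the checks a careful client should make on alg/enc and the GCM tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding

// PublicJWK builds the request body's "public_key" object with the same members as the
// captured request. Only this public half leaves the caller; the private key stays local.
func PublicJWK(pub *rsa.PublicKey, kid string) map[string]string {
	return map[string]string{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
		"e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()), "n": b64.EncodeToString(pub.N.Bytes())}
}

// EncryptJWE stands in for the OPA server and produces the flattened JWE JSON seen in "password_jwe".
// ASSUMPTION: the truncated header on the page ("RSA-OA...") is RSA-OAEP-256 wrapping with A256GCM.
func EncryptJWE(pub *rsa.PublicKey, kid string, plaintext []byte) (map[string]string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid})
	protected := b64.EncodeToString(hdr)
	cek, iv := make([]byte, 32), make([]byte, 12) // fresh per response; crypto/rand.Read does not fail
	rand.Read(cek)
	rand.Read(iv)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(cek) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	// JWE binds the protected header to the ciphertext as GCM additional authenticated data.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	n := len(sealed) - gcm.Overhead()
	return map[string]string{"protected": protected, "encrypted_key": b64.EncodeToString(wrapped),
		"iv": b64.EncodeToString(iv), "ciphertext": b64.EncodeToString(sealed[:n]), "tag": b64.EncodeToString(sealed[n:])}, nil
}

// DecryptJWE is the client side: unwrap the CEK with the private key behind the JWK that was
// sent, then authenticate-and-decrypt. Tampering with any field, or a foreign key, fails here.
func DecryptJWE(priv *rsa.PrivateKey, passwordJWE string) ([]byte, error) {
	var j map[string]string
	if err := json.Unmarshal([]byte(passwordJWE), &j); err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Enc string }
	if hb, err := b64.DecodeString(j["protected"]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, fmt.Errorf("malformed protected header")
	}
	if hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" { // refuse anything but the expected suite
		return nil, fmt.Errorf("unsupported alg/enc %q/%q", hdr.Alg, hdr.Enc)
	}
	var parts [4][]byte
	for i, k := range []string{"encrypted_key", "iv", "ciphertext", "tag"} {
		var err error
		if parts[i], err = b64.DecodeString(j[k]); err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, parts[0], nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(parts[1]) != gcm.NonceSize() {
		return nil, fmt.Errorf("bad iv length %d", len(parts[1]))
	}
	return gcm.Open(nil, parts[1], append(parts[2], parts[3]...), []byte(j["protected"]))
}

// RoundTrip runs the caller's side end to end against the simulated server and returns the
// recovered password; the response body has the same {"password_jwe": "<json string>"} shape as the page.
func RoundTrip(priv *rsa.PrivateKey, password string) (string, error) {
	req := PublicJWK(&priv.PublicKey, "key-example") // constructed kid; this map goes in the request body
	resp, err := EncryptJWE(&priv.PublicKey, req["kid"], []byte(password))
	if err != nil {
		return "", err
	}
	jweText, _ := json.Marshal(resp)
	body, _ := json.Marshal(map[string]string{"password_jwe": string(jweText)})
	var r struct {
		PasswordJWE string `json:"password_jwe"`
	}
	json.Unmarshal(body, &r)
	pt, err := DecryptJWE(priv, r.PasswordJWE)
	return string(pt), err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println(RoundTrip(priv, "constructed-demo-password"))
}
```

The practical consequence for a test tool: it must generate its own key pair, send only the public JWK in "public_key", and keep the private key for decrypting "password_jwe"; a response cannot be read by anyone who only intercepts it, and a client that skips the alg/enc check or ignores a GCM authentication failure loses that protection.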