I’m trying to provision OIDC SPA apps as IaC on Terraform for a passwordless email magic-link enrollment flow. Each environment creates a fresh app, so I need to set the app’s “Email Verification Experience” (EVE) callback URI either through the Okta Terraform provider resources or direct API calls (not ideal, but would suffice).
What I’ve found so far:
- The Terraform provider (okta/okta) has no field for it on okta_app_oauth, and an older forum answer says the magic-link callback isn’t settable via Terraform (Email magic link Terraform question).
- It does not appear on the public Apps API either. GET /api/v1/apps/{appId} returns no EVE-related field, and diffing the same app with EVE set vs unset shows no difference in the returned settings.
- The Admin Console sets it via an internal endpoint: POST /api/v1/internal/apps/{appId}/settings/oidc with the field email_magic_link_redirect_uri in the payload.
- Calling that internal endpoint with an SSWS API token returns 401/403 (it appears to require an Admin Console session, not an API token). Expected, but had to try.
Questions:
- Is there any supported public API (Apps API or other) to set the EVE callback (email_magic_link_redirect_uri) on an OIDC app?
- If not, is there a supported alternative or an EA feature that exposes it?
- Is the Admin Console currently the only supported way to configure it?
Trying to confirm whether this is genuinely not doable today before raising a feature
request.
Thanks in advance