Unable to upload application logo for OIDC and SAML Apps

The Early Access feature for Application logo operations (Apps | Okta Developer) doesn’t work for SAML or OIDC applications.

It works successfully for Bookmark applications.

When running for an OIDC application (created via the web UI or via Terraform, i.e via APIs), the logo upload process fails with:

  "errorCode":"App instance has no login link to set logo for",
  "errorLink":"App instance has no login link to set logo for",

I’m unable to find any docs specifically about the “login link object” (also mentioned in the api docs “Note: You must have a valid login appLinks object to update the logo of an application.”)

The application object does have an appLink object in the manifest but is unclear if this is related:

  "id": "XXXXXXXXX",
  "name": "oidc_client",
  "label": "My Web App",
  "status": "ACTIVE",
  "lastUpdated": "2021-06-28T23:05:20.000Z",
  "created": "2021-06-28T23:05:20.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": true,
      "web": true
    "appLinks": {
      "oidc_client_link": true
  "features": [],
  "signOnMode": "OPENID_CONNECT",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    "signing": {
      "kid": "XXXXXXXXXX"
    "oauthClient": {
      "autoKeyRotation": true,
      "client_id": "XXXXXXXXX",
      "token_endpoint_auth_method": "client_secret_basic"
  "settings": {
    "app": {},
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        "message": null,
        "helpUrl": null
    "oauthClient": {
      "client_uri": null,
      "logo_uri": null,
      "redirect_uris": [
      "post_logout_redirect_uris": [
      "response_types": [
      "grant_types": [
      "application_type": "web",
      "consent_method": "REQUIRED",
      "issuer_mode": "ORG_URL",
      "idp_initiated_login": {
        "mode": "DISABLED",
        "default_scope": []
  "_links": {
    "uploadLogo": {
      "href": "https://dev-XXXXXX.okta.com/api/v1/apps/XXXXXXXX/logo",
      "hints": {
        "allow": [
    "appLinks": [
        "name": "oidc_client_link",
        "href": "https://dev-XXXXXXXX.okta.com/home/oidc_client/XXXXXXXX/aln177a159h7Zf52X0g8",
        "type": "text/html"
    "groups": {
      "href": "https://dev-XXXXXXXX.okta.com/api/v1/apps/XXXXXXXX/groups"
    "logo": [
        "name": "medium",
        "href": "https://ok12static.oktacdn.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png",
        "type": "image/png"
    "users": {
      "href": "https://dev-XXXXXXXX.okta.com/api/v1/apps/XXXXXXXX/users"
    "deactivate": {
      "href": "https://dev-XXXXXXXX.okta.com/api/v1/apps/XXXXXXXX/lifecycle/deactivate"

We’ve found support in the Okta terraform provider is mixed for early access features, even those more mature such as factor sequencing. Sorry for the basic question, but have you checked if that’s supported in the provider?

Thanks abole! This actually came up originally from the terraform provider (issue link: Unable to set App Logo for SAML apps · Issue #506 · okta/terraform-provider-okta · GitHub) but wasn’t getting any traction there, so dug into the raw APIs and looks to be a problem with those itself

1 Like