Okta Developer Exam Study Guide

Introduction

Congratulations, you are one step closer toward earning your Okta Certified Developer certification!

This exam study guide is designed to help you prepare for the Okta Developer exam. Passing this exam is a requirement for attaining Okta Certified Developer certification. Detailed exam topics and available preparation resources are outlined in this guide. Reading this guide in no way guarantees a passing score on the Okta Developer exam.

Using this study guide

At minimum, we highly recommend you thoroughly review each topic listed within the Exam Subject Areas section of this study guide. Make sure you understand and are familiar with each topic. Every single topic within that section relates to at least one question or one task on the exam. If you are not familiar with a topic, research it either by using one of the corresponding preparation resources provided or by searching the Okta Help Center, Okta Product Documentation library, or the Okta Developer Platform. Some topics are best learned through hands-on experience with the Okta service.

Candidate Description

Okta Certified Developers are technically proficient at building secure, seamless experiences using Okta APIs and SDKs. Developers have experience working with RESTful APIs and developing web applications. They have a general understanding of authentication and authorization standards such as OpenID Connect (OIDC) and OAuth, as well as how Okta supports these standards for building authentication, flexible authorization, and role-based access control. Developers also have experience configuring authorization with API Access Management and implementing Single Sign-On (SSO) with OIDC. They have working knowledge of Okta Lifecycle Management and administrative APIs.

The primary audience for the Okta Certified Developer certification is individuals who meet the following requirements at minimum:

  • Have 4+ years of experience in a software development role.
  • Have 6+ months of hands-on experience implementing custom identity solutions with Okta.
  • Have used Okta API Access Management to secure APIs.
  • Have created custom authorization servers, defined scopes and claims, and created policies and rules to secure APIs.
  • Have experience using Okta REST APIs and know how to pass the correct API parameters in requests.
  • Have built client apps that authenticated users against Okta.
  • Have experience configuring OIDC and OAuth apps in Okta.
  • Know how to assign and unassign apps to users using Okta Users and Groups APIs.
  • Know how to validate an authenticated user’s session.
  • Understand the design principles of Okta APIs, including how to use pagination and how to filter query parameters on attributes.
  • Know how to identify and work with Okta API rate limits.
  • Know where to find the most up-to-date documentation and resources on Okta APIs.
  • Have used Okta APIs to query logs and events.
  • Have created, updated, and deleted users, groups, and apps using Okta APIs.
  • Know when to use Okta REST APIs, Sign-in Widgets, and SDKs.
  • Understand the various Okta supported OIDC and OAuth flows, and know when to use them.
  • Understand the differences between an org authorization server and a custom authorization server in the context of OIDC and OAuth.
  • Understand how an Okta policy and the rules associated with that policy affect API calls and responses.
  • Know how to enforce Okta multifactor authentication for users in client apps.
  • Know how to interpret the common Okta API error codes.
  • Understand the different ways to create Okta sessions for Single Sign-On, including redirectUrl, OIDC authorize, and Legacy Sessions API.
  • Have implemented the Okta Sign-in Widget with customizations.
  • Know how to do implicit and hybrid flows from the Okta Sign-in Widget.
  • Know how to create sessions in Okta using Okta APIs and SDKs.
  • Know how to configure trusted origins (CORS, Redirect), and understand the effects of the configuration of trusted origin when redirecting users.

About this Exam

Number and Types of Questions

This exam has two parts.

• Part I: 45 Discrete Option Multiple Choice Questions

• Part II: Four Performance-Based, Hands-on Use Cases

Exam takers complete Part I and then are permitted to start Part II.

Exam takers are not permitted to return to Part I once they have completed it and submitted their responses for grading.

Time Allotted

Part I: 60 minutes

Part II: 90 minutes

IMPORTANT:

• Each part is timed separately. This also means any time left over from Part I does NOT carry over to Part II.

• As this is a 2-hour-and-30-minute exam, please come fully prepared to sit through the entire exam. There is no break between Parts I and II of this exam.

Exam Fee

250 USD (100 USD for each subsequent retake)

Prerequisites

None (Recommended training and preparatory resources listed below)

Understanding the Types of Items Included on this Exam

Part I of this exam includes Discrete Option Multiple-Choice (DOMC) items. Part II contains Performance-based, hands-on use cases.

Understanding the DOMC Item Type

DOMC is a powerful measurement tool that produces reliable test scores. It does so by removing several “contaminants” that affect test outcomes but are unrelated to the knowledge and skills being tested. The DOMC item type levels the playing field, more fairly measuring candidate skills by improving:

  • Readability. Because test takers are required to read less, the exam tends to take less time and places fewer demands on the slow reader or the non-native English speaker.
  • Fairness. When savvy test takers are unsure of an answer, they look for clues by comparing options or gleaning information from other items on an exam. DOMC removes this test taking advantage and serves as a powerful method to assess a test taker’s actual knowledge.
  • Security. Instead of displaying all options at the same time, options are randomly presented one at a time. For each presented option, test takers must make a YES or NO decision to indicate whether they think the option is correct. Answer options are presented in random order, and in most instances, test takers are NOT presented with all the available options associated with a DOMC item. Item exposure is limited by presenting only a subset of the available options to any given test taker. Limiting item exposure makes it difficult for an exam to be compromised.

Scoring of a DOMC Item

Test takers can be assured that the DOMC item type is scored fairly and with precision.

  • If a test taker is presented with a correct option and responds YES, then that response is scored as “correct”. A DOMC item can be programmed to require one or more correct responses in order to be complete and to be considered answered correctly. Typically, however, only one correct response is required.
  • If a test taker is presented with a correct option and responds NO, then that item is scored as “incorrect”.
  • If a test taker is presented with an incorrect option and responds YES, then that item is scored as “incorrect”.
  • If a test taker is presented with an incorrect option, and that test taker responds NO (technically, a correct response), scoring of the item is postponed and another option is presented.

Note: Even after a test taker responds correctly or incorrectly to an item, additional correct or incorrect options might be presented but the test taker’s responses to those options will not be scored at all. This is done to prevent test takers from guessing the correctness or incorrectness of a response.

The DOMC item format may require test takers to make some adjustments to their test-taking approaches. The reward of such effort is confidence that those test takers who are certified are truly competent in the areas tested on the exam and will represent excellence in the field.

To learn more about DOMC items, visit http://trydomc.com/home. In addition, the Okta Developer Standard Practice exam will help you become accustomed to the new test format. We highly recommend that test takers become familiar with the format of this item type before taking any Okta certification exams.

Understanding the Performance-based Use Cases in Part II of this Exam

Part II of this exam includes four performance-based hands-on use cases. Each use case consists of three or more tasks that exam takers are asked to complete within Okta Preview Orgs. This part of the exam allows exam takers to demonstrate their skill with the Okta service and Okta APIs in a natural way that mimics how developers use Okta on the job.

A use case begins with some general instructions that apply to all the tasks in that use case. The instructions for a use case are presented on a dedicated page labeled Instructions.

The instructions are followed by the individual tasks, each on its own dedicated page and labeled accordingly.

Each task must be completed in the order presented. Tasks build on each other, so it is important to complete Task 1 in order to move on to Task 2 and so forth.

Exam takers can go back to previous tasks and make changes as deemed necessary; however, it is important to note how changes made to a preceding task affect other tasks within the use case.

Scoring of a Performance-based Use Case

Use cases are graded upon the submission of Part II of the exam or immediately at the end of the 90-minute time clock allotted for Part II.

Navigating Part II of this Exam

Logging in to Your Okta Org

When you get to the landing page for Part II of the exam, you are presented with a notice that your Okta Org is being created. Once your Org is created, you are presented with the following pieces of information:

1. Link to log into your org

2. The administrator username and password for your org

3. A downloadable file containing a set of Okta API collections for Postman

Submitting Part II of the Exam

You are provided with a red button labeled Submit Exam at the bottom of the landing page for Part II. Once you have completed all of the use cases in Part II and you are ready to submit Part II, click the Submit button. Once you do, you will be presented with a warning letting you know that once you submit Part II, any configurations you make in your Okta org thereafter will not be included in the grading of your configurations for Part II.

Exam Scheduling

Okta certification exams are administered and proctored by Examity®. Okta has partnered with Examity®, a secure online proctoring service, to protect the integrity of our certification exams in the market. Online proctoring means that exams can be taken from almost any location at a time that is convenient for you, without travel to a test center. Your Okta Developer Exam must be scheduled at least 24 hours in advance of the time you wish to sit for the test in order to avoid the additional fee associated with on-demand testing.

Preparing for the Okta Developer Exam

A combination of instructor-led training courses, self-paced learning, self-study, and on-the-job experience will prepare a candidate to take this exam.

Training

Okta Education Services offers a range of classes and training materials to help exam takers prepare for this certification exam. Although attending a training class alone does not guarantee success on an Okta certification exam, we strongly recommend that Okta Developer exam takers attend the Okta Customer Identity for Developer course in preparation for this exam. This course covers 78% of the topics measured in the Okta Developer exam. You can register for this course here: https://www.okta.com/services/training/.

Other Resources

  • The Okta Help Center contains a knowledge library of articles and videos, some of which are pertinent to topics covered on this exam.
  • The Okta Content Library offers searchable white papers with a rich body of information to explore before your exam.
  • The Okta Developer Platform provides extensive Okta Developer documentation and community forums to use in preparation for the exam.
  • Join the Okta Community to review questions, discussions, ideas, and blogs for additional exam preparation.

Developer Exam Subject Areas

The following tables list the topics that are covered in Parts I and II of this exam. These topics are grouped into topic areas, and topic areas roll up into domains/exam sections. Use these tables as an outline to guide your study and validate your readiness for the Okta Developer certification exam.

Part I

Exam Domain (Percentage of Part I Related to Domain)

Authentication (9%)

Compare and Evaluate Authentication Methods

  • Understand pros and cons of authentication types (e.g., custom login page vs. Okta login page)
  • Understand the Authentication API transactional model

Preparation resources:

Understand Methods for Creating an Okta Session

  • Contrast the different ways to set a session in Okta
  • Retrieve a Session Cookie using OIDC Connect Az Endpoint
  • Manage an Okta Session via the Okta Sessions API

Preparation resources:

SSO and API Access Management with OIDC and OAuth (18%)

Enable an OAuth Client Application to Securely Access Services

  • Use the authorization code flow to obtain tokens
  • Validate tokens
  • Use a refresh token to obtain a new access token
  • Use the /revoke endpoint to revoke a token
  • Identify trusted and untrusted clients and the proper flows to use with each

Preparation resources:

Describe client types and flows

  • Explain why the authorization code flow is more secure than the implicit flow
  • Define which flow to use when a software or service needs to access an API using an access token
  • Explain how OIDC achieves SSO
  • Explain which flow is appropriate for app types
  • Explain the difference between introspect call and signature validation
  • List all possible actors in an OIDC flow

Preparation resources:

Optimize the API consumption

  • Optimize the API consumption (performance)
  • Optimize the API consumption (security)

Preparation resources:

Lifecycle Management (16%)

Use the Core API to Manage Users

  • Demonstrate understanding of the Users API and which operations can be performed
  • Manage Users via the Users API

Preparation resources:

User Objects, User States, and User Profile mastering

  • Demonstrate understanding of User Objects, User States, and User Profile Mastering Options

Preparation resources:

Use the Core API - Groups

  • Manage Groups using the Groups API
  • Manage Group membership using the Groups API

Preparation resources:

Just-in-Time Provisioning (JIT)

  • Demonstrate understanding of how JIT works as well as when to use JIT

Preparation resources:

Administrative APIs (20%)

Use the Core API - Schemas

  • Demonstrate understanding of the Okta User Schema
  • Demonstrate understanding of Okta Application Schemas

Preparation resources:

Use the Core API - Policy

  • Demonstrate understanding of Okta Policies and Rules and how these affect operations

Preparation resources:

Use the Core API - Factors

  • Demonstrate understanding of multi-factor authentication in Okta
  • Demonstrate understanding of the Factors API and which operations can be performed

Preparation resources:

Use the Core API - OAuth

  • Understand OAuth configuration in Okta
  • Understand API Access Management

Preparation resources:

Use the Core API - Apps

  • Understand applications in Okta

Preparation resources:

Debug Techniques (9%)

Debug API-Related Issues

  • Investigate API-related issues using sys log, Administrator Dashboard, APIs, and tasks

Preparation resources:

Debug API Requests

  • Determine when to make API calls
  • Valid user states for API calls

Preparation resources:

Design Principles (18%)

Apply the Okta API Design Principles

  • Make Okta API requests with the correct HTTP Verbs
  • Make Okta API requests using HTTP headers correctly
  • Make Okta API requests identifying the origin using User-Agent and X-Forwarded-For
  • Read and Understand the Okta API response headers
  • Read and Understand the Okta API response errors
  • Read and Understand the Okta API HTTP response codes

Preparation resources:

Okta API Rate Limiting

  • Read and Understand the Okta API Rate Limiting

Preparation resources:

Redirect or CORS as Trusted Origin

  • Identify when to use Redirect or CORS as Trusted Origin

Preparation resources:

App Logout and Global Logout

  • Implement App Logout and Global Logout (Okta)

Preparation resources:

Okta Hooks (9%)

Inline Hooks

  • Implement token inline hooks
  • Implement registration inline hooks
  • Implement SAML assertion inline hooks
  • Implement password import inline hooks

Preparation resources:

Event Hooks

  • Create event hooks
  • Implement event hook objects
  • Implement event hook auth scheme objects

Preparation resources:

Working with the Sign-In widget for Authentication (2%)

Okta Sign-in Widget Customization and Configuration

  • Configure and customize the Okta Sign-In Widget

Preparation resources:

Part II

Exam Domain (Percentage of Part II Related to Domain)

Onboard new users using Okta’s Management SDK and User and Group APIs (27%)

  • Manage users with Okta’s Management SDK and User and Group APIs

Preparation resources:

Federate an App through OIDC (33%)

  • Provide federated access to an app using OIDC
  • Display claim data from the ID token

Preparation resources:

Securing an API using OAuth and Securely accessing an API from a client app using OAuth (20%)

  • Secure an API using OAuth by verifying there is a valid bearer of token
  • Securely access an API from a client application using OAuth in Okta

Preparation resources:

Implement the Okta Sign-In Widget for Authentication Purposes (20%)

  • Implement a custom authentication experience with the Okta Sign-In Widget
  • Implement and enforce multifactor authentication
  • Create a session for a user

Preparation resources:

Sample Exam Items

Know what to expect on the day of the exam. Take the Okta Developer Standard Practice Exam to familiarize yourself with both the exam content and the format of the DOMC item type.

Please note, we do not have items on this practice exam that are in the format of the performance-based tasks included in Part II of the Developer Exam. One way we recommend you prepare for Part II of this exam is to sign up for a free Okta Developer Org and practice performing tasks like those described in the Exam Domains for Part II provided above.

Preparation Videos for Part II

In Part II, you will be required to use a few special tools to complete the use cases. Training videos on using these tools are provided through the links below.

1. Downloading and setting up Postman

2. Creating an OIDC App and testing it with OIDC Debugger

3. Creating a glitch.com account and remixing a Glitch project

Subject Matter Experts for the Okta Developer Exam

Okta Certification exams are designed and built by subject matter experts who have extensive real-world experience implementing and administering the Okta service.

Here is the list of subject matter experts who helped design and/or build this exam.

Kam Ahuja

Ona Allison

Praveen Atluri

Chris Barry

Frank Benus

Brandon Black

Keith Casey

Dan Cinnamon

Andy Clarke

HenkJan de Vries

Dragos Gaftoneanu

Brent Garlow

Chris Gustafson

Xuewei (Phoebe) He

Kees Hendriks

Thomas Kirk

Jim Knutson

Joost Koiter

Frederick Lee

Patrick Linnane

Eric Lynch

Andy March

Stefan Mationg

Muli Motola

Jeff Nester

Shawn Recinto

Bryan Rembold

Roger Renecke

Ryan Schaller

Micah Silverman

David Snyder

Venu Sripada

Neal Tillery

Jeff Tucker

Matt Undy

Jay Venkatraj

Dr. Steve Watts