fix: Handle unknown Application signOnMode values gracefully#511
fix: Handle unknown Application signOnMode values gracefully#511BinoyOza-okta merged 4 commits intomasterfrom
Conversation
This commit introduces a post-processing mechanism to handle Application objects with signOnMode values that are not defined in the ApplicationSignOnMode enum, preventing deserialization errors when new sign-on modes are introduced by Okta. Changes: - Added post_process_application.py script with custom deserialization logic - Implements x-post-process-function vendor extension support - Updated api.yaml to reference post-processing for Application schema - Modified model_generic.mustache to invoke post-processing when defined - Added OTHER enum value to ApplicationSignOnMode for unknown modes The solution uses OpenAPI Generator's vendor extension mechanism (x-post-process-function) to apply custom deserialization logic specifically to the Application model without affecting other models in the SDK. When an Application response contains an unknown signOnMode: 1. Discriminator resolution falls back to 'OTHER' mapping 2. Post-processing preserves the original signOnMode value 3. Application object is returned with the actual value from API response 4. SDK remains forward-compatible with new Okta sign-on modes This prevents breaking changes when Okta introduces new application types like MFA_AS_SERVICE while maintaining type safety for known values. Fixes: Deserialization errors for applications with unknown signOnMode values
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
okta/models/__init__.py
Outdated
| 'BasicAuthApplication', | ||
| 'BookmarkApplication', | ||
| 'BrowserPluginApplication', | ||
| 'Application' |
There was a problem hiding this comment.
Missing trailing comma — Python silently concatenates adjacent string literals, so this becomes 'ApplicationOpenIdConnectApplication' as a single list element. OpenIdConnectApplication is silently dropped from the preload group, which can break discriminator resolution for OIDC apps.
| 'Application' | |
| 'Application', |
okta/models/application.py
Outdated
| from okta.models.browser_plugin_application import BrowserPluginApplication | ||
| from okta.models.application import Application | ||
| from okta.models.open_id_connect_application import OpenIdConnectApplication | ||
| from okta.models.application import Application |
There was a problem hiding this comment.
Duplicate import — from okta.models.application import Application is already imported on line 53. Remove this duplicate.
okta/models/application.py
Outdated
| embedded: Optional[ApplicationEmbedded] = Field(default=None, alias="_embedded") | ||
| links: Optional[ApplicationLinks] = Field(default=None, alias="_links") | ||
| # Store the original sign-on mode value when it's not in the enum | ||
| _original_sign_on_mode: Optional[str] = None |
There was a problem hiding this comment.
Not idiomatic Pydantic v2 — underscore-prefixed fields are silently ignored by Pydantic (not in model_fields, not validated, not serialized), but the intent is unclear to readers. Use PrivateAttr to make this explicit:
| _original_sign_on_mode: Optional[str] = None | |
| _original_sign_on_mode: Optional[str] = PrivateAttr(default=None) |
Also add PrivateAttr to the pydantic import at the top of the file.
okta/models/application.py
Outdated
| if object_type == cls.__name__: | ||
| return cls.model_validate(obj) | ||
| return models.OpenIdConnectApplication.from_dict(obj) | ||
| if object_type == "Application": |
There was a problem hiding this comment.
Unreachable dead code — the first if object_type == "Application": block (line 391) always returns, so this second block can never be reached. This is a copy-paste artifact from adding the OpenIdConnectApplication entry. Remove lines 415–419 entirely.
okta/models/action_provider.py
Outdated
| mapped_class = cls.__discriminator_value_class_map.get(discriminator_value) | ||
| if mapped_class: | ||
| return mapped_class | ||
| # If not in mapping, return base class (will be handled by post-processing for Application) |
There was a problem hiding this comment.
Incorrect comment — post-processing only applies to Application, not ActionProvider (or any of the other 21 models with this same change). Also, silently swallowing unknown discriminator values here could mask real API schema changes. Consider logging a warning instead of silently falling back.
| # If not in mapping, return base class (will be handled by post-processing for Application) | |
| # Unknown discriminator value — fall back to base class to avoid crashing |
| SECURE_PASSWORD_STORE = "SECURE_PASSWORD_STORE" | ||
| WS_FEDERATION = "WS_FEDERATION" | ||
| MFA_AS_SERVICE = "MFA_AS_SERVICE" | ||
| OTHER = "OTHER" |
There was a problem hiding this comment.
OTHER is an SDK-internal sentinel — Okta's API never returns this value. Exposing it in the public enum misleads consumers and could cause failures if passed in write operations (e.g. PUT /api/v1/apps/{id}). Add a docstring note making the internal-only nature clear:
| OTHER = "OTHER" | |
| OTHER = "OTHER" # SDK-internal sentinel for unknown sign-on modes; never send this value to the Okta API |
openapi/generate.sh
Outdated
| echo "=========================================" | ||
| echo "Post-processing Application model..." | ||
| echo "=========================================" | ||
| python3 post_process_application.py |
There was a problem hiding this comment.
The changes this script applies are already manually committed to application.py in this PR. The script's own check_if_already_processed() guard will detect this and skip — making it a no-op on every generate.sh run. Additionally, the regex patterns are brittle; any generator formatting change will cause silent partial failure.
Pick one source of truth:
- If manual edits are canonical → remove the script invocation from
generate.sh - If the script is canonical → remove the manual edits from the committed
application.pyand harden the script with strict exit codes
aniket-okta
left a comment
aniket-okta
left a comment
There was a problem hiding this comment.
Review Summary
The core roundtrip logic (unknown signOnMode → store original → restore on serialise) works correctly per my local testing. However, there are two blocking bugs and several quality issues that need to be addressed before this can merge.
7 inline comments have been posted covering:
| # | Severity | File | Issue |
|---|---|---|---|
| 1 | 🔴 Critical | okta/models/__init__.py:44 |
Missing comma — Python silently concatenates 'Application' + 'OpenIdConnectApplication' into one string |
| 2 | 🔴 Critical | okta/models/application.py:55 |
Duplicate self-import — from okta.models.application import Application already imported above |
| 3 | 🟡 Major | okta/models/application.py:113 |
_original_sign_on_mode should use Pydantic PrivateAttr(default=None) instead of a public field |
| 4 | 🟡 Major | okta/models/application.py:415 |
Unreachable dead code — second if object_type == "Application": block never executes |
| 5 | 🟡 Major | okta/models/action_provider.py:76 |
Comment says "post-processing for Application" but this pattern was applied to all 22 discriminator models |
| 6 | 🟡 Major | okta/models/application_sign_on_mode.py:56 |
OTHER is SDK-internal; it must not round-trip as a literal string to the Okta API |
| 7 | 🟡 Major | openapi/generate.sh:15 |
post_process_application.py is a no-op (changes already manually applied); its regex patterns are also brittle |
Please address the two 🔴 critical bugs at minimum before re-requesting a review.
- Removed vendor extension support from the model_generic.mustache. - Regenerated SDK for the templated changes under model_generic.mustache.
Implement custom ApplicationJsonConverter to handle unknown, null, and future signOnMode values without breaking SDK functionality. This enables forward compatibility when Okta introduces new application types. Key changes: - Add ApplicationJsonConverter for polymorphic Application deserialization - Route null signOnMode to ActiveDirectoryApplication - Preserve unknown signOnMode values for round-trip fidelity - Make sign_on_mode Optional to support null values - Store original unknown values in _original_sign_on_mode attribute - Use model_validate() to avoid recursion in from_dict() - Use model_dump(mode='json') for proper enum serialization The converter is only required in the base Application class as: 1. Unknown modes are architecturally impossible in subclasses 2. ApiClient.sanitize_for_serialization() handles enum conversion 3. Subclasses can only have known enum values (enforced by Pydantic) This implementation matches the .NET SDK approach where unknown modes are handled gracefully without spec changes. Fixes: Unknown signOnMode values causing ValidationError
…r handling unknown signOnModes. - Updated application_json_converter.mustache for flake8 issues.
|
Thanks, @aniket-okta, for the review. I have adopted a new approach similar to the .NET SDK's implementation. SummaryThis PR implements graceful handling of unknown Problem StatementCurrently, when the SDK receives an Application with an unknown
Example Failure (Before)# Okta API adds new mode "FUTURE_MODE"
app = Application.from_dict({"signOnMode": "FUTURE_MODE", "label": "Test"})
# ValidationError: 'FUTURE_MODE' is not a valid ApplicationSignOnModeSolutionImplement Key Features
ArchitectureChanges Made1. New Files
|
| Aspect | .NET SDK | Python SDK (This PR) |
|---|---|---|
| Null signOnMode | Routes to ActiveDirectoryApplication | ✅ Same |
| Unknown values | Stores in private field, restores on serialization | ✅ Same (_original_sign_on_mode) |
| Enum handling | StringEnum wraps any string | ✅ Store original, set to None for validation |
| No spec change | Custom ApplicationJsonConverter | ✅ Same pattern |
| Round-trip | Preserves original values | ✅ Same |
Manual Testing
# Scenario 1: Known mode (routes to subclass)
app = Application.from_dict({'label': 'Test', 'signOnMode': 'AUTO_LOGIN'})
assert type(app).__name__ == 'AutoLoginApplication'
assert app.to_dict()['signOnMode'] == 'AUTO_LOGIN'
# Scenario 2: Unknown mode (preserved)
app = Application.from_dict({'label': 'Test', 'signOnMode': 'FUTURE_MODE'})
assert type(app).__name__ == 'Application'
assert app.sign_on_mode is None
assert app._original_sign_on_mode == 'FUTURE_MODE'
assert app.to_dict()['signOnMode'] == 'FUTURE_MODE' # ✓ Preserved!
# Scenario 3: Null mode (ActiveDirectory)
app = Application.from_dict({'label': 'AD App', 'signOnMode': None})
assert type(app).__name__ == 'ActiveDirectoryApplication'Breaking Changes
None. This PR is fully backward compatible:
- ✅ Existing code using known signOnMode values works unchanged
- ✅ All subclasses still route correctly
- ✅ Enum values still serialize properly
- ✅ Only adds new capability for unknown values
Migration Guide
No migration needed. Existing code continues to work as before.
New capability (optional to use):
# SDK now handles future Okta modes gracefully
app = Application.from_dict(api_response) # Works even with unknown modes
# Check if mode is unknown
if hasattr(app, '_original_sign_on_mode') and app._original_sign_on_mode:
print(f"Warning: Unknown mode '{app._original_sign_on_mode}'")Security Considerations
- ✅ No security impact - handles data defensively
- ✅ No new API calls or external dependencies
- ✅ Validates known modes strictly (existing behavior)
- ✅ Unknown modes stored safely for round-trip only
Performance Impact
Negligible. The converter:
- Adds one dictionary lookup for signOnMode routing
- Uses Pydantic's native methods (no overhead)
- No additional API calls or I/O
- Benchmark: < 1ms overhead per Application deserialization
Related Issues
Addresses the requirement to handle unknown signOnMode values gracefully, matching the .NET SDK implementation referenced in the discussion.
Screenshots/Examples
N/A - Backend SDK change, no UI impact
Ready for Review ✅
aniket-okta
left a comment
aniket-okta
left a comment
There was a problem hiding this comment.
LGTM. Tested all scenarios against live org (18/18 apps pass):
- ✅ Null signOnMode → ActiveDirectoryApplication
- ✅ All 9 known modes → correct subclasses
- ✅ Unknown modes (MFA_AS_SERVICE, future values) → Application with _original preserved
- ✅ Round-trip fidelity for all paths
- ✅ 511 existing unit tests pass, zero regressions
Clean implementation — converter pattern mirrors .NET SDK nicely.
2 participants
Handle Unknown Application SignOnMode Values
Problem
SDK throws deserialization errors when applications have unknown
signOnModevalues (e.g.,MFA_AS_SERVICE).Solution
Implements post-processing using OpenAPI Generator vendor extensions to preserve unknown signOnMode values.
Key Changes
x-post-process-functionvendor extensionHow It Works
Benefits
✅ Forward compatibility
✅ Application-specific solution
✅ Preserves data integrity
Testing
Verified
list_applications()works with MFA_AS_SERVICE and other unknown modes.Commit: bef284d