Reputation: 6075
I'm using ASP.NET Core MVC for a web app and using a policy to screen pages. When I create a requirement, I'm able to find all of the regular claims that come with OpenID Connect (name, ver, iss, aud, iat, etc.) but not groups, even though I've added groups in the OpenID Connect token configuration in Okta.
Startup.cs:
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthorization(options => {
        options.AddPolicy("ActionPrivilegeRequired", policy => policy.Requirements.Add(new ActionPrivilegeRequirement()));
    });
}
ActionPrivilegeRequirement.cs:
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ActionPrivilegeRequirement requirement)
{
    // Look up the "groups" claim; the null-conditional avoids a NullReferenceException
    // when the claim is absent, which is the case being described here.
    var groupMembership = context.User.FindFirst(
        c => c.Type == "groups")?.Value;
    // ...
    return Task.CompletedTask;
}
What do I need to do to add an Okta user's group membership to the user object's claims?
Update:
I've updated the OpenId middleware to include groups in the scope:
OpenIdConnectOptions opts = new OpenIdConnectOptions()
{
    //...
};
opts.Scope.Clear();
opts.Scope.Add("openid");
opts.Scope.Add("profile");
opts.Scope.Add("groups");
and confirmed that the server request to [Okta endpoint]/oauth2/v1/token and the client request to /authorize include groups, but still haven't found groups in the claims.
Upvotes: 2
Views: 2200
Reputation: 130
FYI 2.0 no longer adds everything from the user info endpoint due to cookie bloat. To get groups to show up in my claims I added this to the AddOpenIdConnect options...
options.ClaimActions.Add(new CustomJsonClaimAction(ClaimTypes.Role, ClaimTypes.Role, (x) => string.Join(",", x["groups"].Values<string>())));
Upvotes: 0
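For readers who want the whole picture behind that one line, here is an added example (not code from the question, the answers, or Okta) of an ASP.NET Core 2.x setup that requests the groups scope, reads the scope-dependent claims from the userinfo endpoint, and maps each group to a role claim so a policy can fail closed on it. The Okta domain, client credentials and the "Admins" group name are placeholders.

```csharp
// Added example: ASP.NET Core 2.x OIDC configuration for Okta group claims.
// Placeholder values: Okta domain, client id/secret, and the "Admins" group name.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://{yourOktaDomain}/oauth2/default"; // placeholder
            options.ClientId = "{clientId}";                               // placeholder
            options.ClientSecret = "{clientSecret}";                       // placeholder
            options.ResponseType = "code";

            // Ask Okta for the scope-dependent "groups" claim.
            options.Scope.Add("groups");

            // In the code flow the scope-dependent claims come back from /userinfo,
            // and 2.0 no longer copies that JSON into the principal on its own.
            options.GetClaimsFromUserInfoEndpoint = true;

            // Map every element of the "groups" array to its own role claim,
            // so RequireRole/IsInRole work without parsing a comma-joined string.
            options.ClaimActions.MapJsonKey(ClaimTypes.Role, "groups");
        });

        services.AddAuthorization(options =>
        {
            // Fails closed: a user with no mapped group claim never satisfies the policy.
            options.AddPolicy("ActionPrivilegeRequired",
                policy => policy.RequireRole("Admins")); // placeholder group name
        });
    }
}
```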
Reputation: 205
If you're not doing this already - did you add the groups scope to the /authorize request? It looks like you've configured the groups on the Okta admin side, but need to request it from the client as well.
If you are requesting the groups scope, there are some other things to look into:
Do you have more than 100 groups that would be returned? There is a note at the bottom of the scope-dependent claims doc that talks about this limit.
If you verify that you are making the request with the groups scope, and it's still not working - can you check the id_token that is returned from Okta and verify whether it includes the groups or not? If it does, then this could be a bug in the .NET SDK (which we can open an issue for).
Upvotes: 3