RHarris

Reputation: 11227

Okta not returning custom claims in tokens

I just signed up for a dev test account with Okta to test OIDC using Okta's auth service and user management.

Using their management portal, I created a second group called Test Group along with the default group of Everyone and added my single user to both groups.

I then added an application called My SPA and assigned the Test Group access to this application.

Using the classic UI, I then edited the OpenID Connect ID Token section and set Group claims type to Expression and added groups as the claim name and getFilteredGroups(app.profile.groupwhitelist, "group.name", 40) as the expression.

I then went and edited the authorization server. I added a claim called 'groups' with a RegEx of *. to be used with any scope, access tokens and always include.

I then use the Token Preview selecting my user and using implicit grant flow but no groups show up.

How do you get a user's groups to show up as claims in the ID or Access Token from an Okta auth server?

Edit: screenshots of what I have (images not preserved; captions only):

- User part of 2 groups
- Claims added to default AS
- What I get with Token Preview -- no roles claims

Upvotes: 5

Views: 3300

Answers (3)

atmaram

Reputation: 510

I think the Groups here are created in order to park users in respective buckets (e.g. Admins / Users etc.) so that by knowing the Group of a User, the role can be derived for Authorizations. However, I would recommend using Okta's Custom Attribute in the Users' Profile so that the User Info can have the required attribute. The Custom Attribute can be set as a Dropdown-styled Enumeration to choose from and can also be marked as Mandatory while adding a User in the system. https://support.okta.com/help/s/article/How-to-create-dropdown-enumerated-custom-attributes-in-Okta?language=en_US

Adding Custom Attribute - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-add-custom-user-attributes.htm

And Mapping Attributes to Okta Profile - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-about-attribute-mappings.htm

Hope this also helps.

Upvotes: 0

Sara

Reputation: 212

You need to add the "groups" scope. In the scope, add "groups" in addition to profile and openid.

Upvotes: 0

Matt Raible

Reputation: 8634

I’ve only ever used the Developer Console to configure things. Here’s how I did it:

Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it "groups" or "roles", and include it in the ID Token. Set the value type to "Groups" and set the filter to be a Regex of .*.

Upvotes: 6
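Once the claim is configured as Matt describes, the relying party still has to check that the claim actually arrives and fail closed when it does not, rather than silently treating a missing claim as "no groups". The following is an added example, not code from the question, any answer, or Okta: it verifies a token, extracts the groups claim, emulates the authorization server's regex group filter, and maps group names to application roles. The issuer, client id, secret and role mapping are constructed placeholders, and a constructed HS256 token stands in for a real Okta token so it runs offline; real Okta tokens are RS256-signed and must be verified against the authorization server's JWKS keys, not a shared secret.

```python
"""Check that an Okta-style ID token carries the configured 'groups' claim.

Added example, not from the original post. Constructed HS256 token so it
runs offline; real Okta tokens are RS256 and are verified against JWKS.
"""
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed values; none of these are real Okta identifiers.
CONSTRUCTED_SECRET = b"example-only-shared-secret"
CONSTRUCTED_ISSUER = "https://example-tenant.okta.example/oauth2/default"
CONSTRUCTED_CLIENT_ID = "example-client-id"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, secret: bytes = CONSTRUCTED_SECRET) -> str:
    """Mint a constructed HS256 JWT so the checks below have input to parse."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signature = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(signature)])


def verify_and_decode(token: str, secret: bytes = CONSTRUCTED_SECRET,
                      issuer: str = CONSTRUCTED_ISSUER,
                      audience: str = CONSTRUCTED_CLIENT_ID, now=None) -> dict:
    """Verify signature, issuer, audience and expiry before returning claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return claims


def token_is_valid(token: str, **kwargs) -> bool:
    """Boolean wrapper around verify_and_decode for callers that only gate."""
    try:
        verify_and_decode(token, **kwargs)
        return True
    except ValueError:
        return False


def groups_from_claims(claims: dict, claim_name: str = "groups") -> list:
    """Fail closed: a missing groups claim is a misconfiguration, not 'no groups'."""
    groups = claims.get(claim_name)
    if not isinstance(groups, list):
        raise ValueError(f"token has no '{claim_name}' claim; check the claim "
                         "definition, its scope condition and the requested scopes")
    return groups


def filter_groups(groups: list, pattern: str) -> list:
    """Approximate the authorization server's regex group filter (full match):
    '.*' keeps every group, '^Test.*' keeps only those starting with 'Test'."""
    regex = re.compile(pattern)
    return [g for g in groups if regex.fullmatch(g)]


# Hypothetical group-to-role mapping for the groups named in the question.
ROLE_MAP = {"Everyone": "user", "Test Group": "tester"}


def roles_for(groups: list) -> set:
    """Derive application roles from group names; unknown groups grant nothing."""
    return {ROLE_MAP[g] for g in groups if g in ROLE_MAP}


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    token = make_token({"iss": CONSTRUCTED_ISSUER, "aud": CONSTRUCTED_CLIENT_ID,
                        "sub": "example-user", "exp": now + 3600,
                        "groups": ["Everyone", "Test Group"]})
    claims = verify_and_decode(token, now=now)
    print(roles_for(filter_groups(groups_from_claims(claims), ".*")))
```

The order matters: signature, issuer, audience and expiry are checked before any claim is read, and the groups lookup raises rather than returning an empty list, so a claim that never made it into the token (the situation in the question) surfaces as an error in the relying party instead of as a user with no roles.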
