Get "groups" claims from Okta using the OpenID Connect Authorization Code Flow

Question

I'm trying to include "groups" claims in what is returned by Okta after a user authenticates. It returns them when the response_type is 'id_token' but not when response_type is 'code'. For the Authorization Code flow I would expect to get the groups claims from the userinfo endpoint but they're not there. However I've read that the authorization code flow is more secure than the hybrid flow (id_token) so I'd like to ensure there is not a way to do this?

My webapp is built on ASPNET Core 3 and I've tried the Okta.AspNetCore Nuget package.

Answer 1

One thing that might trip you up is that Okta do return the tokens you ask for, but the OpenIDConnect handler in your client blocks them.

You need to explicitly map those extra claims in your client, using code like:

options.ClaimActions.MapUniqueJsonKey("website", "website");
options.ClaimActions.MapUniqueJsonKey("gender", "gender");
options.ClaimActions.MapUniqueJsonKey("birthdate", "birthdate");

There is also this option you can set:

options.GetClaimsFromUserInfoEndpoint = true;

Do verify using tools like Fiddler the the claims actually is returned or not.

And yes, authorization code flow is what you should aim to use.

To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging OpenID Connect claim problems in ASP.NET Core

Answer 2

You can easily add 'groups' claim in access token as well. You can refer to the guide below: https://developer.okta.com/docs/guides/customize-tokens-groups-claim/overview/

Answer 3

/userinfo response should contain all claims (for all flows including authorization code flow) including 'groups' as long as the groups scope is sent in the requests to mint the token.

Could you make sure the user is part of this group and the right scope is passed in the request ?