zubair Ahmad

Reputation: 109

How can we add a group roles claim to an Okta access token or ID token?

I am working on a React app and want to retrieve all group roles (not group names) from the access token or ID token. I have attempted to add custom claims but couldn't find any examples of using the Okta Expression Language to obtain this information.

I aim to add a custom claim called "group_roles". What expression should I use for the claim value?

Expressions found online that do not work:

user.groups.roles

appuser.groups.roles

user.getGroups({'group.type': {'OKTA_GROUP', 'APP_GROUP'}})

user.groups.stream().filter(group → group.active).findFirst().orElse(null).name

Example:

An Okta user belongs to two groups:

ManagerGroup with roles: manager and supervisor

UserGroup with a single role: user

Desired Output:

"group_roles": "manager, supervisor, user"

Upvotes: 0

Views: 62

Answers (1)

Scompi

Reputation: 1

If you want to add a custom claim called group_roles to your tokens and include all the roles from your groups:

1 - Make sure your groups in Okta have roles defined:

  • Go to Directory > Groups > Group Profile in the Okta admin.
  • Add a custom attribute to the group profile and set the roles, like manager, supervisor, etc.

2 - Create a custom claim:

  • Go to Security > API > Authorization Servers in Okta.
  • Open your Authorization Server and go to Claims.
  • Add a new claim:
    • Name: group_roles
    • Include in: Access Token or ID Token.
    • Value type: Expression.
    • Expression: Use this if roles are stored in the groupRoles attribute:

user.groups.filter(group.groupRoles != null).map(group.groupRoles).flatten()

If roles are in group names, use this:

user.groups.filter(group.name.startsWith("Role-")).map(group.name.substringAfter("Role-"))

This should work :)

Upvotes: 0
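As an added example (not part of the question or the answer above), the following JavaScript models what the two claim expressions in the answer are meant to produce, then shows how the React app from the question could read the resulting claim out of a token. The group objects, the token and the custom group attribute name `groupRoles` are constructed assumptions for this example; the `Role-` name prefix is the one used in the answer. Decoding a JWT payload client-side is fine for UI decisions, but the signature must be verified by the resource server (or Okta's SDK) before any authorization decision relies on the claim.

```javascript
// Sample groups shaped like Okta group profiles (constructed data).
// `groupRoles` is the hypothetical custom group attribute the answer refers to.
const SAMPLE_GROUPS = [
  { profile: { name: "ManagerGroup", groupRoles: ["manager", "supervisor"] } },
  { profile: { name: "UserGroup", groupRoles: ["user"] } },
  { profile: { name: "Everyone" } },          // no roles attribute at all
  { profile: { name: "Role-auditor" } },      // role encoded in the group name
];

// Variant 1 (answer's first expression): roles stored in a custom group attribute.
// Groups without the attribute are skipped; duplicates across groups are removed.
function rolesFromAttribute(groups, attr = "groupRoles") {
  const roles = groups
    .filter(g => Array.isArray(g.profile[attr]))
    .flatMap(g => g.profile[attr]);
  return [...new Set(roles)];
}

// Variant 2 (answer's second expression): roles encoded in the group name
// behind a fixed prefix such as "Role-".
function rolesFromNamePrefix(groups, prefix = "Role-") {
  const roles = groups
    .map(g => g.profile.name)
    .filter(n => typeof n === "string" && n.startsWith(prefix))
    .map(n => n.slice(prefix.length));
  return [...new Set(roles)];
}

// base64url helpers that work in both browsers and Node.
function base64UrlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  const b64 = typeof btoa === "function"
    ? btoa(bin)
    : Buffer.from(bin, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const b64 = (s + pad).replace(/-/g, "+").replace(/_/g, "/");
  const bin = typeof atob === "function"
    ? atob(b64)
    : Buffer.from(b64, "base64").toString("binary");
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}

// Constructed sample token: header and payload are real base64url JSON, the
// signature segment is a placeholder. Nothing here verifies a signature; a
// real Okta token is RS256-signed and must be verified server-side.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.signature-placeholder`;
}

// Parse only the payload segment of a compact JWS (no verification, UI use only).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Read the custom claim. The question's desired output is a comma-separated
// string, while an array-valued expression yields a JSON array, so accept both
// and return a trimmed, de-duplicated list either way.
function groupRolesFromToken(token, claim = "group_roles") {
  const value = decodeJwtPayload(token)[claim];
  if (value == null) return [];
  const list = Array.isArray(value) ? value : String(value).split(",");
  return [...new Set(list.map(r => String(r).trim()).filter(Boolean))];
}

const SAMPLE_TOKEN = makeSampleToken({
  sub: "00u-example-user",                       // constructed subject id
  group_roles: "manager, supervisor, user",      // the question's desired output
});

console.log(rolesFromAttribute(SAMPLE_GROUPS));   // [ 'manager', 'supervisor', 'user' ]
console.log(rolesFromNamePrefix(SAMPLE_GROUPS));  // [ 'auditor' ]
console.log(groupRolesFromToken(SAMPLE_TOKEN));   // [ 'manager', 'supervisor', 'user' ]
```

In the React app, `groupRolesFromToken` would be fed the token obtained from Okta's auth client; the normalisation step matters because the claim's shape changes depending on whether the expression returns a string or a list, and a UI that assumes one shape will silently show no roles when the other arrives.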
