Okta not returning custom claims in tokens
I just signed up for a dev test account with Okta to test OIDC using Okta's auth service and user management.

Using their management portal, I created a second group called Test Group along with the default group of Everyone and added my single user to both groups.

I then added an application called My SPA and assigned the Test Group access to this application.

Using the classic UI, I then edited the OpenID Connect ID Token section and set Group claims type to Expression and added groups as the claim name and getFilteredGroups(app.profile.groupwhitelist, "group.name", 40) as the expression.

I then went and edited the authorization server. I added a claim called 'groups' with a RegEx of *. to be used with any scope, access tokens and always include.

I then use the Token Preview selecting my user and using implicit grant flow but no groups show up.

How do you get a user's groups to show up as claims in the ID or Access Token from an Okta auth server?

Edit: Screenshots of what I have:

User part of 2 groups
Claims added to default AS
What I get with Token Preview -- no roles claims

Danadanae answered 7/6, 2018 at 15:34 Comment(0)

I’ve only ever used the Developer Console to configure things. Here’s how I did it:

Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it "groups" or "roles", and include it in the ID Token. Set the value type to "Groups" and set the filter to be a Regex of .*.

Zamarripa answered 7/6, 2018 at 15:48 Comment(4)
That's everything I described above. When you do this, are you able to see the new claim when you use the Token Preview option of the Portal? -- Danadanae
Maybe you made the change to the Okta AS, not your custom one? Here's a screenshot proving it works for me when I modify the "default" AS. flickr.com/photos/mraible/41932672544/in/dateposted-public -- Zamarripa
Thanks Matt, I included images to show you what I'm seeing as well. Everything seems the same as yours -- minus the roles claims. -- Danadanae
Found my problem! If you notice in my screenshot, I added a RegEx of * instead of .* . Thanks so much to @sara-daqiq for helping me catch that! -- Danadanae
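The answer and its comments come down to the group filter regex: `*` on its own is not a valid pattern, while `.*` matches every group name. The following added example (not code from the question or answers) decodes the payload of a constructed, unsigned sample ID token to inspect its groups claim and applies the filter the same way, so the difference between the two patterns is visible. It uses Python's regex engine as a stand-in for Okta's filter, and the issuer, audience and group names are made-up sample values.

```python
import base64
import json
import re


def b64url(d: dict) -> str:
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(d, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample payload (not a real Okta token): issuer, audience and
# groups are placeholders chosen to mirror the question's setup.
SAMPLE_PAYLOAD = {
    "sub": "00u-example",
    "iss": "https://dev-example.okta.com/oauth2/default",
    "aud": "my-spa-client-id",
    "groups": ["Everyone", "Test Group"],
}
SAMPLE_ID_TOKEN = ".".join(
    [b64url({"alg": "RS256", "kid": "sample"}), b64url(SAMPLE_PAYLOAD), "sig"]
)


def decode_claims(id_token: str) -> dict:
    """Read the payload segment of a JWT for inspection only.

    This does not verify the signature; an application must validate the
    token against the authorization server's JWKS before trusting claims."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def filter_groups(groups: list, pattern: str) -> list:
    """Keep the group names that fully match the filter regex.

    Okta's 'Matches regex' filter uses its own engine; Python's re shows the
    same behaviour for this case: '*' alone is rejected, '.*' matches all."""
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid group filter {pattern!r}: {exc}") from exc
    return [g for g in groups if rx.fullmatch(g)]


def groups_from_token(id_token: str, pattern: str = ".*") -> list:
    """Decode the token and return the groups that pass the filter."""
    claims = decode_claims(id_token)
    return filter_groups(claims.get("groups", []), pattern)
```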

You need to add the "groups" scope. In the scope, add "groups" in addition to profile and openid.

Twine answered 7/6, 2018 at 22:39 Comment(1)
This didn't seem to help. -- Danadanae

I think the Groups here are created in order to park users in respective buckets (e.g. Admins / Users etc.) so that, by knowing the Group of a User, the role can be derived for authorization. However, I would recommend using Okta's Custom Attribute in the Users' Profile so that the User Info can have the required attribute. The Custom Attribute can be set as a dropdown-styled enumeration to choose from and can also be marked as mandatory while adding a User to the system. https://support.okta.com/help/s/article/How-to-create-dropdown-enumerated-custom-attributes-in-Okta?language=en_US

Adding Custom Attribute - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-add-custom-user-attributes.htm

And Mapping Attributes to Okta Profile - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-about-attribute-mappings.htm

Hope this also helps.

Earnest answered 28/6, 2021 at 8:42 Comment(0)
