Access to custom attributes (or roles) without use of API token within OpenID session

newbie-okta · January 17, 2023, 5:19am

hi all,

I apologise in advance if this question is from my ignorance of how Okta works. (as I’ve only recently started working with it)

Presently I’m using the OpenIdConnect call to establish an Okta session.
And this allows vision on these attributes (via the /userInfo call, when the session is established)

eg:
{
“sub”: “xxxxxxxxxxxxxxxxxxxxx”,
“name”: “John Smith”,
“locale”: “AU”,
“preferred_username”: “john.smith@nowhere.com”,
“given_name”: “John”,
“family_name”: “Smith”,
“zoneinfo”: “America/Los_Angeles”,
“updated_at”: 1667464743
}

To retrieve the roles of a specific user, this API call was used: /api/v1/users/[userID]/groups (Users | Okta Developer), which worked fine during testing on UAT.

But our client isn’t keen on providing an API token to their database.
However the users role needs to be known for implementing tiered access functionality to the website for each Okta session.

Our client claims it should be possible to retrieve this via querying attributes, but how are Okta session attributes accessed? (outside of those listed above) Is their another call somewhere that does this? (without the need of an API token)

If this just isn’t possible without an API token, that would be good to know, at least then I can go back to the client with a specific request: please give me API access.

I’m attempting to do this in C#.

Thanks for you time.

sigama · January 17, 2023, 5:42pm

Hi @newbie-okta, if I understand correctly you want group information? If so you can add a group scope to your /token or /userinfo call.

newbie-okta · January 17, 2023, 11:46pm

Thanks for you response Sigama.

When I try making a separate call with groups included on to the url.
ie: /v1/userinfo/groups

Okta returns “method not allowed”.

I also tried adding groups to the scopes list:
“openid profile groups” (where before it was just “openid profile”, & based on the doco I’ve assumed it’s groups and not group)
Which errors:
‘invalid_scope’. Error_Description (may be empty): ‘One or more scopes are not configured for the authorization server resource’

I think I’m getting closer and will continue with this trial and error approach, I appreciate your help.

regards,

sigama · January 19, 2023, 5:35pm

Hey @newbie-okta happy to help!

Two things:

Are you using a custom authorization server? I explain the difference here - Okta Authorization Servers for OpenID Connect and OAuth 2.0 Integrations - YouTube
Did you configure a group claim within that authz server? - Okta Help Center (Lightning)

I explain common issues here - Okta Authorization Servers for OpenID Connect and OAuth 2.0 Integrations - YouTube

Post		Replies	Views
The roles are not visible in the access token for grant type Client Credentials grant type OAuth/OIDC	5	1360	March 6, 2024
Getting access_token without a UI OAuth/OIDC	3	10832	January 9, 2018
Using sessionToken how can get access_token and id_token OAuth/OIDC python	19	46891	August 5, 2022
Problem with Fetching List of Users via API OAuth/OIDC	11	1867	February 16, 2024
Defining user's permissions after signing in with Okta (based on groups?) OAuth/OIDC	2	1985	February 14, 2024

Access to custom attributes (or roles) without use of API token within OpenID session

Related Topics