Access to custom attributes (or roles) without use of API token within OpenID session

hi all,

I apologise in advance if this question is from my ignorance of how Okta works. (as I’ve only recently started working with it)

Presently I’m using the OpenIdConnect call to establish an Okta session.
And this allows vision on these attributes (via the /userInfo call, when the session is established)

eg:
{
  "sub": "xxxxxxxxxxxxxxxxxxxxx",
  "name": "John Smith",
  "locale": "AU",
  "preferred_username": "john.smith@nowhere.com",
  "given_name": "John",
  "family_name": "Smith",
  "zoneinfo": "America/Los_Angeles",
  "updated_at": 1667464743
}

To retrieve the roles of a specific user, this API call was used: /api/v1/users/[userID]/groups (Users | Okta Developer), which worked fine during testing on UAT.

But our client isn’t keen on providing an API token to their database.
However, the user's role needs to be known for implementing tiered access functionality to the website for each Okta session.

Our client claims it should be possible to retrieve this via querying attributes, but how are Okta session attributes accessed? (outside of those listed above) Is there another call somewhere that does this? (without the need of an API token)

If this just isn’t possible without an API token, that would be good to know, at least then I can go back to the client with a specific request: please give me API access.

I’m attempting to do this in C#.

Thanks for your time.

Hi @newbie-okta, if I understand correctly you want group information? If so you can add a group scope to your /token or /userinfo call.

1 Like

Thanks for your response Sigama.

When I try making a separate call with groups appended to the URL,
i.e. /v1/userinfo/groups

Okta returns “method not allowed”.

I also tried adding groups to the scopes list:
“openid profile groups” (where before it was just “openid profile”, & based on the doco I’ve assumed it’s groups and not group)
Which errors:
‘invalid_scope’. Error_Description (may be empty): ‘One or more scopes are not configured for the authorization server resource’

I think I’m getting closer and will continue with this trial and error approach, I appreciate your help.

regards,

Hey @newbie-okta happy to help!

Two things:

  1. Are you using a custom authorization server? I explain the difference here - Okta Authorization Servers for OpenID Connect and OAuth 2.0 Integrations - YouTube

  2. Did you configure a group claim within that authz server? - Okta Help Center (Lightning)

I explain common issues here - Okta Authorization Servers for OpenID Connect and OAuth 2.0 Integrations - YouTube

1 Like
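To illustrate the approach suggested in the replies (groups delivered as a claim once the `groups` scope is requested and a groups claim is configured on the custom authorization server), here is an added example that is not part of the original thread: it decodes the claims of an ID token or /userinfo response, extracts the groups claim, maps groups to access tiers, and reports clearly when the claim is absent. The group names, tier mapping and sample token are constructed for the example; a real application must verify the token signature against the authorization server's JWKS before trusting any claim.

```python
import base64
import json
from typing import Optional

# Okta group names (constructed for this example) mapped to site access tiers.
TIER_BY_GROUP = {"WebAdmins": "admin", "WebEditors": "editor", "Everyone": "viewer"}
TIER_RANK = {"viewer": 0, "editor": 1, "admin": 2}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    Decoding only: verify the signature, iss, aud and exp against the
    authorization server's JWKS before acting on these claims in production.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def groups_from_claims(claims: dict, claim_name: str = "groups") -> list:
    """Extract the groups claim from ID-token or /userinfo claims.

    The claim only appears when the client requested the `groups` scope AND
    the custom authorization server has a groups claim configured, so a
    missing claim is a configuration problem, not "user has no groups".
    """
    groups = claims.get(claim_name)
    if groups is None:
        raise LookupError(f"'{claim_name}' claim missing: scope not requested or claim not configured")
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError(f"'{claim_name}' claim must be a list of strings")
    return groups


def tier_for(groups: list) -> Optional[str]:
    """Highest tier granted by any mapped group; None if no group is mapped."""
    tiers = [TIER_BY_GROUP[g] for g in groups if g in TIER_BY_GROUP]
    return max(tiers, key=TIER_RANK.__getitem__) if tiers else None


def make_sample_token(claims: dict) -> str:
    """Constructed, UNSIGNED ID-token-like JWT for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed sample claims in the shape of the /userinfo output quoted above.
SAMPLE_CLAIMS = {"sub": "00u-example", "name": "John Smith", "groups": ["Everyone", "WebEditors"]}
```

Calling `tier_for(groups_from_claims(jwt_claims(make_sample_token(SAMPLE_CLAIMS))))` yields `editor`, while claims without a groups entry raise `LookupError`, which is the symptom to expect when the scope or claim is not configured.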