Access token with groups for a Service application (Machine-to-Machine)


#1

I am implementing a Service Application (Machine-to-machine) and one of the requests is to get the groups assigned to this Application. Ideally, I want to get this information from the access token, but I am happy to hear others solutions.

I already tried to add new Scopes and Claims in the Authorization Server, but the claims that I get from the Access Token are still the same (ver, jti, iss, aud, iat, exp, cid, scp, sub).
This happens only for the authentication Machine-to-Machine. When I do the same from a web application I can easily get all the claims that I need.


#2

What stack are you on?
It sounds like you are creating an OAuth2 resource server? (accepting Bearer tokens)


#3

Yep, exactly. :slight_smile:


#4

What language/stack/framework are you on? we can probably point you to an example.


#5

Thanks. I am working in Java 8, using Spring Boot.


#6

Perfect!
Take a look at: https://github.com/okta/samples-java-spring/tree/master/resource-server
You can use the scopes in a PreAuthorize annotation too:

You can use the out-of-the-box Spring OAuth 2 bits too

All that said, it looks like part of your problem might be minting the initial token. What OAuth configuration properties/yaml do you have set?


#7

Hello bdemers

Thanks a lot for your help!
Unfortunately, I need a solution for Service (Machine-to-machine), while your example is for Single-Page App (SPA). The main difference is that, as I can see from the documentation:

“The Client Credentials flow never has a user context, so you can’t request OpenID scopes. Instead, you must create a custom scope” (https://developer.okta.com/authentication-guide/implementing-authentication/client-creds)

I added a customScope as suggested and I updated the claims to associate “groups” to that scope, but nothing changed.

I'll try to give some context.
Forget the front-end side because it's already working fine.
I have a Service that authenticates to Okta (Application Service Machine-to-Machine). The authentication works fine: I am making a POST to the /token endpoint and I get an access_token as the result. What I am trying to do is to extract from this access token the groups assigned to the related application service.

So, in my case I have in Okta the application Service that I called “ServiceTest” and I assigned to it the groups “admin” and “developers”. When I run my service it authenticates on Okta using the Client Id and the Client Secret that I can find in “ServiceTest”. The authentication works fine and I get the access token as the reply. What I am trying to do now is to get from the access token the claim “groups” (by groups I mean the groups assigned to “ServiceTest”, so in this case “admin” and “developers”). I tried to use a customScope and to associate the claim “groups” to it, but I still get the same claims as before. I tried to do the same using a Single-Page App and in that case I have all the claims that I need. This is what I did in Okta:
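As an added example that is not part of this thread or of the Okta sample linked in #6, here is how a Spring Boot resource server (Spring Security 5.2+ assumed) can map a `groups` claim in the access token to authorities and enforce both the custom scope and the group with `@PreAuthorize`. Class, endpoint and scope names are hypothetical; if the token carries no `groups` claim (the situation described in #7), the converter yields no `ROLE_` authorities and the endpoint answers 403 rather than failing at startup.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request needs a valid Bearer JWT; issuer/JWK set come from
        // spring.security.oauth2.resourceserver.jwt.issuer-uri in application.yml.
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.jwt(j -> j.jwtAuthenticationConverter(jwtAuthenticationConverter())));
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        // Default converter: "scp"/"scope" claim -> SCOPE_<value> authorities.
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        // Second converter: "groups" claim -> ROLE_<group>; an absent claim yields an empty list.
        JwtGrantedAuthoritiesConverter groups = new JwtGrantedAuthoritiesConverter();
        groups.setAuthoritiesClaimName("groups");
        groups.setAuthorityPrefix("ROLE_");
        Converter<Jwt, Collection<GrantedAuthority>> both = jwt -> {
            List<GrantedAuthority> all = new ArrayList<>(scopes.convert(jwt));
            all.addAll(groups.convert(jwt));
            return all;
        };
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(both);
        return converter;
    }
}

@RestController
class AdminController {
    // Requires the custom scope minted for the client-credentials app AND membership in "admin".
    @PreAuthorize("hasAuthority('SCOPE_customScope') and hasRole('admin')")
    @GetMapping("/admin/groups")
    public Object groups(@AuthenticationPrincipal Jwt jwt) {
        return jwt.getClaims().get("groups"); // null until the authorization server adds the claim
    }
}
```

A quick way to confirm what the server will see is to inspect the `groups` value returned by `/admin/groups` with a token that does carry the claim; with the token from #1 the request is rejected with 403 before the handler runs.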