Access token with groups for a Service application (Machine-to-Machine)

thiwwy · March 14, 2019, 2:07pm

I am implementing a Service Application (Machine-to-machine) and one of the requests is to get the groups assigned to this Application. Ideally, I want to get this information from the access token, but I am happy to hear others solutions.

I already tried to add new Scopes and Claims in the Authorization Server, but the claims that I get from the Access Token are still the same (ver, jti, iss, aud, iat, exp, cid, scp, sub).
This happens only for the authentication Machine-to-Machine. When I do the same from a web application I can easily get all the claims that I need.

bdemers · March 14, 2019, 2:44pm

What stack are you on?
It sounds like you are creating an OAuth2 resource server? (accepting Bearer tokens)

thiwwy · March 14, 2019, 4:15pm

Yep, exactly.

bdemers · March 14, 2019, 4:33pm

What language/stack/framework are you on? we can probably point you to an example.

thiwwy · March 14, 2019, 4:34pm

Thanks. I am working in Java 8, using Spring Boot.

bdemers · March 14, 2019, 5:21pm

Perfect!
Take a look at: https://github.com/okta/samples-java-spring/tree/master/resource-server
You can use the scopes in an PreAuthorize annotation too:

github.com

okta/samples-java-spring/blob/master/resource-server/src/main/java/com/okta/spring/example/ResourceServerExampleApplication.java#L45


        .and()
            .oauth2ResourceServer().jwt();
    }
}


@RestController
@CrossOrigin(origins = "http://localhost:8080")
public class MessageOfTheDayController {


    @GetMapping("/api/userProfile")
    @PreAuthorize("hasAuthority('SCOPE_profile')")
    public Map<String, Object> getUserDetails(JwtAuthenticationToken authentication) {
        return authentication.getTokenAttributes();
    }


    @GetMapping("/api/messages")
    @PreAuthorize("hasAuthority('SCOPE_email')")
    public Map<String, Object> messages() {


        Map<String, Object> result = new HashMap<>();
        result.put("messages", Arrays.asList(

You can use the out-of-the-box Spring OAuth 2 bits too

All that said like part of your problem might be minting the initial token. What oauth configuration properties/yaml do you have set?

thiwwy · March 14, 2019, 7:37pm

Hello bdemers

Thanks a lot for your help!
Unfortunately, I need a solution for Service (Machine-to-machine), while your example is for Single-Page App (SPA). The main difference is that, as I can see from the documentation:

“The Client Credentials flow never has a user context, so you can’t request OpenID scopes. Instead, you must create a custom scope” (https://developer.okta.com/authentication-guide/implementing-authentication/client-creds)

I added a costumeScope as suggested an I updated the claims to associate “groups” to that scope but nothing changed.

I try to give some context.
Forget the front-end side because it’s already working fine.
I have a Service that authenticates to Okta (Application Service Machine-to-Machine). The authentication works fine, I am making a POST to the /token endpoint and I get access_token as result. What I am trying to do is to extract from this access token the groups assigned to the application service related.

So, in my case I have in Okta the application Service that I called “ServiceTest” and I assigned to it the groups “admin” and “developers”. When I run my service it authenticates on Okta using the Client Id and the Client Secret that I can find in “ServiceTest”. The authentication works fine and I get as reply the access token. What I am trying to do now is to get from the access token the claim “groups” (by groups I mean the groups assigned to the “ServiceTest”, so in this case “admin” and “developers”). I tried to use a costumeScope and to associate to it the claim “groups” but I still get the same claims as before. I tried to do the same using a Single-Page App and in this case I have the all the claims that I need. This is what I did in Okta:

shwetys · September 9, 2021, 7:01am

Did you find the solution for the above problem. We also need to get the groups associated with a client for M2M authentication. Would really appreciate if someone has a step by step set up to get the groups as claims fo client credentials authentication

gomze · September 9, 2021, 5:48pm

Bumping it up. I need help on this too