All Group attributes returned in OIDC tokens

I have an application that I am porting to Okta. The application has 1:N functional capabilities (edit customer, approve order, etc.) that are granted based on being part of a group. A very basic representation:
Group 1: “editCustomer”
Group 2: “approveOrder”

I have found that in Okta you can create group attributes and was thinking that we could create an “approveOrder” attribute and set it to true for Group 2 and null for Group 1; however, it’s not that simple because we would like to have these returned as claims in the token.

When retrieving the token, Okta appears to only recognize the first group that the user is in based on the priority defined in Applications => Assignments => Group. So, if a user happened to be in multiple groups granting different functions, Okta only provides the function information for the first group based on the priority. Is there a way to tell Okta to retrieve all the permissions from every application group the user is in where a value is not null?

If not, is there an alternate way to achieve the same goal, perhaps using expression language?

We noticed that when you create an application attribute you can set it to the “string array” type, and when you do this and choose “Group” for the attribute type, an additional “group priority” option displays. This only happens for the “Array” types. In testing so far we can use this to assign various array permissions to different groups and use that priority feature to merge permissions across groups.
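To make the difference between the two behaviours described in this thread concrete, here is an added Python model; it is example code, not Okta's implementation and not code posted by anyone in the thread. The group names, the attribute names (`approveOrder`, `permissions`), the sample assignments and the exact merge rules (a scalar attribute takes only the highest-priority assigned group's value; a string-array attribute with group priority concatenates every assigned group's values in priority order, dropping duplicates) are assumptions based on what the posts describe. The last function shows the check a consuming application should do on the resulting claim, including rejecting a value that is not actually a list.

```python
"""Model of scalar vs. string-array group attributes mapped into token claims.

Hypothetical model (assumption, not Okta's code): priority numbers and merge
rules mirror the behaviour described in the thread above.
"""

# Constructed sample of Applications => Assignments => Groups.
# Lower priority number = higher priority.
# Each group pushes a scalar "approveOrder" flag and an array "permissions" value.
GROUP_ASSIGNMENTS = [
    # (group name, priority, attribute values contributed by that group)
    ("editCustomer", 1, {"approveOrder": None, "permissions": ["customer:edit"]}),
    ("approveOrder", 2, {"approveOrder": True, "permissions": ["order:approve"]}),
    ("viewReports", 3, {"approveOrder": None, "permissions": ["report:view", "customer:edit"]}),
]


def _assigned_in_priority_order(user_groups):
    """Return the sample assignments the user belongs to, highest priority first."""
    return sorted(
        (g for g in GROUP_ASSIGNMENTS if g[0] in user_groups),
        key=lambda g: g[1],
    )


def resolve_scalar_attribute(user_groups, attribute):
    """Scalar attribute: only the highest-priority assigned group supplies a value.

    This is the failure mode from the original question: if that group carries
    None for the attribute, lower-priority groups never get a chance to fill it.
    """
    assigned = _assigned_in_priority_order(user_groups)
    if not assigned:
        return None
    return assigned[0][2].get(attribute)


def resolve_array_attribute(user_groups, attribute):
    """String-array attribute with group priority (assumed merge rule):
    values from every assigned group, concatenated in priority order,
    duplicates dropped while keeping the first occurrence."""
    merged = []
    for _, _, attrs in _assigned_in_priority_order(user_groups):
        for value in attrs.get(attribute) or []:
            if value not in merged:
                merged.append(value)
    return merged


def build_claims(user_groups):
    """Claims as they would appear in the token for a user in the given groups."""
    return {
        "approveOrder": resolve_scalar_attribute(user_groups, "approveOrder"),
        "permissions": resolve_array_attribute(user_groups, "permissions"),
    }


def has_permission(claims, permission):
    """Consumer-side check on the array claim.

    The isinstance guard matters: if a misconfigured mapping returned the claim
    as a single string, `permission in "order:approve,..."` would be a substring
    test and could grant access on a partial match.
    """
    perms = claims.get("permissions")
    if not isinstance(perms, list):
        return False
    return permission in perms


if __name__ == "__main__":
    for groups in ({"editCustomer", "approveOrder"}, {"approveOrder"}):
        print(sorted(groups), "->", build_claims(groups))
```

Running the module shows the point of the thread: a user in both editCustomer and approveOrder gets `approveOrder: None` from the scalar mapping (the higher-priority group wins and carries no value), while the array mapping yields both `customer:edit` and `order:approve`.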
