API Scopes based on User Profile Attribute


I am trying to add a basic role-based access control to my APIs as follows:

GET /api/test (needs scope ‘test.get’ in incoming access_token)
POST /api/test (needs scope ‘test.post’ in incoming access_token)

I have these scopes created in an Okta Authorization Server. However, how do I ensure that the scopes included in the access_token when http://{okta-auth-server}/token is called is based on a specific user profile attribute. One of the user profile attribute (say ‘tester’ = true or false) will determine if scope ‘test.post’ can be requested by a user or not, and hence it might or might not be present in access_token generated.


Hi @jmac

In order to have custom claims added inside an access token, you will need to use a custom authorization server created through API Access Management. Okta authorization server does not support custom access token claims.

When configuring the custom claim, the expression should be something like

user.tester == 'true' ? 'test.post' : null

Thanks @dragos. Yes, that would work. But it’s unfortunate that I won’t be able to do the same with scopes, because scopes seem to directly be there for this purpose of indicating whether a given user has permissions to an API method or not.

In the expression, it would have to be something like below. Correct? Instead of using the scope ‘test.post’ (because the scope is available to anyone who requests for it from the specific client):

user.tester = ‘true’ ? user.role == “tester” : null