For the OIDC authorization code flow, when I make a request to /userinfo with the access token, it only returns these attributes:
sub
name
locale
email
preferred_username
given_name
family_name
zoneinfo
updated_at
email_verified
However, there are some extra attribute mappings on the app profile mapping. I can validate it via preview and see that user.primaryPhone is also mapped.
Additionally, I configured a custom claim as below. But still, I don’t see this attribute in the response body returned from the /userinfo endpoint. Is there anything I’m missing here?
With the default auth server, the iss claim is the Okta server URL, and the URL I’m making the request to is okta_server_url/oauth2/v1/userinfo
I also tried sending extra query params as “openid profile email phone address”, but it didn’t work.
hmm… And the user you’re testing with definitely has values for these attributes? Are the values only present in the Okta user profile (aka Universal Directory, or UD) or are they also mapped into the application user profile?
With the default auth server, the iss claim is the Okta server URL, and the URL I’m making the request to is okta_server_url/oauth2/v1/userinfo
Not sure how I missed this earlier. It doesn’t sound like you are currently issuing tokens by the Default authorization server, as /oauth2/v1/userinfo refers to a different server, the Org Authorization Server.
If you request a token from the Org server (https://oktadomain/oauth2/v1/authorize) with the scopes openid phone for a user that definitely has a primaryPhone set, do you still not see the phone come back in userinfo? What if you instead switch to using the default server (https://oktadomain/oauth2/default/v1/authorize), does it also not work?
We recently tried creating a custom auth server. Now /userinfo returns attributes set for the user. Also custom claims created for the auth server are sent inside the ID token. No problem so far. Thank you.
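As an added example (not code from the original thread or from Okta), the diagnosis above in a few lines of Python: decode the ID token's iss claim, tell the Org Authorization Server (https://{domain}) apart from a custom one (https://{domain}/oauth2/{id}), derive the matching /userinfo URL, and list which standard OIDC claims the requested scopes should have produced but the response lacks. The domain example.okta.com, the token and the userinfo body are constructed; the decode skips signature verification and is for diagnosis only, so a real client still has to validate the token.

```python
import base64
import json

# Standard OIDC scope -> claims table (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "preferred_username",
                "locale", "zoneinfo", "updated_at"},
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
    "address": {"address"},
}

def decode_payload(token: str) -> dict:
    """Decode a compact JWT payload for diagnosis only; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def describe_issuer(iss: str, okta_domain: str) -> dict:
    """Map the token's iss to the Okta server type and its userinfo URL."""
    base = f"https://{okta_domain}"
    if iss == base:  # Org Authorization Server: no custom claims possible
        return {"server": "org", "userinfo": f"{base}/oauth2/v1/userinfo",
                "custom_claims": False}
    if iss.startswith(f"{base}/oauth2/") and len(iss) > len(f"{base}/oauth2/"):
        return {"server": "custom", "userinfo": f"{iss}/v1/userinfo",
                "custom_claims": True}  # e.g. the "default" server
    raise ValueError(f"issuer {iss!r} does not belong to {okta_domain}")

def missing_claims(scopes: str, userinfo: dict) -> set:
    """Claims the requested scopes should yield but the response lacks."""
    expected = set()
    for scope in scopes.split():
        expected |= SCOPE_CLAIMS.get(scope, set())
    return expected - set(userinfo)

# Constructed sample: unsigned ID token (alg none) plus the attribute list
# from the question, standing in for a real /userinfo body.
_payload = json.dumps({"iss": "https://example.okta.com/oauth2/default",
                       "sub": "00u_example"}).encode()
SAMPLE_ID_TOKEN = ("eyJhbGciOiJub25lIn0." +
                   base64.urlsafe_b64encode(_payload).rstrip(b"=").decode() + ".")
SAMPLE_USERINFO = {k: "x" for k in [
    "sub", "name", "locale", "email", "preferred_username", "given_name",
    "family_name", "zoneinfo", "updated_at", "email_verified"]}

if __name__ == "__main__":
    claims = decode_payload(SAMPLE_ID_TOKEN)
    print(describe_issuer(claims["iss"], "example.okta.com"))
    print(missing_claims("openid profile email phone", SAMPLE_USERINFO))
```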