Auth Server Claim RESOURCE Expression Refactor

Hi colleagues,

We have migrated from other tooling to Okta and copied the expression we had on the other tooling. The following works on Okta, but as the teams get onboarded, I can't add more lines to this expression because it's too big. Can someone give me an idea how this would look refactored?

The following is the definition in Terraform:

resource "okta_auth_server_claim" "this_group_member" {
  auth_server_id = okta_auth_server.bigteam.id
  name           = "group_membership"
  value          = "Arrays.flatten(Groups.contains(\"ldap_sun_one\",\"ldapgroup-bigteam-\",100)!=null?Groups.contains(\"ldap_sun_one\",\"ldapgroup-bigteam-\",100):{},Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam01-\",100)!=null?Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam01-\",100):{},Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam02-\",100)!=null?Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam02-\",100):{},Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam03-\",100)!=null?Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam03-\",100):{},Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam04-\",100)!=null?Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam04-\",100):{},Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam05-\",100)!=null?Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam05-\",100):{},Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam06-\",100)!=null?Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam06-\",100):{},Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam07-\",100)!=null?Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam07-\",100):{},Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam08-\",100)!=null?Groups.contains(\"ldap_sun_one\",\"ldapgroup-smallteam08-\",100):{})"
  scopes         = ["${okta_auth_server_scope.this.name}"]
  claim_type     = "RESOURCE"
}

The goal is (example): if the user is part of the LDAP groups ldapgroup-bigteam-admin, ldapgroup-smallteam07-developer and ldapgroup-smallteam08-support,

the claim would be:

group_membership = [
"ldapgroup-bigteam-admin",
"ldapgroup-smallteam07-developer",
"ldapgroup-smallteam08-support"
]

We have come up with a way to make it shorter, but it still does not seem to be right. It works, but when new groups need to join this rule, it will fail dramatically.

Arrays.flatten(
	isMemberOfGroupNameContains("ldapgroup-bigteam-")?Groups.contains("ldap_sun_one","ldapgroup-bigteam-",100):{},
	isMemberOfGroupNameContains("ldapgroup-smallteam01-")?Groups.contains("ldap_sun_one","ldapgroup-smallteam01",100):{},
	isMemberOfGroupNameContains("ldapgroup-smallteam02")?Groups.contains("ldap_sun_one","ldapgroup-smallteam02",100):{},
	....
)

We also tried the GROUPS type with a regex instead of EXPRESSION, with no success. We used the following regex:

resource "okta_auth_server_claim" "this_group_member" {
  auth_server_id    = okta_auth_server.this.id
  name              = "group_membership"
  value_type        = "GROUPS"
  group_filter_type = "REGEX"
  value             = "(ldapgroup-(smallteam01|smallteam02|smallteam03|smallteam04|smallteam05|smallteam06)-.*|different-team007)"
  scopes            = ["${okta_auth_server_scope.this.name}"]
  claim_type        = "RESOURCE"
}
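One way to keep the expression maintainable is to stop hand-editing it and generate it from a list of team prefixes, then check locally what a given user's token would carry before the change is applied. The script below is an added example written for this thread; it is not code from the poster or from Okta. It reproduces the exact `Arrays.flatten(... !=null ? ... : {})` shape and the `ldap_sun_one` / `100` arguments from the post, and it also offers `Groups.startsWith`, which Okta documents alongside `Groups.contains` as a group function for token claims. The "simulation" of the claim and the full-match reading of the REGEX filter are assumptions made for a local sanity check, not Okta's engine; the sample user's groups are constructed.

```python
import re

# Constructed team prefixes: onboarding a new team means appending one entry
# here and re-running the generator instead of editing the long expression.
TEAM_PREFIXES = [
    "ldapgroup-bigteam-",
    "ldapgroup-smallteam01-",
    "ldapgroup-smallteam02-",
    "ldapgroup-smallteam03-",
    "ldapgroup-smallteam04-",
    "ldapgroup-smallteam05-",
    "ldapgroup-smallteam06-",
    "ldapgroup-smallteam07-",
    "ldapgroup-smallteam08-",
]

LDAP_APP_TYPE = "ldap_sun_one"  # same app_type argument the post uses
GROUP_LIMIT = 100               # same per-call limit the post uses


def claim_expression(prefixes, fn="Groups.contains",
                     app_type=LDAP_APP_TYPE, limit=GROUP_LIMIT):
    """Build the Arrays.flatten(...) expression in the shape the post uses.

    Each prefix becomes `<call>!=null?<call>:{}` so a prefix with no matching
    groups contributes an empty list rather than a null. `fn` is
    "Groups.contains" (substring match, as in the post) or "Groups.startsWith"
    (match anchored at the start of the group name)."""
    parts = []
    for prefix in prefixes:
        call = f'{fn}("{app_type}","{prefix}",{limit})'
        parts.append(f"{call}!=null?{call}:{{}}")
    return "Arrays.flatten(" + ",".join(parts) + ")"


def terraform_value(expression):
    """Quote the expression as an HCL double-quoted string literal, escaping
    backslashes and double quotes the way the post's `value = "..."` line does."""
    escaped = expression.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def simulate_claim(user_groups, prefixes, fn="Groups.contains"):
    """Local approximation (an assumption, not Okta's evaluator) of which group
    names the generated expression would place in the claim for one user.
    It makes the difference between substring and prefix matching visible
    before the expression is deployed."""
    emitted = []
    for prefix in prefixes:
        for group in user_groups:
            hit = prefix in group if fn == "Groups.contains" else group.startswith(prefix)
            if hit and group not in emitted:
                emitted.append(group)
    return emitted


def regex_filter(user_groups, pattern):
    """Local approximation of the GROUPS / REGEX filter from the post.
    Full-match semantics are assumed for this check; confirm against Okta's
    documented behaviour before relying on the result."""
    compiled = re.compile(pattern)
    return [g for g in user_groups if compiled.fullmatch(g)]


# Constructed sample user: the three memberships from the post plus two extra
# groups that show how a substring match can leak unintended names into the token.
SAMPLE_USER_GROUPS = [
    "Everyone",
    "ldapgroup-bigteam-admin",
    "archive-ldapgroup-smallteam01-old",
    "ldapgroup-smallteam07-developer",
    "ldapgroup-smallteam08-support",
]

# Regex exactly as written in the post's GROUPS / REGEX attempt.
POST_REGEX = ("(ldapgroup-(smallteam01|smallteam02|smallteam03|smallteam04"
              "|smallteam05|smallteam06)-.*|different-team007)")

if __name__ == "__main__":
    expr = claim_expression(TEAM_PREFIXES)
    print(f"expression length: {len(expr)} characters")
    print("value = " + terraform_value(expr))
    print("contains   ->", simulate_claim(SAMPLE_USER_GROUPS, TEAM_PREFIXES))
    print("startsWith ->", simulate_claim(SAMPLE_USER_GROUPS, TEAM_PREFIXES, "Groups.startsWith"))
    print("regex      ->", regex_filter(SAMPLE_USER_GROUPS, POST_REGEX))
```

Running it prints the generated `value = "..."` line ready to paste into the `okta_auth_server_claim` resource, the expression length (useful for spotting when the next team pushes it past whatever limit the tenant enforces), and the three local views of the sample user's claim: the substring form also pulls in `archive-ldapgroup-smallteam01-old`, the anchored form yields exactly the three groups the post expects, and the post's regex, which only covers smallteam01 to smallteam06, yields nothing for this user.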

If you only need your claim to contain information about specific groups that don’t have a common pattern, you could look to use a static allow list, as described in this guide: Customize tokens returned from Okta with a static allow list | Okta Developer