Authorization Code Flow - How to retrieve Organization of a User

Hi all,

I would like to integrate web app (Java/Spring Boot) with Okta.
For that I’ve created Okta App (Web) with OpenID.
I’ve add myself as User and Assign myself to this newly created app.
Managed so far to get code (+state) (1st step in Authorization Code Flow) and now I’m exchanging
this code for OpenID Token.

Followed tutorial so far and I’m getting Okta Token back: type, access_token, scope, expires in and id_token.

Claims in id token looks like this:

{
“sub”:“00ubjxeinIPBMY3NA5d6”,
“ver”:1,
“iss”:“https://dev-90739639.okta.com/oauth2/default”,
“aud”:“0oaboia43VYFqsjRg5d6”,
“iat”:1615892770,
“exp”:1615896370,
“jti”:“ID.VIWi1ZZyz0xrU4nFdFYLVVT2GDEO9xDF4AXH3svtjmg”,
“amr”:[“pwd”],
“idp”:“00objxeesZGJZsyyw5d6”,
“nonce”:“foo”,
“auth_time”:1615892758,
“at_hash”:“wglL65gmzft2LnpVaNZwBg”
}

Now here comes the question …

I need somehow to get info about Organization / Tennant of the Authenticated User. Email/Username is not just enough.

Can someone jumps in and tell me how to obtain that information?

P.S. Integrating with other Auth. providers (e.g. Google, there is a Claim “hd” a.k.a. HOSTED DOMAIN that I could use, or for Microsoft there is “tid” a.k.a. TENANT_ID)

Further more,
I’ve tried to add “Custom Claim”

Went to “API > Authorization Servers” and then edited “default”. Tab “Claims” and I’ve added
Claim. See attached image:

But then when I execute request on:
“https://{okta}/oauth2/default/v1/userinfo”

I’m getting only these info:

{
“sub”:“00ubjxeinIPBMY3NA5d6”,
“name”:“Aleksandar Stoisavljevic”,
“locale”:“en-US”,
email":"staleks@gmail.com”,
preferred_username":"staleks@gmail.com”,
“given_name”:“Aleksandar”,
“family_name”:“Stoisavljevic”,
“zoneinfo”:“America/Los_Angeles”,
“updated_at”:1615819495,
“email_verified”:true
}

So as you can see no “org_name” claim?

the iss claim will have details about the authorization server and will contain the full URL of the okta org

“iss” claim that is in “id_token” is the one of app itself, right?
In my case, “iss” is “iss”:“https://dev-90739639.okta.com/oauth2/default".
This one I’m using to communicate to Okta → dev-90739639

But what about other users, I need to get info about their organization, in order to place them to their corresponding tenant.

If it helps, I want to be able to authenticate different users e.g. userA (organization A) and userB (organizationB). I need that organizationX info in order to place userA in Account A and userB in AccountB.

Hope this helps?

Hi @AleksNS,

Id token would have a “idp” claim that will be the Okta org ID or the ID of an Identity Provider if this authentication used Social Authentication or Inbound SAML.

Ref: OpenID Connect & OAuth 2.0 API | Okta Developer

If okta org is not what you are referring to, could you please explain more ? Is this attribute a part of the user’s profile ?

1 Like

Hi @gpadma,

let me try to explain a bit more and afterwards I guess you can give me some idea how to achieve what my goal is.

I have Java/Spring Boot web app that is SaaS solution. For the sake of discussion, let’s say that I have two primary entities: Accounts and Users.
One User (identified by email) will always belong to one Account.

Let’s say that I have following situation of three users:
User1 (user1@companyA.com) belongs to CompanyA and there is User2 (user2@test.com) also belongs to CompanyA. Please note that domain of email can’t be used as Company identifier.

And let’s say I have 3rd user User 3 (user3@companyB.com) that belongs to different CompanyB.

Goal is to allow user1 and user2 to use my application (if Okta Authenticate those two users). So if authentication at Okta passes, I need some more information (e.g. organizationName) in order to identify that user (user1 or user2) belongs to CompanyA or in case of user3 belongs to CompanyB.

I’ve started with Authorization Code Flow, created one user (me) and created Okta Application (web). I’m using my Okta user account for testing. I’m able to get back code and state and afterwards (as you can see from examples above) I’m able to get back OpenID token (access_token, id_token, etc.)
Idea that I have is: once User authentication is performed at Okta, I use email/username in order to create that user at my app.

But you can see now, I need one more info → organization, in order somehow to correlate User and Account at my app.

As stated in one of my initial questions, I’ve already implemented integration with Google and Microsoft.
Using Google as auth. server, there is a “hd - hosted domain” claim that I’m using in order to get organization and then I can identify Account based on that info. For Microsoft, similar there is “tid - tenant id” that I’m using for same purpose.

I was hoping that I can use some property of User, e.g. organization (see attached image)

If I can help you with some more info, I’m here to answer any questions that you may have.

Thank You

If the organization value you want in your token is stored in the user’s profile, you will want to configure your claim to use the expression “user.organization” to pull in this value (when present for the user requesting a token).

Hi @andreaskouras,

I finally managed to get “custom” claim of UserInfo.

{
"sub":"00ubjxeinIPBMY3NA5d6",
"name":"Aleksandar Stoisavljevic",
"locale":"en-US",
"email":"staleks@gmail.com",
"preferred_username":"staleks@gmail.com",
"given_name":"Aleksandar",
"family_name":"Stoisavljevic",
"zoneinfo":"America/Los_Angeles",
"updated_at":1615819495,
"email_verified":true,
"org_name":"test-organization.com"
}

Added “user.organization” as suggested (see image):

Thank You for your help so far.
In case that I have other questions I will feel free to continue this thread.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.