Authorization server not including claims in Access Token when it contains expression in

I’m trying to get existing user attributes as part of the access token. I’m trying the client credential flow, and in the Authorization server I have added the claim as user.firstName. For some reason the access token does not contain the claims when I use Okta’s expression language. Any idea how to get the claims in the access token?

I have attached a few screenshots of how I configured the claims. Can someone let me know what I’m doing wrong?

Thanks,
Sam

What you are trying to do just isn’t possible with Client Credentials flow.

As the Client Credentials flow does NOT involve a user (no user auth involved; the only credentials needed to authenticate are the client credentials), there is no user in scope from which you can pull profile attributes into the token claims. The only dynamic information you can access will be related to the scope (access.scope) or the application (app.clientId, app.profile.*, etc.).

@andrea Thanks for the response. Is it possible to get application owner information using app?

Not directly, no, but you could look into storing information like that in the application profile and then pull that value into a claim.

Check out this guide to see what I’m talking about: How to get OIDC/OAuth application attributes like name or label as claims in id_token/access token? | Okta Help Center
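To see the two answers above in practice (no user.* claim can land in a client_credentials token, while app.profile.* values can), here is an added inspection script; it is not part of the thread or of Okta’s own tooling. The org URL, authorization server id, the `appOwner` claim name and the constructed sample token are assumptions for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders (assumptions): substitute your org URL and authorization server id.
OKTA_ORG = "https://YOUR_ORG.okta.com"
AUTH_SERVER_ID = "default"


def client_credentials_token(client_id, client_secret, scope):
    """Run the client_credentials grant against the custom authorization server."""
    url = f"{OKTA_ORG}/oauth2/{AUTH_SERVER_ID}/v1/token"
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def decode_payload(token):
    """Decode the JWT payload for inspection only; the signature is NOT checked.
    Anything that trusts the token must verify it against the issuer's JWKS."""
    _header, payload, _sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def claim_report(payload, expected):
    """Split the claims you configured into those that arrived and those dropped."""
    return {"present": {c: payload[c] for c in expected if c in payload},
            "missing": [c for c in expected if c not in payload]}


def _constructed_token(payload):
    """Build an unsigned sample token so the inspection runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"


# Constructed payload shaped like a client_credentials token: a claim built from
# app.profile.owner arrives, a claim built from user.firstName is dropped.
SAMPLE_TOKEN = _constructed_token({
    "iss": f"{OKTA_ORG}/oauth2/{AUTH_SERVER_ID}", "sub": "0oaCONSTRUCTEDid",
    "scp": ["inventory.read"], "appOwner": "platform-team@example.com"})

if __name__ == "__main__":
    # For a live check: token = client_credentials_token(id, secret, "inventory.read")
    print(claim_report(decode_payload(SAMPLE_TOKEN), ["appOwner", "firstName"]))
```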

Thanks for the response. I tried the Authorization grant type and I was able to retrieve the claims.

Yup, that’s a good option if you are working on an application that should be issued tokens for a specific user. Glad you got what you needed working!
