Can not mapping the groups to Spring Security Authorities

following this article
https://developer.okta.com/blog/2017/10/27/secure-spa-spring-boot-oauth
I create a groups claim to my authorization server in okta console and try to maps the values in the groups claim to Spring Security Authorities by using the okta-spring-boot-starter

when I set the claim include in token type to id token,I can get the groups values from the /userinfo but can’t get them in the Spring Security principal
when I set the claim include in token type to access token,I even can’t get the groups values from the /userinfo

is that possible to automatically maps the values in the groups claim to Spring Security Authorities without any other settings or have I miss something?

Hey @caccwin!

What are your okta.* config properties? (obscure any id’s or secrets). Can you take a screenshot of your authorization server configuration in your Okta Dev/Admin Console? (specifically where the claims are configured).

Let us know!
-Brian


this is the claim configuration
I use the implicit flow and the spring application is work as a resource server and just need to check the assess token no matter it is from which front-end api,in this case when I use spring security I just need to config the userInfoUri to the resource server
by using okta-spring-boot-starter I just config the okta.oauth2.issuer to my okta authorization server and I can get the userinfo in the spring security principal which including the access token but the authorities is null(when i access the okta api /userinfo I can get the groups in the response)

Hey @caccwin,

I think I see the issue, change the Type field for your groups claim in the table above, this should either be both or just access (depending if you want the groups claim in your id_tokens as well.)

thank you for reply me bdemers,
change the claim type to access token will cause I can’t get the groups values from the /userinfo by an access token,but the groups will mapping to the Authorities automatically in my back-end spring application.
but I didn’t see any option that I can set the claim type to both…
anyway, thanks for help!

Hey @caccwin I misspoke earlier, there isn’t a both option. Instead you need to create two entries for the groups claim, one for each type of token (id and access).

Keep us posted!