Can't get "groups" claim in Spring Boot OIDC app

I have a Spring Boot app that is using the Okta starter, and I am unable to get the “groups” claim for a user once they authenticate. Here’s my setup:

I have an Okta application created that includes the following in the “OpenID Connect ID Token” section:
Groups claim type: Filter
Groups claim filter: groups
Matches regex “.*” (without quotes)

The application is set up with:

spring-boot-starter-parent:3.3.2
okta-spring-boot-starter:3.0.7

I include the following properties in application.properties

okta.oauth2.issuer=
okta.oauth2.client-id=
okta.oauth2.client-secret=
okta.oauth2.redirect-uri=/authorization-code/callback

I have a controller method with the following parameter:
@AuthenticationPrincipal OidcUser oidcUser

With this I’m able to call oidcUser.getClaims(), and while I receive claims, I do not have one for groups.

Any way to get the groups claim for the user without a custom Authorization Server? (Not licensed for that)

Thanks.

From what I can tell I believe this is an issue where the “groups” claim is not sent along with the access token, and therefore is not available via the Spring Boot library. This can be fixed with a customization to the Authorization Server, but nothing beyond that.
My solution was to manually handle the authentication process, by redirecting the user to the “oauth2/v1/authorize” endpoint, then taking the “code” query parameter that was returned and calling the “oauth2/v1/token” endpoint. As long as I set up the groups claim for the application in Okta, I could retrieve the groups of the current user from the returned ID token.
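
As an added illustration (not the poster's code), the controller below reads the groups claim defensively from the `OidcUser` that the starter builds: it checks the ID token first, then the userinfo response, and reports where the claim came from so that "claims present but no groups" is diagnosed as a token configuration problem rather than a parsing bug. It assumes the claim is named `groups` (as configured in the question) and uses a hypothetical `/me/groups` path.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class GroupsController {

    // Assumption: the claim name configured in the Okta app is "groups".
    static final String GROUPS_CLAIM = "groups";

    /**
     * Returns the caller's groups together with the place the claim was found
     * ("id_token", "userinfo" or "absent") and the full set of claim names seen,
     * which makes a missing groups claim obvious at a glance.
     */
    @GetMapping("/me/groups")
    Map<String, Object> groups(@AuthenticationPrincipal OidcUser oidcUser) {
        List<String> fromIdToken = claimList(oidcUser.getIdToken());
        // getUserInfo() is null when the userinfo endpoint was not called.
        List<String> fromUserInfo = claimList(oidcUser.getUserInfo());

        String source = fromIdToken != null ? "id_token"
                : fromUserInfo != null ? "userinfo" : "absent";
        List<String> groups = fromIdToken != null ? fromIdToken
                : fromUserInfo != null ? fromUserInfo : Collections.emptyList();

        return Map.of(
                "subject", oidcUser.getSubject(),
                "groups", groups,
                "source", source,
                "claimsPresent", oidcUser.getClaims().keySet());
    }

    /** Reads the groups claim as a string list; null means the claim is not present at all. */
    static List<String> claimList(ClaimAccessor claims) {
        if (claims == null || !claims.hasClaim(GROUPS_CLAIM)) {
            return null;
        }
        return claims.getClaimAsStringList(GROUPS_CLAIM);
    }
}
```

Groups read this way come from an ID token whose signature, issuer, audience and nonce Spring Security has already validated; if the manual code-for-token exchange described above is used instead, the same validation has to be performed before the groups claim is trusted for authorization decisions.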
