Is it possible to get claims such as groups and other stuff we have setup back in the access token when using the OpenID Connect login flow?
@ewan: Yes, you can add groups and other custom scopes to your access token.
This question/answer should get you on the right path.
Thanks, can you clarify a bit though?
It's not that I'm making the wrong OAuth requests, it's that I need to set the groups/scopes up correctly in Okta?
Of course. The first link in the provided answer walks you through setting up groups or a custom scope with Okta via the API. If you'd like to use the UI to set this up:
Note: This requires the Classic UI. You can toggle the view by looking for the gear icon on the upper left of your admin view.
- Navigate over to your app in Okta
- Click on the Sign On tab
- Under OpenID Connect ID Token, click on Edit
- Change the Group claim filter to Regex with the value .*
This will return User groups when the groups scope is requested during authorization.
For adding custom scopes, you can use the Developer Console.
- Navigate to API > Authorization Servers
- Click on the Scopes tab
- Select Add Scope
Similar to groups, you need to request this custom scope during authorization for it to appear in the tokens.
For adding custom claims:
- Navigate to API > Authorization Servers
- Click on the Claims tab
- Select Add Claim
- Choose a Name for your custom claim, then map it using the Okta Expression Language.
- Ex: appuser.username
Does that make sense?
Thanks @jmelberg
That makes a lot of sense. However!!!
I added the Group Claim Filter: this made groups appear in the user profile, not the access token.
I added a Custom Scope, but it was invalid to use in the Authentication code request.
I added a Custom Claim with:
- include in token type: AccessToken
- value type: Groups
- regex: .*
- include in: any scope
but it did not appear in any token even with groups added to the scope.
OK! Sorted. It appears my problem was that I was using the default endpoint /oauth2/v1 rather than the more advanced endpoint called default: /oauth2/default
If anyone else is using the IdentityModel.OidcClient the trick is to use
Authority = "https://youname.oktapreview.com/oauth2/default",
rather than
Authority = "https://youname.oktapreview.com",
(as well as taking the steps above to add your scope/claims)
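An added example, not code from this thread, from Okta or from IdentityModel.OidcClient, that ties together the two points made above: the groups claim only reaches the access token when the groups scope is requested from the custom authorization server (so the API that consumes the token must check the iss claim against the /oauth2/default issuer, not the bare org URL), and the Group claim filter regex decides which of the user's groups are emitted. The HS256 signing routine, the shared secret, the org name youname.oktapreview.com, the audience api://default, the full-match regex semantics and the sample group names are all constructed assumptions for an offline run; real Okta access tokens are RS256-signed and must be verified against the authorization server's JWKS.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Dict, List, Optional

# Constructed demo secret. Real Okta access tokens are RS256-signed; verify
# them against the authorization server's published JWKS, never a shared secret.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

# Hypothetical org taken from the thread's placeholder.
ORG_ISSUER = "https://youname.oktapreview.com"                    # org authorization server (/oauth2/v1)
CUSTOM_ISSUER = "https://youname.oktapreview.com/oauth2/default"  # custom authorization server "default"
DEMO_AUDIENCE = "api://default"                                   # assumed audience of that server


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_demo_token(claims: Dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT from constructed claims (test fixture, not an Okta call)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, expected_issuer: str, expected_audience: str,
                      secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> Dict:
    """Check signature, alg, iss, aud and exp before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # A token minted by the org server (/oauth2/v1) carries a different iss and
    # no custom claims; rejecting it here surfaces the misconfiguration from the thread.
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer mismatch: got {claims.get('iss')!r}")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def filter_groups(groups: List[str], pattern: str) -> List[str]:
    """Approximates the Group claim filter 'Regex' option (full-match semantics assumed)."""
    rx = re.compile(pattern)
    return [g for g in groups if rx.fullmatch(g)]


def groups_from_access_token(token: str, expected_issuer: str, expected_audience: str,
                             secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> List[str]:
    """Return the verified groups claim, or [] when the token carries none."""
    claims = verify_and_decode(token, expected_issuer, expected_audience, secret, now)
    return list(claims.get("groups", []))


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed token as the custom server would issue it when "openid groups" is requested.
    token = mint_demo_token({"iss": CUSTOM_ISSUER, "aud": DEMO_AUDIENCE, "sub": "ewan@example.com",
                             "exp": now + 3600, "scp": ["openid", "groups"],
                             "groups": ["Everyone", "app-admins", "app-users"]})
    print(groups_from_access_token(token, CUSTOM_ISSUER, DEMO_AUDIENCE, now=now))
    # A filter of .* emits every group; a narrower regex limits what leaves the IdP.
    print(filter_groups(["Everyone", "app-admins", "app-users"], "app-.*"))
```

The regex filter shows why .* is the quick fix rather than the final setting: it emits every group the user belongs to, which bloats the token and hands downstream APIs membership data they do not need, so narrow it to the groups your application actually authorizes on.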
To set up the Group claim filter, is there an api way to set it up?
Hi @acamposo
There is no option to configure the claims for OIDC apps through API. The administrative panel uses an internal API to do the request, based on the values added by the user in the form.