Claims in access token for OpenID Connect

ewan · January 10, 2018, 4:56pm

Is it possible to get claims such as groups and other stuff we have setup back in the access token when using the OpenID Connect login flow?

jmelberg · January 10, 2018, 5:05pm

@ewan: Yes, you can add groups and other custom scopes to your access token.

This question/answer should get you on the right path.

ewan · January 10, 2018, 5:14pm

Thanks, can you clarify a bit though?

Its not that I’m making the wrong OAuth requests, its that I need to set the groups/scopes up correctly in OKTA?

jmelberg · January 10, 2018, 6:00pm

Of course. The first link in the provided answer walks you through setting up groups or a custom scope with Okta via the API. If you’d like to use the UI to set this up:

Note: This requires the Classic UI. You can toggle the view by looking for the gear icon on the upper left of your admin view.

Navigate over to your app in Okta
- Click on the Sign On tab
Under OpenID Connect ID Token, click on Edit
- Change the Group claim filter to Regex with the value .*

This will allow return User groups when the groups scope is requested during authorization.

For adding custom scopes, you can use the Developer Console.

Navigate to API > Authorization Servers
Click on the Scopes tab
Select Add Scope

Similar to groups, you need to request this custom scope during authorization for it to appear in the tokens.

For adding custom claims:

Navigate to API > Authorization Servers
Click on the Claims tab
Select Add Claim
- Choose a Name for your custom claim, then map it using the Okta Expression Language.
- Ex: appuser.username

Does that make sense?

ewan · January 11, 2018, 10:08am

Thanks @jmelberg

That makes a lot of sense. However!!!

I added the Group Claim Filter : This made groups appear int the user profile. Not the access token.

I Added a Custom Scope, but it was invalid to use in the Authentication code request.

I Added a Custom Claim,
include in token type : AccessToken
value type: Groups
regex
.*
include in: any scope

but it did not appear in any token even with groups added to the scope

ewan · January 11, 2018, 1:39pm

OK! sorted. it appears my problem is was using the default endpoint

/auth2/v1

rather than the more advanced endpoint called default.

auth2/default

If anyone else is using the IdentityModel.OidcClient the trick is to use

Authority = “https://youname.oktapreview.com/oauth2/default”,

rather than

Authority = “https://youname.oktapreview.com”,

(as well as taking the steps above to add your scope/claims)

acamposo · December 17, 2019, 3:02pm

To set up the Group claim filter, is there an api way to set it up?

dragos · December 18, 2019, 4:45am

Hi @acamposo

There is no option to configure the claims for OIDC apps through API. The administrative panel uses an internal API to do the request, based on the values added by the user in the form.

system · January 18, 2024, 12:44am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.