Claims in access token for OpenID Connect


#1

Is it possible to get claims such as groups and other stuff we have setup back in the access token when using the OpenID Connect login flow?


#2

@ewan: Yes, you can add groups and other custom scopes to your access token.

This question/answer should get you on the right path.


#3

Thanks, can you clarify a bit though?

It's not that I'm making the wrong OAuth requests, it's that I need to set the groups/scopes up correctly in Okta?


#4

Of course. The first link in the provided answer walks you through setting up groups or a custom scope with Okta via the API. If you’d like to use the UI to set this up:

Note: This requires the Classic UI. You can toggle the view by looking for the gear icon on the upper left of your admin view.

  1. Navigate over to your app in Okta
    • Click on the Sign On tab
  2. Under OpenID Connect ID Token, click on Edit
    • Change the Group claim filter to Regex with the value .*

This will allow returning user groups when the groups scope is requested during authorization.

For adding custom scopes, you can use the Developer Console.

  1. Navigate to API > Authorization Servers
  2. Click on the Scopes tab
  3. Select Add Scope

Similar to groups, you need to request this custom scope during authorization for it to appear in the tokens.

For adding custom claims:

  1. Navigate to API > Authorization Servers
  2. Click on the Claims tab
  3. Select Add Claim

Does that make sense?


#5

Thanks @jmelberg

That makes a lot of sense. However!!!

I added the Group Claim Filter: this made groups appear in the user profile, not the access token.

I added a Custom Scope, but it was invalid to use in the Authentication code request.

I added a Custom Claim:
  • Include in token type: Access Token
  • Value type: Groups
  • Filter: Regex .*
  • Include in: any scope

but it did not appear in any token, even with groups added to the scope.


#6

OK! Sorted. It appears my problem was that I was using the default endpoint

/oauth2/v1

rather than the more advanced endpoint called default.

/oauth2/default

If anyone else is using the IdentityModel.OidcClient the trick is to use

Authority = "https://youname.oktapreview.com/oauth2/default",

rather than

Authority = "https://youname.oktapreview.com",

(as well as taking the steps above to add your scope/claims)
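As an added example (not code from the thread or from Okta), a small Python diagnostic that decodes an access token without verifying it, checks that its `iss` claim matches the `/oauth2/default` authority and reports whether a `groups` claim is present. The tenant `youname.oktapreview.com` and both sample tokens are constructed fixtures.

```python
import base64
import json

# Constructed issuers: the org authorization server URL from the thread versus the
# custom "default" authorization server the thread switched to.
ORG_AS_ISSUER = "https://youname.oktapreview.com"
CUSTOM_AS_ISSUER = "https://youname.oktapreview.com/oauth2/default"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    # Test fixture only: header + payload + a constructed dummy signature segment.
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def inspect_access_token(token: str, expected_issuer: str) -> dict:
    """Decode (not verify) a JWT access token and explain why groups may be missing.

    Diagnostic only: signature verification against the issuer's JWKS is a separate
    step and must happen before any claim in the token is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"jwt": False, "issuer": None, "issuer_ok": False, "groups": None,
                "hint": "not a JWT; nothing to inspect locally"}
    claims = json.loads(_b64url_decode(parts[1]))
    issuer = claims.get("iss", "")
    issuer_ok = issuer == expected_issuer
    groups = claims.get("groups")
    if not issuer_ok:
        hint = f"issuer {issuer!r} != {expected_issuer!r}; check the client's Authority URL"
    elif groups is None:
        hint = "no groups claim; request the groups scope and check the claim filter"
    else:
        hint = "ok"
    return {"jwt": True, "issuer": issuer, "issuer_ok": issuer_ok, "groups": groups, "hint": hint}


# Constructed sample tokens: one from the org authorization server (no groups claim),
# one from the custom authorization server carrying the groups claim.
ORG_TOKEN = make_sample_token({"iss": ORG_AS_ISSUER, "sub": "ewan", "scp": ["openid", "groups"]})
CUSTOM_TOKEN = make_sample_token({"iss": CUSTOM_AS_ISSUER, "sub": "ewan",
                                  "scp": ["openid", "groups"], "groups": ["Everyone", "Admins"]})
```

Running `inspect_access_token(ORG_TOKEN, CUSTOM_AS_ISSUER)` points at the Authority URL mismatch described in the last post, while the custom-server token reports `"ok"` with the groups list.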