Custom Claim Expression to Concatenate Group Names Based on User Membership

Hi Okta Community,

I’m trying to add a new custom claim (let’s call it “source”) to my tokens in the Custom Authorization Server. This claim should dynamically check which Okta groups a user belongs to and concatenate the group names into a single string value.

Use Case:

  • If user is in Group A only → claim value = “A”

  • If user is in Group B only → claim value = “B”

  • If user is in both A and B → claim value = “A,B”

What I’ve Tried:

isMemberOfGroupName("A") && isMemberOfGroupName("B") ? "A,B" : 
isMemberOfGroupName("A") ? "A" : 
isMemberOfGroupName("B") ? "B" : ""

The Problem:

I see this easily getting bombarded and becoming hard to maintain as more groups keep getting added. I am trying to find a better way.

Questions:

  1. What’s the recommended Okta Expression Language approach for this scenario?

  2. Do we have any better approach for solving this?

Any guidance on a scalable, maintainable best practice expression would be greatly appreciated!

What about using a different group function (like user.getGroups) that will return the names of groups that match as a list, and then converting that list to a comma separated string?

To match your example, you could do something like the following:

Arrays.toCsvString(user.getGroups({'group.profile.name': {'A','B'}}).![name])

Testing that in my own org, I got a claim that looks like this:

"groups": "A,B"
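
An added example, not part of the thread and not Okta code: a Python sketch of how an API receiving the comma-joined claim could read it safely, by splitting into exact tokens and checking them against an allowlist instead of substring-matching the raw string. It assumes the claim is named `source` as in the question, that group names contain no commas, and that the claims dict comes from a token whose signature, issuer and audience were already validated; all function names are hypothetical.

```python
"""Consumer-side handling of a comma-joined group claim (constructed example)."""

# Hypothetical allowlist of group names the API understands.
KNOWN_GROUPS = frozenset({"A", "B"})


def build_source_claim(user_groups, wanted=KNOWN_GROUPS):
    """Model of the filter-then-join idea: keep only wanted groups, join with commas.

    This mirrors the intent of the expression in the thread; it is not Okta's
    implementation. Output is sorted here so the result is deterministic.
    """
    return ",".join(sorted(g for g in set(user_groups) if g in wanted))


def parse_source_claim(claims, known=KNOWN_GROUPS):
    """Return the set of known groups named in claims['source'].

    Fails closed: a missing or non-string claim yields an empty set, and any
    token that is not on the allowlist is dropped.
    """
    raw = claims.get("source")
    if not isinstance(raw, str):
        return frozenset()
    tokens = {t.strip() for t in raw.split(",")}
    return frozenset(t for t in tokens if t in known)


def has_group(claims, group):
    """Exact-token membership test, never a substring check on the raw string."""
    return group in parse_source_claim(claims)


if __name__ == "__main__":
    # Constructed sample memberships, not real data.
    for groups in (["A"], ["B"], ["A", "B", "Everyone"], []):
        claim = build_source_claim(groups)
        print(groups, "->", repr(claim), "has A:", has_group({"source": claim}, "A"))
```

The exact-token check matters once group names share prefixes: a raw `"A" in claim` test would also succeed for a claim value such as `"AB"`.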


Awesome, I will give this a try. Thanks @andrea
