Our app (SP) uses only ‘openid email’ as scopes. This leads to limitations for end-users in what username attribute can be used. I found that it’s possible to create custom claims in Security > API.
I did that, specifying the scopes openid and email. I tried several options, id_token and userinfo, but when checking via Postman I don’t see my custom claims. By the way, when I configured it for id_token I saw it in Okta’s token preview, but when I tried it via Postman at {{url}}/oauth2/v1/introspect it doesn’t show my custom claims.
Can you ensure you’re using the right Authorization Server to generate an actual token and call the introspect endpoint?
You can only create custom claims on custom authorization servers, so you must make your /authorize, /token, and /introspect calls to the same server you customized, e.g. https://oktaDomain/oauth2/aus1234567890/v1/*. The URL for your introspect call shows that you are instead calling the Org Authorization Server, which is uncustomizable, so I’m guessing that’s the same one you are requesting tokens from, despite it not being the one you created the custom claim for.
You can find the issuer URL for the server you did customize in the console under Security → API → Authorization Servers → {{Your Authorization Server}} → Settings → Issuer
More details about composing your base URL found in our docs.
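A quick way to confirm the mismatch the answer describes is to read the `iss` claim out of the token you actually received and derive the introspect endpoint from it, rather than typing the endpoint by hand. The script below is an added example, not code from the original thread or from Okta: it decodes a JWT payload without verifying the signature (inspection only), classifies the issuer as the Org Authorization Server (`https://{domain}`) or a custom server (`https://{domain}/oauth2/{id}`), and builds the matching `/v1/introspect` URL. The org domain `example.okta.com`, the server ID `aus1234567890` and the two sample tokens are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse

# Hypothetical values; replace with your own org and the Issuer shown under
# Security -> API -> Authorization Servers -> {server} -> Settings.
ORG_ISSUER = "https://example.okta.com"
CUSTOM_ISSUER = "https://example.okta.com/oauth2/aus1234567890"


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none JWT. Only used here to fabricate sample tokens
    offline; a real Okta token is RS256-signed."""
    return _b64url_encode({"alg": "none", "typ": "JWT"}) + "." + _b64url_encode(payload) + "."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS without verifying the signature.
    Use for inspection only; never trust claims from an unverified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_kind(issuer: str) -> str:
    """'org' for the Org Authorization Server (https://{domain}), 'custom' for a
    custom server (https://{domain}/oauth2/{id}), 'unknown' otherwise."""
    path = urlparse(issuer).path.rstrip("/")
    if path == "":
        return "org"
    segs = path.strip("/").split("/")
    if len(segs) == 2 and segs[0] == "oauth2":
        return "custom"
    return "unknown"


def introspect_url(issuer: str) -> str:
    """The introspect endpoint belonging to whichever server issued the token."""
    return issuer.rstrip("/") + "/v1/introspect"


def check_token_against_server(token: str, expected_issuer: str) -> dict:
    """Diagnose whether a token came from the customized server and which
    introspect endpoint must therefore be called."""
    iss = decode_jwt_payload(token).get("iss", "")
    kind = issuer_kind(iss)
    return {
        "iss": iss,
        "iss_kind": kind,
        "matches_expected": iss.rstrip("/") == expected_issuer.rstrip("/"),
        "introspect_url": introspect_url(iss),
        # Only custom servers can carry custom claims.
        "custom_claims_possible": kind == "custom",
    }


# Constructed sample tokens: one from the Org server, one from the custom server
# that carries a custom claim (preferred_username) added to the id_token.
ORG_TOKEN = make_unsigned_jwt({"iss": ORG_ISSUER, "sub": "00u1abc", "email": "a@example.com"})
CUSTOM_TOKEN = make_unsigned_jwt(
    {"iss": CUSTOM_ISSUER, "sub": "00u1abc", "email": "a@example.com",
     "preferred_username": "alice"}
)

if __name__ == "__main__":
    for name, tok in (("org token", ORG_TOKEN), ("custom token", CUSTOM_TOKEN)):
        print(name, check_token_against_server(tok, CUSTOM_ISSUER))
```

Run it against a real id_token by pasting the token in place of the constructed ones: if `iss_kind` comes back `org`, the token was minted by the Org Authorization Server and no custom claim will ever appear in it, whatever the introspect endpoint says. Point the `/authorize` and `/token` requests at `CUSTOM_ISSUER` and use the `introspect_url` the script prints.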