Custom claims in the client_credentials access token

gabriel.vince · September 24, 2020, 12:06pm

Hello all,

using (trying to) Okta for application-level authentication for an external API Gateway. The APIs are intended for external parties, so we can have only the application-level authentication - client_credentials grant access token. Basically it is working well.

As the only information in the access token is the subject (application id), but we’d like to pass more information, such as group membership, application name, …

I assumed I can add custom claims to the API authorization server

following the topic How to get Application Groups instead of User Groups in my token?

add a scope
add a claim with an expression “app.profile.groups”
request a token with the scope

. When requesting the client_credentials token, additional custom claims are not present.

Did I miss something? Do I need to map the claims to a scope? Or the appId (subject) is the only claim available for the client_credentials grant type?

Thank you in advance

andreaskouras · September 24, 2020, 4:51pm

In the post you linked to, the poster modified the application profile for their app to include an attribute to hold the groups associated with the app. Have you completed this step? This update MUST be made via API, as there is not currently any way to add these attributes in the admin console, but we do have a feature request filed for such functionality.

This guide may also help you, as it also discusses storing information about an OIDC/OAuth application within its application profile and how to configure the claim. Note that since you are using client credentials flow, you will want to configure your claims to appear in the access token instead of the id token, as in this example.

gabriel.vince · September 30, 2020, 9:13am

Indeed I missed the update step.

So - I need a manually generated SSWS token or an additional application with scope allowing to update the application metadata.

Thank you for your guidace