I am using (or trying to use) Okta for application-level authentication for an external API Gateway. The APIs are intended for external parties, so we can only have application-level authentication, i.e. a client_credentials grant access token. Basically it is working well.
The only information in the access token is the subject (application id), but we'd like to pass more information, such as group membership, application name, etc.
I assumed I could add custom claims to the API authorization server, following the topic "How to get Application Groups instead of User Groups in my token?":
- add a scope
- add a claim with the expression "app.profile.groups"
- request a token with the scope

When requesting the client_credentials token, the additional custom claims are not present.
Did I miss something? Do I need to map the claims to a scope? Or is the appId (subject) the only claim available for the client_credentials grant type?
Thank you in advance
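As an added example (not part of the original post) of the check behind this question: build the client_credentials request so the custom scope is actually requested, then inspect which claims the returned token carries. The issuer, client id and secret are placeholders, and the sample token is constructed locally rather than issued by Okta.

```python
import base64
import json
from urllib.parse import urlencode

# HYPOTHETICAL placeholders for an Okta org, custom authorization server and app.
ISSUER = "https://example.okta.com/oauth2/aus_PLACEHOLDER"
CLIENT_ID = "0oa_PLACEHOLDER"
CLIENT_SECRET = "PLACEHOLDER_SECRET"

def build_token_request(issuer, client_id, client_secret, scopes):
    """Build the client_credentials token request. A custom claim that is
    tied to a scope is only emitted when that scope is requested here."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": f"{issuer}/v1/token",
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials",
                           "scope": " ".join(scopes)}),
    }

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def unverified_claims(access_token):
    """Decode the JWT payload WITHOUT checking the signature: for debugging
    which claims arrived, never for authorization decisions."""
    return json.loads(_b64url_decode(access_token.split(".")[1]))

def missing_claims(access_token, expected):
    """Names from `expected` that the token payload does not carry."""
    claims = unverified_claims(access_token)
    return [name for name in expected if name not in claims]

# Constructed sample token shaped like a client_credentials access token:
# subject/client id and requested scope present, custom claims absent.
# The signature segment is fake; this token is for the check above only.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url_encode(json.dumps({"iss": ISSUER, "sub": CLIENT_ID, "cid": CLIENT_ID,
                               "scp": ["api.read"]}).encode()),
    _b64url_encode(b"not-a-real-signature"),
])
```

Running `missing_claims` on a real token right after the request shows whether the scope-bound claims made it into the token, before the gateway is changed to rely on them.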