Custom Claims not present in access_token

Hi

I am following this article in terms of creating a custom claim and getting that value back in the access_token. I am able to see the claim when I hit the /claims endpoint. However, when I hit the /token endpoint, follow the Authorization Code Flow, and decode the access_token, I don’t see the custom claim the way I am supposed to see it.

Any help would be great here.

Thank you,
Harish

And you configured the claim to be included in the Access Token, not the ID Token, right? Did you set it to be included with any scope or only a specific one?

Another possible cause would be if the custom claim is mapped to an application or UD user profile attribute that is not populated for the user you are testing with. Any claim that evaluates to a null value will not be present in the token.

Thank you for the response. Yes, claims are configured to be included in Access Token. Attaching the screenshot of my claim for reference.

Also, just to make sure, I am getting this access token as part of the authorization code flow. My understanding is that the access token I get as part of the flow should contain the claim information.

One more thing: as part of the authorization code flow, the scopes I am requesting as part of the redirect_uri are openid profile. I am not sure if I need to include any other scopes for these claims to be shown.

What type of application are you working with and what value are you trying to pull into the token? My guess is that app.domain is evaluating as null, thus the claim is not being included in the token.

I do see the docs make mention of this expression, but it seems to be intended more for OIN applications than custom ones: https://developer.okta.com/docs/reference/okta-expression-language/#application-properties

I am trying to pull in anything unique to the app. For example, app name or app.clientid. I tried all types of app properties, but nothing seems to show up. In fact, I also used appuser.profile, which I know has a value, just to see if the claim is coming through in the token.

Can you try using the following expression instead: app.clientId

If you are looking to include the application name or label, you will need to create a profile attribute for the application so that you can include it in a claim (a la app.profile.label). Complete details are provided in this help center article.

I tried app.clientId, still no luck. Not sure why. I am using the default Authorization Server. Does that matter?

It shouldn’t. I tested with the Default server as well and app.clientId was working for me.

If you test using Token Preview, are you able to see it included in the access token there?

If nothing else, your access token should have a ‘cid’ claim in the payload, which already corresponds to the clientId for the application.

I haven’t tested that. How do I do that?

When you are configuring the custom claim for your default server, you should see on the top a tab to the right of “Claims” that says “Token Preview.”


This tool lets you preview the payload of ID and Access tokens based on the application, grant type, user, and scopes you provide.

I tried this token preview. Custom claims are shown in token preview but in my application it just shows the default ones.

Are you ensuring that your application is correctly configured to reference the Custom Authorization Server where you created the claim (usually as the issuer or authority in OpenID Connect/OAuth integrations/libraries configurations), and not the Org Authorization Server or a different Custom Authorization Server?
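
Added example, not part of the thread: a diagnostic for the issuer check raised in the last reply. It decodes an access token's payload (without verifying the signature) and reports whether `iss` points at the Org Authorization Server (`https://{yourOktaDomain}`) or a Custom Authorization Server (`https://{yourOktaDomain}/oauth2/{id}`), plus the `cid` and whether the custom claim is present. The domain `example.okta.com`, the claim name `appClientId` and both sample tokens are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(payload: dict) -> str:
    """Build an unsigned, constructed sample token (fake signature)."""
    return ".".join([_b64url({"alg": "RS256"}), _b64url(payload), "c2ln"])

def decode_payload(jwt: str) -> dict:
    """Decode the payload without verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three parts")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))

def diagnose(jwt: str, claim: str) -> dict:
    """Report which authorization server minted the token and whether
    the custom claim made it into the payload."""
    payload = decode_payload(jwt)
    iss = payload.get("iss", "")
    segs = [s for s in urlparse(iss).path.split("/") if s]
    if not iss:
        server = "unknown"
    elif not segs:
        server = "org"                      # https://{yourOktaDomain}
    elif len(segs) == 2 and segs[0] == "oauth2":
        server = "custom:" + segs[1]        # .../oauth2/default or .../oauth2/{id}
    else:
        server = "unknown"
    return {"server": server, "cid": payload.get("cid"),
            "has_claim": claim in payload}

# Constructed samples: same client, different issuers.
ORG_TOKEN = make_sample_token(
    {"iss": "https://example.okta.com", "cid": "0oa_sample_client"})
DEFAULT_TOKEN = make_sample_token(
    {"iss": "https://example.okta.com/oauth2/default",
     "cid": "0oa_sample_client", "appClientId": "0oa_sample_client"})

if __name__ == "__main__":
    for tok in (ORG_TOKEN, DEFAULT_TOKEN):
        print(diagnose(tok, "appClientId"))
```

A result of `server: "org"` means the application's issuer/authority setting is not pointing at the authorization server where the claim was defined. Use this only for troubleshooting; a resource server must still validate the token's signature and issuer before trusting any claim.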