I am using Okta.Aspnet with the redirect model. I have a custom attribute added to the user profile but it doesn’t show up with the HttpContext claims. The custom attribute contains all the AD groups the user is a member of and needs to be parsed to determine if they are authorized to view the page.
If you parse the raw ID token/pass the Access Token to the Userinfo endpoint, are the expected claims being returned? Are these attributes added to the user’s Okta profile, or their application profile?
If I decode the id_token and the access token from claims I don’t see the claim data. I believe it is a part of the user’s Okta profile. I can see the information if, after authenticating, I open a new tab and navigate to /api/v1/users/me. I tried using WebClient and DownloadString on the URL but I got a 403 Forbidden. I was hoping that I could have it available in HttpContext.GetOwinContext().Authentication.User.Claims to make things simple. I will search more posts about the userinfo endpoint.
Thanks for the help! I have the WebRequest working but not sure about what URL to use. Below are the ones I tried and the results I received. What am I doing wrong?
' URLs tried, with the result each one returned:
Dim requestURL = "https://" & BaseURL & "/api/v1/users/me" '(400) Bad Request.
Dim requestURL = "https://" & BaseURL & "/api/v1/userinfo" '(405) Method Not Allowed.
Dim requestURL = "https://" & BaseURL & "/v1/userinfo" '(404) Not Found.

Dim claims = HttpContext.GetOwinContext().Authentication.User.Claims
Dim access_token = claims(13).Value ' token picked by its position in the claims list
Dim Request As HttpWebRequest = HttpWebRequest.Create(requestURL)
Request.Method = "GET"
Request.Timeout = 60000
Request.ContentType = "application/json"
Request.Headers.Add("Authorization", "Bearer " & access_token) ' OAuth bearer scheme
Dim Response As WebResponse = Request.GetResponse()
The part that goes before /v1/userinfo should match the iss claim value in your Access token; that way you are sending the Access token back to the same authorization server that issued the token originally.
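An added example in Python (not code from this thread or from Okta.AspNet) of the rule above: read the iss claim out of the access token, refuse to forward the token to any issuer other than the one the application was configured with, build the userinfo URL for either a custom authorization server or the Org authorization server, and then check a custom group claim of the kind the original question describes. The issuer values, the claim name and the unsigned demo token are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token: str) -> dict:
    """Return the (unverified) payload of a compact JWS: header.payload.signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def build_userinfo_request(access_token: str, expected_issuer: str):
    """Derive the userinfo URL from the token's own iss claim and build the headers."""
    iss = jwt_payload(access_token).get("iss")
    # Only ever send the token back to the issuer this app was configured with.
    if iss != expected_issuer:
        raise ValueError(f"token issuer {iss!r} is not the configured issuer")
    base = iss.rstrip("/")
    path = urlparse(base).path
    if path.startswith("/oauth2/"):      # custom AS: https://{org}/oauth2/{id}
        url = base + "/v1/userinfo"
    elif path == "":                      # Org AS: issuer is the bare org URL
        url = base + "/oauth2/v1/userinfo"
    else:
        raise ValueError(f"unrecognised Okta issuer {iss!r}")
    # OAuth bearer scheme; SSWS is the scheme for Okta API tokens, not for this call.
    return url, {"Authorization": "Bearer " + access_token, "Accept": "application/json"}

def user_in_group(userinfo: dict, claim_name: str, group: str) -> bool:
    """Check a custom group claim that may arrive as a list or as a single string."""
    value = userinfo.get(claim_name)
    if value is None:
        return False
    groups = value if isinstance(value, list) else [value]
    return group in groups

def make_demo_token(payload: dict) -> str:
    """Constructed, unsigned demo token (placeholder signature) for offline use only."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg(payload), "sig"])
```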
We aren’t using a custom server. When I try that URL and add SSWS to the header I get a 401 Unauthorized from my dev account and our company account. Is there some extra permission that my account needs? Is this method of requesting user data really the only way to get a custom profile attribute? It is odd to me that I added an attribute to the user profile and then request that scope but don’t receive it.
Dim requestURL = BaseURL & "/oauth2/v1/userinfo"
Dim access_token = claims(13).Value ' token picked by its position in the claims list
Dim Request As HttpWebRequest = HttpWebRequest.Create(requestURL)
Request.Method = "GET"
Request.Timeout = 60000
Request.ContentType = "application/json"
Request.Headers.Add("Authorization", "SSWS " & access_token) ' SSWS is the scheme for Okta API tokens, not OAuth access tokens
Dim Response As WebResponse = Request.GetResponse() '(401) Unauthorized.
I changed the header value to Bearer and I am using the access token from HttpContext.GetOwinContext().Authentication.User.Claims after I sign in and getting a 401 error. Is that the right place to get the access token?
I have the request working now. I updated the BaseURL to come from the claims and it works. The issue now is that I don’t get the custom attribute with it.
Imports System.IO
Imports System.Net
Imports System.Text

Dim claims = HttpContext.GetOwinContext().Authentication.User.Claims
Dim BaseURL As String = claims(2).Value ' the iss claim: the authorization server that issued the token
Dim requestURL = BaseURL & "/v1/userinfo" ' userinfo endpoint of that same issuer
Dim access_token = claims(13).Value ' token picked by its position in the claims list
Dim Request As HttpWebRequest = HttpWebRequest.Create(requestURL)
Request.Method = "GET"
Request.Timeout = 60000
Request.ContentType = "application/json"
Request.Headers.Add("Authorization", "Bearer " & access_token)
Dim ResponseData As String
' Dispose the response and reader when done reading the body
Using Response As WebResponse = Request.GetResponse()
    Using SReader As New StreamReader(Response.GetResponseStream(), Encoding.UTF8)
        ResponseData = SReader.ReadToEnd()
    End Using
End Using
The response returned is:
{"sub":"00u5bmc1blRLMQEFN5d7","name":"Jeremiah Haney","locale":"en_US","email":"jeremiah.haney@.org","preferred_username":"jeremiah.haney@.org","given_name":"Jeremiah","family_name":"Haney","zoneinfo":"America/Los_Angeles","updated_at":1654705387,"email_verified":true}
Does the user you are testing with have a value set for this custom attribute? And just to confirm, this attribute is in the Okta User profile or the application profile?
Ah, if you’re using the Org Authorization Server, can you try mapping the value from the Okta User Profile into a custom attribute in the OIDC Application User Profile? For a custom AS, the profile data should be coming from the Okta profile, but for the built-in Org AS, it should be coming from the application profile instead (if memory serves).
I now have a custom authorization server with the custom attribute added as a claim. But my claims iss value still shows oauth2/default. If I replace default with the server id I get a 400 error. Do I need to change something in my startup.cs?
You made a new Auth Server? Can you update the AuthorizationServerId in OktaMvcOptions to the ID for the server you are using (if it’s not the “Default” one)?