Custom user profile attribute not showing under claims

I am using Okta.AspNet with the redirect model. I have a custom attribute added to the user profile, but it doesn't show up in the HttpContext claims. The custom attribute contains all the AD groups the user is a member of and needs to be parsed to determine whether they are authorized to view the page.

How do I access the custom attribute?

Here is what I have in Startup.cs.

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
        app.UseCookieAuthentication(New CookieAuthenticationOptions())
        app.UseOktaMvc(New OktaMvcOptions() With {
            .OktaDomain = OktaDomain,
            .ClientId = ClientID,
            .ClientSecret = ClientSecret,
            .RedirectUri = "https://localhost:44314/Account/Login",
            .PostLogoutRedirectUri = "https://localhost:44314/Account/SignOut",
            .GetClaimsFromUserInfoEndpoint = True,
            .Scope = New List(Of String) From {
                "openid",
                "profile",
                "email"
            }
        })

If you parse the raw ID token/pass the Access Token to the Userinfo endpoint, are the expected claims being returned? Are these attributes added to the user’s Okta profile, or their application profile?

If I decode the id_token and the access token from the claims, I don't see the claim data. I believe it is part of the user's Okta profile. I can see the information if, after authenticating, I open a new tab and navigate to /api/v1/users/me. I tried using WebClient and DownloadString on the URL, but I got a 403 Forbidden. I was hoping that I could have it available in HttpContext.GetOwinContext().Authentication.User.Claims to make things simple. I will search more posts about the userinfo endpoint.

This is the endpoint I'm talking about: OpenID Connect & OAuth 2.0 API | Okta Developer. You send the Access Token as bearer auth to the userinfo endpoint of the auth server used to mint the token, a la https://issuer/v1/userinfo

Thanks for the help! I have the WebRequest working but am not sure what URL to use. Below are the ones I tried and the results I received. What am I doing wrong?

    ' URLs tried so far, with the HTTP status each one returned:
    Dim requestURL = "https://" & BaseURL & "/api/v1/users/me"   ' (400) Bad Request
    Dim requestURL = "https://" & BaseURL & "/api/v1/userinfo"   ' (405) Method Not Allowed
    Dim requestURL = "https://" & BaseURL & "/v1/userinfo"       ' (404) Not Found


    Dim claims = HttpContext.GetOwinContext().Authentication.User.Claims
    ' Positional index into the claims list; the position of the access token is not guaranteed to be stable
    Dim access_token = claims(13).Value
    Dim Request As HttpWebRequest = HttpWebRequest.Create(requestURL)
    Request.Method = "GET"
    Request.Timeout = 60000
    Request.ContentType = "application/json"
    Request.Headers.Add("Authorization", "Bearer " & access_token)
    Dim Response As WebResponse = Request.GetResponse()

URL should look more like https://OktaDomain/oauth2/v1/userinfo or, if you’re using a custom authorization server, https://OktaDomain/oauth2/{{authorizationServerId}}/v1/userinfo.

The part that goes before /v1/userinfo should match the iss claim value in your Access token; that way you are sending the Access token back to the same authorization server that issued the token originally.
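As an added example (not code from this thread and not part of the Okta.AspNet library), the VB.NET helper below does what the reply above describes, with two checks a practitioner would want: it reads the access token and the iss claim from the OWIN principal by claim type rather than by position, refuses to send the bearer token anywhere unless iss is an https URL on the configured Okta org, and only then calls the userinfo endpoint derived from iss. It assumes Okta.AspNet stores the token under the claim type "access_token" and that the token's iss is present as an "iss" claim (check your middleware version if FindFirst returns Nothing); the parameter names and the use of JavaScriptSerializer are this example's own choices.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Net.Http
Imports System.Net.Http.Headers
Imports System.Security.Claims
Imports System.Threading.Tasks
Imports System.Web.Script.Serialization

Public Module OktaUserInfo
    ' One HttpClient for the whole process; a new client per request leaks sockets under load.
    Private ReadOnly Client As New HttpClient()

    ' Calls the userinfo endpoint of the authorization server that minted the user's access token.
    ' expectedOktaDomain is the same value as OktaMvcOptions.OktaDomain, e.g. "https://dev-123456.okta.com" (assumed value).
    Public Async Function GetUserInfoAsync(user As ClaimsPrincipal, expectedOktaDomain As String) _
            As Task(Of Dictionary(Of String, Object))

        ' Look the values up by claim type; the order of the claims list is not stable.
        ' Assumption: Okta.AspNet adds the tokens as claims named "access_token" / "id_token".
        Dim accessToken = user.FindFirst("access_token")?.Value
        Dim issuer = user.FindFirst("iss")?.Value
        If String.IsNullOrEmpty(accessToken) OrElse String.IsNullOrEmpty(issuer) Then
            Throw New InvalidOperationException("No access_token or iss claim on the principal; is the user signed in?")
        End If

        ' Only ever send the bearer token back to the issuer that minted it, and only over https.
        Dim issuerUri As Uri = Nothing
        If Not Uri.TryCreate(issuer, UriKind.Absolute, issuerUri) OrElse issuerUri.Scheme <> Uri.UriSchemeHttps Then
            Throw New InvalidOperationException("iss is not an absolute https URL: " & issuer)
        End If
        Dim expectedHost = New Uri(expectedOktaDomain).Host
        If Not String.Equals(issuerUri.Host, expectedHost, StringComparison.OrdinalIgnoreCase) Then
            Throw New InvalidOperationException("iss " & issuer & " is not on the configured Okta org " & expectedHost)
        End If

        ' Org AS tokens have iss = https://{domain} and the endpoint lives at /oauth2/v1/userinfo;
        ' custom AS tokens have iss = https://{domain}/oauth2/{id} and the endpoint is {iss}/v1/userinfo.
        Dim basePath = issuer.TrimEnd("/"c)
        Dim userInfoUrl = If(issuerUri.AbsolutePath = "/",
                             basePath & "/oauth2/v1/userinfo",
                             basePath & "/v1/userinfo")

        Using request As New HttpRequestMessage(HttpMethod.Get, userInfoUrl)
            request.Headers.Authorization = New AuthenticationHeaderValue("Bearer", accessToken)
            Using response = Await Client.SendAsync(request)
                ' A 401 here usually means the token was minted by a different authorization server,
                ' has expired, or was issued without the openid scope.
                If Not response.IsSuccessStatusCode Then
                    Throw New InvalidOperationException(
                        $"userinfo returned {CInt(response.StatusCode)} for {userInfoUrl}")
                End If
                Dim body = Await response.Content.ReadAsStringAsync()
                Return New JavaScriptSerializer().Deserialize(Of Dictionary(Of String, Object))(body)
            End Using
        End Using
    End Function
End Module
```

Call it from a controller action as `Await OktaUserInfo.GetUserInfoAsync(User, oktaDomain)` and read the claims out of the returned dictionary. The host check matters because the issuer string comes from the token the user presented; a bearer token sent to a URL taken blindly from the principal is sent to whatever that claim says.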

We aren't using a custom server. When I try that URL and add SSWS to the header, I get a 401 Unauthorized from my dev account and our company account. Is there some extra permission that my account needs? Is this method of requesting user data really the only way to get a custom profile attribute? It is odd to me that I added an attribute to the user profile and then request that scope but don't receive it.

    Dim claims = HttpContext.GetOwinContext().Authentication.User.Claims
    Dim requestURL = BaseURL & "/oauth2/v1/userinfo"
    Dim access_token = claims(13).Value
    Dim Request As HttpWebRequest = HttpWebRequest.Create(requestURL)
    Request.Method = "GET"
    Request.Timeout = 60000
    Request.ContentType = "application/json"
    ' SSWS is the scheme for Okta API tokens, not for a user's OAuth access token
    Request.Headers.Add("Authorization", "SSWS " & access_token)
    Dim Response As WebResponse = Request.GetResponse()   ' (401) Unauthorized

You don’t authorize this call with an SSWS, you use the user’s Access Token as a Bearer token.

I changed the header value to Bearer, and I am using the access token from HttpContext.GetOwinContext().Authentication.User.Claims after I sign in, and I'm getting a 401 error. Is that the right place to get the access token?

I have the request working now. I updated the base URL to come from the claims, and it works. The issue now is that I don't get the custom attribute with it.

    Dim claims = HttpContext.GetOwinContext().Authentication.User.Claims
    ' Claim index 2 holds the iss value of the token, e.g. https://{oktaDomain}/oauth2/default
    Dim BaseURL As String = claims(2).Value

    Dim requestURL = BaseURL & "/v1/userinfo"
    Dim access_token = claims(13).Value
    Dim Request As HttpWebRequest = HttpWebRequest.Create(requestURL)
    Request.Method = "GET"
    Request.Timeout = 60000
    Request.ContentType = "application/json"
    Request.Headers.Add("Authorization", "Bearer " & access_token)
    Dim Response As WebResponse = Request.GetResponse()

    ' Read the JSON body of the userinfo response
    Dim MyStream As Stream = Response.GetResponseStream()
    Dim SReader As New StreamReader(MyStream, Encoding.UTF8)

    Dim ResponseData As String = SReader.ReadToEnd()

The response returned is:

    {
      "sub": "00u5bmc1blRLMQEFN5d7",
      "name": "Jeremiah Haney",
      "locale": "en_US",
      "email": "jeremiah.haney@.org",
      "preferred_username": "jeremiah.haney@.org",
      "given_name": "Jeremiah",
      "family_name": "Haney",
      "zoneinfo": "America/Los_Angeles",
      "updated_at": 1654705387,
      "email_verified": true
    }

Any idea why I don’t get more data about the user including the custom attribute?

Does the user you are testing with have a value set for this custom attribute? And just to confirm, this attribute is in the Okta User profile or the application profile?

The attribute was added to the Okta user profile and I added a value for myself.

Ah, if you're using the Org Authorization Server, can you try mapping the value from the Okta User Profile into a custom attribute in the OIDC Application User Profile? For a custom AS, the profile data should be coming from the Okta profile, but for the built-in Org AS, it should be coming from the application profile instead (if memory serves).

I now have a custom authorization server with the custom attribute added as a claim. But my claims' iss value still shows oauth2/default. If I replace default with the server ID, I get a 400 error. Do I need to change something in my Startup.cs?

You made a new auth server? Can you update the AuthorizationServerId in OktaMvcOptions to the ID for the server you are using (if it's not the "default" one)?
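To close the loop on the last two replies, here is an added VB.NET example (not the poster's code and not Okta's own sample) of the Startup change plus a claim-based authorization check for the AD group list. It assumes the custom authorization server exposes the groups as a claim named adGroups granted under a scope named adgroups, that appSettings keys prefixed okta: hold the org values, and that the claim can arrive as repeated claims, as a JSON array in one claim value, or as a delimited string; adjust the names and the parsing to match how your server serialises it.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Configuration
Imports System.Security.Claims
Imports System.Web
Imports System.Web.Mvc
Imports System.Web.Script.Serialization
Imports Microsoft.Owin.Security.Cookies
Imports Okta.AspNet
Imports Owin

Public Class Startup
    ' Scope under which the custom authorization server grants the adGroups claim (assumed name).
    Friend Const GroupScope As String = "adgroups"

    Public Sub Configuration(app As IAppBuilder)
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
        app.UseCookieAuthentication(New CookieAuthenticationOptions())
        ' The appSettings keys are this example's own. AuthorizationServerId must be the id of the
        ' server that mints the claim: "default", or the id shown in the Admin Console for a server you
        ' created. The iss of the resulting tokens becomes https://{OktaDomain}/oauth2/{AuthorizationServerId}.
        app.UseOktaMvc(New OktaMvcOptions() With {
            .OktaDomain = ConfigurationManager.AppSettings("okta:OktaDomain"),
            .ClientId = ConfigurationManager.AppSettings("okta:ClientId"),
            .ClientSecret = ConfigurationManager.AppSettings("okta:ClientSecret"),
            .AuthorizationServerId = ConfigurationManager.AppSettings("okta:AuthorizationServerId"),
            .RedirectUri = "https://localhost:44314/Account/Login",
            .PostLogoutRedirectUri = "https://localhost:44314/Account/SignOut",
            .GetClaimsFromUserInfoEndpoint = True,
            .Scope = New List(Of String) From {"openid", "profile", "email", GroupScope}
        })
    End Sub
End Class

Public Module AdGroupClaims
    ' Name of the custom claim defined on the authorization server (assumed; use your own claim name).
    Public Const GroupsClaimType As String = "adGroups"

    ' Collects the AD groups carried by the principal into a case-insensitive set. Handles the three
    ' shapes the claim may take: one Claim per group, a JSON array in a single claim value, or a
    ' comma/semicolon-delimited string.
    Public Function GetAdGroups(user As ClaimsPrincipal) As HashSet(Of String)
        Dim groups As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase)
        If user Is Nothing Then Return groups
        For Each c As Claim In user.FindAll(GroupsClaimType)
            Dim value = c.Value.Trim()
            If value.StartsWith("[") Then
                For Each g In New JavaScriptSerializer().Deserialize(Of String())(value)
                    groups.Add(g.Trim())
                Next
            Else
                For Each g In value.Split({","c, ";"c}, StringSplitOptions.RemoveEmptyEntries)
                    groups.Add(g.Trim())
                Next
            End If
        Next
        Return groups
    End Function

    Public Function IsMemberOf(user As ClaimsPrincipal, requiredGroup As String) As Boolean
        Return GetAdGroups(user).Contains(requiredGroup)
    End Function
End Module

' Usage on a controller or action: <RequireAdGroup("App-Admins")> (group name is illustrative).
' Rejects the request as unauthorized unless the signed-in user carries that group.
Public Class RequireAdGroupAttribute
    Inherits AuthorizeAttribute

    Private ReadOnly _group As String

    Public Sub New(group As String)
        _group = group
    End Sub

    Protected Overrides Function AuthorizeCore(httpContext As HttpContextBase) As Boolean
        ' Keep the base check so an anonymous user is still sent to sign in.
        If Not MyBase.AuthorizeCore(httpContext) Then Return False
        Return AdGroupClaims.IsMemberOf(TryCast(httpContext.User, ClaimsPrincipal), _group)
    End Function
End Class
```

Once AuthorizationServerId points at the server that defines the claim and the scope is requested, the claim is already in the principal that the middleware builds, so the page-level check reads it from HttpContext.User instead of calling userinfo again on every request.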