Custom user properties and user object discrepancies

I have custom user properties defined at the application level for users. I think that I figured out the answer to my first question but I’ll go ahead and ask anyway.

  • When retrieving a user via /api/v1/users/${userId} I do not see any custom properties returned in the profile. The /api/v1/apps/${applicationId}/users/${userId} will return the user with custom properties I need. My question is: Is the apps API the only method in which I can get custom properties? If so, that is problematic in that my app has to know the application ID, which of course I do not store in my application and would necessitate a bunch of extra API calls along with knowledge of at least the app name by my application in order to query for the ID.
  • Second question: Why the discrepancy between the user object returned via the users API (User object) and the apps API (Application User object)? For example, the former returns firstname and lastname while the latter returns given_name and family_name. I see that happens in the Okta app mappings but why?? It will make it difficult to use a common schema if I need to interact with both APIs. There are other differences, such as the contents of the credentials property, that aren’t part of the mapping. Any suggestions for dealing with the differences?

Some background: I’m building a custom interface in my application for maintaining user profiles and in most cases the users API would meet the needs, however, in a particular use case I need to search for users having a certain value in a custom property.

I kind of see how/why the Okta app user is different in that the Okta app is about scoping things for OAuth authentication purposes. Just a bummer the Okta user profile wasn’t made to match, but I’m sure there was a reason for that.

Anyway, it’s making me rethink my design a bit. I am storing authorization data for my application into the custom properties. The reason for putting them into the Okta apps is that I wanted to sandbox them for our different environments (dev, staging, production, etc.) into separate apps in order for users to have different permissions in each environment.

I think that I have a working solution and wanted to float it here to get feedback.

If I move the custom property from the Okta app into the default user profile and then map it both ways in the application profile, I would then have access to it in one place in the user profile. What I’m unsure about and wanted to validate is that the mapped attribute is still available to my authorization server’s claims?

This is an example of the current claims in my auth server for the app-level custom properties:

Name              Value                       Scopes    Type     Included
user_permissions  appuser.user_permissions    profile   access   Always

Moving the custom attribute from appuser.profile to user.profile looks like it will accomplish what I need.
