Okta supports client level claims. We have multiple approaches depending on how you want to accomplish your goal and what product you are using from Okta (SSO vs API Access Management).
- SSO product is intended for more standard enterprise scenarios where you want to pass user identity claims in ID tokens from the directory (traditional federation use case)
- API Access Management product provides a custom OAuth Authorization Server + OpenID Provider for your application where you can fully customize the ID Token and Access Token.
Each OAuth client is modeled as an Application in Okta. Each application can define its own schema for users assigned to the application called App User schema in Okta terminology. This is managed by visiting Directory->Profile Editor in the Admin UI,
These attributes can be referenced when issuing claims. Our SSO product doesn’t provide granular control of claim mappings and just passes the entire profile with the
profile scope. The API Access Management product lets you define custom claim mappings using expressions. This approach is useful if you want to persist data specific to a user + app.
We also have support for custom properties as part of the application. This is useful if you want to persist data that is specific to the client and not client + user. These properties need to specified via the API but can be referenced in claim mapping using Okta EL.
The free developer product includes support for both products. I recommend using a custom Authorization Server as it provides the most amount of flexibility.