Example of adding AD groups to groups claim in access token


#1

Does anyone have an example of adding AD groups membership to a groups claim in an access token?

It looks like the only way to do this is with getFilteredGroups.

Would it be something like this?

getFilteredGroups({"00gn335BVurvavwEEL0g3", "00gnfg5BVurvavAAEL0g3"}, "(group.objectClass[0] == 'okta:windows_security_principal') ? 'AD: ' + group.profile.windowsDomainQualifiedName : 'Okta: ' + group.name", 10)

I am assuming the whitelist is the list of groups that are valid for this app?


#2

Yes, assuming the group IDs and group name expression you wrote evaluate properly, that is the pattern you would follow to get group claims into an access token.

There is more information at the following links:

https://developer.okta.com/docs/how-to/creating-token-with-groups-claim.html

https://developer.okta.com/reference/okta_expression_language/#getfilteredgroups-details


#3

I have the basics working. Do I have to use Group IDs or can I use the name?

Next, I want to add this to the app profile.

I am doing the following:

POST https://tenant.okta.com/api/v1/apps/<App ID>
{
    "profile": {
        "groupwhitelist": [
            "<group ID>",
            "<group ID>"
        ]
    }
}

It returns

{
    "errorCode": "E0000022",
    "errorSummary": "The endpoint does not support the provided HTTP method",
    "errorLink": "E0000022",
    "errorId": "oaeGAz0uNuMQiigDTQY-RgcAQ",
    "errorCauses": []
}


#4

Are you posting the full object, or just the profile property?


#5

Just the profile.

I have an existing app that I want to add the profile to.


#6

You’ll have to post the full object. You can do a GET, then add the profile property to it, and POST it back.


#7

Will it keep the same Client ID?


#8

Yes. You can also do a PUT with

{
    "name": "<app_name>",
    "label": "<app_label>",
    "status": "ACTIVE",
    "signOnMode": "OPENID_CONNECT",
    "profile": {
        "whitelist": [
          "fooo"
        ]
    }
}

Just include the existing values for “name”, “label”, “status”, and “signOnMode”.


#9

{
    "errorCode": "E0000022",
    "errorSummary": "The endpoint does not support the provided HTTP method",
    "errorLink": "E0000022",
    "errorId": "oaeTG5qSqqQTEquPtEjAIndlQ",
    "errorCauses": []
}

Is it a different endpoint? I am using https://tenant.okta.com/api/v1/apps


#10

Here’s the full request:

curl -X PUT \
  https://<myOrg>.oktapreview.com/api/v1/apps/<appId> \
  -H 'accept: application/json' \
  -H 'authorization: SSWS <redacted>' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "name": "oidc_client",
    "label": "Native OIDC app",
    "status": "ACTIVE",
    "signOnMode": "OPENID_CONNECT",
    "profile": {
        "whitelist": [
          "fooo"
        ]
    }
}'
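The GET-then-PUT sequence from #6, #8 and #10 as a small Python client, added here as an example (not code from this thread or from Okta). The environment variable names and the profile attribute name "whitelist" are assumptions; the required-field list follows #8.

```python
# Constructed example (not the thread's or Okta's code): GET the app, merge a group-ID
# whitelist into its profile, PUT the full object back. Assumes env vars OKTA_ORG_URL,
# OKTA_API_TOKEN, OKTA_APP_ID, OKTA_GROUP_IDS and the profile attribute name "whitelist".
import json
import os
import urllib.request

# Per the thread, the PUT body needs these alongside "profile"; sending only "profile"
# (or hitting /api/v1/apps without the app ID) is rejected.
REQUIRED_FIELDS = ("name", "label", "status", "signOnMode")


def build_put_body(app: dict, group_ids: list, attr: str = "whitelist") -> dict:
    """Minimal PUT body: required fields copied from the fetched app plus the existing
    profile with the group IDs merged in (deduplicated, order kept)."""
    missing = [f for f in REQUIRED_FIELDS if f not in app]
    if missing:
        raise ValueError(f"fetched app lacks required fields: {missing}")
    profile = dict(app.get("profile") or {})  # keep any other profile attributes
    profile[attr] = list(dict.fromkeys([*profile.get(attr, []), *group_ids]))
    body = {f: app[f] for f in REQUIRED_FIELDS}
    body["profile"] = profile
    return body


def _request(method: str, url: str, token: str, body: dict = None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"SSWS {token}",  # API token comes from the environment
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def add_group_whitelist(org_url: str, app_id: str, token: str, group_ids: list) -> dict:
    """GET /api/v1/apps/{appId}, merge the whitelist, PUT it back. The client ID is kept."""
    url = f"{org_url}/api/v1/apps/{app_id}"
    app = _request("GET", url, token)
    return _request("PUT", url, token, build_put_body(app, group_ids))


if __name__ == "__main__":
    ids = [g for g in os.environ.get("OKTA_GROUP_IDS", "").split(",") if g]
    updated = add_group_whitelist(os.environ["OKTA_ORG_URL"], os.environ["OKTA_APP_ID"],
                                  os.environ["OKTA_API_TOKEN"], ids)
    print(json.dumps(updated.get("profile"), indent=2))
```

Keeping the whitelist to the groups the app actually needs also limits how much group membership is disclosed in the tokens it receives.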

#11

I was missing the App ID.

Thanks for your help.