Fetching the groups a logged in user belongs to

I’ve logged my user in by redirecting to the authorization_endpoint with a scope of “groups openid email”, after successful login at that endpoint the user is redirected again back to my application with the code as a GET parameter.

I’m then making a request to the token_endpoint, this returns an id_token, and an access_token.

I can extract groups from the access_token returned, but this is not the full list. There are about 50-60 groups depending on the user, and I’m only seeing 7 in the access_token.

So I then make a request to this url: {okta_site}/api/v1/users/me/groups

In the header for this request I’m including “Authorization”: "Bearer: " + token

If I include the access_token returned from the step above, I get a 400 internal server error with no information. If I include the id_token returned I get a 401 unauthorized error. This leads me to believe I do have the right endpoint, but there is some error that I’m not seeing.

I’ve tried many other URLs and configurations, I’ve searched online and this seems to be a common problem but none of the solutions I found work. If I hit that groups endpoint from my browser after logging into okta I can see all of the groups my user should have. How can I get the full list of groups for a user?

Any help would be greatly appreciated.

Groups can be added to access/ID tokens by configuring them as described here. This might be the easiest method to investigate and add missing groups to access/ID tokens.

Alternatively, {okta_site}/api/v1/users/{{userId}}/groups is an Okta Admin Management endpoint and needs Okta scopes issued by the Okta Org authorization server. This can only be done by a user with appropriate admin roles. Here is a guide to implement this.

{okta_site}/api/v1/users/me endpoints rely on the session cookie for authentication. That might be why this works in your browser.

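The first suggestion in the answer is to put the groups into the token and inspect what the authorization server actually issues. The following is an added example, not code from the question or the answer and not Okta's own library: it decodes the payload of a JWT without verifying it (inspection only; anything the application trusts must still be validated against the server's JWKS), lists the `groups` claim, reports which expected groups are absent, and builds the `Authorization` header in the form the Bearer scheme expects (scheme, one space, token). The token, group names and subject are constructed sample values.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED sample token for this example.

    Real Okta tokens carry an RS256 signature; here the third segment is a
    dummy so the example runs offline. Never treat such a token as valid."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWS without verifying it.

    Use this only to see which claims the authorization server put in the
    token (e.g. whether `groups` is present and how many entries it has).
    Authorization decisions must use a verified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def groups_from_token(token: str) -> list:
    """Return the `groups` claim as a list (empty if the claim was not issued)."""
    groups = decode_claims(token).get("groups", [])
    if not isinstance(groups, list):
        raise ValueError("groups claim is not a list")
    return groups


def missing_groups(token: str, expected: list) -> list:
    """Groups the application expects but the token does not carry.

    A non-empty result is the symptom described in the question: the groups
    claim configuration on the authorization server is filtering them out."""
    present = set(groups_from_token(token))
    return [g for g in expected if g not in present]


def bearer_header(token: str) -> dict:
    """Authorization header for an API call: 'Bearer', a single space, the token."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Constructed sample: the server issued only two of the groups the app expects.
    token = make_sample_token({"sub": "00uEXAMPLE", "groups": ["Everyone", "Engineering"]})
    print("groups in token:", groups_from_token(token))
    print("missing:", missing_groups(token, ["Everyone", "Engineering", "Finance"]))
    print(bearer_header(token))
```

Comparing the decoded `groups` claim against the groups the user is known to hold shows immediately whether the problem is the claim configuration on the authorization server (too few groups issued) or the API call (wrong token type or header for the endpoint).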