Get Group Claims Using Access Token

I am using the .net FRAMEWORK with ‘UseOktaMvc’ in the middleware. It is authenticating the user and returning the id token and access token, scoped claims are also returned. I have included ‘groups’ in the scope w/o success, no group claims are returned. The groups are active directory groups that are imported into authorization server.

The solution was to decrypt the access_token.


        app.Use(async (context, next) =>
        {
            if (context.Authentication.User.Identity.IsAuthenticated)
            {
                // Get claims from access_token
                var accessToken = ((ClaimsIdentity)context.Authentication.User.Identity).Claims.Where(x => x.Type == "access_token").FirstOrDefault().Value;
                var handler = new JwtSecurityTokenHandler();
                var token = handler.ReadJwtToken(accessToken);

                // Add roles from claims
                var claims = new List<Claim>();
                foreach (var group in token.Claims.Where(x => x.Type == "allgroups")) 
                {
                    claims.Add(new Claim(ClaimTypes.Role, group.Value));
                }

                if (claims.Count > 0)
                {
                    var identity = new ClaimsIdentity();
                    identity.AddClaims(claims);

                    var identities = new List<ClaimsIdentity> { identity };
                    context.Authentication.User.AddIdentities(identities);
                }
            }

            await next.Invoke();
        });

If you’re using a custom authorization server (such as the one named “Default”, more details here about auth server types), you configure the claims on the authorization server.

If you’re using the Org AS (which will give you a thin ID token, as described here), you are configuring the claims on the application itself. In which case, you need to send the access token back to THAT server’s Userinfo endpoint instead: https://org.okta.com/oauth2/v1/userinfo (aka, remove /default from your path since that references a separate server)

Can you try using the Org AS Userinfo endpoint (https://org.okta.com/oauth2/v1/userinfo) and see if that works?

Updated my solution. It seems excessive, but do I need to verify the access_token I just received?

I mean, if you’re sending it to /userinfo, Okta is going to verify the token