Get Group Claims Using Access Token

StateDeptDeveloper1 · May 11, 2022, 6:57pm

I am using the .net FRAMEWORK with ‘UseOktaMvc’ in the middleware. It is authenticating the user and returning the id token and access token, scoped claims are also returned. I have included ‘groups’ in the scope w/o success, no group claims are returned. The groups are active directory groups that are imported into authorization server.

The solution was to decrypt the access_token.

        app.Use(async (context, next) =>
        {
            if (context.Authentication.User.Identity.IsAuthenticated)
            {
                // Get claims from access_token
                var accessToken = ((ClaimsIdentity)context.Authentication.User.Identity).Claims.Where(x => x.Type == "access_token").FirstOrDefault().Value;
                var handler = new JwtSecurityTokenHandler();
                var token = handler.ReadJwtToken(accessToken);

                // Add roles from claims
                var claims = new List<Claim>();
                foreach (var group in token.Claims.Where(x => x.Type == "allgroups")) 
                {
                    claims.Add(new Claim(ClaimTypes.Role, group.Value));
                }

                if (claims.Count > 0)
                {
                    var identity = new ClaimsIdentity();
                    identity.AddClaims(claims);

                    var identities = new List<ClaimsIdentity> { identity };
                    context.Authentication.User.AddIdentities(identities);
                }
            }

            await next.Invoke();
        });

andrea · May 12, 2022, 12:09am

If you’re using a custom authorization server (such as the one named “Default”, more details here about auth server types), you configure the claims on the authorization server.

If you’re using the Org AS (which will give you a thin ID token, as described here), you are configuring the claims on the application itself. In which case, you need to send the access token back to THAT server’s Userinfo endpoint instead: https://org.okta.com/oauth2/v1/userinfo (aka, remove /default from your path since that references a separate server)

Can you try using the Org AS Userinfo endpoint (https://org.okta.com/oauth2/v1/userinfo) and see if that works?

StateDeptDeveloper1 · May 18, 2022, 2:08pm

Updated my solution. It seems excessive, but do I need to verify the access_token I just received?

andrea · May 18, 2022, 6:46pm

I mean, if you’re sending it to /userinfo, Okta is going to verify the token

Post		Replies	Views
Groups claims - Id token and access token Questions	13	6684	April 6, 2020
Claims in access token for OpenID Connect OAuth/OIDC	8	14425	December 18, 2019
Getting groups in .net core 2.2 mvc app Questions	2	4877	September 11, 2019
Get user claims from access token not token id Questions	3	4783	March 11, 2020
Tokens, userinfo endpoint and claims Questions	1	3834	January 24, 2024

Get Group Claims Using Access Token

Related topics