Get Group Claims Using Access Token

StateDeptDeveloper1 · May 11, 2022, 6:57pm

I am using the .net FRAMEWORK with ‘UseOktaMvc’ in the middleware. It is authenticating the user and returning the id token and access token, scoped claims are also returned. I have included ‘groups’ in the scope w/o success, no group claims are returned. The groups are active directory groups that are imported into authorization server.

The solution was to decrypt the access_token.

        app.Use(async (context, next) =>
        {
            if (context.Authentication.User.Identity.IsAuthenticated)
            {
                // Get claims from access_token
                var accessToken = ((ClaimsIdentity)context.Authentication.User.Identity).Claims.Where(x => x.Type == "access_token").FirstOrDefault().Value;
                var handler = new JwtSecurityTokenHandler();
                var token = handler.ReadJwtToken(accessToken);

                // Add roles from claims
                var claims = new List<Claim>();
                foreach (var group in token.Claims.Where(x => x.Type == "allgroups")) 
                {
                    claims.Add(new Claim(ClaimTypes.Role, group.Value));
                }

                if (claims.Count > 0)
                {
                    var identity = new ClaimsIdentity();
                    identity.AddClaims(claims);

                    var identities = new List<ClaimsIdentity> { identity };
                    context.Authentication.User.AddIdentities(identities);
                }
            }

            await next.Invoke();
        });

andrea · May 12, 2022, 12:09am

If you’re using a custom authorization server (such as the one named “Default”, more details here about auth server types), you configure the claims on the authorization server.

If you’re using the Org AS (which will give you a thin ID token, as described here), you are configuring the claims on the application itself. In which case, you need to send the access token back to THAT server’s Userinfo endpoint instead: https://org.okta.com/oauth2/v1/userinfo (aka, remove /default from your path since that references a separate server)

Can you try using the Org AS Userinfo endpoint (https://org.okta.com/oauth2/v1/userinfo) and see if that works?

StateDeptDeveloper1 · May 18, 2022, 2:08pm

Updated my solution. It seems excessive, but do I need to verify the access_token I just received?

andrea · May 18, 2022, 6:46pm

I mean, if you’re sending it to /userinfo, Okta is going to verify the token

Post		Replies	Views
Claims in access token for OpenID Connect OAuth/OIDC	8	14301	December 18, 2019
Unable to get claims from default custom authorization server OAuth/OIDC	3	1721	February 15, 2024
How to get Application Groups instead of User Groups in my token? OAuth/OIDC api	14	12185	February 14, 2020
How to add Groups claim for the Org Authorization Server for a specific application Questions	3	4095	December 10, 2020
Help for ASP.Net Core 8.0 Blazor/User AD Group claims from Okta using Okta.AspNetCore 4.6.1 OAuth/OIDC dotnet	2	786	June 19, 2024

Get Group Claims Using Access Token

Related topics