Getting groups scope when using response_type=code

Hey,
I am trying to obtain groups info about user when he/she logs into app.
On /v1/authorize I send scope: openid groups and response_type=code in queries and then ask for /v1/token to obtain id_token but it doesn’t include groups list.
I already added proper groups claim expression and it sends me the list when I am using https://okta-oidc-fun.herokuapp.com/ and use response_type=id_token.

Can I obtain groups list when using code as response_type?

Hey, I prepared a gist with code I am using in PHP:

Hi mgolebiowski, did you ever get this solved?

I have the exact same issue, responseType=id_token works, the groups are there, but with responseType=code I exchange that for an id_token, which has no groups.

Hi @dragos maybe you know? Sorry for pinging you so directly, saw you in the other thread – maybe you know :slight_smile:

Hi @mkay

If both ID token and access token are requested, then the ID token gets automatically minified and the rest of the claims, including the groups claim, are available through a separate request to /userinfo endpoint. Here is a cURL example

curl --location --request GET 'https://dragos.oktapreview.com/oauth2/v1/userinfo' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer {{accessToken}}'

If you have the API Access Management feature enabled on your Okta org (available under Admin >> Security >> API >> Authorization Servers), then you can hardcode the groups claim to be displayed always inside the ID token, rather than being displayed only on /userinfo.

Hi @dragos

I got it working using the /userinfo endpoint, thank you. I was using the Sign-In widget, but now I’m trying out the “redirect method” (as described here https://developer.okta.com/docs/guides/implement-auth-code/use-flow/). Even if I set the scope=‘openid email groups’ in the link that I use do direct the user to the login form hosted on my okta domain, then later I am not able to get the groups from the /userirfo endpoint.

Does the redirect work differently somehow than the Sign-In widget when asking for scopes?

Thanks!