Hey,
I am trying to obtain group info about a user when he/she logs into the app.
On /v1/authorize I send scope=openid groups and response_type=code in the query, and then call /v1/token to obtain the id_token, but it doesn't include the groups list.
I already added the proper groups claim expression, and it sends me the list when I use https://okta-oidc-fun.herokuapp.com/ with response_type=id_token.
Can I obtain the groups list when using code as the response_type?
I have the exact same issue: responseType=id_token works and the groups are there, but with responseType=code I exchange that for an id_token, which has no groups.
If both an ID token and an access token are requested, then the ID token is automatically minified and the rest of the claims, including the groups claim, are available through a separate request to the /userinfo endpoint. Here is a cURL example
If you have the API Access Management feature enabled on your Okta org (available under Admin >> Security >> API >> Authorization Servers), then you can hardcode the groups claim to always be included in the ID token, rather than only being returned from /userinfo.
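The two cases described in the reply above, as an added example that is not part of the original thread and not Okta's own code: decode the ID token returned by the code flow, use the groups claim if it is present (response_type=id_token, or a groups claim hardcoded on an API Access Management authorization server), and otherwise call /userinfo with the access token from the same /token response. All tokens, the issuer URL, client and user IDs, and the userinfo body are constructed inline so the script runs offline; the real fetcher assumes the userinfo endpoint is {issuer}/v1/userinfo and is not called by the demo.

```python
"""Read the groups claim from an OIDC ID token, falling back to /userinfo.

Added example for this thread, not Okta's code. Everything named
'constructed' below is sample data built inline so the script runs offline.
"""
import base64
import json
import urllib.request
from typing import Any, Callable, Dict, List, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> Dict[str, Any]:
    """Return the claims of a compact JWS WITHOUT verifying its signature.

    This is for looking at what the token contains. Before trusting any
    claim in production, verify the signature against the issuer's JWKS
    and check iss, aud, exp and nonce.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def resolve_groups(
    id_token: str,
    access_token: str,
    fetch_userinfo: Callable[[str], Dict[str, Any]],
) -> Tuple[List[str], str]:
    """Prefer the groups claim in the ID token; otherwise ask /userinfo.

    Returns (groups, source) where source is "id_token" or "userinfo".
    """
    claims = decode_jwt_payload(id_token)
    if "groups" in claims:
        return list(claims["groups"]), "id_token"
    # Minified ID token: groups live on the userinfo endpoint, which needs
    # the access token issued alongside the ID token by /v1/token.
    userinfo = fetch_userinfo(access_token)
    return list(userinfo.get("groups", [])), "userinfo"


def fetch_userinfo_okta(issuer: str, access_token: str) -> Dict[str, Any]:
    """Network fetcher: GET {issuer}/v1/userinfo with a Bearer token.

    Not called by the offline demo. Assumes the userinfo endpoint sits at
    /v1/userinfo under the issuer advertised by your authorization server.
    """
    req = urllib.request.Request(
        f"{issuer.rstrip('/')}/v1/userinfo",
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


# --- constructed sample data (not real Okta tokens) ---

def make_constructed_jwt(claims: Dict[str, Any]) -> str:
    """Build a JWS-shaped string for demonstration only; the signature
    segment is a placeholder that decode_jwt_payload never checks."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


BASE_CLAIMS = {
    "iss": "https://example.okta.com/oauth2/default",  # constructed issuer
    "aud": "0oa-constructed-client-id",
    "sub": "00u-constructed-user-id",
    "iat": 1700000000,
    "exp": 1700003600,
}
# What the code flow returns when an access token was also requested.
THIN_ID_TOKEN = make_constructed_jwt(BASE_CLAIMS)
# What response_type=id_token, or a hardcoded groups claim, returns.
FULL_ID_TOKEN = make_constructed_jwt({**BASE_CLAIMS, "groups": ["Everyone", "Admins"]})
CONSTRUCTED_ACCESS_TOKEN = "constructed-access-token"


def constructed_userinfo_fetch(access_token: str) -> Dict[str, Any]:
    """Stand-in for the network call, returning a constructed /userinfo body."""
    if access_token != CONSTRUCTED_ACCESS_TOKEN:
        raise PermissionError("401 invalid_token")
    return {"sub": BASE_CLAIMS["sub"], "email": "user@example.com",
            "groups": ["Everyone", "Admins"]}


if __name__ == "__main__":
    for label, tok in (("thin", THIN_ID_TOKEN), ("full", FULL_ID_TOKEN)):
        groups, source = resolve_groups(tok, CONSTRUCTED_ACCESS_TOKEN,
                                        constructed_userinfo_fetch)
        print(f"{label} id_token -> groups {groups} (from {source})")
```

Swap `constructed_userinfo_fetch` for `lambda at: fetch_userinfo_okta(issuer, at)` to run it against a real authorization server; the access token must be the one returned in the same /v1/token response as the ID token, and the groups scope must have been requested on /v1/authorize.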
I got it working using the /userinfo endpoint, thank you. I was using the Sign-In Widget, but now I'm trying out the "redirect method" (as described here: https://developer.okta.com/docs/guides/implement-auth-code/use-flow/). Even if I set scope='openid email groups' in the link that I use to direct the user to the login form hosted on my Okta domain, I am later not able to get the groups from the /userinfo endpoint.
Does the redirect method somehow work differently from the Sign-In Widget when asking for scopes?