Group IDs in access token claims

I am having trouble getting group claims in an access token which are IDs rather than names.

My use case is that I am building a customer access control system, and want to tie groups to Role Based Access Control through the JWT. I want RBAC bindings to use IDs rather than names so the group names can change without breaking RBAC assignments. Round trips during authorization in back end microservices to convert names to IDs would add too much latency.

I have a couple of existing group claims, like

  • `Groups.startsWith("OKTA","ACCT#CG#",100)`
  • groups: matches regex `^(?!(ACCT#U#|ACCT#CG#|ORG#).*$).*`

How can I do something similar, but return an array of group IDs rather than an array of group name strings?

It looks like it is not possible to include group IDs in claims. Below is the outcome of a support case on the same:

  • Okta Support - 2019-04-15 18:20:32: I shall research more on this and will provide an update soon.
  • Okta Support - 2019-04-17 21:43:07: I have been looking at our docs and it looks like we have a way to get the group IDs as claims using the static whitelisting method. Please refer to https://developer.okta.com/docs/how-to/creating-token-with-groups-claim/#create-groups-claims-with-a-dynamic-whitelist and https://developer.okta.com/reference/okta_expression_language/#conversion-functions for more details on how to implement the static whitelisting. The `getFilteredGroups` example mentioned in the above link has `group.name` as the second argument; can you please try like below: `getFilteredGroups(app.profile.groupwhitelist, "group.id", 40)`
  • Von Jones - 2019-04-17 23:06:18: The problem with this approach is scale. We have > 100K groups near term, growing to > 500K. We plan 500K apps near term, expanding to ~3M. Multiplexing this many groups onto this many apps just to get group IDs seems hugely complex, if it would even scale and perform with the bloating of the app profile and the sheer volume of data we are talking about being evaluated with every token request. It would have to be repopulated every few minutes as groups and apps are added. I just don't see it as the right direction. Can we find another way? If I could eliminate the whitelist parameter and say to not filter any groups but just to name the ID, it could work, but I have not seen that. I had tried using Spring Expression Language projection, but I can't seem to get an array of group objects from the published methods. From what I can tell, the standard group methods return arrays of strings rather than arrays of group objects, i.e. `Groups.startsWith("OKTA","ACCT#CG#",100).![]` gives an array of the correct number of entries, but since IDs are not on the string arrays, it is an array of the right number of null values. If I could just get an array of group objects, or a map of group objects for the user, one could probably combine collection selection and projection to get it done.
  • Okta Support - 2019-04-19 23:04:21: Hi Von, I understand your concern. Unfortunately, we do not seem to have an option to add the group ids with the dynamic group expression. I have reached out to our internal teams to see if there is any other way. I shall keep you posted if I have any updates.
  • Von Jones - 2019-04-22 13:07:20: Thanks for pushing in. I appreciate the support.
  • Okta Support - 2019-04-22 17:17: Unfortunately, it looks like we do not have a solution for your requirement at the moment except static whitelisting. I suggest you create a Feature Request for the same in the Okta Community (https://support.okta.com/help/s/article/Submit-Product-Ideas-to-the-Okta-Community). Let me know if you need any help.
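To make the trade-off in this thread concrete, here is an added Python model (not Okta's code, and not from the original post) of the two claim strategies discussed: the dynamic name-based filters from the question, and the static whitelist `getFilteredGroups(app.profile.groupwhitelist, "group.id", 40)` that support proposed. The group IDs, names and the `Group` class are constructed sample data; the functions approximate the documented behaviour (names only from `Groups.startsWith` and the regex filter, whitelisted groups projected to `group.id` from `getFilteredGroups`).

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    id: str    # constructed sample IDs, not real Okta group IDs
    name: str

# Constructed sample directory for one user.
USER_GROUPS = [
    Group("00g1sample0001", "ACCT#CG#finance"),
    Group("00g1sample0002", "ACCT#CG#ops"),
    Group("00g1sample0003", "ACCT#U#alice"),
    Group("00g1sample0004", "ORG#acme"),
    Group("00g1sample0005", "Everyone"),
]

def groups_starts_with(groups, prefix, limit):
    """Models Groups.startsWith(app, prefix, limit): names only, capped at limit."""
    return [g.name for g in groups if g.name.startswith(prefix)][:limit]

def groups_filter_regex(groups, pattern, limit):
    """Models the 'matches regex' claim filter from the question (names only)."""
    rx = re.compile(pattern)
    return [g.name for g in groups if rx.match(g.name)][:limit]

def get_filtered_groups(whitelist, groups, attr, limit):
    """Models getFilteredGroups(app.profile.groupwhitelist, "group.id", limit):
    only groups whose ID is in the app-profile whitelist are emitted, projected to attr."""
    allowed = set(whitelist)
    return [getattr(g, attr.split(".")[1]) for g in groups if g.id in allowed][:limit]

def authorize(rbac_bindings, claim_values):
    """Backend check: a binding grants its role if the binding key is in the claim.
    Keyed by ID the grant survives a group rename; keyed by name it silently breaks."""
    return sorted({role for key, role in rbac_bindings.items() if key in claim_values})

def rename_demo():
    """Shows why the asker wants IDs: rename a group, then re-evaluate both claims."""
    bindings_by_name = {"ACCT#CG#finance": "ledger:read"}
    bindings_by_id = {"00g1sample0001": "ledger:read"}
    before_name = authorize(bindings_by_name, groups_starts_with(USER_GROUPS, "ACCT#CG#", 100))
    before_id = authorize(bindings_by_id, get_filtered_groups(["00g1sample0001"], USER_GROUPS, "group.id", 40))
    renamed = [Group(g.id, "ACCT#CG#accounting") if g.id == "00g1sample0001" else g for g in USER_GROUPS]
    after_name = authorize(bindings_by_name, groups_starts_with(renamed, "ACCT#CG#", 100))
    after_id = authorize(bindings_by_id, get_filtered_groups(["00g1sample0001"], renamed, "group.id", 40))
    return before_name, after_name, before_id, after_id
```

The model also shows the scaling caveat raised in the thread: the whitelist must list every group ID an app may emit, so nothing outside `app.profile.groupwhitelist` ever reaches the token, whereas the dynamic filters need no per-app list but can only return names.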