How to add Groups claim for the Org Authorization Server for a specific application

Hi, I have a PKCE application that uses the default authorization server, and I followed the guide at the link below to add a “groups” claim to the id_token. But it doesn’t return the “groups” claim, and I am not seeing any errors either. It just returns an id_token without a groups claim.
The guide I followed is at: https://developer.okta.com/docs/guides/customize-tokens-groups-claim/add-groups-claim-org-as/

However, if I add the groups claim to the default org authorization server, then it works regardless of whether I have enabled the “groups” claim for my specific application or not, as described in the guide above. My question is: why is the groups claim as described in the guide above not working for me?

My second question is: why does Okta always return “username” in my access token as my email instead of the actual username without the “@mycompanydomain.com” part?

The guide you’re following is for the org authorization server (the issuer is https://yourOrg.okta.com).

Can you confirm if you’ve done the following?

  • you are using the issuer https://yourOrg.okta.com (NOT https://yourOrg.okta.com/oauth2/default)

  • you are requesting the groups scope in the authorize request

  • you are testing with the implicit flow or response_type=id_token (if you are requesting both access and ID tokens, or using the authorization code flow, you will need to make a request to /userinfo with the access token to see the claim)

If you’re looking for the guide to do this with a custom authorization server (where the issuer is https://yourOrg.okta.com/oauth2/default or https://yourOrg.okta.com/oauth2/{authz_server_id}), then you want to look at this guide: https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-custom-claim/
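The checklist in the answer above can be turned into a small offline diagnostic. The script below is an added example, not code from the original thread or from Okta: it decodes the payload of an ID token (without verifying the signature, so use it only to inspect a token you just received, never to make authorization decisions), classifies the `iss` claim as the org authorization server (`https://yourOrg.okta.com`) or a custom one (`/oauth2/default`, `/oauth2/{authz_server_id}`), and reports whether a `groups` claim should be expected in the ID token given the scopes and `response_type` you sent. The `make_test_token` helper builds a constructed, unsigned token purely so the example runs without an Okta tenant; `yourOrg.okta.com` is the placeholder from the thread.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token in compact JWS layout for offline testing.
    A real Okta ID token is RS256-signed; never accept alg "none" in production."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims_unverified(token: str) -> dict:
    """Read the payload only. This does NOT verify the signature: fine for looking
    at what Okta put in a token you just received, not for trusting its contents."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_issuer(issuer: str) -> str:
    """'org' for https://yourOrg.okta.com, 'custom' for .../oauth2/default or
    .../oauth2/{authz_server_id}, 'unknown' for anything else (including http)."""
    u = urlparse(issuer)
    if u.scheme != "https" or not u.netloc:
        return "unknown"
    path = u.path.rstrip("/")
    if path == "":
        return "org"
    if path.startswith("/oauth2/") and len(path.split("/")) == 3:
        return "custom"
    return "unknown"


def diagnose(id_token: str, requested_scopes: str, response_type: str) -> dict:
    """Apply the three checks from the answer: org issuer, groups scope requested,
    and ID token as the only token requested. Returns findings plus advice."""
    claims = decode_claims_unverified(id_token)
    kind = classify_issuer(claims.get("iss", ""))
    scopes = set(requested_scopes.split())
    response_types = set(response_type.split())
    # With the org AS, groups lands in the ID token only when the ID token is the
    # only token requested; with code flow or id_token+token, read it from /userinfo.
    expect_in_id_token = kind == "org" and "groups" in scopes and response_types == {"id_token"}

    advice = []
    if kind != "org":
        advice.append("issuer is not the org authorization server; configure the groups claim on that custom server instead")
    if "groups" not in scopes:
        advice.append("add the groups scope to the authorize request")
    if kind == "org" and "groups" in scopes and response_types != {"id_token"}:
        advice.append("call /userinfo with the access token to see the groups claim")

    return {
        "issuer_kind": kind,
        "groups_in_id_token": "groups" in claims,
        "expected_in_id_token": expect_in_id_token,
        "advice": advice,
    }


if __name__ == "__main__":
    # Constructed sample: the situation from the question (custom AS issuer).
    sample = make_test_token({"iss": "https://yourOrg.okta.com/oauth2/default", "sub": "00u1"})
    print(json.dumps(diagnose(sample, "openid profile groups", "code"), indent=2))
```

Paste a real ID token in place of the constructed one to check your own setup; the `advice` list tells you which of the three conditions you are missing. For verifying a production token's signature, use the `/.well-known` JWKS of the same issuer, which is exactly why the issuer check matters: the org server and a custom server publish different keys.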

Thanks! I was using https://yourOrg.okta.com/oauth2/default
