How to get AD groups in id_token?

Hello!

I am trying to get Active Directory groups in the id_token. How do I do this?

I already have Okta groups with claims in my application, but I need the AD groups.

Do I change the groups claims filter?

Thanks in advance!

In this post: Example of adding AD groups to groups claim in access token

They talk about getFilteredGroups. How do I use it?

1 Like

Here’s the documentation for getFilteredGroups: https://okta.github.io/reference/okta_expression_language/#getfilteredgroups-details

@john.gronberg may be able to help here too.

1 Like

We’ve also got a how-to guide here: https://developer.okta.com/docs/how-to/creating-token-with-groups-claim.html

@nate.barbettini FYI

1 Like

Thanks for your response.

My company doesn’t have any authorization server in Okta.
My local admin can’t create a custom authorization server; he doesn’t have any menu for this in the admin website.

For the id_token I have to use this URL:

https://${okta.urlOrga}/oauth2/v1/authorize?
client_id=${okta.clientId}
&response_type=id_token
&nonce=1234567
&scope=openid email groups
&state=test
&redirect_uri=${window.location.href}

I have the API token to add claims, but I don’t have the permission.

Can I get AD groups in the id_token without a custom authorization server?

No, sorry.

You need a custom authorization server to customize the claims returned in the token. That’s what a custom AS is for.

Yes, you can get the AD groups without having the custom authorization server and API access management license.
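The authorize request posted earlier in this thread, as an added example that is not part of the original posts: it builds the same `/oauth2/v1/authorize` URL with URL-encoded parameters and per-request random `state` and `nonce` values, then checks both on the redirect before reading the groups the org returned. The Okta domain, client ID, redirect URI, the claim name `groups` and the helper names are assumptions; it runs in Node.

```javascript
// Added example, not code from the thread. All names and sample values are constructed.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Random, single-use value for `state` and `nonce` instead of fixed literals.
function randomToken(bytes = 16) {
  const buf = rng.getRandomValues(new Uint8Array(bytes));
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Build the org authorization server request from the thread, URL-encoded.
function buildAuthorizeRequest({ oktaDomain, clientId, redirectUri }) {
  const state = randomToken();
  const nonce = randomToken();
  const url = new URL(`https://${oktaDomain}/oauth2/v1/authorize`);
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: 'id_token',
    scope: 'openid email groups',
    redirect_uri: redirectUri,
    state,
    nonce,
  }).toString();
  // The caller stores state and nonce (e.g. sessionStorage) until the redirect returns.
  return { url: url.toString(), state, nonce };
}

// Check the redirect fragment against the stored values and return the groups claim.
// This only decodes the payload: signature, iss, aud and exp must still be
// validated with an OIDC/JOSE library before the claims are trusted.
function readGroups(fragment, expected) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  if (params.get('error')) throw new Error(`authorize error: ${params.get('error')}`);
  if (params.get('state') !== expected.state) throw new Error('state mismatch');
  const parts = (params.get('id_token') || '').split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  return Array.isArray(claims.groups) ? claims.groups : [];
}

// Constructed, unsigned sample token so the check above can be exercised offline.
function sampleIdToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc(claims)}.sig`;
}
```

An empty array from `readGroups` means the token carried no `groups` claim, which is the case to check when the expected groups are missing.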