How to get Application Groups instead of User Groups in my token?

Hello everyone,

I’m trying to create a claim returning the groups of an application requesting a token via client credentials flow but I don’t know how to do this.

For my web interface (implicit flow with users) I managed to get the groups of my users by creating a groups scope and a claim who map groups. Using the same claim and scope on my client credentials app does not return any groups.

The weird thing is that in my claim I don’t specify if I want application or user groups, I’m just using a Value Type Groups and a Start With Filter.

So is there a way to get application groups in my token?

Edit:
I also have a question regarding application properties available in claims: I can return the app.clientId, but where can I find other application properties?

They are not specified in the following documentation:
https://developer.okta.com/reference/okta_expression_language/#application-properties

Thank you in advance.

1 Like

Your client credentials flow doesn’t really have a user associated with it, and consequently no user groups. If you just want a list of groups assigned to an application, you can use the Okta API and an API token (assuming this is all server side since you’re using client credentials) to get groups assigned to an app:

https://developer.okta.com/docs/api/resources/apps#list-groups-assigned-to-application

Thank you for your answer,

I want to avoid another API call if I can and prefer to get the groups directly in my claims as I do for my other app with users.

I’m aware there is no users in client credentials flow but apps are also assignable to Okta groups. Do you know if there is a possibility to retrieve groups with a custom claim (with an expression or group type claim)?

2 Likes

Hi mgremont,

Were you able to resolve this?

Hello derikvlog,

I chose another way to serve my need, so now I don’t need application groups in the token.
I retrieve the “groups” and other application information from my database using the cid of my application.

So it is not really solved from the perspective of a full Okta solution, but I found another way to achieve my goals.

ok, thanks for the update

I also have run across a need for what @mgremont was asking help with. This post helped me find another method to meet my requirements. Here’s what I did:

  1. Using an Okta API Token, POST the following to https://{{okta.domain}}/api/v1/apps (the "groups" array under "profile" holds the groups you want for the app):
    {
      "name": "oidc_client",
      "label": "Sample OAuth Service",
      "signOnMode": "OPENID_CONNECT",
      "credentials": {
        "oauthClient": {
          "token_endpoint_auth_method": "client_secret_basic"
        }
      },
      "settings": {
        "oauthClient": {
          "client_uri": "http://localhost:8080",
          "logo_uri": "http://developer.okta.com/assets/images/logo-new.png",
          "redirect_uris": [],
          "response_types": [
            "token"
          ],
          "grant_types": [
            "client_credentials"
          ],
          "application_type": "service"
        }
      },
      "profile": {
        "groups": [
          "Admin"
        ]
      }
    }
  2. In my auth server:

  3. Check it in Token Preview. There should be a token claim called “groups” with the groups set in the initial profile.

2 Likes
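As an added example (not code from the thread or from Okta), the following Python puts the procedure above into a runnable form: it builds the same app-creation body with the groups stored under "profile", sends it to the Apps API with an API token, and shows the check a resource server should make on the resulting "groups" claim. The custom-claim expression configured in the authorization server is not shown on the page (the screenshot is missing), so it is not assumed here; the Okta domain, API token and group names are constructed placeholders.

```python
"""Create a client_credentials service app whose profile carries its groups,
then authorize requests by the "groups" claim the custom claim emits.
Added example; domain, token and group names are constructed placeholders."""
import json
import urllib.request


def build_service_app_payload(label, groups, client_uri="http://localhost:8080"):
    """Return the POST body used in the thread, with the app's groups in "profile"."""
    return {
        "name": "oidc_client",
        "label": label,
        "signOnMode": "OPENID_CONNECT",
        "credentials": {
            "oauthClient": {"token_endpoint_auth_method": "client_secret_basic"}
        },
        "settings": {
            "oauthClient": {
                "client_uri": client_uri,
                "redirect_uris": [],
                "response_types": ["token"],
                "grant_types": ["client_credentials"],
                "application_type": "service",
            }
        },
        # Free-form app profile attributes; the custom claim reads "groups" from here.
        "profile": {"groups": list(groups)},
    }


def create_service_app(okta_domain, api_token, payload):
    """POST the payload to /api/v1/apps using an Okta API token (network call).
    Keep api_token server-side only; it is an admin credential, not a client secret."""
    req = urllib.request.Request(
        f"https://{okta_domain}/api/v1/apps",
        data=json.dumps(payload).encode(),
        headers={
            "Authorization": f"SSWS {api_token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def require_group(claims, required_group):
    """Resource-server authorization check on the claims of an access token whose
    signature, issuer, audience and expiry have already been verified (for example
    against the authorization server's JWKS). Returns True only when the "groups"
    claim is a list that contains required_group; a missing or malformed claim
    denies access rather than falling through."""
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return False
    return required_group in groups


if __name__ == "__main__":
    payload = build_service_app_payload("Sample OAuth Service", ["Admin"])
    print(json.dumps(payload, indent=2))
    # create_service_app("example.okta.com", "<API_TOKEN_PLACEHOLDER>", payload)
    # Constructed claims, shaped like what Token Preview shows for this app:
    sample_claims = {"cid": "<CLIENT_ID_PLACEHOLDER>", "groups": ["Admin"]}
    print("Admin allowed:", require_group(sample_claims, "Admin"))
```

The network call is left commented out in the usage section; run it once per service app, then point the custom claim at the profile attribute and confirm the claim in Token Preview as step 3 describes. On the resource server, only call require_group on claims that have passed signature and issuer validation, since the groups list is just another claim in the token.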

This saved me so much time, I just wish it was available via the UI.

1 Like

This is so much clearer than the Okta docs. Thank you for posting!

Okta, please take a note on explaining this clearly, without delving into the entire spec for every guide.

Hello everyone,

Is the solution suggested by @ccrouch still valid? I am not getting the application groups in the token with the steps provided. In fact, the group-level “profile” properties are not shown in https://{{okta.domain}}/api/v1/apps (GET).

I am using the default authorization server that comes with my account. Should I enable any settings to send group-level attributes?

Hi @thiru

Can you please open a support case with us by sending us an email to support@okta.com in order to further check this issue with “profile” property not being displayed?

Regarding the authorization server, your Okta org requires API Access Management in order to successfully declare the claim. This is a free feature on preview and developer orgs and paid for production ones.

The confusing part about it is that under User Groups, you can add Applications to a group. However, an Application going through the client_credentials flow doesn’t get a token back with those group claims. What does it mean to add an Application to a Group?

Anybody understand what kind of group association is actually being made with ccrouch’s method? I was able to get the groups claims by replicating his approach, but the GUI doesn’t actually show that group as having the application as a member. While this works, creating the association within the GUI in a way that is visible to the rest of the org would be very helpful.

It doesn’t necessarily link the information, but @ccrouch describes a way to store the groups information within the application profile which is currently only visible/editable via API.

I created an Okta Idea to track the request to have this exposed in the UI, as this is a common use case for Client Credentials (machine-to-machine) applications. Vote for it here!