How to get Application Groups instead of User Groups in my token?



Hello everyone,

I’m trying to create a claim returning the groups of an application requesting a token via client credentials flow but I don’t know how to do this.

For my web interface (implicit flow with users) I managed to get the groups of my users by creating a groups scope and a claim who map groups. Using the same claim and scope on my client credentials app does not return any groups.

The weird thing is that in my claim I don’t specify if I want application or user groups, i’m just using a Value Type Groups and a Start With Filter.

So is there a way to get application groups in my token?

I also have a question regarding application properties available in claims, I can return the app.clientId but where I can finds other application properties?

They are not specified in the following documentation:

Thank you in advance.


Your client credentials flow doesn’t really have a user associated with it, and consequently no user groups. If you just want a list of groups assigned to an application, you can use the Okta API and an API token (assuming this is all server side since you’re using client credentials) to get groups assigned to an app:


Thank you for your answer,

I want to avoid another API call if I can and prefer to get the groups directly in my claims as I do for my other app with users.

I’m aware there is no users in client credentials flow but apps are also assignable to Okta groups. Do you know if there is a possibility to retrieve groups with a custom claim (with an expression or group type claim)?


Hi mgremont,

where you able to resolve this?


Hello derikvlog,

I chose an another way to serve my need, so now I don’t need application groups in the token.
I retrieve the “groups” and other applications information in my database with the cid of my application.

So it is not really solved in the perspective of a full Okta solution but I found an another way to achieve my goals.


ok, thanks for the update


I also have run across a need for what @mgremont was asking help with. This post helped me find another method to meet my requirements. Here’s what I did:

  1. Using Okta API Token, POST the following to https://{{okta.domain}}/api/v1/apps
    "name": "oidc_client",
    "label": "Sample OAuth Service",
    "signOnMode": "OPENID_CONNECT",
    "credentials": {
      "oauthClient": {
        "token_endpoint_auth_method": "client_secret_basic"
    "settings": {
      "oauthClient": {
        "client_uri": "http://localhost:8080",
        "logo_uri": "",
        "redirect_uris": [],
        "response_types": [
        "grant_types": [
        "application_type": "service"
    "profile": {
    	"groups": [
    		"Admin" <-- the groups you want for the app
  1. In my auth server:

  2. Check it in Token Preview. There should be a token claim called “groups” with the groups set in the initial profile