How to see a user's groups

I’ve set up Okta authentication using a dev account for a simple nodejs / express app. I’m trying to determine which groups the user belongs to without success. I’m new to Okta and only have a little experience with using oauth2, so I’m sure I’m missing something obvious.

I have created the groups, required them for the app, and added them to my one and only user:

I have created a scope for my one and only Authorization Server (default):

I have created a claim and linked it to the above scope and groups:

I am requesting this scope from my custom application:

I am dumping the returned user context data from my express page after login. The second console.log is redundant but what the heck… I’m desperate!

The output does not contain the expected groups data when I log in:

I’ve looked at other threads about determining groups, but I must have missed something. Is there an example that outlines how to do this? A troubleshooting checklist? It seems like a common enough requirement. Thanks for your time!

Hey there! What happens if you try including groups in the id token and/or userinfo request instead? If you want to return all groups for a user, I’d also recommend using the “Matches regex” filter option, where the expression would be: .*

Thanks so much for the speedy and helpful response tyty… Changing the claim to an ID token type did the trick. Much appreciated!

I left the filter alone and it seems ok. I did a quick test, and if I add a group that isn’t linked to the application, but still matches the filter it still comes through. I’d like to filter out groups I’m not interested in as much as I reasonably can.

Thanks again!

There’s no built-in way to filter out groups based on the groups assigned to the application, which is why we typically recommend making groups in Okta whose name starts with a specific string, such as “Application A” and create individual groups in this fashion for any roles your application has, e.g. “Application A - Admins”, “Application A - Read Only”, “Application A - End Users”, etc.

If you name the groups that your application needs to know about like that, then you can configure your claim expression to do a substring match for “Application A” and then only groups that start with that string will be included in the claim.
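Because Okta can return groups that are not assigned to the application, the app can also enforce the naming convention itself; the following is an added example, not part of the original posts or of Okta's code, showing one way to do that in an Express-style app. It assumes the claim is named `groups` and that the decoded claims are available at `req.userContext.userinfo`; the function names, the role names and the sample claims are hypothetical.

```javascript
// Added example. Assumptions: claim name 'groups', claims exposed on
// req.userContext.userinfo, group names following the thread's convention.
const APP_GROUP_PREFIX = 'Application A - ';

// Exact-match allowlist: a group that merely shares the prefix grants nothing.
const ROLE_BY_GROUP = new Map([
  ['Application A - Admins', 'admin'],
  ['Application A - Read Only', 'read-only'],
  ['Application A - End Users', 'user'],
]);

// Normalise the claim defensively: it may be absent (e.g. the claim is not
// attached to the token type being read), a lone string, or an array.
function appGroups(claims, claimName = 'groups') {
  const raw = claims ? claims[claimName] : undefined;
  const list = Array.isArray(raw) ? raw : typeof raw === 'string' ? [raw] : [];
  return list.filter((g) => typeof g === 'string' && g.startsWith(APP_GROUP_PREFIX));
}

// Translate the app-specific groups into the roles the application knows.
function rolesFromClaims(claims) {
  const roles = new Set();
  for (const group of appGroups(claims)) {
    const role = ROLE_BY_GROUP.get(group);
    if (role) roles.add(role);
  }
  return [...roles].sort();
}

// Express-style middleware: deny by default when the role is not present.
function requireRole(role) {
  return (req, res, next) => {
    const claims = req.userContext && req.userContext.userinfo;
    if (rolesFromClaims(claims).includes(role)) return next();
    return res.status(403).send('Forbidden');
  };
}

// Constructed sample claims, not output from a real Okta tenant.
const sampleClaims = {
  sub: '00u-constructed-example',
  groups: ['Everyone', 'Application A - Admins', 'Application B - Admins',
           'Application A - Unlisted'],
};
```

With the sample claims only `admin` is granted: `Everyone` and `Application B - Admins` fail the prefix check, and `Application A - Unlisted` passes the prefix check but is not in the allowlist.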

Thanks Andrea. That’s the approach I was going for, starting these groups with Mileage, so it looks like I’m on the right track, and with tyty’s tweak to my configuration I think I’m off to the races.
