Include custom field in userInfo response without custom authorization server

Hello, my company doesn’t have the authorization server license, so I need to find another way to include a custom field in the response. The custom field was added to the user profile.

It could be either in the token or in the /userInfo API, as long as I can get it, it’s fine.

My authorization process right now is using the access token I get from:
URL/oauth2//v1/token

Any way I can do it without a custom auth server?

I believe it’s not achievable with the options you presented. Maybe you can try to call the user API with the received access_token to get user profile information, if you wanna give it a try.

If the attribute is mapped from the Okta User profile into the Application User Profile, this should work so that, as long as you request the profile scope, any non-null attributes in the user’s application profile will be included (within the ID token if it’s requested by itself, or from Userinfo if both the ID and Access tokens are requested together).

Steps for this are explained in more detail here: How to add custom attributes of user profile as claims in token | Okta Help Center


Step 3 in the link you provided uses the Authorization server config, and my org doesn’t have access to that. Is there any other way to do that?

If you look at Step 4, you’ll see it mentions you do not need to complete Step 3 for the Org Authorization Server. As long as the attributes have been mapped into the Application Profile, you should be all set!

I tried that, it didn’t work though.

The setup with the authorization server works in my demo account, but it doesn’t work just by adding the attribute.

I went to Profile editor → My app → Mappings.

I don’t get isChatModerator in the /userInfo API or in the token.

I also checked the user profile and user profile in application assignment and the value is there.

If you got back an Access Token, did you try sending it to your userinfo endpoint (https://oktaDomain/oauth2/v1/userinfo)?

Yes, I did.

I got the token from oauth2/v1/token

Sent it to /userinfo and the custom field I added is not in the response.

Want to share where you configured this attribute (so we can check it’s set up in the same OIDC application you are requesting tokens for) and confirm that you have requested the profile scope?

Hey, what exactly can I show?

Hmm, I guess that’s a little tricky to share without showing too much… Can you at least confirm that the token that was issued bears an aud (reminder to check in the ID token for this, not the Access token) that matches the Client ID for the application that you added these profile attributes to?

I am using a demo account so I can share the info here.

Request URL:

https://dev-5634618.okta.com/oauth2/default/v1/token

Payload:

  1. client_id: 0oa5z60xbgkoaV61D5d7
  2. redirect_uri: http://localhost:3001/login/callback
  3. grant_type: authorization_code
  4. code_verifier: 57cb45fd8a7ad42332a7cb6c1c61c254bfea3759af9
  5. code: uElAlOjNIoPKykhprHIMuL7wst519Qdj5Tw7R8QxKTY

I checked the aud and it matches the app.

If you want to check the response, here it is.

{"token_type":"Bearer","expires_in":3600,"access_token":"eyJraWQiOiJDMnpwMVRNLXdDazhRWXY0V1lRVUtUWlpWa0owYk54YWFSZ0xNcXpsVkpjIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnREbXhOV3FKNVVSZW9yMEJHOFZoSE1GQkNzUDVpUXVJQnNQM3J3MWpxWWsiLCJpc3MiOiJodHRwczovL2Rldi01NjM0NjE4Lm9rdGEuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTY3OTYxMTU3MSwiZXhwIjoxNjc5NjE1MTcxLCJjaWQiOiIwb2E1ejYweGJna29hVjYxRDVkNyIsInVpZCI6IjAwdTV6NHJveWNEMUx6MWhYNWQ3Iiwic2NwIjpbImVtYWlsIiwib3BlbmlkIiwicHJvZmlsZSJdLCJhdXRoX3RpbWUiOjE2Nzk2MTE1NjksInN1YiI6ImZpeWFrZTI0MDBANWsydS5jb20iLCJncm91cHMiOlsiRXZlcnlvbmUiLCJyZWFkb25seSJdfQ.GLiwpGCWeDIsmDB2CMtYbrKeFopU29N77_CVyaQSPRgVQQrmWdmrfXSSCt-5c57bUK7d5078sI5WQX20VrNP0YtFTse9emTIpBGKcswCEIuBTpilkC5qhutu1iHzrKGqJFqA3RRYrINRlgZmzjib5NNBk_eKOq2iaxjzOOoWWTbdcTy5bNnBP8zkp3_Tc-ycb4PVgJXr82yVgFYHnHucPR1_aVFSoDZKOAA9JqOiKMt2f8ZOOxtQ-DLjxqOQR2ms6qJMfaqiFS399OmoGPCj_JfNK0Iv9L3A_Vikl6JavwpbmWPDWP45mDvA5kFpeZl5kham1GJOSGHwLdocO3qVCw","scope":"email openid profile","id_token":"eyJraWQiOiJDMnpwMVRNLXdDazhRWXY0V1lRVUtUWlpWa0owYk54YWFSZ0xNcXpsVkpjIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHU1ejRyb3ljRDFMejFoWDVkNyIsIm5hbWUiOiIiLCJlbWFpbCI6ImZpeWFrZTI0MDBANWsydS5jb20iLCJ2ZXIiOjEsImlzcyI6Imh0dHBzOi8vZGV2LTU2MzQ2MTgub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2E1ejYweGJna29hVjYxRDVkNyIsImlhdCI6MTY3OTYxMTU3MSwiZXhwIjoxNjc5NjE1MTcxLCJqdGkiOiJJRC53MEFHXzRXbEtWQVdaTGNYcWxZUmFPM2xhQkxIUDVrWkFUYlpRVHJvSU1RIiwiYW1yIjpbInB3ZCJdLCJpZHAiOiIwMG81eWlrOGNscXFLZ1JoVzVkNyIsIm5vbmNlIjoiTW9abFVEaWRHUHdCeTFnbEhMSFdWcVI5ejI1a3FLTHVxNjR1bkN3M1VveTgwSDV6T05Xeml3Z1J3YkIyUTVRTCIsInByZWZlcnJlZF91c2VybmFtZSI6ImZpeWFrZTI0MDBANWsydS5jb20iLCJhdXRoX3RpbWUiOjE2Nzk2MTE1NjksImF0X2hhc2giOiJOU2NnU2xhYzY2TC1ETFlpMTdxNFpnIiwiZ3JvdXBzIjpbIkV2ZXJ5b25lIiwicmVhZG9ubHkiXX0.DFnndeSxunm4TwkOnt1aFefHBD3DFD6Glx9zrgauBegRawsbgrmIs7y5IE_6RkL8p3LZqMkudOCxualkJW2uK8cyO_rmcatjKajNfLyLzVRLqne0ZqBbNPrnKdffagh79zXdrKVNnROiFQQEUTX3BlC-1B-iYaGpNaMU91BKCe9GffVdQaAof2IWR5MyyUlyoMc-MYAiuQdfeJy8DG0arjbe0nIAdAu-SPj2tCU2Xx6S3kW
isBJZYLP4RyQ96w4fZU5pUHKJHn8FH6asmyCBefbV1peFfcMmQmkpB59je3CuOTeMTc7odSWD1Utwe9jKInC8GAm3TNvIaUE-eB1EWA"}

Now calling https://dev-5634618.okta.com/oauth2/default/v1/userinfo with the access token, this is the response, my custom property is not there.

{
    "sub": "00u5z4roycD1Lz1hX5d7",
    "name": "",
    "locale": "en_US",
    "email": "fiyake2400@5k2u.com",
    "website": "Test",
    "gender": "Male",
    "nickname": "testmod",
    "preferred_username": "fiyake2400@5k2u.com",
    "given_name": "Test",
    "family_name": "User",
    "zoneinfo": "America/Los_Angeles",
    "updated_at": 1678843309,
    "email_verified": true,
    "groups": [
        "Everyone",
        "readonly"
    ]
}

Hi @danielcosta,

From your developer org, can you please try to perform the request to https://dev-5634618.okta.com/oauth2/v1/authorize (to get the auth code), https://dev-5634618.okta.com/oauth2/v1/token (to get the JWTs) and then https://dev-5634618.okta.com/oauth2/v1/userinfo to get the profile claims? Please also use the “profile” scope.

https://dev-5634618.okta.com/oauth2/v1/* is the free authorization server, while the https://dev-5634618.okta.com/oauth2/default/v1/* is the one that requires licensing.

You can find all available endpoints for the free authorization server at https://dev-5634618.okta.com/.well-known/openid-configuration (it works on all orgs, you can change subdomain to match your production one).
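To make the answer above concrete, here is an added example (not code from the thread or from Okta) that decodes a token response, tells the org authorization server (issuer path /oauth2) apart from a custom one (/oauth2/default) by the iss claim, derives the matching userinfo URL, and checks the ID-token aud against the client ID and the profile scope. The _fake_jwt and sample_response helpers and the tokens they build are constructed and unsigned; the client ID and issuers are the ones quoted in the thread.

```python
import base64
import json
from urllib.parse import urlparse

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    # Payload only: this does NOT verify the signature. A real client verifies
    # it against the JWKS advertised in the issuer's .well-known/openid-configuration.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def authorization_server_kind(issuer: str) -> str:
    # Org AS issuer is https://{domain}/oauth2 (no server ID, no license needed);
    # a custom AS issuer is https://{domain}/oauth2/{serverId}, e.g. .../oauth2/default.
    return "org" if urlparse(issuer).path.rstrip("/") == "/oauth2" else "custom"

def diagnose_token_response(resp: dict, client_id: str) -> dict:
    # The checks the thread walks through: which AS issued the tokens, where
    # userinfo lives for that issuer, ID-token aud vs client ID, profile scope.
    access, ident = jwt_claims(resp["access_token"]), jwt_claims(resp["id_token"])
    issuer = ident["iss"]
    return {
        "issuer_kind": authorization_server_kind(issuer),
        "userinfo_url": issuer.rstrip("/") + "/v1/userinfo",
        "id_token_aud_matches_client": ident.get("aud") == client_id,
        "profile_scope_granted": "profile" in access.get("scp", []),
    }

def _fake_jwt(claims: dict) -> str:
    # Constructed, unsigned token for offline demonstration (hypothetical helper).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.no-signature"

CLIENT_ID = "0oa5z60xbgkoaV61D5d7"                          # client ID from the thread
CUSTOM_ISS = "https://dev-5634618.okta.com/oauth2/default"  # issuer the thread's tokens show
ORG_ISS = "https://dev-5634618.okta.com/oauth2"             # issuer the last answer recommends

def sample_response(issuer: str) -> dict:
    # Constructed token response shaped like the one pasted in the thread.
    return {
        "token_type": "Bearer", "scope": "email openid profile",
        "access_token": _fake_jwt({"iss": issuer, "cid": CLIENT_ID, "scp": ["email", "openid", "profile"]}),
        "id_token": _fake_jwt({"iss": issuer, "aud": CLIENT_ID, "sub": "00u5z4roycD1Lz1hX5d7"}),
    }

if __name__ == "__main__":
    for iss in (CUSTOM_ISS, ORG_ISS): print(json.dumps(diagnose_token_response(sample_response(iss), CLIENT_ID), indent=2))
```

Run against a real response, a "custom" issuer_kind with the right aud and scope points at the licensing difference the last answer describes rather than at a mapping problem.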
