Hi everyone,
We have a SaaS application that can currently use Azure AD as an Identity Provider for SSO. The SaaS application is using OIDC to federate to Azure AD. As an identifier to map the authenticated user from Azure AD, the SaaS application is using the claim “oid”, which is the “Object ID” of a resource in Azure AD.
To migrate from Azure AD to Okta, I tried to provide an additional claim for the corresponding Authorization Server in Okta. However, when trying to add the claim “oid”, it is not possible to include “oid”, as it is a “Reserved claim” in Okta (Token inline hook reference | Okta Developer).
I can’t seem to find any further explanation or details about “Reserved claims” and how each claim can be included in a token. For the “oid” claim, I cannot figure out how Okta can provide this claim.
Thus, my questions are:
Is “oid” a claim that is included in a specific scope? Or are there any other details about “Reserved claims” in Okta that I cannot find?
Is there any other way I can include the “oid” claim in a token for OIDC?
Hi @tdin, oid is a reserved claim and cannot be created as a custom claim. Do you have an application that is expecting the oid value? Are you looking to pull this value in from Azure?
Hi @louie, thanks for your response.
Yes, there is an application that is expecting the oid value and that was implemented with only Azure AD in mind as an available IdP.
We want to showcase to customers of that application that they can use Okta as an IdP and manage their identities solely with Okta instead, so I’m not looking to pull this value in from Azure.
Is there any possibility to provide the “oid” claim with a unique identifier for a user?
Hi @sigama, thanks for the clarification. I will note this limitation that Okta cannot provide “oid” as a claim.
I will try to contact the developers of the application to integrate.
Out of interest: Is there any further information about the reserved claims besides the link you provided, and more information on each one of them, in case we encounter issues with them in the future?
I have a similar situation where our app supports both Azure AD and Okta based on the client, and we used oid as the unique identifier with Azure but cannot with Okta.
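The application-side change both posters describe (stop requiring Azure AD's `oid` and key users on the standard OIDC `iss` + `sub` pair, keeping `oid` only to adopt pre-migration records), as an added example that is not code from the thread or from Okta. The issuer URLs, claim values and the `UserDirectory` class are constructed placeholders.

```python
# Added example, not code from the thread: a relying party that keys users on the
# OIDC-standard (iss, sub) pair and keeps Azure AD's "oid" only as a legacy lookup
# attribute, so the same app works behind Okta, where "oid" is a reserved claim.
# Issuer URLs and claim values are constructed placeholders.
AZURE_ISSUER_PREFIX = "https://login.microsoftonline.com/"
AZURE_ISS = AZURE_ISSUER_PREFIX + "tenant-id-placeholder/v2.0"
OKTA_ISS = "https://example.okta.com/oauth2/default"

class IdentityError(ValueError):
    """A verified ID token could not be mapped to a stable user identity."""

class UserDirectory:
    def __init__(self, trusted_issuers):
        self.trusted_issuers = set(trusted_issuers)
        self.users = {}          # (iss, sub) -> user record
        self.legacy_by_oid = {}  # Azure "oid" -> record created before the migration

    def add_legacy_azure_user(self, oid, record):
        self.legacy_by_oid[oid] = record

    def resolve(self, claims):
        """Map claims of an already signature-verified ID token to a user record.
        Lookup is by (iss, sub), which OIDC Core defines as globally unique; "oid"
        is consulted only to adopt a legacy Azure record on its first login."""
        iss, sub = claims.get("iss"), claims.get("sub")
        if iss not in self.trusted_issuers:
            raise IdentityError(f"untrusted issuer: {iss!r}")
        if not sub:
            raise IdentityError(f"token from {iss} carries no sub claim")
        key = (iss, sub)
        record = self.users.get(key)
        if record is None and iss.startswith(AZURE_ISSUER_PREFIX):
            record = self.legacy_by_oid.pop(claims.get("oid"), None)
        if record is None:  # Okta user, or an Azure user with no legacy record
            record = {"name": claims.get("name", "unknown"), "first_issuer": iss}
        self.users[key] = record
        return record

def demo():
    """Constructed tokens: one Azure AD login carrying oid, one Okta login without it."""
    d = UserDirectory({AZURE_ISS, OKTA_ISS})
    d.add_legacy_azure_user("oid-placeholder-1", {"name": "Legacy User"})
    azure = d.resolve({"iss": AZURE_ISS, "sub": "pairwise-sub-1", "oid": "oid-placeholder-1"})
    okta = d.resolve({"iss": OKTA_ISS, "sub": "00u-placeholder", "name": "Okta User"})
    return azure, okta, len(d.users)

if __name__ == "__main__":
    print(demo())
```

An Okta login lands in a fresh record here; tying it to a user's Azure-era record is a deliberate linking step by the application, not something to infer from a claim the IdP has not verified.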