Is there an API to get the current user's own groups?

Hello, I’m currently using OIDC and have my own authenticator.

There I call the /introspect API with the token provided by the user. I also need to find out the groups that this user belongs to in order to do some customizations, but I couldn't find an API that returns that for the user. Is there any?

It’d make sense to include groups into the token, so that you can get them out of it, w/o calling Okta

2 Likes

Yup, I agree with @phi1ipp’s recommendation. Use Groups Claims to store the group membership information within the user’s tokens or Userinfo output. Additionally, end-users do not have sufficient Admin permissions to make an API request to get the list of groups they’re a member of themselves.

1 Like

Hey, I tried the solution you and @phi1ipp proposed, but I can’t seem to get the groups in my token.

I am generating the token using
https://dev-5634618.okta.com/oauth2/default/v1/token

Then on my server side I use this token to call https://dev-5634618.okta.com/oauth2/default/v1/introspect to get the details of the user, but I can't get the groups in this response. I checked the token in jwt.io as well and the groups are not there.

You will not be sending the token to the Introspect endpoint to get this information. The groups claim will be present either in the token payload directly or at the /Userinfo endpoint, not /Introspect.

Make sure you aren’t following the configuration steps for the Org Authorization Server. Are you following the guide to configure a groups claim on a custom authorization server?

If so, how have you created your custom Groups claim on the Default Server? Did you set it to show up in the ID Token always? Only in Userinfo? In the Access Token?

1 Like
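To make the point in the answer above concrete, here is an added Python example; it is not code from this thread or from Okta. It builds a JWT-shaped token from a constructed claim set (placeholder signature, so it is only for inspecting which claims are present, the way jwt.io does), shows the checks a resource server still has to make on signature-verified claims before trusting the groups claim, and contrasts that with a constructed /introspect response, which carries the token's standard metadata but no groups claim. The issuer URL is the one quoted in the thread; the audience, subject, timestamps and group names are assumptions made up for the example.

```python
import base64
import json
from typing import List, Optional

# Constructed sample claim set (not a real token): modelled on what an Okta
# custom authorization server puts in an access token once a "groups" claim
# is configured on it. The issuer URL is the one quoted in this thread; the
# audience, subject, timestamps and group names are made up for the example.
ISSUER = "https://dev-5634618.okta.com/oauth2/default"
AUDIENCE = "api://default"

SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": AUDIENCE,
    "sub": "user@example.com",
    "iat": 1700000000,
    "exp": 1700003600,
    "scp": ["openid", "profile"],
    "groups": ["Everyone", "read-reports", "read-billing"],
}

# Constructed /introspect response for the same token. Introspection reports
# whether the token is active plus its standard metadata; custom claims such
# as "groups" are not part of it, which is the point made in the thread.
SAMPLE_INTROSPECT_RESPONSE = {
    "active": True,
    "token_type": "Bearer",
    "scope": "openid profile",
    "client_id": "example-client-id",
    "username": "user@example.com",
    "exp": 1700003600,
    "iat": 1700000000,
    "sub": "user@example.com",
    "aud": AUDIENCE,
    "iss": ISSUER,
}


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments drop before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_jwt(claims: dict) -> str:
    """Assemble a JWT-shaped string from the sample claims. The signature
    segment is a placeholder: a real Okta token is RS256-signed and that
    signature, not the payload, is what makes the claims trustworthy."""
    header = {"alg": "RS256", "kid": "example-kid", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "signature-placeholder",
    ])


def peek_claims(token: str) -> dict:
    """Decode the payload segment without verifying the signature, which is
    what pasting a token into jwt.io does. Use it only to see which claims
    the authorization server emitted; never make an authorization decision
    on claims read this way."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def groups_from_claims(claims: dict, now: int) -> List[str]:
    """Extract the groups claim from a claim set whose signature has already
    been verified against the issuer's JWKS, after the checks a resource
    server must still do itself: expected issuer, expected audience, expiry.
    Returns an empty list when the claim is absent, i.e. when no groups
    claim is configured on the authorization server."""
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    groups = claims.get("groups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim is not a list of strings")
    return groups


def groups_from_introspection(response: dict) -> Optional[List[str]]:
    """Introspection tells you whether the token is active; it does not carry
    the groups claim, so this returns None for an active token rather than an
    empty list, to distinguish 'no such claim here' from 'member of nothing'."""
    if not response.get("active"):
        raise ValueError("token is not active")
    return response.get("groups")


if __name__ == "__main__":
    token = build_sample_jwt(SAMPLE_CLAIMS)
    print("claims seen by jwt.io-style decoding:", peek_claims(token)["groups"])
    print("groups from verified claims:", groups_from_claims(SAMPLE_CLAIMS, now=1700000100))
    print("groups from /introspect:", groups_from_introspection(SAMPLE_INTROSPECT_RESPONSE))
```

In a real resource server, replace `peek_claims` with a library that fetches the issuer's JWKS and verifies the RS256 signature before the claim set reaches `groups_from_claims`; the issuer, audience and expiry checks stay the same, and the same function works for the /userinfo response if the claim is configured to appear there instead.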

Hey, I wasn’t sure which of the approaches to follow so I tried with both of them.

But I don’t get the token, not even in the token preview.

You might be running into the limitation mentioned here: Limitations of Group functions | Okta Help Center

If you make a more targeted Groups claim, like Starts With a substring such as “abc” that would only ever match fewer than 100 groups, does it work?

1 Like

Tried that too, didn’t work either.

@danielcosta are these Okta groups the user is part of? Also, can you please take a screenshot of how you have that groups claim configured? TY!

1 Like

Hey, attaching the screenshots.

The regex update to read* followed the last recommendation; I had .* before and it didn’t work either.



Your problem is that you use “starts with” and put there what is supposed to be a “matches regex” value.

1 Like

My bad, that got changed while I was taking the screenshot. I actually had it set up with regex and tried both read* and just .*, and they don’t work either.

Do you still have this issue if you request an actual token? I believe Token Preview might have a limitation where it cannot display the groups claim when it evaluates to over 100 matching groups, but an actual token should work fine.

1 Like
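The two configuration points raised in the replies above, the difference between a “Starts with” and a “Matches regex” filter and the cap on how many matching groups a claim can carry, can be checked against a small simulation. This is an added Python example, not code from this thread or from Okta: the group names are constructed, the cap of 100 comes from the Okta Help Center article linked earlier in the thread and is modelled here as the claim being omitted, and the regex is assumed to be anchored to the whole group name (so a prefix match needs `read.*`, while `.*` matches every group).

```python
import re
from typing import List, Optional

# Constructed Okta group names for the example; not taken from the thread.
OKTA_GROUPS = ["Everyone", "read-reports", "read-billing", "readers", "admins"]

# Ceiling discussed in the thread (Okta's "Limitations of Group functions"
# article): a groups claim that would match more than this many groups is
# not emitted. Treating that as "claim omitted" is this example's model.
MAX_MATCHED_GROUPS = 100


def evaluate_groups_filter(groups: List[str], filter_type: str, value: str) -> List[str]:
    """Simulate the two filter types in the groups-claim dialog.

    "Starts with" is a literal prefix test, so the value "read*" matches only
    groups whose names literally begin with "read*". "Matches regex" treats
    the value as a regular expression. Assumption: the regex is anchored to
    the whole group name (fullmatch), so a prefix match needs "read.*".
    """
    if filter_type == "Starts with":
        return [g for g in groups if g.startswith(value)]
    if filter_type == "Matches regex":
        pattern = re.compile(value)
        return [g for g in groups if pattern.fullmatch(g)]
    raise ValueError(f"unsupported filter type: {filter_type!r}")


def groups_claim_value(groups: List[str], filter_type: str, value: str) -> Optional[List[str]]:
    """Value the claim would carry in the token, or None when it is dropped
    because the filter matched more than MAX_MATCHED_GROUPS groups."""
    matched = evaluate_groups_filter(groups, filter_type, value)
    if len(matched) > MAX_MATCHED_GROUPS:
        return None
    return matched


if __name__ == "__main__":
    for filter_type, value in [
        ("Starts with", "read*"),     # literal '*': matches nothing here
        ("Starts with", "read"),
        ("Matches regex", "read*"),   # 'rea' + zero or more 'd': no whole-name match here
        ("Matches regex", "read.*"),
        ("Matches regex", ".*"),      # all groups
    ]:
        print(f"{filter_type:14} {value!r:10} -> {groups_claim_value(OKTA_GROUPS, filter_type, value)}")
    many = [f"group-{i}" for i in range(150)]
    print("150 groups, '.*' ->", groups_claim_value(many, "Matches regex", ".*"))
```

When a token arrives without the claim, the simulation suggests two things to check before suspecting the token type: whether the filter value was entered under the right filter type, and whether `.*` in a large org crosses the cap, in which case a narrower pattern that matches fewer than 100 groups is the fix.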

Yes, it doesn’t work in the token or in Token Preview.
Considering this limitation, I also tested changing the regex to match a single group only and it still didn’t work.

Do you have the same issue if you switch your claim to show up in ID token instead of Access token?

1 Like

Also, can you share screenshots of your current config where you have Matches Regex set to .* and how you’re checking the output in Token Preview?

1 Like

Hello Daniel, tagging in here to verify the settings on your Authorization Server. I did some repro and I think we should try setting it to “Groups” and then the Filter to “Matches regex”. Also, please make sure you are using .* exactly, as that should read all Okta groups. I’ve included a screenshot to align this to, which will hopefully assist. Let us know if this works!

1 Like

Hey, I’m not sure what changed, that’s exactly what I had set up. But now it’s working.

1 Like