Hello, I’m currently using OIDC and have my own authenticator.
There I call the /introspect API with the provided token from the user. I also need to find out the groups that this user belongs to in order to do some customizations, but I couldn’t find an API that returns that for the user. Is there any?
Yup, I agree with @phi1ipp’s recommendation. Use Groups Claims to store the group membership information within the user’s tokens or Userinfo output. Additionally, end-users do not have sufficient Admin permissions to make an API request to get the list of groups they’re a member of themselves.
You will not be sending the token to the Introspect endpoint to get this information. The groups claim will be present either in the token payload directly or at the /Userinfo endpoint, not /Introspect.
If so, how have you created your custom Groups claim on the Default Server? Did you set it to show up in the ID Token always? Only in Userinfo? In the Access Token?
If you make a more targeted Groups claim, such as one that starts with a substring like “abc” and would only ever match fewer than 100 groups, does it work?
My bad, that got changed while I was taking the screenshot. I actually had it set up with regex and tried both read* and just .* and they don’t work either.
Do you still have this issue if you request an actual token? I believe Token Preview might have a limitation where it cannot display the groups claim when it evaluates to over 100 matching groups, but an actual token should work fine.
Yes, doesn’t work in the token or token preview.
Considering this limitation, I also tested changing the regex to match a single group only and it still didn’t work.
Hello Daniel, tagging in here to verify the settings on your Authorization Server. I did some repro and I think we should try setting it to “Groups” and then the Filter to “Matches regex”. Also, please make sure you are using .* exactly, as that should read all Okta groups. I’ve included a screenshot to align this to, which will hopefully assist. Let us know if this works!
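The lookup order described in the replies above (groups claim in the token payload, otherwise at Userinfo), sketched for a custom authenticator that has already called /introspect; this is an added example, not code from the thread or from Okta. It assumes the claim is named `groups`; `fetch_userinfo` is a hypothetical callable that returns the parsed Userinfo response, and `make_sample_token` builds a constructed, unsigned sample token.

```python
import base64
import json

GROUPS_CLAIM = "groups"  # assumption: the claim name configured on the authorization server


def jwt_payload(token):
    """Return the decoded payload of a JWT, or None for an opaque or malformed token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        payload = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return payload if isinstance(payload, dict) else None


def normalize_groups(value):
    """Accept a list of names or a single string; return None if the claim is absent."""
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        return None
    return sorted({g for g in value if isinstance(g, str) and g})


def resolve_groups(token, introspection, fetch_userinfo):
    """Groups for an already-introspected token: token payload first, then Userinfo.

    introspection  -- parsed JSON returned by /introspect for this exact token
    fetch_userinfo -- hypothetical callable(token) -> parsed JSON from Userinfo
    """
    # The payload is only trusted because the server reported this token as active.
    if introspection.get("active") is not True:
        raise PermissionError("token is not active")
    payload = jwt_payload(token) or {}
    groups = normalize_groups(payload.get(GROUPS_CLAIM))
    if groups is None:  # claim not in the token (or token is opaque): ask Userinfo
        groups = normalize_groups(fetch_userinfo(token).get(GROUPS_CLAIM))
    return groups or []


def make_sample_token(claims):
    """Constructed, unsigned sample token for the demo; not a real Okta token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "sig"])
```

An empty result after both lookups means the claim is not being emitted at all, which points at the claim configuration on the authorization server rather than at the authenticator.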