Link Scopes based on group in OKTA. Scopes and Group Relation Okta

I have been looking to achieve a very simple and basic functionality of authorization using Okta. Unfortunately, there is not a single plain example I could find to accomplish that.
I am a user who logged into my app. I belong to a group, let's say group1. Upon logging in, I want a claim that has the values of custom scopes in it. Those scopes represent the permissions. And they must be in line with the groups that the user belongs to. In our example, let's say, I want custom scopes (permissions) that only a user of group1 can access.

I have looked into:

  1. access policy and rules.
  2. custom claims

How is it possible using these two things?
In case we use an access policy, is it possible to achieve this without using inline hooks? If not, then how exactly does the inline hook help us in this regard?

Hello haroonrb64!

The way we typically see permissions being handled, especially if you are attempting to revise your tokens based on group memberships, would be to use a Groups claim: Customize tokens returned from Okta with a Groups claim | Okta Developer - this would require your app to be able to parse the group memberships to determine permissions based on the attribute coming over that lists them by name.

For your example, if you are attempting to set a claim to a specific name based on group memberships, the best way to accomplish that may be to do the above and then use an Inline Hook to analyze the group memberships and set the claim how you want it: https://developer.okta.com/docs/concepts/inline-hooks/ - this may be extra steps compared to just having your app process the claims itself, but if you need a separate claim based on a set of conditionals that’s likely going to be the easiest way to do it.

1 Like
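The inline hook approach from the answer above, sketched as an added example (not code from the thread or from Okta): a handler for a token inline hook request that reads the group list and returns a `com.okta.access.patch` command adding a permissions claim. It assumes a Groups claim named `groups` is configured so it arrives in `data.access.claims`, and that the hook is set up to send a shared secret in the `Authorization` header; the group-to-permission table, the claim name `permissions` and the sample request are constructed for illustration.

```python
import hmac

# Constructed mapping for illustration: group name -> permissions it grants.
GROUP_PERMISSIONS = {
    "group1": {"orders:read", "orders:write"},
    "group2": {"orders:read"},
}
# Assumed name of the custom claim the application will read.
PERMISSIONS_CLAIM = "permissions"


def is_authentic(auth_header, expected_secret):
    """Constant-time check of the shared secret sent with the hook call."""
    return hmac.compare_digest((auth_header or "").encode(), expected_secret.encode())


def permissions_for(groups):
    """Union of permissions for known groups; unknown groups grant nothing."""
    granted = set()
    for group in groups:
        granted |= GROUP_PERMISSIONS.get(group, set())
    return sorted(granted)


def handle_token_hook(body, auth_header, expected_secret):
    """Return (http_status, response_json) for one token inline hook request."""
    if not is_authentic(auth_header, expected_secret):
        return 401, {}  # never patch tokens for an unauthenticated caller
    claims = body.get("data", {}).get("access", {}).get("claims", {})
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        groups = []  # malformed claim: fall back to no permissions
    patch = {"op": "add", "path": "/claims/" + PERMISSIONS_CLAIM,
             "value": permissions_for(groups)}
    return 200, {"commands": [{"type": "com.okta.access.patch", "value": [patch]}]}


# Constructed sample request, trimmed to the fields this handler uses.
SAMPLE_REQUEST = {
    "eventType": "com.okta.oauth2.tokens.transform",
    "data": {"access": {"claims": {"sub": "user@example.com",
                                    "groups": ["group1", "Everyone"]}}},
}
```

Because the mapping is deny-by-default, a group that is missing from the table contributes no permissions to the token.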

Thanks for the explanation @daniel.sanders. Just to be really sure, we cannot return permissions against a role using only Okta. We will definitely have to do an outbound HTTP call that uses an inline hook and attach those permissions as a claim.
This is the understanding I had developed after a lot of research on Okta and implemented as well. I was just really confused if there was any other workaround Okta has, in order to handle this situation.
Thanks for your detailed reply, but can you please just validate if what I believe is true? And we only have the inline hook as an option?