No Groups Returned from /userinfo

brucewmac · November 26, 2021, 4:15pm

I’m attempting to get a user’s groups from an authorization code flow, but it is not being returned from the /userinfo endpoint after the access token is returned. Any ideas?

Environment overview:

Okta developer trial account
Authorization client grant types: [authorization code, refresh token]
OpenID Connect Token > Groups claim type: “Filter”
OpenID Connect Token > Groups claims filter: groups Starts with .*

Flow:

Initiate login:

https://${oktaDomain}/oauth2/v1/authorize?redirect_uri=http://localhost:8080&client_id=${clientID}&response_type=code&scope=openid+email+groups&nonce=nonce&state=state

User authenticates and code is sent to redirect URI
Code is exchanged for user access token.
Request is sent to user info with issued access token:

${oktaDomain}.okta.com/oauth2/v1/userinfo

Response does not contain groups:

{
    "sub": "00",
    "email": "hello@example.com",
    "email_verified": true
}

Notes:
I am aware that the auth code flow returns a thin token with no groups claims, but the request to the userinfo endpoint should return the group claims as specified in the docs.

brucewmac · November 29, 2021, 4:42pm

Solved:
I needed to set the Groups claim filter to matches regex rather than starts with for the regex expression to work.

Post		Replies	Views
Returning Groups in the OpenID connect userinfo API call OAuth/OIDC	14	26170	August 28, 2018
UserInfo not returning groups OAuth/OIDC	4	1178	February 7, 2025
Obtain groups from Org Authorization Server OAuth/OIDC	5	62	December 19, 2025
Returning Groups in the OpenID connect userinfo API call, AGAIN OAuth/OIDC	6	12889	January 17, 2024
Okta Groups - Cannot retrieve any group info Questions	2	4129	January 24, 2024

No Groups Returned from /userinfo

Related topics