I’m attempting to get a user’s groups from an authorization code flow, but it is not being returned from the /userinfo endpoint after the access token is returned. Any ideas?
Environment overview:
- Okta developer trial account
- Authorization client grant types: [authorization code, refresh token]
- OpenID Connect Token > Groups claim type: “Filter”
- OpenID Connect Token > Groups claims filter:
groups Starts with .*
Flow:
- Initiate login:
https://${oktaDomain}/oauth2/v1/authorize?redirect_uri=http://localhost:8080&client_id=${clientID}&response_type=code&scope=openid+email+groups&nonce=nonce&state=state
- User authenticates and code is sent to redirect URI
- Code is exchanged for user access token.
- Request is sent to the userinfo endpoint with the issued access token:
${oktaDomain}.okta.com/oauth2/v1/userinfo
- Response does not contain groups:
{
    "sub": "00",
    "email": "hello@example.com",
    "email_verified": true
}
Notes:
I am aware that the auth code flow returns a thin token with no groups claim, but the request to the userinfo endpoint should return the group claims as specified in the docs.
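As an added example (mine, not part of the original post and not Okta's code), a small Python diagnostic for the situation described above. It builds the same authorize URL as the post, compares the scopes requested with the `scope` the token endpoint reports as granted, decodes the ID token and access token payloads locally (no signature check, inspection only) to see whether a `groups` claim is present anywhere, and approximates the four groups-claim filter types offered in the Okta admin UI so you can see which group names a given filter type and value would select. The domain, client ID, token response and group names are constructed; the filter semantics are my approximation of the UI labels, not Okta's implementation.

```python
"""Diagnose a missing `groups` claim in an Okta authorization-code flow.

Added example, not from the original post. Everything runs offline on
constructed data; only fetch_userinfo() needs a real Okta org.
"""
import base64
import json
import re
import urllib.request
from urllib.parse import urlencode

# Constructed values: not a real org, client or user.
OKTA_DOMAIN = "dev-000000.okta.com"
CLIENT_ID = "0oaEXAMPLEclientid"
REDIRECT_URI = "http://localhost:8080"
REQUESTED_SCOPES = ["openid", "email", "groups"]
SAMPLE_GROUPS = ["Everyone", "Admins", "Engineering"]  # constructed group names


def build_authorize_url(okta_domain, client_id, redirect_uri, scopes, state, nonce):
    """Authorize URL on the org authorization server, same shape as in the post."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # urlencode turns spaces into '+'
        "state": state,
        "nonce": nonce,
    }
    return f"https://{okta_domain}/oauth2/v1/authorize?" + urlencode(params)


def make_unsigned_jwt(claims):
    """Constructed test token (alg=none, empty signature). Demo input only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


def decode_jwt_payload(token):
    """Return a JWT's claims WITHOUT verifying the signature.

    Diagnostic only: never make an authorization decision on claims read this way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_scopes(requested, token_response):
    """Requested scopes absent from the granted `scope` field (RFC 6749 section 5.1)."""
    granted = set(token_response.get("scope", "").split())
    return sorted(set(requested) - granted)


def diagnose(requested, token_response):
    """Summarise scope grant and where (if anywhere) a `groups` claim appears."""
    report = {"missing_scopes": missing_scopes(requested, token_response)}
    for name in ("id_token", "access_token"):
        claims = decode_jwt_payload(token_response[name]) if name in token_response else {}
        report[f"groups_in_{name}"] = "groups" in claims
    return report


def apply_groups_filter(filter_type, value, group_names):
    """Approximation of the admin-UI filter types (assumption, not Okta's code).

    'Matches regex' is modelled with re.search; Okta's exact matching rules
    for that option are not verified here.
    """
    if filter_type == "Starts with":
        return [g for g in group_names if g.startswith(value)]
    if filter_type == "Equals":
        return [g for g in group_names if g == value]
    if filter_type == "Contains":
        return [g for g in group_names if value in g]
    if filter_type == "Matches regex":
        pattern = re.compile(value)
        return [g for g in group_names if pattern.search(g)]
    raise ValueError(f"unknown filter type: {filter_type}")


def fetch_userinfo(okta_domain, access_token):
    """GET /oauth2/v1/userinfo with a Bearer token. Needs a real org; not run here."""
    req = urllib.request.Request(
        f"https://{okta_domain}/oauth2/v1/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed token response in which `groups` was requested but not granted.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid email",
    "access_token": make_unsigned_jwt({"sub": "00", "scp": ["openid", "email"]}),
    "id_token": make_unsigned_jwt({"sub": "00", "email": "hello@example.com"}),
}

if __name__ == "__main__":
    print(build_authorize_url(OKTA_DOMAIN, CLIENT_ID, REDIRECT_URI, REQUESTED_SCOPES, "state", "nonce"))
    print(diagnose(REQUESTED_SCOPES, SAMPLE_TOKEN_RESPONSE))
    for ftype in ("Starts with", "Matches regex"):
        print(ftype, ".*", "->", apply_groups_filter(ftype, ".*", SAMPLE_GROUPS))
```

To use it against a real flow, paste the JSON body returned by the token endpoint in place of SAMPLE_TOKEN_RESPONSE: the `missing_scopes` entry tells you whether `groups` was actually granted before you look at userinfo, and the filter helper shows what a "Starts with" filter does with a value such as `.*` (a literal prefix match) compared with "Matches regex".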