No 'groups' scope in the console for the default Authorisation Server

In the Okta docs re OIDC Scopes one of the supported scopes is groups.

However, in the console for the default Authorisation Server there is no groups scope:

So, I had to set up a groups scope:


And, a groups claim:

So that ‘groups’ are included in my (OIDC Implicit Flow) access token’s claims:

{
    "ver": 1,
     ...
    "aud": "api://default",
     ...
    "scp": [
        "email",
        "address",
        "groups",
        "openid",
        "profile",
        "phone"
    ],
    "sub": "rob.ferguson@robferguson.org",
    "groups": [
        "Everyone",
        "User",
        "Administrator"
    ]
}

Is this the correct approach?

N.B. I also had to create some Groups (e.g., User and Administrator), assign the Groups to my Application and add Users to the Groups.

2 Likes

Hi @Robinyo

Yes, this is the correct approach. By default, the scope groups is not automatically configured for custom authorization servers and needs to be manually added, together with a claim to retrieve the user’s group memberships.

1 Like

Thank you for posting this and sharing the screenshots. I’ve done the same but the claims simply aren’t pulling up (for groups).

Hi @RobOfTodosSantos

Make sure your Claims Filter is correct as ‘Matches regex’ is not the default option.

Make sure you have created some Groups (e.g., User and Administrator), assigned the Groups to your Application and added some Users to your Groups.

Make sure you have included the ‘groups’ scope:

  // Okta Angular app config: the 'groups' scope has to be requested here and
  // must also exist as a scope on the authorization server.
  const config = {
    oidc: {
      clientId: '<CLIENT_ID>',
      issuer: '<ISSUER_ID>',
      redirectUri: 'http://localhost:4200/implicit/callback',
      scope: 'openid profile email phone address groups',
      testing: {
        disableHttpsCheck: true
      }
    }
  };

Take a look at some working sample code:

Also see this post.

Cheers
Rob
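As an added diagnostic (not code from the original thread or from Okta): decode the access token the app received and work through the checklist above in order, reporting whether the 'groups' scope was granted and whether the 'groups' claim was populated. The sample tokens are constructed here with a placeholder signature; the decoding does no signature verification and is for inspecting a token in the browser console only.

```javascript
// Decode a JWT payload segment (base64url) without verifying the signature.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a 3-segment compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Map the token contents onto the checklist from the thread:
//  scope-not-granted      -> 'groups' not requested by the app, or not defined as a
//                            scope on the authorization server (the Security -> Scopes step)
//  claim-not-configured   -> scope granted, but no 'groups' claim on the authorization server
//  filter-matched-nothing -> claim present, but its filter / group assignments yielded nothing
function diagnoseGroups(token) {
  const claims = decodeJwtPayload(token);
  const scp = Array.isArray(claims.scp) ? claims.scp : [];
  if (!scp.includes('groups')) return { status: 'scope-not-granted', groups: [] };
  if (!Array.isArray(claims.groups)) return { status: 'claim-not-configured', groups: [] };
  if (claims.groups.length === 0) return { status: 'filter-matched-nothing', groups: [] };
  return { status: 'ok', groups: claims.groups };
}

// Constructed sample tokens (not real Okta tokens): placeholder signature segment,
// claims modelled on the access token shown in the original post.
function base64UrlEncode(text) {
  const bin = Array.from(new TextEncoder().encode(text), b => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function sampleToken(payload) {
  const header = { alg: 'RS256', kid: 'placeholder-kid' };
  return [header, payload].map(o => base64UrlEncode(JSON.stringify(o))).concat('placeholder-sig').join('.');
}
const SAMPLE_OK = sampleToken({
  ver: 1, aud: 'api://default', sub: 'rob.ferguson@robferguson.org',
  scp: ['email', 'address', 'groups', 'openid', 'profile', 'phone'],
  groups: ['Everyone', 'User', 'Administrator'],
});
const SAMPLE_NO_SCOPE = sampleToken({ ver: 1, aud: 'api://default', sub: 'x', scp: ['openid', 'profile'] });
const SAMPLE_NO_CLAIM = sampleToken({ ver: 1, aud: 'api://default', sub: 'x', scp: ['openid', 'groups'] });

console.log(diagnoseGroups(SAMPLE_OK));        // { status: 'ok', groups: [ 'Everyone', 'User', 'Administrator' ] }
console.log(diagnoseGroups(SAMPLE_NO_SCOPE));  // { status: 'scope-not-granted', groups: [] }
```

Run it against the real token from the Token Preview or from the SDK's token manager to see which of the three configuration steps is missing; the API that consumes the token must still verify the signature before trusting any group membership.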

Thank you. I am seeing a structural difference. It seems I’m asking for the claims and getting them, but not asking for the authentication token.

Adding to this, in Okta, I can see the groups in the Token Preview… I just can’t get to them in Angular.

Thanks for sharing the steps and screenshots.
Actually, I had done the same steps as you mentioned in order to populate the groups field.
What I’m concerned about and wondering is that they’re showing the ‘groups’ claim and scope in their documentation, but I’m not able to try it. Check this out: https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/

Whenever I call a query with the scope ‘openid groups’, as the guide says, it errors out with ‘groups’ scope is missing or not configured. That’s weird!

@sanguyen That document provides the steps for configuring the “groups” claim when you’re using the Okta Org as the authorization server (oauth2/v1/authorize). When you’re using a custom authorization server (oauth2/default/v1/authorize), you can set up custom scopes and claims using the method that Robinyo demonstrated.

1 Like

Hey there,

I know this is old, but I have tried everything above and groups is still not showing in the Token Preview. By everything, I mean every combination I could try:

Default server, using the “Groups” on the main App screen.
Default server, also tried manually adding scopes/claims, but I think, as @warren pointed out, that should not be necessary?
Custom Auth Server: all steps above, and fiddled around with individual settings like Pattern/Group, all .*, etc.
All users are assigned to “User - Admin” to give this a shot.
Definitely passing the scope “groups”, as this was giving me errors until I went to Security → Scopes and allowed it.
Using the Token Preview, have tried all combinations within PKCE / Implicit.

groups is never returned.

Wondering if there is anything else I could try?

Thanks!
