No 'groups' scope in the console for the default Authorisation Server

In the Okta docs re OIDC Scopes one of the supported scopes is groups.

However, in the console for the default Authorisation Server there is no groups scope:

So, I had to set up a groups scope:

And, a groups claim:

So that ‘groups’ are included in my (OIDC Implicit Flow) access token’s claims:

{
    "ver": 1,
    ...
    "aud": "api://default",
    ...
    "scp": [
        "email",
        "address",
        "groups",
        "openid",
        "profile",
        "phone"
    ],
    "sub": "rob.ferguson@robferguson.org",
    "groups": [
        "Everyone",
        "User",
        "Administrator"
    ]
}

Is this the correct approach?

N.B. I also had to create some Groups (e.g., User and Administrator), assign the Groups to my Application and add Users to the Groups.

Hi @Robinyo

Yes, this is the correct approach. By default, the scope groups is not automatically configured for custom authorization servers and needs to be manually added, together with a claim to retrieve the user’s group memberships.

Thank you for posting this and sharing the screenshots. I’ve done the same but the claims simply aren’t pulling up (for groups).

Hi @RobOfTodosSantos

Make sure your Claims Filter is correct as ‘Matches regex’ is not the default option.

Make sure you have created some Groups (e.g., User and Administrator), assigned the Groups to your Application and added some Users to your Groups.

Make sure you have included the ‘groups’ scope:

  oidc: {
    clientId: '<CLIENT_ID>',
    issuer: '<ISSUER_ID>',
    redirectUri: 'http://localhost:4200/implicit/callback',
    scope: 'openid profile email phone address groups',
    testing: {
      disableHttpsCheck: true
    }
  }

Take a look at some working sample code:

Also see this post.

Cheers
Rob

Thank you. I am seeing a structural difference. It sees I’m asking for the claims and getting them but not asking for the authentication token.

Adding to this, in Okta, I can see the groups in the Token Preview… I just can’t get to them in Angular.
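
The checks listed in this thread, applied to a token the client actually received (an added example, not code from any poster or from Okta). The function names, the status strings and the sample tokens are constructed for illustration; the claim names `scp` and `groups` follow the access token shown in the first post.

```javascript
// Added example: names and sample tokens are constructed, not from the thread.
// Decoding does NOT verify the signature: use the result for UI decisions only;
// the API behind 'aud' must validate the token and enforce groups itself.

function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Maps the token contents onto the checks listed in the thread.
function diagnoseGroups(token) {
  const claims = decodeJwtPayload(token);
  const scopes = Array.isArray(claims.scp) ? claims.scp : [];
  const groups = Array.isArray(claims.groups) ? claims.groups : [];
  if (groups.length > 0) return { status: 'ok', groups };
  if (!scopes.includes('groups')) {
    // 'groups' missing from the client's scope string, or no such scope on the server.
    return { status: 'scope-not-granted', groups };
  }
  // Scope granted but no claim: check the claim's filter and the group assignments.
  return { status: 'claim-missing', groups };
}

// Constructed sample tokens (placeholder signature), modelled on the payload above.
function makeSampleToken(payload) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}
const SAMPLE_BASE = { ver: 1, aud: 'api://default', sub: 'user@example.com' };
const SAMPLE_OK = makeSampleToken({ ...SAMPLE_BASE,
  scp: ['openid', 'profile', 'groups'], groups: ['Everyone', 'User', 'Administrator'] });
const SAMPLE_NO_SCOPE = makeSampleToken({ ...SAMPLE_BASE, scp: ['openid', 'profile'] });
const SAMPLE_NO_CLAIM = makeSampleToken({ ...SAMPLE_BASE, scp: ['openid', 'groups'] });

for (const t of [SAMPLE_OK, SAMPLE_NO_SCOPE, SAMPLE_NO_CLAIM]) {
  console.log(diagnoseGroups(t));
}
```

Running `diagnoseGroups` on the access token and on the ID token separately shows which of the two actually carries the claim.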