Not getting group id when accessing UserInfo service Go lang

Hi Team

I am new to okta so apologies if my questions are not clear. So what I am trying to do is get the group id of the logged in user in go lang and use it for further processing

To start with I downloaded a default sample in Go lang

Then inside that default sample there is a profile method that calls UserInfo Service (No Code change done from my side- I am just using the existing sample)

func getProfileData(r *http.Request) map[string]string {
m := make(map[string]string)

session, err := sessionStore.Get(r, "okta-hosted-login-session-store")

if err != nil || session.Values["access_token"] == nil || session.Values["access_token"] == "" {
	return m

reqUrl := os.Getenv("ISSUER") + "/v1/userinfo"

req, _ := http.NewRequest("GET", reqUrl, bytes.NewReader([]byte("")))
h := req.Header
h.Add("Authorization", "Bearer "+session.Values["access_token"].(string))
h.Add("Accept", "application/json")

client := &http.Client{}
resp, _ := client.Do(req)
body, _ := ioutil.ReadAll(resp.Body)
defer resp.Body.Close()
json.Unmarshal(body, &m)

return m


Unfortunately,the User Service returns a blank value for my user group although my user is assigned to one

map[Groups: email_verified: family_name:XXXXX given_name:XXXX locale:en-US name:XXXXXX preferred_username: sub:XXXXXXXupdated_at: zoneinfo:America/Los_Angeles]

My user is already assigned to the group. The screenshot here

There is no code change done from my side in the sample.Prima facie it looks like the UserInfo service is not returning the group Id. I am wondering what I have missed here?

I have added Group to both access token and ID token

Any help on this will really be appreciated

Hi there! You might want to try adding the groups claim to the id token + userinfo like the following:

Hi @tyty

I have already saved the ID token to always. Please see the screenshot above.

Nevertheless I did try your suggestion and that didn’t help. Is there anything else I should look into?

And you’re positive your application is configured to use the correct issuer (set to the issuer url for the authorization server you added the claim to)?

1 Like

I am sorry but I didn’t understand your question completely.Its a preconfigured sample which I downloaded.

Screen Shot 2021-08-29 at 1.13.01 AM|690x162

@andrea The claim is added to the default authorization server.Further the group attribute is coming from UserInfo service but it is coming out to be blank :frowning:

Not Sure what I missed here

If you use the Token Preview tool in the Admin Console, do you see the groups claim show up in either token’s preview payload? If so, that would lead me to believe that the issue is on the application side, in particular its configuration.

@andrea I do see the group info in token’s Preview

Can you give me some pointers on what issue you are talking about in the configuration.

As I said this is a default sample with zero code change from my side

In the LoginHandler of main.go can you confirm you are passing the groups scope added similar to this:

	q := r.URL.Query()
	q.Add("client_id", os.Getenv("CLIENT_ID"))
	q.Add("response_type", "code")
	q.Add("response_mode", "query")
	q.Add("scope", "openid profile email groups")
	q.Add("redirect_uri", "http://localhost:8080/authorization-code/callback")
	q.Add("state", state)
	q.Add("nonce", nonce)

@tyty @andrea I didn’t have group in the scope. I added it.

q := r.URL.Query()
q.Add(“client_id”, os.Getenv(“CLIENT_ID”))
q.Add(“response_type”, “code”)
q.Add(“response_mode”, “query”)
q.Add(“scope”, “openid profile email groups”)
q.Add(“redirect_uri”, “http://localhost:8080/authorization-code/callback”)
q.Add(“state”, state)
q.Add(“nonce”, nonce)

redirectPath = os.Getenv(“ISSUER”) + “/v1/authorize?” + q.Encode()
fmt.Println(“The redirect Path is”, redirectPath)

http.Redirect(w, r, redirectPath, http.StatusFound)

After that I am getting this error


Any advice on what could have gone wrong?

The group scope only exists for the Org Authorization server by default, you’re using a custom server, so you do not need to request it as long as your claim is configured to always appear (and is not set to be scope dependent).

@andrea @tyty Is there anything else you guys advice that I can dig more into.

I can confirm this is the problem with UserInfo service.

map[Groups: email_verified: family_name:xxxx given_name:xxxx locale:en-US name:xxxx sub:00u1ebtg7xN9Prc4G5d7 updated_at: zoneinfo:America/Los_Angeles]

If I decrypt ID/ access token I can see the value of the group.

{map[Groups:[Everyone] amr:[pwd] at_hash:kIy-Fz17yAsaV1tNqlG00g aud:0oa1ebtc62N0czKml5d7 auth_time:1.630424092e+09 exp:1.630427693e+09 iat:1.630424093e+09 idp:00o1ebtg2f9FEZTd15d7 iss: jti:ID.sWDRqdCC-QVo-HTp6cPCf6BnDa8D9kKSMlG78nCHqV4 name:xxxxxxx nonce:aO_uuE6LkNctWM48z7yUA-y4WgM_d_sIfcpIjIV6gGY= sub:00u1ebtg7xN9Prc4G5d7 ver:1]}

(P.S There is no code change from my side and we are looking at the default sample)

@andrea @tyty Any help on this? I am stuck since the userInfo service is not returning all the info

Any update folks. @andrea @tyty . Do you need any more information from me

I’m not sure whats missing, because it should be working properly. Here are the steps I completed

  1. Created Groups claims on my Default Authorization Server
  2. Requested tokens from this authorization server (using authorization code flow in my case):
    a. Authorize call:
    b. Token call:
  3. Sent the Access token I received from my token call to the Default server’s /userinfo endpoint:

Make sure you’re definitely using the same authorization server for each request