gomze
August 30, 2021, 4:06pm
1
Hi Team
I am new to okta so apologies if my questions are not clear. So what I am trying to do is get the group id of the logged in user in go lang and use it for further processing
To start with I downloaded a default sample in Go lang
Then inside that default sample there is a profile method that calls UserInfo Service (No Code change done from my side- I am just using the existing sample)
func getProfileData(r *http.Request) map[string]string {
session, err := sessionStore.Get(r, "okta-hosted-login-session-store")
if err != nil || session.Values["access_token"] == nil || session.Values["access_token"] == "" {
return m
}
reqUrl := os.Getenv("ISSUER") + "/v1/userinfo"
req, _ := http.NewRequest("GET", reqUrl, bytes.NewReader([]byte("")))
h := req.Header
h.Add("Authorization", "Bearer "+session.Values["access_token"].(string))
h.Add("Accept", "application/json")
client := &http.Client{}
resp, _ := client.Do(req)
body, _ := ioutil.ReadAll(resp.Body)
defer resp.Body.Close()
json.Unmarshal(body, &m)
return m
}
Unfortunately,the User Service returns a blank value for my user group although my user is assigned to one
map[Groups: email:XXXXXX@gmail.com email_verified: family_name:XXXXX given_name:XXXX locale:en-US name:XXXXXX preferred_username: XXXXXXX@gmail.com sub:XXXXXXXupdated_at: zoneinfo:America/Los_Angeles]
My user is already assigned to the group. The screenshot here
There is no code change done from my side in the sample.Prima facie it looks like the UserInfo service is not returning the group Id. I am wondering what I have missed here?
gomze
August 30, 2021, 4:32pm
2
I have added Group to both access token and ID token
gomze
August 30, 2021, 7:36pm
3
Any help on this will really be appreciated
tyty
August 30, 2021, 7:55pm
4
Hi there! You might want to try adding the groups claim to the id token + userinfo like the following:
gomze
August 30, 2021, 8:09pm
5
Hi @tyty
I have already saved the ID token to always. Please see the screenshot above.
Nevertheless I did try your suggestion and that didn’t help. Is there anything else I should look into?
andrea
August 30, 2021, 8:14pm
6
And you’re positive your application is configured to use the correct issuer (set to the issuer url for the authorization server you added the claim to)?
1 Like
gomze
August 30, 2021, 8:22pm
7
I am sorry but I didn’t understand your question completely.Its a preconfigured sample which I downloaded.
Screen Shot 2021-08-29 at 1.13.01 AM|690x162
gomze
August 30, 2021, 8:23pm
8
@andrea The claim is added to the default authorization server.Further the group attribute is coming from UserInfo service but it is coming out to be blank
Not Sure what I missed here
andrea
August 30, 2021, 8:37pm
9
If you use the Token Preview tool in the Admin Console, do you see the groups claim show up in either token’s preview payload? If so, that would lead me to believe that the issue is on the application side, in particular its configuration.
gomze
August 30, 2021, 8:44pm
10
@andrea I do see the group info in token’s Preview
Can you give me some pointers on what issue you are talking about in the configuration.
As I said this is a default sample with zero code change from my side
tyty
August 30, 2021, 9:53pm
11
In the LoginHandler of main.go can you confirm you are passing the groups scope added similar to this:
q := r.URL.Query()
q.Add("client_id", os.Getenv("CLIENT_ID"))
q.Add("response_type", "code")
q.Add("response_mode", "query")
q.Add("scope", "openid profile email groups")
q.Add("redirect_uri", "http://localhost:8080/authorization-code/callback")
q.Add("state", state)
q.Add("nonce", nonce)
gomze
August 31, 2021, 3:09pm
12
@tyty @andrea I didn’t have group in the scope. I added it.
q := r.URL.Query()http://localhost:8080/authorization-code/callback ”)
redirectPath = os.Getenv(“ISSUER”) + “/v1/authorize?” + q.Encode()
http.Redirect(w, r, redirectPath, http.StatusFound)
After that I am getting this error
error=invalid_scope&error_description=One+or+more+scopes+are+not+configured+for+the+authorization+server+resource.
Any advice on what could have gone wrong?
andrea
August 31, 2021, 3:22pm
13
The group scope only exists for the Org Authorization server by default, you’re using a custom server, so you do not need to request it as long as your claim is configured to always appear (and is not set to be scope dependent).
gomze
August 31, 2021, 3:38pm
14
@andrea @tyty Is there anything else you guys advice that I can dig more into.
I can confirm this is the problem with UserInfo service.
map[Groups: email:xxxxxxxxxx@gmail.com email_verified: family_name:xxxx given_name:xxxx locale:en-US name:xxxx preferred_username:xxxxx@gmail.com sub:00u1ebtg7xN9Prc4G5d7 updated_at: zoneinfo:America/Los_Angeles]
If I decrypt ID/ access token I can see the value of the group.
{map[Groups:[Everyone] amr:[pwd] at_hash:kIy-Fz17yAsaV1tNqlG00g aud:0oa1ebtc62N0czKml5d7 auth_time:1.630424092e+09 email:xxxxxx@gmail.com exp:1.630427693e+09 iat:1.630424093e+09 idp:00o1ebtg2f9FEZTd15d7 iss:https://dev-xxxxxx.okta.com/oauth2/default jti:ID.sWDRqdCC-QVo-HTp6cPCf6BnDa8D9kKSMlG78nCHqV4 name:xxxxxxx nonce:aO_uuE6LkNctWM48z7yUA-y4WgM_d_sIfcpIjIV6gGY= preferred_username:xxxxx@gmail.com sub:00u1ebtg7xN9Prc4G5d7 ver:1]}
(P.S There is no code change from my side and we are looking at the default sample)
gomze
August 31, 2021, 7:31pm
15
@andrea @tyty Any help on this? I am stuck since the userInfo service is not returning all the info
gomze
September 1, 2021, 3:37pm
16
Any update folks. @andrea @tyty . Do you need any more information from me
andrea
September 1, 2021, 5:03pm
17
I’m not sure whats missing, because it should be working properly. Here are the steps I completed
Created Groups claims on my Default Authorization Server
Requested tokens from this authorization server (using authorization code flow in my case):https://org.okta.com/oauth2/default/v1/authorize?client_id=0oa2fy8ss5ciEBj1y357&response_type=code&redirect_uri=http://localhost:8000&scope=openid&state=state-1234&nonce=foo
Sent the Access token I received from my token call to the Default server’s /userinfo endpoint:
Make sure you’re definitely using the same authorization server for each request
