Obtain groups from Org Authorization Server

Hi,

I’m trying to integrate my SPA with Okta. My app will use the user’s groups for internal authorization. I’m trying to use the org authorization server to keep the configuration as simple as possible for my clients. My app uses the auth code flow, and PKCE. I understand that this flow will return ‘thin’ tokens, and I need to call the /userinfo endpoint. However, when I do that, I still don’t get the groups back.

The scopes in my initial login request are “openid email profile offline_access groups”. I’ve confirmed these scopes are reflected in the access token.

My groups filter is ‘matches regex * ’ and I have a group assigned to my app.

Result from /userinfo:

Is there any other configuration required to get groups from the org auth server?

Thank you,

John

Can you provide a screenshot showing how and where you configured your groups claim?

Sure, it’s here:

Can you try changing your filter to .* instead of *?

Ha, of course that was it! Lost multiple hours to one missing dot :face_exhaling: .

Thanks for your help!
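The fix in this thread comes down to glob syntax versus regex syntax: a bare `*` is a quantifier with nothing to repeat, so it is not a valid regular expression, while `.*` matches any name. The pre-check below is an added example, not code from the thread or from Okta; `checkGroupsFilter`, the sample group names, and the assumption that the filter must match the whole group name are all hypothetical, and JavaScript's `RegExp` stands in for the server's regex engine.

```javascript
// Added example (not from the thread): pre-check a "Matches regex" groups filter.
// Assumptions: the filter must match the whole group name, and JavaScript's
// RegExp is close enough to the server's engine for a syntax check.

// A `*` at the start, or after a character that is not `.`, `]`, `)` or `\`,
// usually means the author was thinking in glob syntax.
const GLOB_STAR = /(^|[^.\])\\])\*/g;

function compileFilter(filter) {
  // Anchor the pattern so it has to cover the full group name.
  return new RegExp(`^(?:${filter})$`);
}

function checkGroupsFilter(filter, groupNames) {
  const result = { filter, valid: false, error: null, matched: [], suggestion: null };
  try {
    const re = compileFilter(filter);
    result.valid = true;
    result.matched = groupNames.filter((name) => re.test(name));
  } catch (err) {
    result.error = err.message; // a bare `*` fails here: nothing to repeat
  }
  // An invalid or empty-handed filter that looks like a glob gets a hint.
  if (result.matched.length === 0) {
    const candidate = filter.replace(GLOB_STAR, "$1.*");
    if (candidate !== filter) {
      try {
        compileFilter(candidate);
        result.suggestion = candidate;
      } catch (_) {
        // The rewritten pattern is not valid either; offer nothing.
      }
    }
  }
  return result;
}

// Constructed sample group names, not taken from the thread.
const sampleGroups = ["Everyone", "App-Admins", "App-Readers"];
for (const f of ["*", ".*", "App-*", "App-.*"]) {
  console.log(JSON.stringify(checkGroupsFilter(f, sampleGroups)));
}
```

Note that `App-*` is valid regex but matches none of the sample names, which is the quieter form of the same mistake.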
