Hi,
I have seen some articles telling okta groups claim in id_token will be truncated or will be nil when the groups are more than 100, but I have set up a user and assigned more than 300 groups and when I try to see the token preview under Security → API → Default auth server → claims, I see all 300 groups and nothing being truncated.
I see the truncation happening only when I filter the groups claim using an expression like Groups.startsWith(“OKTA”, “TEST”, 100) which is obvious.
Am I missing something here? I want to replicate the scenario of groups being truncated or being nil when it is more than 100 or 200.
Only the Groups functions (Groups.startsWith, Groups.endsWith, and Groups.contains) require passing a limit argument which is a maximum of 100 (mentioned here).
Other group functions (such as user.getGroups) do not have this limitation and are able to return all matching groups in the resulting claim.
but when I do Groups.startsWith(“OKTA”, “TEST”, 200), I see 200 groups in the token preview.
Also just wanted to confirm if I use a regex like .* will it return all the groups in the id_token and has no limit?
Hmm, passing a 200 limit shouldn’t work as far as I understand it! If you actually request a token, do you see the groups claim showing up, or does it only work in the Token Preview tool?
If you are using Authorization Code flow, you shouldn’t see any other limits on the number of groups returned in a groups claim, but let me know if you see otherwise
You should see a failure if a groups claim is evaluating to more than 100 users if using a different grant type (thats what I saw at least when testing this with implicit grant type)