Okta as an IDP - Id token does not include given_name, family_name

I am using Okta as an IDP and trying to receive given_name and family_name in the ID token. The request scope has been set to ‘Profile’.

Okta app settings below:

What am I missing here? Please help.

Thanks.
Lak

Are you using a particular language or framework? Your scope parameter looks funny. I’d expect to see four different parameters and it looks like you only have two (because the 2nd part is concatenated together with plus signs).

Which OAuth flow are you using? Is it authorization code flow (with or without PKCE auth) or implicit flow where both the ID token and Access tokens are returned?

If so, you likely are looking at a “thin” ID token and you will need to send the access token to the /userinfo endpoint to see these missing claims. More details here.

@Lak Hi,
as @mraible mentioned, please try to use the correct scope format and see if anything changes.

I see you added offline_access to the scope; are you trying to get a refresh token?

The response_type is “code” currently and you should get a code returned if everything is set up correctly. You may need to exchange the code for tokens then.

Thanks @mraible and @Lijia. I am using Azure B2C custom policies and the screenshot is taken from Mozilla SAML tracer. Not sure if it’s the standard, but in SAML tracer the scope is shown in this way.

scope : profile openid+email+offline_access

Please disregard the ‘offline_access’ scope. Yes, I was testing to see if I could get a refresh token as well, but it’s not my primary concern at the moment.

Below is how I call Okta IDP from Azure B2C Custom policies.

The ID token returns name and email but not the given_name and family_name values.

Thanks @andrea. I am using Okta as an IDP for SSO and use the Azure B2C custom policies social login flow to do it with OpenID authentication. So I guess I am only receiving the ID token.

Hmm… It looks like you are using authorization code flow (response_type = code), which leads me to suspect my original hypothesis may be correct.

If there is no way to get the access token (so that you can make the call to userinfo), you could create custom claims for the Default authorization server you are using.

When creating custom claims, you can decide that they will always be included (so even if you do get a ‘thin’ ID token, the claim will be present), instead of only being included in the ID token when using an OAuth flow that requests only the ID token (implicit flow, response_type = id_token, resulting in you receiving a ‘fat’ token).
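To make the thin-versus-fat distinction concrete, here is an added example (not code from the thread or from Okta) that inspects an ID token for given_name/family_name and falls back to the /userinfo endpoint only when they are missing. The tokens and the userinfo backend are constructed fixtures; a real relying party would verify the RS256 signature before reading any claim and would call `{issuer}/v1/userinfo` with the access token as a Bearer header.

```python
import base64
import json

PROFILE_CLAIMS = ("given_name", "family_name")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Compact JWT with a dummy signature: a constructed fixture only.
    A real Okta ID token is RS256-signed and must be verified first."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.sig"

def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the payload without checking the signature.
    For claim inspection only; verify before trusting any value."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_profile_claims(id_token: str) -> list:
    """Profile claims absent from the ID token (empty list = 'fat' token)."""
    claims = decode_jwt_payload(id_token)
    return [c for c in PROFILE_CLAIMS if c not in claims]

def resolve_profile(id_token: str, access_token: str, fetch_userinfo) -> dict:
    """Return given_name/family_name, calling /userinfo only when the ID
    token is thin. fetch_userinfo(access_token) -> dict is supplied by the
    caller, e.g. a GET to {issuer}/v1/userinfo with a Bearer header."""
    claims = decode_jwt_payload(id_token)
    if missing_profile_claims(id_token):
        claims = {**claims, **fetch_userinfo(access_token)}
    return {c: claims.get(c) for c in PROFILE_CLAIMS}

# Constructed fixtures: a thin code-flow ID token carrying only name and
# email (as in the thread) and a fake /userinfo backend keyed by access token.
THIN_ID_TOKEN = make_unsigned_jwt(
    {"sub": "00uEXAMPLE", "name": "Lak Example", "email": "lak@example.com"})
FAT_ID_TOKEN = make_unsigned_jwt(
    {"sub": "00uEXAMPLE", "given_name": "Lak", "family_name": "Example"})
USERINFO = {"demo-access-token": {"given_name": "Lak", "family_name": "Example"}}

def fake_userinfo(access_token: str) -> dict:
    return USERINFO[access_token]
```

If your B2C policy never receives the access token, the custom-claim route described above is the alternative: set the claim to always be included so the same check passes on the thin token.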

Thanks for the reply @andrea.

I created a custom claim as advised and updated the B2C custom policies accordingly, but I still don’t see the custom claim in the ID token. I can, however, see given_name, family_name, and appuser_given_name in the token preview with grant type ‘implicit (hybrid)’. I can still see the custom claim appuser_given_name value when the grant type is set to ‘authorization code’.

Thanks again for your help. Much appreciated.

@Lak With your attached screenshots, I doubt whether you mapped the customized claims well in the profile or set up the claims syntax correctly. We probably need more info from your side. In order to troubleshoot ASAP and save your time without back-and-forth comments, I suggest you open a support ticket through an email to support@okta.com with this issue. One of our Developer Support Engineers will take the case and narrow down the cause of the issue. This is a common issue for the Okta dev support team and it should be easy to resolve once we do a sanity check of your configuration.

Thanks @Lijia. I have raised a support request ‘00998390’.
