Okta Custom Claim as permissions

Is it possible to use permissions as custom claim in okta id_token? If not then how can I get permissions claim in my okta token?

I’m looking to get key as permissions in token claims and value should be list or permissions.

How can I get user admin roles and the permission in id token?

And group permissions or role using expression language?

Thanks

1. Permissions in id_token vs. access_token

• Is it possible? Yes, Okta allows you to add custom claims to both id_token and access_token through Authorization Server configuration.

• Is it recommended? Generally, no.

  • id_token Purpose:

    • Primarily for authentication. It tells the client application (e.g., your Angular app) who the user is (their identity).
    • It includes standard claims like:
      • sub (subject ID)
      • iss (issuer)
      • aud (audience)
      • exp (expiry)
      • iat (issued at)
      • Often basic profile info requested via scopes (name, email, etc.).

  • access_token Purpose:

    • Primarily for authorization. It’s intended for the resource server (e.g., your .NET Web API) to determine what the user is allowed to do.
    • Permissions, roles, and group memberships are authorization concerns.

  • Best Practice:

    • Keep id_token lightweight and focused on identity.
    • Put authorization-related data like permissions into the access_token. This prevents bloating the id_token and keeps authorization details where the API needs them.
    • Your API should validate the access_token and use its claims to make access control decisions.

Refer this - Customize tokens returned from Okta with custom claims | Okta Developer

Thanks for the response. I’m able to use “permissions” in access token but not in ID_token,

Getting error : “permissions” is reserved and cannot be used.

Screenshot 2025-04-23 154523787×725 34.8 KB

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.