Okta Custom Claim as permissions

Is it possible to use permissions as a custom claim in the Okta id_token? If not, how can I get a permissions claim in my Okta token?

I'm looking to get a key named permissions in the token claims, and the value should be a list of permissions.

How can I get user admin roles and the permissions in the id token?

And group permissions or roles using Expression Language?

Thanks

1. Permissions in id_token vs. access_token

  • Is it possible? Yes, Okta allows you to add custom claims to both id_token and access_token through Authorization Server configuration.

  • Is it recommended? Generally, no.

    • id_token Purpose:

      • Primarily for authentication. It tells the client application (e.g., your Angular app) who the user is (their identity).
      • It includes standard claims like:
        • sub (subject ID)
        • iss (issuer)
        • aud (audience)
        • exp (expiry)
        • iat (issued at)
        • Often basic profile info requested via scopes (name, email, etc.).
    • access_token Purpose:

      • Primarily for authorization. It’s intended for the resource server (e.g., your .NET Web API) to determine what the user is allowed to do.
      • Permissions, roles, and group memberships are authorization concerns.
    • Best Practice:

      • Keep id_token lightweight and focused on identity.
      • Put authorization-related data like permissions into the access_token. This prevents bloating the id_token and keeps authorization details where the API needs them.
      • Your API should validate the access_token and use its claims to make access control decisions.

Refer to this: Customize tokens returned from Okta with custom claims | Okta Developer

Thanks for the response. I'm able to use "permissions" in the access token but not in the ID token.

Getting error: "permissions" is reserved and cannot be used.