We are unable to get a custom attribute of the user profile as a claim in the token.
Below is the screenshot of the added custom attribute in the default authorization server. We also tried with a custom authorization server but are still unable to get the custom attribute as a claim in the token.
From which Authorization Server are you requesting tokens? As you mentioned adding this in your Default Authorization Server, can you make sure you are making requests to the same default Authorization Server? For example, if you are completing the Authorization Code flow, you would be making calls to /oauth2/default/v1/authorize and /oauth2/default/v1/token. Does that match your tests?
When you request tokens, which scopes are you requesting?
For your test user, do they have a value for tenant_id as set in their Okta User Profile or is it null?
When you use the Token Preview tool to test your claim, do you see it returned within the payload of an ID Token?
Yes, we are making requests to the same default authorization server.
Scopes - email, profile, openid
I didn't understand this question.
Yes, tenant_id is returned in the ID token. Now we edited the claim and changed the token type to access token, and tenant_id is returned in the access token as well.
Thank you for your help.
We have noticed in the logs -
After investigation, we suspect that the oauth2ClaimSystem value is set to false, preventing proper evaluation and inclusion of custom claims in the access token.
Is our understanding correct?
I want to double check your answer for #3. Your claim expression says that it should populate the tenantid claim based on the value of a custom tenant_id attribute in the Okta User Profile. Can you share a screenshot of how and where you configured that custom attribute?
If Token Preview is working for you and the tenantid claim is showing up there, then I would still guess that when you actually request tokens, you are doing something different, either by requesting different scopes or from using a different authorization server. Maybe you can share an anonymized copy of the token payload for an impacted user (censoring any sensitive values) to help confirm that?
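An added diagnostic, not code from this thread or from Okta, that does what the replies above ask for: it decodes a token payload without verifying it, checks the issuer against the expected authorization server, lists any requested scopes that were not granted, reports whether the custom claim arrived, and censors sensitive values before the payload is shared. The domain, the server id "aus1custom" and the sample token are constructed placeholders.

```python
import base64
import json

# Claims whose values should be censored before a token payload is shared in a support thread.
SENSITIVE_CLAIMS = {"sub", "email", "preferred_username", "name", "uid", "cid"}

def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return base64.urlsafe_b64decode(segment)

def decode_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature: for inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_claim_delivery(token, okta_domain, auth_server_id, expected_scopes, claim_name):
    """Answer the thread's three questions: which authorization server issued the token,
    which scopes it carries, and whether the custom claim is present."""
    payload = decode_payload(token)
    expected_iss = f"https://{okta_domain}/oauth2/{auth_server_id}"
    # Okta access tokens list granted scopes in "scp"; ID tokens carry no scope list.
    granted = set(payload["scp"]) if "scp" in payload else None
    return {
        "issuer_ok": payload.get("iss") == expected_iss,
        "missing_scopes": None if granted is None else sorted(set(expected_scopes) - granted),
        "claim_present": claim_name in payload,
        "claim_value": payload.get(claim_name),
    }

def redact_payload(payload: dict) -> dict:
    """Copy of the payload with sensitive values censored, safe to paste into a support thread."""
    return {k: ("<redacted>" if k in SENSITIVE_CLAIMS else v) for k, v in payload.items()}

def _make_unsigned_token(payload: dict) -> str:
    # Builds the constructed, unsigned sample token used below; real tokens are signed by Okta.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample: issued by a hypothetical custom server "aus1custom", not "default".
SAMPLE_TOKEN = _make_unsigned_token({
    "iss": "https://example.okta.com/oauth2/aus1custom",
    "sub": "user@example.com",
    "scp": ["openid", "profile", "email"],
    "tenantid": "acme-42",
})
```

Running check_claim_delivery(SAMPLE_TOKEN, "example.okta.com", "default", {"openid", "profile", "email"}, "tenantid") on the sample reports issuer_ok as False, which is exactly the "different authorization server" mismatch the reply above asks about.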