We use Auth0 as our identity provider and have a partner who uses Okta. We are attempting to set up Auth0’s Okta Workforce connection SSO provider configuration.
We have everything set up correctly, meaning that we are able to redirect to their Okta login and redirect back to our application with the user authenticated.
Issue
The issue is we do not get the groups during the transaction with Auth0. I have read through several Auth0 forum posts about this. The most notable one says that Okta does not send groups from the Workforce connection.
Symptoms
We are not seeing any group information in users’ profiles/tokens.
Cause
The Okta Workforce connection only supports the basic profile and ignores other claims.
I also read a post from Okta’s forum about the same issue. However, this reply makes it seem like Okta should be respecting the scope=group parameter.
That expression should, at the very least, return the “Everyone” group…
What We Have Configured
We have this configuration in our Auth0 connection with Okta:
I had our partner capture a .har file of the entire login flow so I could verify that we are in fact sending the groups scope.
https://{parterns-domain}.okta.com/oauth2/v1/authorize?scope=%20openid%20email%20profile%20groups&client_id=some-hash&response_type=code&redirect_uri=https%3A%2F%our-tenant.auth0.com%2Flogin%2Fcallback&response_mode=query&code_challenge=some-hash&code_challenge_method=S256&state=some-hash
However, when I check the user in my Auth0 dashboard after they have authenticated, I only see these fields mapping from the Okta login (these correlate to the attributes.* in the json in the image above):
{
"email": "first.last@company.io",
"federated_locale": "US",
"federated_zoneinfo": "America/Los_Angeles",
"name": "firstname.lastname",
...other auth0 fields
}
Note how we are getting the federated_locale and federated_zoneinfo but not the federated_groups.
From the auto-populated Okta metadata json file, it looks like groups should be a supported scope:
{
"issuer": "https://{parnters-tentant}.okta.com",
"jwks_uri": "https://{parnters-tentant}.okta.com/oauth2/v1/keys",
"token_endpoint": "https://{parnters-tentant}.okta.com/oauth2/v1/token",
"claims_supported": [
"iss",
"ver",
"sub",
"aud",
"iat",
"exp",
"jti",
"auth_time",
"amr",
"idp",
"nonce",
"name",
"nickname",
"preferred_username",
"given_name",
"middle_name",
"family_name",
"email",
"email_verified",
"profile",
"zoneinfo",
"locale",
"address",
"phone_number",
"picture",
"website",
"gender",
"birthdate",
"updated_at",
"at_hash",
"c_hash"
],
"scopes_supported": [
"openid",
"email",
"profile",
"address",
"phone",
"offline_access",
"groups"
],
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
...
],
...
}
My Questions
- Is there anything in my configuration that appears to be off? And/or is there anything I should be doing differently?
- Does Okta Workforce connection not send groups even if they are explicitly requested in the scope parameter?
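As an added example (not from the original post, Auth0 or Okta), here is a small Python diagnostic that automates the checks described above: it parses the scope parameter out of a captured authorize request, cross-checks it against the IdP's discovery metadata (scopes_supported vs. claims_supported), and reports whether a groups claim actually arrived in the decoded ID token. The domains, hashes and token payload are constructed placeholders modelled on the post, not real values.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample modelled on the authorize request quoted in the post.
# Domains and hashes are placeholders, not real identifiers.
SAMPLE_AUTHORIZE_URL = (
    "https://partner.okta.example/oauth2/v1/authorize"
    "?scope=%20openid%20email%20profile%20groups"
    "&client_id=some-hash&response_type=code"
    "&redirect_uri=https%3A%2F%2Four-tenant.auth0.example%2Flogin%2Fcallback"
    "&response_mode=query&code_challenge=some-hash"
    "&code_challenge_method=S256&state=some-hash"
)

# Constructed excerpt of OIDC discovery metadata mirroring the post's structure:
# "groups" appears under scopes_supported but there is no "groups" claim listed.
SAMPLE_DISCOVERY = {
    "issuer": "https://partner.okta.example",
    "claims_supported": ["iss", "sub", "aud", "name", "email",
                         "email_verified", "zoneinfo", "locale"],
    "scopes_supported": ["openid", "email", "profile", "address",
                         "phone", "offline_access", "groups"],
}

# Constructed decoded ID-token payload with the fields the post reports seeing.
SAMPLE_ID_TOKEN_CLAIMS = {
    "sub": "00uEXAMPLE",
    "name": "firstname.lastname",
    "email": "first.last@company.io",
    "locale": "US",
    "zoneinfo": "America/Los_Angeles",
}


def requested_scopes(authorize_url):
    """Return the set of scopes requested in an authorize URL.

    parse_qs decodes the %20-separated value; str.split() tolerates the
    leading space seen in the captured request.
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = query.get("scope", [""])[0]
    return set(raw.split())


def diagnose_groups(authorize_url, discovery, id_token_claims, claim="groups"):
    """Cross-check the request, the IdP metadata and the token for a claim.

    Returns a dict of boolean findings plus a one-line verdict so the result
    can be logged or asserted on.
    """
    scopes = requested_scopes(authorize_url)
    findings = {
        "groups_scope_requested": claim in scopes,
        "groups_scope_advertised": claim in discovery.get("scopes_supported", []),
        "groups_claim_advertised": claim in discovery.get("claims_supported", []),
        "groups_claim_present": claim in id_token_claims,
        "pkce_used": "code_challenge" in parse_qs(urlparse(authorize_url).query),
    }
    if not findings["groups_scope_requested"]:
        verdict = "client never asked for the scope; fix the connection config"
    elif not findings["groups_scope_advertised"]:
        verdict = "IdP does not advertise the scope; it cannot be fulfilled"
    elif not findings["groups_claim_present"]:
        verdict = ("scope requested and advertised but claim absent from token; "
                   "the IdP or the connection is dropping it")
    else:
        verdict = "claim delivered"
    findings["verdict"] = verdict
    return findings


if __name__ == "__main__":
    for key, value in diagnose_groups(SAMPLE_AUTHORIZE_URL, SAMPLE_DISCOVERY,
                                      SAMPLE_ID_TOKEN_CLAIMS).items():
        print(f"{key}: {value}")
```

Run it against the real authorize URL copied from the HAR and the real discovery document to confirm which of the three stages (request, advertisement, delivery) is where the groups claim goes missing; on the sample data it lands in the third case, matching what the post describes.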