OktaAuthService getUser does not include user name

Hez · April 20, 2020, 6:17am

With implicit flow, I can get the user name using the following:

const userClaims = await this.oktaAuthService.getUser();
this.userName = userClaims.name;

Now I’ve replaced implicit flow with Authorization code flow with pkce and the getUser function only returns the following:

{sub: "${sub}", email: "${email}", email_verified: true, roles: Array(1), groups: Array(1)}

How do I get the user name?

Hez · April 20, 2020, 7:53am

I understand how it works now from this reference document. I added id_token to responseType and profile to scopes in my login config like so:

signIn = new OktaSignIn( {
baseUrl: '${baseUrl}',
clientId: '${clientId}',
redirectUri: '${redirectUri}',
authParams: {
  issuer: '${issuer}',
  scopes: ['openid', 'profile'],
  responseType: ['id_token'],
  responseMode: 'fragment',
  pkce: true
},

I can get the user name now and everything is working fine. However, if there is anything you think I should remove or add to my login config for authorization code flow with pkce pls feel free to comment.

andrea · April 20, 2020, 3:22pm

It sounds like you figured out that you needed to include the ‘profile’ scope in order to receive the preferred username (and many other user profile related claims).

You should not need to change the responseType to id_token (thereby using Implicit flow instead), as Authorization Code flow with PKCE will return both the ID token and the Access token, and getUser() will still be able to get the username.

Hez · April 21, 2020, 5:26am

You are right. There is no need for the responseType option. Thank you!

chu123 · April 21, 2020, 6:51pm

Are the profile attributes included as part of the ‘profile’ scope predetermined or can custom profile attributes be included in this scope? Thanks.

andrea · April 22, 2020, 3:46pm

This doc outlines which claims are scope dependent and indicates which claims you can expect to be returned (if a value is present for the given user) for the profile scope:

name
preferred_username
nickname
given_name
middle_name
family_name
profile
zoneinfo
locale
updated_at

If there is another profile attribute you want returned with the ‘profile’ scope and you have the ability to use Custom Authorization Servers, you can add custom claims to a server and configure it to only be included with the ‘profile’ scope.

system · January 24, 2024, 7:45pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.