OktaAuthService getUser does not include user name

With implicit flow, I can get the user name using the following:

const userClaims = await this.oktaAuthService.getUser();
this.userName = userClaims.name;

Now I’ve replaced implicit flow with Authorization code flow with pkce and the getUser function only returns the following:

{sub: "${sub}", email: "${email}", email_verified: true, roles: Array(1), groups: Array(1)}

How do I get the user name?

I understand how it works now from this reference document. I added id_token to responseType and profile to scopes in my login config like so:

signIn = new OktaSignIn({
  baseUrl: '${baseUrl}',
  clientId: '${clientId}',
  redirectUri: '${redirectUri}',
  authParams: {
    issuer: '${issuer}',
    scopes: ['openid', 'profile'],
    responseType: ['id_token'],
    responseMode: 'fragment',
    pkce: true
  },
});

I can get the user name now and everything is working fine. However, if there is anything you think I should remove or add to my login config for authorization code flow with pkce, please feel free to comment.

It sounds like you figured out that you needed to include the ‘profile’ scope in order to receive the preferred username (and many other user profile related claims).

You should not need to change the responseType to id_token (thereby using Implicit flow instead), as Authorization Code flow with PKCE will return both the ID token and the Access token, and getUser() will still be able to get the username.

You are right. There is no need for the responseType option. Thank you!

Are the profile attributes included as part of the ‘profile’ scope predetermined or can custom profile attributes be included in this scope? Thanks.

This doc outlines which claims are scope dependent and indicates which claims you can expect to be returned (if a value is present for the given user) for the profile scope:

  • name
  • preferred_username
  • nickname
  • given_name
  • middle_name
  • family_name
  • profile
  • zoneinfo
  • locale
  • updated_at

If there is another profile attribute you want returned with the ‘profile’ scope and you have the ability to use Custom Authorization Servers, you can add custom claims to a server and configure it to only be included with the ‘profile’ scope.

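As an added example (not code from this thread or from the Okta SDK), the following Node.js sketch shows how to work out why a claim such as name is missing from the decoded claims: the scope was not requested, the user has no value, or a custom claim is needed. The function names, the sample token and the granted-scope lists are assumptions constructed for illustration; the profile claim list is the one quoted above.

```javascript
// Scope-to-claim map. 'profile' uses the list quoted in this thread;
// 'openid' and 'email' follow the standard OIDC scope definitions.
const SCOPE_CLAIMS = {
  openid: ['sub'],
  profile: ['name', 'preferred_username', 'nickname', 'given_name', 'middle_name',
            'family_name', 'profile', 'zoneinfo', 'locale', 'updated_at'],
  email: ['email', 'email_verified'],
};

// Decode a compact JWT payload for inspection only. No signature check is
// performed, so the result must never drive an authorization decision.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Explain the state of one wanted claim given the scopes that were granted.
function explainClaim(claims, grantedScopes, wanted) {
  if (Object.prototype.hasOwnProperty.call(claims, wanted)) return 'present';
  const scope = Object.keys(SCOPE_CLAIMS)
    .find((s) => SCOPE_CLAIMS[s].includes(wanted));
  if (!scope) return 'custom-claim-needed';        // not tied to a listed scope
  return grantedScopes.includes(scope)
    ? 'no-value-for-user'                          // scope granted, attribute empty
    : `request-scope:${scope}`;                    // scope was never requested
}

// Build a constructed, unsigned sample token (hypothetical helper for the demo).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

// Constructed sample shaped like the output in the question: no 'name' claim.
const sample = decodeJwtPayload(makeSampleToken({
  sub: 'constructed-sub', email: 'user@example.com', email_verified: true,
  roles: ['constructed-role'], groups: ['constructed-group'],
}));
console.log(explainClaim(sample, ['openid', 'email'], 'name'));
console.log(explainClaim(sample, ['openid', 'profile', 'email'], 'nickname'));
console.log(explainClaim(sample, ['openid', 'profile'], 'department'));
```
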