OpenID: Claimed Groups Are Missing

I have an Okta App for openid authentication.

The application claims all groups, with groups Matches regex .*:

In the OpenID auth flow, after getting an authorization code back from Okta, I exchange it for an access token. I am using scopes openid and groups, but the access token does not contain the user’s groups. When decoded, the access token looks like this:

The user I’m testing with does belong to groups in Okta. I have clicked “Refresh Application Data” per the documentation, to no avail.

When you use a flow that returns both an access token and an id token, minimal claims are returned in the token. You will need to use the /userinfo endpoint to retrieve the additional claims. You can find more details in the article below.

https://support.okta.com/help/s/article/Okta-Groups-or-Attribute-Missing-from-Id-Token

3 Likes
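
The /userinfo lookup described in the reply above, as an added example that is not part of the original thread and not Okta's own code. It assumes the claim is named `groups`, finds the endpoint through the standard OIDC discovery document, and checks that the UserInfo `sub` matches the ID token `sub` before trusting the groups; the issuer URL, tokens and responses are constructed sample data.

```python
import base64
import json
import urllib.request

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def http_get_json(url, bearer=None):
    """GET a JSON document, optionally sending the access token as a Bearer credential."""
    headers = {"Accept": "application/json"}
    if bearer:
        headers["Authorization"] = "Bearer " + bearer
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=10) as resp:
        return json.load(resp)

def groups_from_userinfo(issuer, access_token, id_token, get_json=http_get_json, claim="groups"):
    """Return the groups claim from /userinfo (claim name "groups" is an assumption)."""
    issuer = issuer.rstrip("/")
    meta = get_json(issuer + "/.well-known/openid-configuration")
    if meta.get("issuer", "").rstrip("/") != issuer:
        raise ValueError("discovery document is for a different issuer")
    info = get_json(meta["userinfo_endpoint"], access_token)
    # OIDC Core 5.3.2: the UserInfo sub must exactly match the ID token sub.
    if info.get("sub") != jwt_claims(id_token).get("sub"):
        raise ValueError("userinfo sub does not match ID token sub")
    groups = info.get(claim, [])
    return [groups] if isinstance(groups, str) else list(groups)

# --- constructed sample data below (not real Okta output) ---
ISSUER = "https://example.invalid/oauth2/default"

def unsigned_jwt(claims):
    """Build a token-shaped string with a placeholder signature, for the demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256"}) + "." + enc(claims) + ".constructed-signature"

def fake_get_json(url, bearer=None):
    """Offline stand-in for the identity provider's two endpoints."""
    if url.endswith("/.well-known/openid-configuration"):
        return {"issuer": ISSUER, "userinfo_endpoint": ISSUER + "/v1/userinfo"}
    if bearer != "constructed-access-token":
        raise PermissionError("401 Unauthorized")
    return {"sub": "00u-constructed", "groups": ["Everyone", "Admins"]}

if __name__ == "__main__":
    id_token = unsigned_jwt({"sub": "00u-constructed", "iss": ISSUER})
    print("ID token claims:", jwt_claims(id_token))  # minimal claims, no groups
    print("groups via /userinfo:",
          groups_from_userinfo(ISSUER, "constructed-access-token", id_token, fake_get_json))
```

Against a real tenant, drop the `fake_get_json` argument so the default `http_get_json` is used, and validate the ID token's signature with a JWT library before relying on its `sub`.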

That worked. Thank you!
