OpenID: Claimed Groups Are Missing

amacrobert · March 20, 2023, 7:38pm

I have an Okta App for openid authentication.

The application claims all groups, with groups Matches regex .*:

In the OpenID auth flow, after getting a an authorization code back from Okta, I exchange it for an access token. I am using scopes openid and groups, but the access token does not contain the user’s groups. When decoded, the access token looks like this:

The user I’m testing with does belong to groups in Okta. I have clicked “Refresh Application Data” per the documentation, to no avail.

warren · March 20, 2023, 11:18pm

When you use a flow that returns both an access token and an id token, minimal claims are returned in the token. You will need to use the /userinfo endpoint the retrieve the additional claims. You can find more details in the article below.

https://support.okta.com/help/s/article/Okta-Groups-or-Attribute-Missing-from-Id-Token

amacrobert · March 21, 2023, 2:59pm

That worked. Thank you!

system · March 22, 2023, 2:59pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Returning Groups in the OpenID connect userinfo API call OAuth/OIDC	14	25997	August 28, 2018
Claims in access token for OpenID Connect OAuth/OIDC	8	14433	December 18, 2019
Adding Group To idToken Questions	5	3394	September 17, 2021
Returning Groups in the OpenID connect userinfo API call, AGAIN OAuth/OIDC	6	12866	January 17, 2024
No Groups Returned from /userinfo Questions	2	5781	November 29, 2021

OpenID: Claimed Groups Are Missing

Related topics