OpenID: Claimed Groups Are Missing

amacrobert · March 20, 2023, 7:38pm

I have an Okta App for openid authentication.

The application claims all groups, with groups Matches regex .*:

In the OpenID auth flow, after getting a an authorization code back from Okta, I exchange it for an access token. I am using scopes openid and groups, but the access token does not contain the user’s groups. When decoded, the access token looks like this:

The user I’m testing with does belong to groups in Okta. I have clicked “Refresh Application Data” per the documentation, to no avail.

warren · March 20, 2023, 11:18pm

When you use a flow that returns both an access token and an id token, minimal claims are returned in the token. You will need to use the /userinfo endpoint the retrieve the additional claims. You can find more details in the article below.

https://support.okta.com/help/s/article/Okta-Groups-or-Attribute-Missing-from-Id-Token

amacrobert · March 21, 2023, 2:59pm

That worked. Thank you!

system · March 22, 2023, 2:59pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Group claims missing when login from localhost OAuth/OIDC	10	5581	May 26, 2020
Claims in access token for OpenID Connect OAuth/OIDC	8	14292	December 18, 2019
No Groups Returned from /userinfo Questions	2	5591	November 29, 2021
Returning Groups in the OpenID connect userinfo API call OAuth/OIDC	14	25288	August 28, 2018
Return user groups in OIDC access token (Auth0) OAuth/OIDC	8	4107	January 17, 2023

OpenID: Claimed Groups Are Missing

Related topics