OpenId not returning Email

e14a39202dc4b4fea756 · September 30, 2021, 12:46pm

OpenId is not returning Email etc, I don’t understand why but no matter what I try (implicitly and explicitly) requesting the Email property is simply not returning anything. If i check the okta mapping it does properly fill.

            {
              options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
              options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(options =>
            {
              options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
              options.Authority = Configuration["OktaAuth:OktaDomain"] + "/oauth2/default";
              options.RequireHttpsMetadata = true;
              options.ClientId = Configuration["OktaAuth:OktaClientId"];
              options.ClientSecret = Configuration["OktaAuth:OktaClientSecret"];
              options.ResponseType = OpenIdConnectResponseType.Code;
              options.GetClaimsFromUserInfoEndpoint = true;
              options.Scope.Add("openid");
              options.Scope.Add("profile");
              options.SaveTokens = true;
              options.TokenValidationParameters = new TokenValidationParameters
              {
                NameClaimType = "name",
                RoleClaimType = "groups",
                ValidateIssuer = true
              };
            });

What have I tried?

options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("email");
options.ClaimActions.MapUniqueJsonKey("email", "email");

okra-okta · September 30, 2021, 5:14pm

I believe you will need to add the “email” scope. Is this checking for the “email” claim in the id token or the access token?

If that’s still not working then you may want to check the app user profile mappings to make sure the email is populating for that user.

Also, if you use the token preview tool in Okta, are you able to see the email after including the “email” scope?

e14a39202dc4b4fea756 · September 30, 2021, 5:26pm

From my understanding i’m trying to fetch the data from the ‘identity_token’ *(I’m not 100% sure on this since I don’t fully understand the difference) given its the returned auth cookie to my mvc application by okta, and is the data accesed from the HttpContext.User.Claims.

In regards to adding the email scope I cannot seem to find a definitive way to confirm if it’s added.

I am using the default auth service which in it’s scope has the following line:

Name	Display Name	Description	User Consent	Block Services	Default Scope	Metadata Publish	 
email	View your email address.	This allows the app to view your email address.	No	No	No	Yes

In my application no Okta API scopes are granted, nor is there any including the name “email” I’m considering maybe needing to grant okta.authorizationServers.read but if this were to be the correct Scope I’m not sure why it’s not enabled by the default as email should be default according to the openID spec.

E: When using the Token Preview with the following scopes : openid, email,profile the email property does show up.

Lijia · October 4, 2021, 7:29pm

@e14a39202dc4b4fea756 Were you able to get id token returned with API? The below link has an example to get id token returned.
https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/request-token-claim/

system · October 8, 2021, 9:08am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Email claim inside id_token Questions	4	5464	September 15, 2021
Id token isn't returned in case of app replication OAuth/OIDC	2	1604	February 15, 2024
Using okta hosted login widget Questions	6	3087	February 8, 2024
Errors in redirect with id_token for OpenID implicit flow Questions	5	5027	January 17, 2024
Cannot get openid-configuration Questions	3	5160	October 18, 2021

OpenId not returning Email

Related topics