OpenId not returning Email

OpenId is not returning Email etc. I don't understand why, but no matter what I try (implicitly and explicitly), requesting the Email property simply returns nothing. If I check the Okta mapping it is properly filled.

            // Fragment of Startup.ConfigureServices. The opening AddAuthentication(...) line
            // was cut off in the post and is reconstructed here; "services" is assumed.
            using Microsoft.AspNetCore.Authentication.Cookies;
            using Microsoft.AspNetCore.Authentication.OpenIdConnect;
            using Microsoft.IdentityModel.Protocols.OpenIdConnect;
            using Microsoft.IdentityModel.Tokens;

            services.AddAuthentication(options =>
            {
              options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
              options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(options =>
            {
              options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
              options.Authority = Configuration["OktaAuth:OktaDomain"] + "/oauth2/default";
              options.RequireHttpsMetadata = true;
              options.ClientId = Configuration["OktaAuth:OktaClientId"];
              options.ClientSecret = Configuration["OktaAuth:OktaClientSecret"];
              options.ResponseType = OpenIdConnectResponseType.Code;
              // Also call the userinfo endpoint and merge its claims into the principal.
              options.GetClaimsFromUserInfoEndpoint = true;
              // Only "openid" and "profile" are requested here; "email" is not in this list.
              options.Scope.Add("openid");
              options.Scope.Add("profile");
              options.SaveTokens = true;
              options.TokenValidationParameters = new TokenValidationParameters
              {
                NameClaimType = "name",
                RoleClaimType = "groups",
                ValidateIssuer = true
              };
            });

What have I tried?

options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("email");
options.ClaimActions.MapUniqueJsonKey("email", "email");

I believe you will need to add the “email” scope. Is this checking for the “email” claim in the id token or the access token?

If that’s still not working then you may want to check the app user profile mappings to make sure the email is populating for that user.

Also, if you use the token preview tool in Okta, are you able to see the email after including the “email” scope?

From my understanding, I'm trying to fetch the data from the 'identity_token' (I'm not 100% sure on this since I don't fully understand the difference), given it's the auth cookie returned to my MVC application by Okta, and the data is accessed from HttpContext.User.Claims.

In regards to adding the email scope I cannot seem to find a definitive way to confirm if it’s added.

I am using the default auth service, which in its scopes has the following entry:

Name:             email
Display Name:     View your email address.
Description:      This allows the app to view your email address.
User Consent:     No
Block Services:   No
Default Scope:    No
Metadata Publish: Yes

In my application no Okta API scopes are granted, nor is there any including the name "email". I'm considering maybe needing to grant okta.authorizationServers.read, but if this were the correct scope I'm not sure why it's not enabled by default, as email should be default according to the OpenID spec.

Edit: When using the Token Preview with the following scopes: openid, email, profile, the email property does show up.
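One way to answer the question raised above (is the claim expected from the ID token or from the userinfo response?) is to hook the OpenID Connect events and log what each source actually delivered. This is an added diagnostic example, not code from the thread or from Okta; it assumes an ILogger is available where AddOpenIdConnect is configured, and the class and method names are hypothetical.

```csharp
// Added example: log which claims arrive via the ID token and which via userinfo.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Logging;

public static class OktaOidcDiagnostics
{
    // Call as: .AddOpenIdConnect(options => OktaOidcDiagnostics.Configure(options, logger))
    public static void Configure(OpenIdConnectOptions options, ILogger logger)
    {
        // The "email" claim is only issued when the "email" scope is requested.
        options.Scope.Add("email");
        // Also fetch claims from the userinfo endpoint, not just the ID token.
        options.GetClaimsFromUserInfoEndpoint = true;
        // Copy the "email" JSON key of the userinfo response onto the principal.
        options.ClaimActions.MapUniqueJsonKey("email", "email");

        options.Events = new OpenIdConnectEvents
        {
            // Runs after the ID token is validated; context.Principal contains
            // only the claims carried inside the ID token itself.
            OnTokenValidated = context =>
            {
                LogClaims(logger, "id_token", context.Principal);
                return Task.CompletedTask;
            },
            // Runs after the userinfo endpoint responds; context.User is the raw
            // JSON document, so we list its top-level keys before mapping.
            OnUserInformationReceived = context =>
            {
                var keys = string.Join(", ",
                    context.User.RootElement.EnumerateObject().Select(p => p.Name));
                logger.LogInformation("userinfo keys: {Keys}", keys);
                return Task.CompletedTask;
            }
        };
    }

    private static void LogClaims(ILogger logger, string source, ClaimsPrincipal principal)
    {
        // The handler may map "email" to ClaimTypes.Email, so check both names.
        var email = principal?.FindFirst("email")?.Value
                    ?? principal?.FindFirst(ClaimTypes.Email)?.Value;
        logger.LogInformation("{Source}: {Count} claims, email={Email}",
            source, principal?.Claims.Count() ?? 0, email ?? "<missing>");
    }
}
```

If the log shows the email only under "userinfo keys" but not on the principal, the claim is being returned but not mapped; if it appears in neither, the scope or the Okta profile mapping is the place to look.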

@e14a39202dc4b4fea756 Were you able to get the id token returned with the API? The link below has an example of getting the id token returned.
https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/request-token-claim/
