I’m aware of that, but the problem is that “given_name” and “familiy_name” are standard openid id token claims. Okta does not seem to expose these claims in the profile scope when it should.
When I check the profile mappings for my app, they are configured correctly.
user.firstName is mapped to given_name and user.lastName is mapped to family_name.
They just never show up in the id token.
Of course, I can create completely different claims that are filled with the same data, but that will not be following openid standards and It would make the configuration more fragile.
I’m using this in Airflow (fab oidc). From what I can tell, if the claim is not present in the token, it will try to get the info from /userinfo endpoint.
But apart from the app, I also tried this in the Okta admin portal.
I got the token there for the same user and authorization server and it was missing the above claims.
Any resolution to this? I’m seeing the same problem when connecting to Okta using the MiniOrange OpenID Connect plug-in in WordPress. The expected standard claims aren’t included and any custom claims I add don’t appear in what’s presented back to the plug-in.
I am most definitely requesting the profile scope (along with openid and email). I also know the profile scope is being requested because the “name” field is part of the response. I’d just like to see given_name and family_name always included, but for some reason Okta has those not included in the token. Is there a way to turn those standard claims to the alwaysIncludeInToken value is set to true?
phi1ipp, yeah I see those fields are included in the token preview when using Implicit flow; however the MiniOrange OpenID Connect Word Press plug-in I’m using doesn’t work when I try to set it up with implicit grant.
The OIDC RFC says (see below). Is there a chance to get any details of your plugin communication with Okta, to troubleshoot further?
The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.
Thanks for the response. I have opened a support request with the plug-in vendor. Trying to determine what API calls they make to pull the information. Here’s a screen shot from the plug-in test confirmation where you can see the Name attribute come through but not given_name and family_name.