Retain custom claim from incoming JWT in okta access token

I am passing an information as custom claim part of the JWT when calling token endpoint of okta. I would like this key value to be returned as part of the access token/JWT returned to me by okta.
I have looked at custom claim documentation but that only shows how to pass appUser or user specific predefined properties from user profile inside access/identity token.
For e.g I pass “foo” → “bar” in the JWT I pass to token call and I want it to be included in the access token that gets returned from okta.
If custom claim is not meant for this use case, how else can I achieve this?

Given your specific requirement, the token inline hook approach seems to be the most flexible solution. It allows you to intercept the token creation process and add custom claims based on runtime information.To implement this:

  1. Set up a token inline hook in your Okta organization.
  2. Create an external service (you could use Okta Workflows or a custom API endpoint).
  3. In your token request, include your custom data (e.g., “foo”: “bar”) in a way that can be accessed by your external service.
  4. Have your external service add this data as a custom claim in its response to Okta.
  5. Okta will then include this custom claim in the issued token.

This approach gives you the flexibility to include custom data in your tokens while leveraging Okta’s security and token management capabilities.

Example Flow:

  1. Send Token Request to /token
    |
    v
  2. Okta Initiates Token Creation
    |
    v
  3. Token Inline Hook Triggered
    |
    v
  4. Okta Sends Request to External Service or Okta Workflow
    |
    v
  5. External Service Processes Request and adds custom claim
    |
    v
  6. External Service Sends Response to Okta
    |
    v
  7. Okta Modifies and Returns Token(with custom claim) to Client

Hi, many thanks for the reply. I created the inline hook and it passed the custom claim. However I would like to trigger the inline hook only with a certain idp(I made separate idp where the custom claim is needed). Is there a way in default policy to use the inline hook if the idp is the idp I created?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.