I’ve set up an integration between Auth0 and Okta. For some reason, I’m not receiving the user’s groups, even though I’ve set the proper claim. Even when I try GET /oauth2/v1/userinfo I only get personal data without the groups.
Can you make sure you pass the groups scope in the request?
If the user is part of AD groups and if you are looking to get AD groups in the groups claim, you might want to use an expression with Group functions such as Groups.contains, Groups.startsWith or Groups.endsWith. Group functions reference doc.
I’m not really sure that groups is being passed in the scope. I configured an Okta Workforce in Auth0, and it doesn’t seem like I can modify the scopes. When I try passing a customized authorization endpoint (with scopes as a query param) the whole authentication breaks.
Can you assist me with the Group functions? Not sure what function I’m supposed to use in order to return the user’s group. (Also, the link you attached sends me to a different page.)
That expression should, at the very least, return the “Everyone” group, but you may run afoul of groups claim limitations (see this article). If you could be encountering the limit mentioned there, you should test with an even simpler groups claim that will match against the smallest number of groups possible (for example, ONLY try to match the “Everyone” group to ensure the claim is working).
You can check if the groups scope is even being requested in the /authorize request by reviewing your System Logs on the Okta side and checking the full request URI listed for an authorize request to the app in question.
I had the same problem. My solution was to not use the Okta Workforce connection but use a plain OIDC connection. The setup is almost as easy (you can re-use the same application you already made in Okta) and it allows you to configure scopes. I don’t know why they didn’t include this functionality in Okta Workforce.
Once I did that, I had ‘groups’ show up in the user raw JSON.
For those who fail to get the user’s groups with the Okta Workforce integration, as @emagav mentioned, just configure a manual OIDC instead - this way you can pass your own scopes.
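To make the two checks discussed in this thread concrete (whether the groups scope actually appears in the /authorize request URI recorded in the Okta System Log, and whether the groups claim actually landed in the ID token), here is an added Python example; it is not code from any poster, Okta or Auth0, and the request URI, client id and token contents are constructed samples.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample of the request URI an Okta System Log shows for an
# /authorize call; note that this scope list does NOT include "groups".
SAMPLE_AUTHORIZE_URI = (
    "https://example.okta.com/oauth2/v1/authorize?client_id=0oaEXAMPLE"
    "&response_type=code&scope=openid+profile+email&state=xyz"
    "&redirect_uri=https%3A%2F%2Fexample.auth0.com%2Flogin%2Fcallback"
)


def requested_scopes(authorize_uri: str) -> set:
    """Return the set of scopes named in an /authorize request URI.

    OAuth 2.0 sends scope as one space-delimited parameter, so '+' or
    '%20' in the logged URI separates the individual scopes."""
    query = parse_qs(urlparse(authorize_uri).query)
    return set(query.get("scope", [""])[0].split())


def groups_scope_requested(authorize_uri: str) -> bool:
    return "groups" in requested_scopes(authorize_uri)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Build a CONSTRUCTED three-part JWT shaped like an Okta ID token.
    The signature segment is a placeholder, present only so the decoder
    below sees a realistic header.payload.signature layout."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-sig"


def token_claims(id_token: str) -> dict:
    """Decode a JWT payload without checking its signature.
    Diagnostic only: it shows which claims the IdP put in the token; any
    authorization decision must verify the signature first."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def groups_claim(id_token: str):
    """Return the groups claim, or None when the IdP omitted it."""
    return token_claims(id_token).get("groups")
```

Paste a real authorize request URI from the System Log into `groups_scope_requested`; if it returns False, the connection never asked for groups, which is exactly the case the Okta Workforce connection produces when scopes cannot be edited.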