Returning Groups in the OpenID connect userinfo API call

narurkar · August 9, 2017, 6:26pm

I’m trying to get a list of groups a user belongs to using OpenID connect. I can successfully authenticate my own login using scope “groups openid email”. When I call the userinfo API I do get back email, email_verified but I don;t get the list of groups back. I have set the groups using “Groups claim groups Starts with Data” and I assume that would return to me “Database and Database Administrators” groups but that doesn’t happen. What more do I need to do to get the list of groups back? ( API endpoint : https://sgn-sandbox.oktapreview.com/oauth2/v1/userinfo )

Also appreciate if someone can respond to my earlier question of integrating Okta with django-openid-auth

Thanks

narurkar · August 9, 2017, 10:20pm

Never mind. I got it to work by setting Group Claims as Regex .*

voutasaurus · August 11, 2017, 12:57am

I set the Group Claims for my application as Regex * and I’m still not getting the groups from the userinfo api, instead I get:

{"sub":"00ubhxdmbt4s0QYA60h7","name":"First Last","locale":"en-US","email":"email@example.com","preferred_username":"email@example.com","given_name":"First","family_name":"Last","zoneinfo":"America/Los_Angeles","updated_at":1502410624,"email_verified":true}

I have also included groups as a scope.

Here is the regex thing: (maybe I did it wrong)

What am I doing wrong here?

You mentioned

I have set the groups using “Groups claim groups Starts with Data”

I don’t see that option in the interface currently. Maybe that’s the problem?

narurkar · August 11, 2017, 4:53pm

Try setting “Groups claim filter” as Regex .* (dot star). That is how I got it work. You of course need to attach some groups also. I attached dtex and Everyone group and it does return it properly as :

‘groups’: [‘dtex’, ‘Everyone’]

voutasaurus · August 11, 2017, 5:11pm

Thanks! I was setting it to * so it wasn’t working, .* did the trick!

jakehockey10 · September 7, 2017, 5:59pm

Where does this setting exist? I can’t find where to set this regex setting anywhere.

Thanks

mraible · September 7, 2017, 6:04pm

It exists on your Authorization Server, under the “Claims” tab.

jakehockey10 · September 7, 2017, 6:10pm

Hey mraible,

Ah. Okay. We haven’t set up an authorization server, but getting the groups to come back in the response stopped working for us today, so I’m looking for how to troubleshoot this. We used to get groups to come through, asking for it in the scope in our auth request. This probably isn’t the fix I’m looking for then.

ashleypoole · September 19, 2017, 2:03pm

I’ve too got the same question of how to return groups. Using OpenID Connect but I’m not getting the groups back when calling the user info endpoint. I’ve created a group and assigned my testing user to it, as well as it being a member of ‘Everyone’.

I can see the scope is being requested but aren’t receiving the groups data.

Scope and claim settings:

mraible · September 19, 2017, 2:38pm

Ashley, it looks like you have it in the access token rather than the ID token. I have it setup in the ID token and it works for me with Spring Security OAuth.

ashleypoole · September 19, 2017, 2:43pm

That was it. Thanks @mraible!

lpastor · August 17, 2018, 4:31pm

Hi
I have issue with this . I created claim as it is suggested above and in token preview I get it groups info

{
  "sub": "00ufwy7u3cV81lp2A0h7",
  "ver": 1,
  "iss": "https://dev-417079.oktapreview.com/oauth2/default",
  "aud": "0oafx619teiAXwHwV0h7",
  "iat": 1534515075,
  "exp": 1534518675,
  "jti": "ID.S1qATQ6yfMdUzax2r2VHdpXoQkllgjyJ05J3_ZrkRc4",
  "amr": [
    "pwd"
  ],
  "idp": "00ofwy5ethfKmbQhv0h7",
  "nonce": "nonce",
  "auth_time": 1000,
  "at_hash": "preview_at_hash",
  "groups": [
    "Everyone",
    "travelers"
  ]
}

but when I used application to retrive info In not gething groups 

response: {"sub":"00ufwy7u3cV81lp2A0h7","name":"World Traveler","locale":"en-US","preferred_username":"traveler1@gmail.com","given_name":"See","family_name":"World","zoneinfo":"America/Los_Angeles","updated_at":1534386515}

even in post man (i used https://dev-417079.oktapreview.com/oauth2/v1/token)  Im not getting groups info , anyone can help me ?

lpastor · August 27, 2018, 5:08pm

Any one ??? This is show blocker for me and it looking everybody else sussed

nate.barbettini · August 28, 2018, 5:14pm

Hi @lpastor - can you post as separate thread? It’s hard for people to notice replies to such an old conversation.

system · January 12, 2024, 11:03pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.