Returning Groups in the OpenID connect userinfo API call


#1

I’m trying to get a list of groups a user belongs to using OpenID connect. I can successfully authenticate my own login using scope “groups openid email”. When I call the userinfo API I do get back email, email_verified but I don’t get the list of groups back. I have set the groups using “Groups claim groups Starts with Data” and I assume that would return to me “Database and Database Administrators” groups but that doesn’t happen. What more do I need to do to get the list of groups back? ( API endpoint : https://sgn-sandbox.oktapreview.com/oauth2/v1/userinfo )

I’d also appreciate it if someone could respond to my earlier question of integrating Okta with django-openid-auth

Thanks


#2

Never mind. I got it to work by setting Group Claims as Regex .*


#3

I set the Group Claims for my application as Regex * and I’m still not getting the groups from the userinfo api, instead I get:

{"sub":"00ubhxdmbt4s0QYA60h7","name":"First Last","locale":"en-US","email":"email@example.com","preferred_username":"email@example.com","given_name":"First","family_name":"Last","zoneinfo":"America/Los_Angeles","updated_at":1502410624,"email_verified":true}

I have also included groups as a scope.

Here is the regex thing: (maybe I did it wrong)

What am I doing wrong here?

You mentioned

I have set the groups using “Groups claim groups Starts with Data”

I don’t see that option in the interface currently. Maybe that’s the problem?


#4

Try setting “Groups claim filter” as Regex .* (dot star). That is how I got it to work. You of course need to attach some groups also. I attached dtex and Everyone group and it does return it properly as:

'groups': ['dtex', 'Everyone']


#5

Thanks! I was setting it to * so it wasn’t working, .* did the trick!


#6

Where does this setting exist? I can’t find where to set this regex setting anywhere.

Thanks


#7

It exists on your Authorization Server, under the “Claims” tab.


#8

Hey mraible,

Ah. Okay. We haven’t set up an authorization server, but getting the groups to come back in the response stopped working for us today, so I’m looking for how to troubleshoot this. We used to get groups to come through, asking for it in the scope in our auth request. This probably isn’t the fix I’m looking for then.


#9

I too have the same question of how to return groups. Using OpenID Connect but I’m not getting the groups back when calling the user info endpoint. I’ve created a group and assigned my testing user to it, as well as it being a member of ‘Everyone’.

I can see the scope is being requested but I’m not receiving the groups data.

Scope and claim settings:


#10

Ashley, it looks like you have it in the access token rather than the ID token. I have it setup in the ID token and it works for me with Spring Security OAuth.


#11

That was it. Thanks @mraible!
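As an added illustration (not code from this thread or from Okta) of the two pitfalls the replies converged on: the bare `*` versus `.*` filter value from #4/#5, and a groups claim configured on the access token instead of the ID token from #10. The filter semantics, the unsigned demo token and the group names are constructed assumptions for an offline check.

```python
import base64
import json
import re

# Constructed sample data: the groups a test user is assigned to in the directory.
USER_GROUPS = ["Everyone", "dtex", "Database Administrators"]

def valid_regex(pattern):
    """'*' is not a valid regular expression ('nothing to repeat'); '.*' is."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def filter_groups(groups, kind, value):
    """Model a groups-claim filter: 'starts_with' keeps names with the given prefix,
    'regex' keeps names the pattern matches (full-match semantics assumed here)."""
    if kind == "starts_with":
        return [g for g in groups if g.startswith(value)]
    if kind == "regex":
        pattern = re.compile(value)  # raises re.error for the bare '*'
        return [g for g in groups if pattern.fullmatch(g)]
    raise ValueError(f"unknown filter kind: {kind}")

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def demo_token(claims):
    """Constructed, unsigned (alg 'none') JWT so the example runs offline."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."

def claims_of(token):
    """Decode a JWT payload WITHOUT signature verification: only for inspecting
    which claims a token carries, never for making an authorization decision."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def tokens_carrying_groups(id_token, access_token):
    """Report which token actually carries 'groups'; as post #10 found, a claim
    configured only on the access token does not come back with the ID token."""
    return {name: claims_of(tok)["groups"]
            for name, tok in (("id_token", id_token), ("access_token", access_token))
            if "groups" in claims_of(tok)}
```

When debugging a missing claim, decode both tokens your app received and compare against the claim configuration before touching scopes.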