Roles/Authorities

Hi All, I am using a Spring Boot application with Okta as SSO. I created the Bearer token using a Postman POST request by providing the following details: clientid, clientsecret, grant_type, code, scope, redirect_uri.
After that I used this token (this login user has 3 roles, i.e. superadmin, orgadmin, applicationadmin) for my REST APIs in the request, and then I got the Authentication object. When I tried to get the details of these authorities, I am always getting SCOPE_openid. Why is this happening? Is there any way to retrieve all the authorities of the login user, or do I need to use a different API to retrieve all the authorities info about the logged-in user? Could anyone help with it?

@kesava is ‘roles’ a profile scope? If so, please add profile to your list of scopes in your /authorize request.

Hi @sigama, after adding it I could see the below response from the userinfo API:
{
  "sub": "",
  "name": "",
  "locale": "",
  "preferred_username": "",
  "given_name": "",
  "family_name": "",
  "zoneinfo": "",
  "updated_at": ,
  "user_email": ""
}
but the roles/authorities are missing. How could I get those roles?

@kesava can you confirm you have the role attribute also mapped to your OIDC app like this:


Hi @SigmaSquared, I can see the role is not a custom attribute. By default Okta provides different roles.
Yes, but anyway I tried adding the mappings of userType, but I am getting null in it.
Please find the below response:
URL: https://dev.okta.com/oauth2/default/v1/userinfo

{
  "sub": "00udok9abfP345XRT231",
  "name": "",
  "locale": "",
  "preferred_username": "xxxx@gmail.com",
  "given_name": "xxx",
  "family_name": "x",
  "zoneinfo": "America/Los_Angeles",
  "updated_at": 1701871665,
  "user_profile": {
    "profileUrl": null,
    "lastName": "k",
    "zipCode": null,
    "preferredLanguage": null,
    "city": null,
    "displayName": null,
    "timezone": null,
    "login": "xxx@gmail.com",
    "title": null,
    "locale": null,
    "extensibleProperties": {
      "profileUrl": null,
      "preferredLanguage": null,
      "manager": null,
      "displayName": null,
      "timezone": null,
      "nickName": null,
      "costCenter": null,
      "honorificPrefix": null,
      "managerId": null,
      "title": null,
      "locale": null,
      "employeeNumber": null,
      "division": null,
      "honorificSuffix": null,
      "organization": null,
      "middleName": null,
      "userType": null,
      "department": null
    },
    "employeeNumber": null,
    "division": null,
    "honorificSuffix": null,
    "countryCode": null,
    "state": null,
    "department": null,
    "email": "xxxx@gmail.com",
    "manager": null,
    "nickName": null,
    "costCenter": null,
    "secondEmail": null,
    "honorificPrefix": null,
    "fullName": "xxxx",
    "managerId": null,
    "firstName": "xxx",
    "primaryPhone": null,
    "postalAddress": null,
    "mobilePhone": null,
    "streetAddress": null,
    "organization": null,
    "middleName": null,
    "userType": null
  }
}

Hi @sigama, I couldn't see any option with Role under the left-side options in the above-mentioned screen. I don't have a source attribute in the options mentioned.

And also I am trying to get the roles with the below URL, and it is throwing a 400 Bad Request error:
URL: https://dev-user.okta.com/oauth2/default/v1/users/{userid}/roles
Could you check this?

@kesava do you have your roles attribute added to your User Profile? This is under your admin dashboard > Directory > Profile Editor > User (default) Profile. Please confirm roles is listed as one of your User Profile attributes so that you can map it to your OIDC App accordingly.

Hi @sigama, I don't have a Roles attribute inside it. Could you share any document/steps to add a role to the user and how to map the roles? It would be helpful.

Sure @kesava. Before you start though, I have a question that came to mind. Where are you generating these profile attributes i.e. do you have AD synced to Okta?

Hi @sigama, I haven't set up the AD sync to Okta.

Anyway, I tried adding the attributes like below, but the attribute and value are not coming through for roles:

Basically my question is: how can I include the below user roles (they were assigned to one user) in the access token?

And also I would like to include the below group roles in my access token:

How can I achieve this?

@kesava I'm thinking you can programmatically get the admin role you want using the API - GET {{url}}/api/v1/users/{{userId}}/roles (see Okta Help Center (Lightning)) and then you can update the user profile to populate that custom attribute (role) - Users | Okta Developer.

You would do the same for the group attribute and then set the group scope like this: Okta Help Center (Lightning).
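Once the roles are present as a claim in the Okta access token, the resource server still has to map that claim into Spring Security authorities, otherwise the Authentication object keeps showing only SCOPE_openid as in the first post. The following is an added example (not code from this thread, from Okta, or from the poster's project) of a Spring Security 6 configuration that keeps the default SCOPE_* authorities and adds ROLE_* authorities from the token; the claim names "groups" and "roles" and the "/admin/**" path are assumptions that must match your own Okta authorization-server claims and routes.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    // Assumed claim names: they must match the claims you added to the
    // access token in the Okta authorization server (e.g. a "groups" claim
    // filtered on your groups, or a custom "roles" claim from the profile).
    private static final List<String> ROLE_CLAIMS = List.of("groups", "roles");

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // hasRole("superadmin") checks for the authority ROLE_superadmin
                .requestMatchers("/admin/**").hasRole("superadmin")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(this::extractAuthorities);
        return converter;
    }

    // Keeps Spring's default SCOPE_* authorities (so SCOPE_openid still appears)
    // and adds one ROLE_* authority per value found in the role claims.
    // The JWT signature and issuer have already been validated by the resource
    // server before this converter runs, so the claim values can be trusted.
    Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
        List<GrantedAuthority> authorities =
                new ArrayList<>(new JwtGrantedAuthoritiesConverter().convert(jwt));
        for (String claim : ROLE_CLAIMS) {
            List<String> values = jwt.getClaimAsStringList(claim); // null if absent
            if (values == null) continue;
            for (String value : values) authorities.add(new SimpleGrantedAuthority("ROLE_" + value));
        }
        return authorities;
    }
}
```

With this in place, calling `authentication.getAuthorities()` in a controller returns both the SCOPE_* entries and a ROLE_ entry for each group or role the token carries.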