Token claim expression and authentication attributes

Hello all,

I’m trying to get some authentication attributes as custom claims of access token, like the IP address from user device (the consumption device), the risk score and ThreatSuspected (from ThreatInsight).
But it seems that Okta does not expose those attributes to expressions. I’ve tried some identifiers like “session”, “auth”, “authentication” under custom claim expression, but all of them resolves to null.
Is there any attribute assigned to “user” object with the context of the authentication?

The use case is to enrich the access token with contextual data from authentication and evaluate the contextual data and api request context on the API gateway in order to authorize the api call.


I wonder, do you see this information if you set up a Token Inline Hook (heads up, only custom authorization servers can use these)? I know session information should be available in the payload sent to the hook endpoint, and your endpoint could then add them into the tokens as a claim.

1 Like

Thanks Andrea,

yeah that is one option, but the payload does not exposes the ThreatInsight variables. Is there any config that I’m missing?

Hmm… do you see this information if you look in system log for the request (you can find the id in generated the token? You could look into having your Token Hook endpoint hit our /logs endpoint, eq "{{requestId}}, to gather the information for the request.