Token Preview does not seem to work when I have a Groups claim filter enabled on an application

Hi All

I think this is just down to a misunderstanding on my part but I am going around in circles so I thought I’d see if anyone can help.

I have an application in our preview tenant which is set up with a Groups claim filter like this:

When I try to Preview the Token in the default Authorization Server, Token Preview tab I don’t see any groups returned. I have added a groups scope to the default Authorization Server but that doesn’t seem to help. I’ve also tried using Nate’s OIDC debugger and that gives me the same results, no groups are returned in either the id or access token.

The only way I can get this to work is by adding a groups Claim on the default Authorization Server, but honestly that seems like overkill when I maybe only have one or two apps in our Enterprise that need the groups in a token.

Am I missing something here?

Thanks
Adrian

@adrian.schofield The token preview tool only works for custom authorization servers. You should be adding the claim on the Claims tab instead as shown here:

In the screenshot where you have set up your groups claim, you will notice that the issuer value is just your Okta org URL. This means the groups claim is tied to your Okta org as the authorization server. If you look at the issuer for the “default” custom authorization server, you will see that it is your org URL with /oauth2/default added to it. You can read about the differences between the two types of authorization servers here: https://support.okta.com/help/s/article/Difference-Between-Okta-as-An-Authorization-Server-vs-Custom-Authorization-Server?language=en_US

Thanks Warren

OK, so I added a groups Claim on the default Authorization Server and now I can see the groups in the Token. However, the Groups Claim Filter still doesn’t seem to work.

On the Authorization Server I set the groups claim to Match Regex with .*
On the Application Groups Claim filter I set the groups claim to a Filter - Starts With A

Now I can see that the Token contains the groups, but they are not filtered; I just see all the groups that I am a member of. It’s as if the Groups Claim filter isn’t working.

Adrian

Since you are using the “default” custom authorization server, you should ignore the “groups claim” filter in the application settings. As mentioned previously, that setting only affects tokens minted by the Okta org authorization server. You can add multiple claims in the authorization server settings.


If you are concerned about this claim being visible to everybody, you can create an additional scope and add this claim to it, so that other clients would receive a standard JWT, while your application may request this additional scope.

OK Great thanks everyone

In summary, then, the Groups Claim Filter only adjusts the content of tokens minted by the Okta org authorization server. This is NOT the same as the default Authorization Server, and so if you have custom Authorization Servers enabled in your tenant, the only way to tune the token contents is in the Claims tab of the relevant Authorization Server.

Adrian
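The two points the thread settles, that the issuer tells you which authorization server minted a token (bare org URL versus org URL plus /oauth2/default), and that the application-level Groups Claim Filter only shapes tokens from the org authorization server, can be checked offline against a token pasted out of the Token Preview tab. The script below is an added example written for this thread, not Okta's code or anything from the posts above. The org URL, the sample groups and the unsigned token are all constructed placeholders; `ORG_URL`, `which_authorization_server`, `apply_groups_filter` and `expected_groups` are names chosen here, and the exact matching rule Okta applies for its "Matches regex" filter (full match versus partial match) is an assumption, noted in the code.

```python
import base64
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the tenant's org URL (not a real Okta org).
ORG_URL = "https://example.okta.com"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed, unsigned JWT for offline inspection only.

    Real Okta tokens are RS256-signed; this stand-in exists so the example
    runs without a tenant. It must never be accepted by an application.
    """
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        "",
    ])


def read_claims(token: str) -> Dict:
    """Return the payload claims. This decodes only; it does NOT verify the
    signature, so use it for debugging a token you already trust, never for
    authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))


def which_authorization_server(iss: str, org_url: str) -> str:
    """Classify the issuer the way the thread describes:
    the bare org URL is the Okta org authorization server, and
    <org URL>/oauth2/<id> (e.g. /oauth2/default) is a custom one."""
    if iss == org_url:
        return "org"
    if iss.startswith(org_url + "/oauth2/"):
        return "custom"
    return "unknown"


def apply_groups_filter(groups: List[str], kind: str, value: str) -> List[str]:
    """Apply an Okta-style groups filter. The four kinds mirror the filter
    drop-down (Starts with, Equals, Contains, Matches regex). Using a full
    match for the regex kind is an assumption made in this example."""
    if kind == "STARTS_WITH":
        return [g for g in groups if g.startswith(value)]
    if kind == "EQUALS":
        return [g for g in groups if g == value]
    if kind == "CONTAINS":
        return [g for g in groups if value in g]
    if kind == "REGEX":
        pattern = re.compile(value)
        return [g for g in groups if pattern.fullmatch(g)]
    raise ValueError(f"unsupported filter kind: {kind}")


def expected_groups(token: str, org_url: str,
                    app_filter: Optional[Tuple[str, str]]) -> List[str]:
    """Model the thread's conclusion: the application's Groups Claim Filter
    is applied only to tokens minted by the org authorization server. For a
    custom authorization server the groups claim is whatever that server's
    own Claims tab produced, and the app-level filter has no effect."""
    claims = read_claims(token)
    groups = list(claims.get("groups", []))
    server = which_authorization_server(claims.get("iss", ""), org_url)
    if server == "org" and app_filter is not None:
        return apply_groups_filter(groups, *app_filter)
    return groups


if __name__ == "__main__":
    # Constructed sample groups; the user is a member of all four.
    sample_groups = ["Admins", "Auditors", "Engineering", "A-Team"]
    app_filter = ("STARTS_WITH", "A")  # the filter set in the application
    for iss in (ORG_URL, ORG_URL + "/oauth2/default"):
        tok = make_unsigned_token({"iss": iss, "groups": sample_groups})
        print(iss, "->", which_authorization_server(iss, ORG_URL),
              expected_groups(tok, ORG_URL, app_filter))
```

Running it shows the behaviour Adrian saw: the token whose issuer is the bare org URL comes back with only the groups starting with "A", while the one issued by /oauth2/default carries every group, because that server's own claim (regex `.*`) decided the content and the application filter was never consulted.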

