Trying to set the "Groups claim filter" on an OIDC app, via the API

I have a Python app that calls the Okta API to create users and groups, and I also need to create an application integration.

I am able to successfully create via the API an OpenID Connect app with the code at the bottom of this post and it works fine. However, I need to be able to set or update the “Groups claim filter” on the app. I can do this via the dashboard (see image below).

Looking at the Terraform provider, it also looks like you can pass this information in for creating an app resource.

https://registry.terraform.io/providers/okta/okta/latest/docs/resources/app_oauth#groups_claim

But I cannot figure out how to do this via the Okta API. I’ve read this: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

It seems I might need to send in a profile object during the app creation: https://developer.okta.com/docs/reference/api/apps/#create-an-app-with-a-profile-object

I’ve tried making the change via the UX and then calling /api/v1/apps/{{appId}}, but the resulting data doesn’t show the groups claim. So where is this stored?

Anyone have any ideas? If Terraform is doing it, there must be a way.

```python
import asyncio
from okta.client import Client as OktaClient

# Okta SDK client configuration; replace the placeholders with your org URL
# and an API token that is allowed to manage applications.
okta_config = {"orgUrl": "https://{yourOktaDomain}", "token": "{apiToken}"}
okta_client = OktaClient(okta_config)


async def create_oidc_app(label):
    # Request body for an OpenID Connect web app using the authorization
    # code flow; the groups claim filter is not part of this body.
    body = {
        "name": "oidc_client",
        "label": label,
        "signOnMode": "OPENID_CONNECT",
        "credentials": {
            "oauthClient": {
                "token_endpoint_auth_method": "client_secret_basic"
            }
        },
        "settings": {
            "oauthClient": {
                "redirect_uris": [
                    "https://notreal.cloudflareaccess.com/cdn-cgi/access/callback"
                ],
                "response_types": [
                    "code"
                ],
                "grant_types": [
                    "authorization_code"
                ],
                "application_type": "web",
                "consent_method": "REQUIRED",
                "issuer_mode": "DYNAMIC",
                "idp_initiated_login": {
                    "mode": "DISABLED"
                }
            }
        }
    }

    # create_application is a coroutine and returns (app, response, error)
    app, resp, err = await okta_client.create_application(body)
    return app, resp, err


if __name__ == "__main__":
    asyncio.run(create_oidc_app("my-oidc-app"))
```
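Added example, not from the original post or the Okta SDK: a pre-flight check over a request body of the shape shown above, flagging settings a reviewer would want to catch before create_application is called (non-https or wildcard redirect URIs, implicit/token flows, missing consent, a confidential client with no client authentication). The allowed grant and response type sets are assumptions chosen for illustration.

```python
from urllib.parse import urlparse

# Settings this check accepts (assumed policy); anything else is a finding.
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token"}
ALLOWED_RESPONSE_TYPES = {"code"}


def check_oidc_app_body(body):
    """Return a list of policy findings for an Okta OIDC app body; [] means it passes."""
    findings = []
    oauth = body.get("settings", {}).get("oauthClient", {})
    creds = body.get("credentials", {}).get("oauthClient", {})

    if body.get("signOnMode") != "OPENID_CONNECT":
        findings.append("signOnMode is not OPENID_CONNECT")
    for uri in oauth.get("redirect_uris", []):
        if urlparse(uri).scheme != "https":
            findings.append(f"redirect_uri is not https: {uri}")
        if "*" in uri:
            findings.append(f"redirect_uri contains a wildcard: {uri}")
    bad_grants = set(oauth.get("grant_types", [])) - ALLOWED_GRANT_TYPES
    if bad_grants:
        findings.append(f"disallowed grant_types: {sorted(bad_grants)}")
    bad_responses = set(oauth.get("response_types", [])) - ALLOWED_RESPONSE_TYPES
    if bad_responses:
        findings.append(f"disallowed response_types: {sorted(bad_responses)}")
    if oauth.get("consent_method") != "REQUIRED":
        findings.append("consent_method is not REQUIRED")
    # A web (confidential) client must authenticate to the token endpoint.
    if creds.get("token_endpoint_auth_method") == "none" and oauth.get("application_type") != "browser":
        findings.append("confidential client with token_endpoint_auth_method none")
    return findings


# Constructed sample mirroring the request body in the post above.
SAMPLE_BODY = {
    "name": "oidc_client",
    "label": "example-app",
    "signOnMode": "OPENID_CONNECT",
    "credentials": {"oauthClient": {"token_endpoint_auth_method": "client_secret_basic"}},
    "settings": {"oauthClient": {
        "redirect_uris": ["https://notreal.cloudflareaccess.com/cdn-cgi/access/callback"],
        "response_types": ["code"],
        "grant_types": ["authorization_code"],
        "application_type": "web",
        "consent_method": "REQUIRED",
        "issuer_mode": "DYNAMIC",
        "idp_initiated_login": {"mode": "DISABLED"},
    }},
}
```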

Unfortunately there isn’t a public API endpoint to update the groups claim setting within the application. I could definitely see the benefit of having this setting included in the /apps API.

I would recommend creating a feature request on Okta Ideas for this. I’ll include documentation on using Okta Ideas below.

Okta Ideas Overview


Thanks Poul. I will review the docs on how to create a feature request.

It seems odd; looking at the Terraform provider, it seems to imply that this data can be set as part of an OIDC app.

https://registry.terraform.io/providers/okta/okta/4.4.0/docs/resources/app_oauth#groups_claim

Or does this also not work with Terraform?

You’re very welcome. This limitation would just apply to the public Okta API endpoint; the Terraform resource should work to update the groups claim filter within the application settings.

Thanks Poul. But surely the Terraform resource uses the public APIs? If so, can you tell me how it is updating the groups claim filter within the application settings? If Terraform can do it, then there must be a way for me to also do this via the Python SDK.
