We are trying to add information from a user’s profile (the firstName) to be included in the access tokens issued by a custom authorization server (not the “default” one okta creates on every developer account).
To do this, we use the developer console under API > Authorization > claims and click the “Add Claim” button.
We specify “firstname” as the claim name, select “access token” to include it in the access tokens, and use the expression “appuser.firstName” as the value. We leave everything else as is, so the claim is used for any scope and is not disabled.
However, when trying to validate the expression used in the token, it is not included in the “token preview”.
Why wouldn’t the claim be included in that case? We have double-checked that the user we are using for preview purposes has a firstName set in his profile. Is the “appuser” part in the claim only valid for the default auth-server and needs to be something different when using a custom auth server?
I agree with @Govner that you should try using a different expression for your claim. user.firstName will pull the value for the user’s first name from their Okta (UD) Profile, and will likely achieve the same desired result.
appuser.firstName will pull in the value (if present) from the user’s application profile for the application the user is getting authorized into (so the one selected from the client list in token preview). If there is not a value present for this attribute (or if it doesn’t exist), it definitely won’t show up in the token. You may want to double check that this is the correct name for that attribute in your application.
For example, in a sample OIDC application, the firstName (from the Okta User Profile) is automatically mapped to the “given_name” attribute for the application user profile. I can therefore use “appuser.given_name” to pull in the user’s first name into the claim (same result as using user.firstName, due to the existing mapping).
thanks @andrea & @Govner for the suggestion and additional clarification of what is happening. Using user.firstName (to pull the name from the UD Profile) worked and is what we intended to achieve in the first place.