Unable to add 'idp' claim to access token for user

I see the idp claim for a user is included on their id_token by default. However I am unable to figure out how to add the same idp claim to a user access_token. I have tried several custom claims (idp, idp.id, user.idp.id, idpuser.idp.id, etc.) but none of them work. Does anyone know what expression I can use to match a user’s IDP id?

Hello,

  • You could use a inline token hook where your service gets the idp value from the id_token sent and then adds it to the access_token as well.
  • In your IdP settings in Okta you could create a specific group for each IdP you have and assign users that authenticate with that IdP to that group. You could then create a custom claim in your authorization server where you check for group membership and if a member add the corresponding IdP id.
1 Like

Thanks @erik, I think I will go with one of these solutions. I was hoping there was something straightforward built into Okta, but I think this is probably an okay workaround. We are going to be looking at inline hooks anyways, so I will experiment with adding a command in there to grab the idp value from the id_token and add it to the access_token