Unable to find the group information of the logged-in user - JWT token OKTA

I am new to Okta so apologies if my questions are not clear.

So what I want to do is basically parse the JWT token generated by Okta and extract the group information of the logged-in user associated with it.

I am under the impression that this information should be there in the OidcUser object. I do see user name / email id / token validity, etc. information inside this object. Unfortunately I can't see the group id which I need for further processing.

import java.util.Map;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    // Dumps every claim of the authenticated user's ID token as plain text
    // (debugging aid only; do not expose raw claims to end users in production).
    @RequestMapping("/")
    public String hello(@AuthenticationPrincipal OidcUser user) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Object> entry : user.getClaims().entrySet()) {
            sb.append(entry.getKey()).append(":").append(entry.getValue());
            sb.append("\n");
        }
        sb.append("|");
        sb.append(user.getClaims());
        return sb.toString();
    }
}

Here is my Okta plugin configuration inside Spring Boot:

   okta.oauth2.issuer=https://dev-XXXXXXXX.okta.com/oauth2/default
   okta.oauth2.client-id=XXXXXXXXXX
   okta.oauth2.client-secret=XXXXXXXXXXXX

I am wondering if my approach is proper and what more I need to do to extract the user's groups from the Okta JWT token.

Is the groups claim just not present in the JWT? I assume you have followed something like the following to add a groups claim to your authorization server: Add a Groups claim for a Custom Authorization Server | Okta Developer

Yeah, I did follow that. This is what my JWT claims look like:

at_hash=XXXXXX, sub=XXXXXX, zoneinfo=America/Los_Angeles, ver=1, email_verified=true, amr=[pwd], iss=https://dev-XXXXXX.okta.com/oauth2/default, preferred_username=XXXXX@gmail.com, locale=en-US, given_name=XXXXX, nonce=XXXXX, aud=XXXXXX, updated_at=2021-08-03T03:29:06Z, idp=XXXXXX, auth_time=2021-08-27T17:01:54Z, name=XXXXX, exp=2021-08-27T18:01:55Z, family_name=XXXXX, iat=2021-08-27T17:01:55Z, email=XXXX@gmail.com, jti=XXXXX

@tyty I can't see that information even in the payload. I just want to confirm whether I am looking in the right place? Will really appreciate your help on this.

You cannot use a regex with the "Starts with" filter (only sub-string matching is supported by the "Starts With" option); it will only work if you select "Matches Regex" for the filter instead.

Note that group filters will ONLY apply to Okta groups and will not pull groups coming in from other sources (AD, Google, etc.) into your claim.

@andrea @tyty I made the change you suggested. Yet I can't see group information in the ID token. Is there something more I should check? Please advise.

If you want the groups to show up in the ID Token, you need to configure the claim's "Include in token type" for ID Tokens to ALWAYS. Otherwise you will need to send your access token to the userinfo endpoint to see the user's groups.
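As an added illustration (not code from this thread or from Okta), the controller below reads the groups claim the way the answer above describes: first from the validated ID token, and, when the claim is only emitted in the access token / userinfo response, from the userinfo claims Spring fetched during login. It assumes Spring Security's oauth2-client with the Okta starter, the claim being named "groups" (the conventional name; adjust if yours differs), and the default login flow in which Spring has already verified the ID token's signature, issuer, audience and expiry before an OidcUser exists.

```java
import java.util.Collections;
import java.util.List;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GroupsController {

    // Name of the custom claim configured on the Okta authorization server.
    // "groups" is an assumption; change it if your claim was given another name.
    private static final String GROUPS_CLAIM = "groups";

    @GetMapping("/groups")
    public String groups(@AuthenticationPrincipal OidcUser user) {
        List<String> groups = resolveGroups(user);
        if (groups.isEmpty()) {
            // Neither token carried the claim: the Okta-side claim configuration
            // (group filter, "Include in token type") is the first thing to check.
            return "No groups found in the ID token or userinfo response.";
        }
        return "groups=" + groups;
    }

    /**
     * Returns the user's groups, preferring the ID token.
     *
     * Spring Security validated the ID token before building the OidcUser, so
     * its claims can be trusted. If the claim is absent there (for example
     * "Include in token type" is not ALWAYS for ID tokens), fall back to the
     * userinfo claims, which Spring obtained by sending the access token to the
     * userinfo endpoint during login. Never parse the raw JWT string yourself
     * for this; the framework already did the signature and expiry checks.
     */
    static List<String> resolveGroups(OidcUser user) {
        List<String> fromIdToken = user.getIdToken().getClaimAsStringList(GROUPS_CLAIM);
        if (fromIdToken != null && !fromIdToken.isEmpty()) {
            return fromIdToken;
        }
        // getUserInfo() is null when Spring did not call the userinfo endpoint.
        OidcUserInfo info = user.getUserInfo();
        if (info != null) {
            List<String> fromUserInfo = info.getClaimAsStringList(GROUPS_CLAIM);
            if (fromUserInfo != null) {
                return fromUserInfo;
            }
        }
        return Collections.emptyList();
    }
}
```

Whether the userinfo fallback is populated depends on the scopes requested at login and on whether the client has a user-info-uri configured, so when the ID-token setting is left at its default, check that the access token actually carries the scopes needed for the userinfo call before relying on this path.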

That works. Thanks, folks! :)
