Unable to find the group information of the logged in user -JWT token OKTA

I am new to Okta so apologies if my questions are not clear.

So what I want to do is basically parse the JWT token generated by okta and extract the group information of the logged in user associated with it.

I am under the impression that this information should be there in the OidcUser object. I do see user name/email id / token validity etc information inside this object. Unfortunately I can’t see group id which I need for further processing.

    public String hello(@AuthenticationPrincipal OidcUser user){
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Object> entry : user.getClaims().entrySet()) {
            sb.append(entry.getKey() + ":" + entry.getValue().toString());
        return sb.toString();

Here is my okta plugin inside spring boot


I am wondering if my approach is proper and what more I need to do to extract User group from Okta JWT token.

Is the group claim just not present in the JWT? I assume you have followed something like the following to add a groups claim to your authorization server? - Add a Groups claim for a Custom Authorization Server | Okta Developer

Yeah. I did follow that. This is how my JWT claim token looks like

at_hash=XXXXXX, sub=XXXXXX zoneinfo=America/Los_Angeles, ver=1, email_verified=true, amr=[pwd], iss=https://dev-XXXXXXokta.com/oauth2/default, preferred_username=XXXXX@gmail.com, locale=en-US, given_name=XXXXXnonce=XXXXX, aud=XXXXXX,updated_at=2021-08-03T03:29:06Z, idp=XXXXXX, auth_time=2021-08-27T17:01:54Z, name=XXXXX, exp=2021-08-27T18:01:55Z, family_name=XXXXX, iat=2021-08-27T17:01:55Z, email=XXXX@gmail.com, jti=XXXXX

@tyty I can’t see that information even in payload. I just want to confirm if I am looking at the right place? Will really appreciate your help on this

You cannot use regex with the “Starts with” filter (only sub-string matching is supported by the “Starts With” option), it will only work if you select “Matches Regex” for the filter instead.

Note that group filters will ONLY apply to Okta groups and will not pull in groups coming in from other sources (AD, Google, etc) into your claim

1 Like

@andrea @tyty I did the change you suggested. Yet I can’t see Group information in the ID token. Is there something more I should check?Please advice.

If you want the groups to show up in the ID Token, you need to configure the claim “Include in token type” for ID Tokens to ALWAYS . Otherwise you will need to send your access token to the userinfo endpoint to see the user’s groups

That works. Thanks Folks :slight_smile:

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.