Hello!
I’ve been using instructions in the following urls to try to get group claims from the default customization server:
- Customize tokens returned from Okta with a Groups claim | Okta Developer
- https://www.youtube.com/watch?v=PASiA_2ChFU
Here are the steps I’ve followed:
1. Add Claim
   - In the developer console, select Security → API
   - Select the default link
   - Click the “Claims” tab
   - Click “Add Claim”
   - name: groups, token-type: id_token/Always, Value Type: Groups, Filter: contains .*
   - name: groups, token-type: access_token/Always, Value Type: Groups, Filter: contains .*
2. Use OpenID Connect debugger to get the authorization code:
   https://dev-xxxxxx.okta.com/oauth2/default/v1/authorize
   ?client_id=xxxxxx&redirect_uri=xxxxxxxxxxxxxxxx
   &scope=openid%20groups
   &response_type=code
   &response_mode=form_post
   &state=n05l9ab31h9
   &nonce=5q7amz32cwo
3. Use the authorization code in the following post to get the ID Token:
   https://dev-xxxxxx.okta.com/oauth2/default/v1/token
   ?grant_type=authorization_code
   &redirect_uri=xxxxxx
   &code=xxxxxxxxxxxxxxxxx
4. Use a JWT parser to parse the id and access tokens
Sadly, neither contains the claims, although the access_id contains the scopes.
However, if I use the org server, I can get the claims.
Here are the steps:
1. Add Claim
   - In the developer console, select Applications → MyApp
   - Click the “Sign on” tab
   - Edit the “Open ID Connect Token”
   - Edit “Group Claims Filter”
   - Group name “groups”
   - Matches Regex .*
2. Use the same steps as above, but removing “default” from the url.
In this case, the ID token contains the groups.
"groups": [
  "testAppGroup",
  "Everyone",
  "prodApp",
  "MY_GROUP"
]
According to the docs, the default custom server should contain the groups.
What am I doing wrong here?
Thanks!
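For the "parse the id and access tokens" step, the following is an added example (not code from the original post or from Okta) that decodes a token's payload offline and reports whether the groups claim and the groups scope are present. The tokens it inspects are constructed samples that mirror the two cases described in the post; it inspects claims only and does not verify signatures, which a real consumer must do against the issuer's JWKS before trusting anything in the token.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_groups_claim(token: str, claim_name: str = "groups") -> dict:
    """Report whether the token carries the groups claim and whether the
    'groups' scope was granted (Okta puts granted scopes in 'scp')."""
    claims = jwt_claims(token)
    return {
        "has_claim": claim_name in claims,
        "groups": list(claims.get(claim_name, [])),
        "scope_granted": "groups" in claims.get("scp", []),
    }


def _make_unsigned_jwt(payload: dict) -> str:
    # Constructed sample only: real header fields plus a placeholder signature.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(payload)}.c2lnbmF0dXJl"


# Constructed tokens: one like the org server's ID token, one like the
# default custom server's access token that carried scopes but no groups.
ID_TOKEN_WITH_GROUPS = _make_unsigned_jwt({
    "sub": "00u_constructed",
    "groups": ["testAppGroup", "Everyone", "prodApp", "MY_GROUP"],
})
ACCESS_TOKEN_NO_GROUPS = _make_unsigned_jwt({
    "sub": "00u_constructed",
    "scp": ["openid", "groups"],
})

if __name__ == "__main__":
    print("id_token:    ", check_groups_claim(ID_TOKEN_WITH_GROUPS))
    print("access_token:", check_groups_claim(ACCESS_TOKEN_NO_GROUPS))
```

Paste a real token from the debugger in place of the constructed ones to see which of the two conditions (claim present, scope granted) fails.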