Unable to get claims from default custom authorization server


I’ve been using instructions in the following URLs to try to get group claims from the default customization server:

  1. Customize tokens returned from Okta with a Groups claim | Okta Developer
  2. https://www.youtube.com/watch?v=PASiA_2ChFU

Here are the steps I’ve followed:

  1. Add Claim

    1. In the developer console, select Security → API
    2. Select the default link
    3. Click the “Claims” tab
    4. Click “Add Claim”
    5. name: groups, token-type: id_token/Always, Value Type: Groups, Filter: contains .*
    6. name: groups, token-type: access_token/Always, Value Type: Groups, Filter: contains .*
  2. Use OpenID Connect debugger to get the authorization code:


  3. Use the authorization code in the following post to get the ID Token:


  4. Use a JWT parser to parse the id and access tokens

Sadly, neither contains the claims, although the access_id contains the scopes.

However, if I use the org server, I can get the claims:

Here are the steps:

  1. Add Claim

    1. In the developer console, select Applications - MyApp
    2. Click the “Sign on” tab
    3. Edit the “Open ID Connect Token”
    4. Edit “Group Claims Filter”
    5. Group name “groups”
    6. Matches Regex .*
  2. Use the same steps as above, but removing “default” from the url.

In this case, the ID token contains the groups.

“groups”: [

According to the docs, the default custom server should contain the groups.

What am I doing wrong here?


Did you try the token preview tool to see the decoded token? Also, is it possible to post a screenshot of the claim?

Hi Sherry,

I’m all set. The problem was with the regular expression. I didn’t have “matches regex”, I had “contains regex”.

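Added example (not part of the thread and not Okta's code): a small Python model of the resolution above, showing why a "contains" filter with the value `.*` yields no groups claim while "matches regex" with `.*` does, followed by the payload-decoding step from the original post. The filter mode names, the sample groups, full-match regex semantics and the omit-the-claim-when-empty behaviour are assumptions made for illustration.

```python
import base64
import json
import re

# Constructed sample data: groups a test user might belong to.
SAMPLE_GROUPS = ["Everyone", "Admins"]

def filter_groups(groups, mode, value):
    """Model of the filter modes for a Groups-type claim (assumed semantics)."""
    if mode == "starts_with":
        return [g for g in groups if g.startswith(value)]
    if mode == "equals":
        return [g for g in groups if g == value]
    if mode == "contains":
        # Literal substring test: ".*" is two characters here, not a wildcard.
        return [g for g in groups if value in g]
    if mode == "matches_regex":
        # Assumption: the whole group name must match the expression.
        return [g for g in groups if re.fullmatch(value, g)]
    raise ValueError(f"unknown filter mode: {mode}")

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_unsigned_token(groups, mode, value):
    """Build a constructed, unsigned JWT; an empty filter result omits the claim."""
    claims = {"sub": "user@example.com"}
    matched = filter_groups(groups, mode, value)
    if matched:
        claims["groups"] = matched
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])

def decode_jwt_payload(token):
    """Decode the payload for inspection only; this does not verify a signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def groups_in_token(groups, mode, value):
    """Return the decoded 'groups' claim, or None if the token has none."""
    return decode_jwt_payload(build_unsigned_token(groups, mode, value)).get("groups")

if __name__ == "__main__":
    for mode in ("contains", "matches_regex"):
        print(mode, "->", groups_in_token(SAMPLE_GROUPS, mode, ".*"))
```

Decoding a payload this way is only for checking which claims were issued; an application consuming the token still has to validate its signature, issuer and audience.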