UserInfo not returning groups

Questions OAuth/OIDC
1

Unable to retrieve group information on my userinfo call. I’ve read all the pertinent community messages in this forum and verified all recommendations, but to no avail.

I have a group created and one user assigned to it:

image
image1052×600 29.5 KB

I have one application and assigned it to the group:

image
image855×512 19.6 KB

image
image777×419 24.6 KB

I have configured the OpenID Connect ID Token for the app:

image
image726×498 23.5 KB

I’m using the Default Authorization Server with the following Claims:

image
image1036×314 18.6 KB

image
image705×575 25.3 KB

The Token Preview shows:

image
image994×808 66.4 KB

Interestingly, though, if I specify openid and profile on the scope, I do not get the groups:

image
image1015×796 63.2 KB

I retrieve the Access Token using the authorize URL:

https://dev-14409172.okta.com/oauth2/default/v1/authorize?
With parameters:

response_type=code
client_id=0oan3lzmskgMUmotO5d7
redirect_uri=http://127.0.0.0/
scope=openid+profile+groups
state=12345"

I then take the access code and get an access token using the tokeninfo enpoint and then specify the resulting token in the userinfo call:

image
image991×701 38.3 KB

And no groups are returned.

Please advise what I’m doing wrong.

Thanks in advance.

2

It looks like the groups claim you configured on your custom authorization server is set to be included int he Access Token ('Include in token type"). That would explain why you are not seeing it when you preview tokens with the openid scope, because the payload you are looking at is for the id_token, not the access token. If you switch the the tab labelled ‘token’, do you see your claim once more?

If you want the claim to appear at the userinfo endpoint, change the “Include in token type” option to ID Token.

PS, that right now you do not need to request that groups scope NOR the settings on the Application → Sign On tag. When using a custom AS (like Default) to get tokens, then you only need to configure the claim at the authorization server level, not at the application level. As for the groups scope, this is only required when using the Org Authorization Server (which is when those settings on the Applcation → Sign On tab come into play). The groups claim you created is currently set to be included for Any scope, so if you do want to use the groups scope you created so that its only included when requested, you would need to set the “Include in” option to the groups scope.

More info about groups claims can be found here; Customize tokens returned from Okta with a groups claim | Okta Developer

3

Ah…I had missed the Token Type tab. Yes it shows there!

image
image988×878 69 KB

And changing it to “Include in token type” fixed the userinfo end point to!

image
image980×764 40.2 KB

Thanks so much! I’ve only been banging my head for a couple of days on this!!!

1 Like
4

no problem! glad you were able to get it working.

5

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.