https://support.okta.com/help/answers?id=9062a000000bbrvqas&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Flavel Heyman

JWT Scope

I know I want to request more than one scope but am unsure when/how to do it.
  1. When do you request scope? Does it need to be in the initial CREATION of the JWT request, or can scope be expanded when VALIDATION of the JWT occurs?
  2. If scope needs to be requested with CREATION of the JWT, then:
    1. How do you change the scope in the Okta Angular Sign-In Widget?
    2. I tried using the Okta API endpoint (https://developer.okta.com/docs/api/resources/oidc#token), but when I requested multiple scopes I only ever received a response back with the "openid" scope. What gives?
  3. If scope needs to be requested with VALIDATION of the JWT, then:
    1. How does one specify the scope in the Java Okta JWT Verification library (https://github.com/okta/okta-jwt-verifier-java)? I don't see a setter for it.
Best Answer chosen by Flavel Heyman
Flavel Heyman

Alright so:

  1. Scope is set on JWT creation.
  2. Didn't figure out how to set it up in the /v1/token endpoint (https://developer.okta.com/docs/api/resources/oidc?_ga=1.45423908.1016954865.1519324636#token) yet
  3. Setting it up for the Angular App went something like this:
    1. OktaAuthModule.initAuth({
         issuer: environment.oktaUrl + '/oauth2/default',
         redirectUri: environment.appUrl + '/implicit/callback',
         clientId: environment.clientId,
         scope: 'openid profile email groups'
       })
    2. Found format through the Okta source code in okta.service.ts (https://github.com/okta/okta-oidc-js/blob/master/packages/okta-angular/src/okta/okta.service.ts) through method "scrubScopes"
    3. If you aren't using that it may be possible through widget creation (the above was overriding the value in widget creation)
    4. var oktaSignIn = new OktaSignIn({
         baseUrl: baseUrl,
         clientId: clientId,
         redirectUri: 'http://localhost:8080',
         authParams: {
           issuer: 'https://dev-123456.oktapreview.com/oauth2/default',  // in case you are using a custom auth server
           responseType: 'id_token',
           responseMode: 'fragment',
           // display: 'page',  // required if you would like a full-page redirect to redirectUri
           scope: ['openid', 'profile', 'email', 'groups']
         }
       });
  4. Doing all this didn't really lead to any new values being returned because my claims weren't set up.
  5. Finding what claims are available was difficult, this helped a lot (https://developer.okta.com/blog/2017/08/01/oidc-primer-part-3)
    1. Not limited to just "appuser" object, can also use "user"
      1. user.profile
      2. user.custom_attr
      3. groups: contains x
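Added example (not code from this thread or from Okta's own libraries) showing the two halves of the accepted answer and of Andrei's reply: scopes are requested when the authorization request is built (what the widget does from authParams.scope, using the space-delimited scope parameter of RFC 6749), and on the resource server the granted scopes are checked in the `scp` claim of an already-verified access token, which is why the verifier library has no scope setter. Function names and the sample claims are constructed for this example.

```javascript
// Added example, not code from the thread or from Okta. Node.js, no dependencies.

// Build the authorization URL for the implicit flow used in the thread.
// RFC 6749 defines `scope` as a space-delimited list, so the scopes are joined
// with spaces and percent-encoded (%20), not joined with '+'.
function buildAuthorizeUrl({ issuer, clientId, redirectUri, scopes, state, nonce }) {
  if (!scopes.includes('openid')) {
    throw new Error('OIDC requires the "openid" scope');
  }
  const params = {
    client_id: clientId,
    response_type: 'id_token',
    response_mode: 'fragment',
    redirect_uri: redirectUri,
    scope: scopes.join(' '),
    state,   // CSRF protection for the callback
    nonce,   // bound into the id_token to prevent replay
  };
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return `${issuer}/v1/authorize?${query}`;
}

// Resource-server side. `claims` is the payload a JWT verifier returns after
// signature, issuer, audience and expiry have been checked; do not decode an
// unverified token and trust this. Okta access tokens carry granted scopes in
// the `scp` claim as an array of strings. Returns the required scopes the token
// lacks so the caller can answer 403 with error=insufficient_scope (RFC 6750).
function missingScopes(claims, required) {
  const granted = Array.isArray(claims.scp) ? claims.scp : [];
  return required.filter((s) => !granted.includes(s));
}

// Constructed sample of a decoded, verified access token payload: the client
// asked for openid profile email groups, but only three were granted.
const sampleClaims = {
  iss: 'https://dev-123456.oktapreview.com/oauth2/default',
  aud: 'api://default',
  scp: ['openid', 'profile', 'email'],
  sub: 'user@example.com',
};
```

A request that asks for `groups` but receives a token whose `scp` lacks it, as in the question, is the case `missingScopes` reports; the fix is on the authorization side (scope granted to the app and claims configured), not in the verifier.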

All Answers

Andrei Hava (Okta, Inc.)
Hello, Flavel

The scope requests are made when the creation of the JWT token happens, i.e. when calling the /token endpoint.
You can see how to configure the Sign-In widget to request additional scopes here: https://github.com/okta/okta-signin-widget#openid-connect, under authParams.scope.

Let me know if this helps you. If not, please submit your issue to our Support department by sending an email to developers@okta.com.

Thank you,
Andrei Hava
Okta Developer Support
Dylann Fezeu (Customer First Programs)
Hello,

Thanks for posting your inquiry in Okta Community Portal.

If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer."

Thank you,

Dylann Fezeu
Okta Help Center Team