How to add groups to access_token?
https://support.okta.com/help/answers?id=9062a000000xzqxqaw&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Sven Schmidt

How to add groups to access_token?

Hi,

I'm using an Okta app to authenticate via OpenID Connect.

The client is allowed to call into a web API endpoint, which should have
access control based on the groups the authenticated user belongs to (like admin, client, ...).
The trouble is that I cannot figure out how to get to the groups from the authentication token.
Currently, I send a request to http://octa.../oauth2/v1/userinfo and extract the groups from the
claims. Is that an acceptable way to do so? Is there a way to avoid that additional request?

Thank you and kind regards,
Sven

Jerrell Gary (Okta, Inc.)
1) If you are trying to use an AD group, that is not supported currently; only Okta groups will show up in the scope of the groups claim.

2) You will need OIDC App -> Sign On tab -> Groups claim: groups, Regex .*

3) If you use the implicit flow and request the access_token alone, it will also contain the groups.
Attached are screenshots of the request body and header, showing how to use the user primary authentication REST API to generate a sessionToken: POST {{url}}/api/v1/authn with a request body [username/password],
which will generate a one-time-use session token to access the OIDC endpoint. If the session expires or the user logs out of Okta after using the token, they will not be able to reuse the same session token to get a new session cookie.


4) After you get the sessionToken, use the URL below in your script, which will generate an access_token.
https://upupcocoa.oktapreview.com/oauth2/v1/authorize?client_id=rnQTZRPonN6dMXkQ5bVF
&response_type=token&response_mode=fragment&state=Af0ifjslDkj&nonce=n-0S6_WzA2Mj&scope=openid&prompt=none&redirect_uri=http://localhost:8888/okta-simplesamlphp-example&state=staticState&nonce=n-0S6_WzA2Mj&sessionToken=20111_5DTKZhQHaY4fcfhLx2hwAfe-TzDQg93H69wjGH7qFKZCV1wDp

5) Pass the access token as a bearer token to the endpoint {{url}}/oauth2/v1/userinfo. Here is how the request body and request header look; now you see the groups in the scope of the claim.
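One way the web API in the question could consume the groups claim once it is in the access_token, as an added example that is not part of this thread and not Okta's code: verify the token first, then decide access from the groups claim instead of calling /userinfo. It assumes an HS256 shared secret and placeholder issuer/audience values purely so it runs offline; Okta-issued access tokens are RS256-signed and must be verified against the authorization server's published JWKS instead.

```python
import base64, hashlib, hmac, json, time

# Constructed for this example only: a shared HMAC secret standing in for the
# RS256 public key you would fetch from the Okta authorization server's JWKS.
SECRET = b"example-shared-secret"
ISSUER = "https://example.okta.com/oauth2/v1"   # placeholder issuer (assumed)
AUDIENCE = "api://my-web-api"                    # placeholder audience (assumed)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims):
    """Build a sample HS256 JWT carrying a 'groups' claim (constructed test data)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Check alg, signature, issuer, audience and expiry; return claims or raise ValueError."""
    header, payload, sig = token.split(".")
    # Pin the algorithm before trusting anything else in the header.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def authorize(token, required_groups, now=None):
    """Allow the call only if a verified token's 'groups' claim overlaps required_groups."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False  # unverifiable tokens never grant access, whatever they claim
    return bool(set(claims.get("groups", [])) & set(required_groups))
```

The groups claim is only as trustworthy as the signature check in front of it, so the claim must never be read from an unverified token.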
John Gronberg (Okta, Inc.)
Sven, if you are interested in accessing non-Okta groups (like Active Directory groups), we do support those as part of our API Access Management product. Details on doing this are included in our 2017.20 Release Notes: https://developer.okta.com/docs/platform-release-notes/platform-release-notes2017-20.html, using the 'getFilteredGroups' expression as part of a custom claim. This functionality is not available in our basic OpenID Connect solution.