'groups' not available in openid connect claims
https://support.okta.com/help/answers?id=9062a000000bmouqai&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Steve McLellan

Hi,

I'm not seeing the 'groups' claim in id_tokens from an Okta OIDC login. My 'scope' parameter to /oauth2/v1/authorize is
scope=openid%20groups%20offline_access
In the JWT I don't see a claim for 'groups'.
 
API Org Admin
Hello,

Try adding profile to your scope: openid profile groups
Steve McLellan
Hi,

Even with all scopes imaginable - scope=openid%20groups%20offline_access%20profile%20email - I'm still not seeing groups.

I've changed the filter to regexp .* but still see no groups. I'll have another look later today.

Thanks!

Steve
Joseph Schreurs
I have the same issue as well. We have also tried using the Authorization Server and setting up groups as an approved claim.
Peggy Xue (Okta, Inc.)
1) If you use the authorization code flow and return both an access_token and an id_token, the id_token claims will not contain groups; only the bearer access_token used with the user endpoint will contain groups.
2) If you use the implicit flow and request the id_token alone, it will contain the groups; requesting the access_token alone will also contain groups.
3) Using your org or an authorization server should both work in the same way.
4) You need OIDC App -> Sign On tab -> Groups claim: groups, Regex .*
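The behaviour Peggy describes (an id_token without a groups claim when both tokens are requested, with the groups available via the bearer access_token at the userinfo endpoint) is easy to check from a client. The following is an added example, not code from this thread or from Okta: it builds the authorize URL with the groups scope, decodes an id_token payload for inspection, and falls back to the userinfo response when the id_token carries no groups. The issuer, client_id, redirect URI and the sample tokens are constructed, unsigned placeholders.

```python
"""Check an Okta OIDC login for a 'groups' claim and fall back to /userinfo.

Added example, not from the Okta thread. The issuer, client id, redirect URI
and the tokens below are hypothetical / constructed sample data.
"""
import base64
import json
import secrets
import urllib.parse
import urllib.request


def build_authorize_url(issuer, client_id, redirect_uri, response_type,
                        scopes, state=None, nonce=None):
    """Build the /oauth2/v1/authorize URL. 'groups' must be in the scope
    list, and the app's Sign On tab must have a groups claim filter (for
    example regex .*) or no groups are released at all."""
    if "openid" not in scopes:
        raise ValueError("OIDC requests must include the 'openid' scope")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": " ".join(scopes),
        "state": state or secrets.token_urlsafe(16),
    }
    if "id_token" in response_type.split():
        # OIDC requires a nonce whenever an id_token is returned from /authorize
        params["nonce"] = nonce or secrets.token_urlsafe(16)
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return issuer.rstrip("/") + "/oauth2/v1/authorize?" + query


def _b64url_decode(segment):
    """Base64url decode with the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Only for inspecting what the server put in the token while debugging.
    Never make an authorization decision on unverified claims: verify the
    signature against the issuer's JWKS (and check iss/aud/exp/nonce) first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def fetch_userinfo(issuer, access_token):
    """GET /oauth2/v1/userinfo with the bearer access token (network call,
    not exercised by the offline sample below)."""
    req = urllib.request.Request(
        issuer.rstrip("/") + "/oauth2/v1/userinfo",
        headers={"Authorization": "Bearer " + access_token,
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def resolve_groups(id_token_claims, userinfo_claims=None):
    """Return (groups, source). Prefer the id_token; if it has no 'groups'
    list (the thin id_token case from the thread), use the userinfo response.
    Returns ([], None) when neither carries the claim."""
    groups = id_token_claims.get("groups")
    if isinstance(groups, list):
        return list(groups), "id_token"
    if userinfo_claims is not None:
        groups = userinfo_claims.get("groups")
        if isinstance(groups, list):
            return list(groups), "userinfo"
    return [], None


def make_sample_jwt(claims):
    """Construct an UNSIGNED sample token (alg none, empty signature) so the
    example runs offline. Constructed test data, never accept such tokens."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample data (hypothetical org, subject and groups).
ISSUER = "https://example.okta.com"
THIN_ID_TOKEN = make_sample_jwt({"sub": "00u0example", "iss": ISSUER,
                                 "aud": "0oa0example", "exp": 1700000000})
FULL_ID_TOKEN = make_sample_jwt({"sub": "00u0example", "iss": ISSUER,
                                 "aud": "0oa0example", "exp": 1700000000,
                                 "groups": ["Everyone", "Engineering"]})
SAMPLE_USERINFO = {"sub": "00u0example", "groups": ["Everyone", "Engineering"]}

if __name__ == "__main__":
    print(build_authorize_url(ISSUER, "0oa0example", "https://app.example/cb",
                              "code", ["openid", "groups", "offline_access"]))
    print(resolve_groups(decode_jwt_claims(THIN_ID_TOKEN), SAMPLE_USERINFO))
    print(resolve_groups(decode_jwt_claims(FULL_ID_TOKEN)))
```

In a real client, replace the constructed tokens with what the token endpoint returned, and call fetch_userinfo only after the id_token has been validated with a proper JWT library against the issuer's JWKS; decode_jwt_claims is a debugging aid that deliberately skips that step.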
Ewan Chilton
Hi Peggy, can you expand on this?

Is it possible to get groups back in the access token using the OpenID Connect protocol?

I can get variously scoped claims back with the OAuth2 Resource Owner flow, but not with OpenID Connect.
Jeff Anderson
Following these instructions, I can get "Okta" groups, but I cannot get any Active Directory groups that the user belongs to. I have AD syncing set up with the agent. I have users in AD groups and can see both in the Okta interface. But the calls to get the access token or id token return "Everyone" as their only group. How can I get Active Directory groups for a user in the access token or id token? Or is there some other way to get groups for a user when they log in?