<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Attribute/Claim Missing from ID Token
Mar 21, 2025
API Access Management
Okta Classic Engine
Overview

This article explains why an ID token might have an attribute/claim missing from an ID token and how to get all user claims and Okta groups in such a case.


This article assumes that:

Applies To
  • Implicit flow
  • Authorization code flow 
  • Resource owner password flow (grant_type = password)
Cause

When returned along with the access token, the ID token is considered a Thin Token or Thin ID Token. The Thin ID Token only carries base claims and some scope-dependent claims. For example, if the `profile` scope is requested and a thin token is returned, the ID token payload will contain the `preferred_username` and `name` claims but will not include other `profile` scope-dependent claims such as `given_name` or `family_name`.


Examples of when the ID token and access token are returned together:

  • Implicit flow, where response_type=id_token+token.
  • Authorization code flow, where `openid` scope is passed in authorize request.
  • Resource owner password flow, where `openid` scope is passed in the token request.


NOTE: When the ID token is returned alone (without the access token, for example) in the implicit flow where response_type=id_token, the ID token returned is considered a Fat Token and should contain all profile attributes if the profile scope is passed and groups if the groups scope is passed. 


This behavior is based on the OpenID specifications about scope-dependent claims. See the following quote from section 5.4:

  • "The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2 when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token."
Solution

In these flows, an Access Token is returned along with an ID Token. This Access Token can be used to retrieve user claims (all profile attributes/claims, if the appropriate scopes are passed). 

The Access Token can be sent as a bearer token in the authorization header of the Userinfo request (that is POST ${baseUrl}/oauth2/v1/userinfo), where the base URL will be https://OktaDomain.okta.com or the custom domain.

 

Related References

 

Recommended content

Still looking for help?
Loading
Attribute/Claim Missing from ID Token