<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Add Group Claims Using the getGroups Function in a Custom Authorization Server
Nov 27, 2025
Okta Identity Engine
API Access Management
Overview

This article explains how to add group claims to a custom authorization server using the getGroups function. It provides examples for filtering groups by name and type, as well as retrieving specific group attributes.

Applies To
  • Custom Authorization Server
  • Okta Expression Language
  • Okta Identity Engine (OIE)
Solution

Review the instructions in the Add a Groups claim for a Custom Authorization Server guide to configure the claim.

The following samples illustrate how to configure the group claim expression:

  • Retrieve specific group names 

    • The expression retrieves a list of group names with the type OKTA_GROUP that start with "Test".

      user.getGroups({'group.type': {'OKTA_GROUP'}}, {'group.profile.name': {'Test.*'}}).![name]









  • 

    Retrieve all group names 
    

    • 

      The expression retrieves a list of all group names, including the BUILT_IN Everyone group.
      

      user.getGroups({'group.type': {'OKTA_GROUP', 'APP_GROUP', 'BUILT_IN'}}).![name]
      

    

  • Retrieve specific LDAP groups

    • The expression matches specific group names using wildcards and pulls groups with the type APP_GROUP (for example, from an LDAP integration).

      user.getGroups({'group.type': {'APP_GROUP'}}, {'group.profile.name': {'group1*', 'group2*'}}).![name]
      

    























  • Retrieve group identifiers and names








  • 

    • The expression retrieves both the identifier and the name for groups starting with "test".

      user.getGroups({'group.profile.name': { 'test.*'}}).![{name, id}]
      

    



















Collection Projection Syntax


The user.getGroups function supports "collection projection" for configuring group claims. Collection projections enable the use of a subexpression (for example, .![name]) that transforms a collection (such as an array) into a new collection. The expression applies the subexpression to each element in the array and returns a new collection without modifying the original collection.


The following examples illustrate the output formats for different projections:


  • 

    Array of Strings (.![name])
    

    • 

      The .![name] suffix returns a list containing only the names of the groups.
      

      "grp": [
  "test_example_123",
  "test_example_456",
  "test_example_789"
]
      

      

      

      

      

      

      

      

    

  • 

    Array of Objects (.![{name, id}]) 
    

    • 

      The .![{name, id}] suffix returns a list of objects containing multiple attributes for each group, such as the name and identifier.
      

      

      

      "grp": [
   [
      "00gbxxxxxxxxxxMlr1d7",
      "test_example_123"
   ],
   [
      "00gbxxxxxxxxx7UXC1d7",
      "test_example_456"
   ],
   [
      "00g5xxxxxxxxxxxTi1d7",
      "test_example_789"
   ]
]
      

      

      

      

      

      

    



Recommended content
Still looking for help?
Loading
Add Group Claims Using the getGroups Function in a Custom Authorization Server