This article outlines how to add the IdP value to the access token using Inline Token Hook.
- Identity Provider (IdP)
- Access token
- Id token
- Inline token hook
The IdP value exists in the ID token, but not in the access token.
The Identity Provider (IdP) claim value is the ID of the Identity Provider, as described in the Base claims documentation. This value exists in the ID token, but not in the access token. To add it to the access token, an inline token hook can be used: the hook's service reads the IdP claim value from the ID token claims that Okta sends in the hook request and then adds it to the access token.
The following are general steps outlined so that this can be done programmatically:
- Set up an external endpoint to which Okta can make requests.
- Configure this endpoint to parse the request body and look for the idp claim that will be returned in the ID token.
- See the example request body below (borrowed from the Create a token inline hook documentation):

```json
{
  "source": "https://{OktaDomainName}/oauth2/default/v1/authorize",
  "eventId": "3OWo4oo-QQ-rBWfRyTmQYw",
  "eventTime": "2019-01-15T23:20:47.000Z",
  "eventTypeVersion": "1.0",
  "cloudEventVersion": "0.1",
  "contentType": "application/json",
  "eventType": "com.okta.oauth2.tokens.transform",
  "data": {
    "context": {
      "request": {
        "id": "reqv66CbCaCStGEFc8AdfS0ng",
        "method": "GET",
        "url": {
          "value": "https://{OktaDomainName}/oauth2/default/v1/authorize?scope=openid+profile+email&response_type=token+id_token&redirect_uri=https%3A%2F%2Fhttpbin.org%2Fget&state=state&nonce=asf&client_id=customClientIdNative"
        },
        "ipAddress": "127.0.0.1"
      },
      "protocol": {
        "type": "OAUTH2.0",
        "request": {
          "scope": "openid profile email",
          "state": "state",
          "redirect_uri": "http://localhost:8080/authorization-code/callback",
          "response_mode": "fragment",
          "response_type": "token id_token",
          "client_id": "customClientIdNative"
        },
        "issuer": {
          "uri": "https://{OktaDomainName}/oauth2/default"
        },
        "client": {
          "id": "customClientIdNative",
          "name": "Native client",
          "type": "PUBLIC"
        }
      },
      "session": {
        "id": "102Qoe7t5PcRnSxr8j3I8I6pA",
        "userId": "00uq8tMo3zV0OfJON0g3",
        "login": "user@example.com",
        "createdAt": "2019-01-15T23:17:09.000Z",
        "expiresAt": "2019-01-16T01:20:46.000Z",
        "status": "ACTIVE",
        "lastPasswordVerification": "2019-01-15T23:17:09.000Z",
        "amr": [ "PASSWORD" ],
        "idp": {
          "id": "00oq6kcVwvrDY2YsS0g3",
          "type": "OKTA"
        },
        "mfaActive": false
      },
      "user": {
        "id": "00uq8tMo3zV0OfJON0g3",
        "passwordChanged": "2018-09-11T23:19:12.000Z",
        "profile": {
          "login": "user@example.com",
          "firstName": "Add-Min",
          "lastName": "O'Cloudy Tud",
          "locale": "en",
          "timeZone": "America/Los_Angeles"
        },
        "_links": {
          "groups": {
            "href": "https://{OktaDomainName}/00uq8tMo3zV0OfJON0g3/groups"
          },
          "factors": {
            "href": "https://{OktaDomainName}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors"
          }
        }
      },
      "policy": {
        "id": "00pq8lGaLlI8APuqY0g3",
        "rule": {
          "id": "0prq8mLKuKAmavOvq0g3"
        }
      }
    },
    "identity": {
      "claims": {
        "sub": "00uq8tMo3zV0OfJON0g3",
        "name": "Add-Min O'Cloudy Tud",
        "email": "user",
        "ver": 1,
        "iss": "https://{OktaDomainName}/oauth2/default",
        "aud": "customClientIdNative",
        "jti": "ID.YxF2whJfB3Eu4ktG_7aClqtCgjDq6ab_hgpiV7-ZZn0",
        "amr": [ "pwd" ],
        "idp": "00oq6kcVwvrDY2YsS0g3",
        "nonce": "asf",
        "preferred_username": "user@example.com",
        "auth_time": 1547594229
      },
      "token": {
        "lifetime": {
          "expiration": 3600
        }
      }
    },
    "access": {
      "claims": {
        "ver": 1,
        "jti": "AT.W-rrB-z-kkZQmHW0e6VS3Or...QfEN_YvoWJa46A7HAA",
        "iss": "https://{OktaDomainName}/oauth2/default",
        "aud": "api://default",
        "cid": "customClientIdNative",
        "uid": "00uq8tMo3zV0OfJON0g3",
        "sub": "user@example.com",
        "firstName": "Add-Min",
        "preferred_username": "user@example.com"
      },
      "token": {
        "lifetime": {
          "expiration": 3600
        }
      },
      "scopes": {
        "openid": {
          "id": "scpq7bW1cp6dcvrz80g3",
          "action": "GRANT"
        },
        "profile": {
          "id": "scpq7cWJ81CIP5Qkr0g3",
          "action": "GRANT"
        },
        "email": {
          "id": "scpq7dxsoz6LQlRj00g3",
          "action": "GRANT"
        }
      }
    },
    "refresh_token": {
      "jti": "oarob4a0tckCkGcyo1d6"
    }
  }
}
```
- In the logic for this endpoint, have it return a response body instructing Okta to add a claim to the access token, with its value set to the one found in the data.identity.claims.idp attribute of the request body.
- See the example response body below (also borrowed from the Create a token inline hook documentation):

```json
{
  "commands": [
    {
      "type": "com.okta.access.patch",
      "value": [
        {
          "op": "add",
          "path": "/claims/idp",
          "value": "00oq6kcVwvrDY2YsS0g3"
        }
      ]
    }
  ]
}
```
NOTE: The value to copy is the data.identity.claims.idp attribute of the JSON request body; in the example above it is 00oq6kcVwvrDY2YsS0g3.
- Configure the Token Inline Hook, as described in Create a token inline hook, to point to the endpoint that was just created.
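One way to implement the endpoint from the steps above, as an added Python example that is not code from this article or from Okta. It parses the hook request, reads data.identity.claims.idp, and answers with the com.okta.access.patch command shown above. Assumptions: the header name and secret are placeholders that must match the authentication field and secret configured on the hook in Okta; when no idp claim is present (for example, no ID token is being issued), the response carries an empty commands list, which is assumed to leave the tokens unchanged; the port and the sample request are constructed for illustration.

```python
import json
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholders: must match the authentication field/secret configured on the
# inline hook in Okta, which Okta sends on every hook request.
AUTH_HEADER = "Authorization"
AUTH_SECRET = "replace-with-the-secret-configured-in-okta"


def build_hook_response(body: dict) -> dict:
    """Build the token inline hook response from the parsed request body.

    Reads data.identity.claims.idp (the IdP ID that Okta puts in the ID token)
    and returns a com.okta.access.patch command that adds it to the access
    token at /claims/idp. If the claim is absent, return no commands so Okta
    mints the tokens unchanged (assumed no-op shape).
    """
    idp = (
        body.get("data", {})
        .get("identity", {})
        .get("claims", {})
        .get("idp")
    )
    if not idp:
        return {"commands": []}
    return {
        "commands": [
            {
                "type": "com.okta.access.patch",
                "value": [{"op": "add", "path": "/claims/idp", "value": idp}],
            }
        ]
    }


class HookHandler(BaseHTTPRequestHandler):
    """Handles POSTs from Okta for the token inline hook."""

    def do_POST(self):
        # Reject anything that does not carry the secret Okta was configured
        # to send; compare in constant time.
        presented = self.headers.get(AUTH_HEADER, "")
        if not hmac.compare_digest(presented, AUTH_SECRET):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            self.send_response(400)
            self.end_headers()
            return
        payload = json.dumps(build_hook_response(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


# Constructed sample: only the parts of the hook request this endpoint reads,
# using the IdP ID from the article's example request body.
SAMPLE_REQUEST = {
    "eventType": "com.okta.oauth2.tokens.transform",
    "data": {
        "identity": {
            "claims": {"sub": "00uq8tMo3zV0OfJON0g3", "idp": "00oq6kcVwvrDY2YsS0g3"}
        },
        "access": {"claims": {"sub": "user@example.com"}},
    },
}

if __name__ == "__main__":
    print(json.dumps(build_hook_response(SAMPLE_REQUEST), indent=2))
    # Listens on localhost only; expose it through a TLS-terminating front end
    # before registering it as the hook URL.
    HTTPServer(("127.0.0.1", 8080), HookHandler).serve_forever()
```

The header check is the part worth keeping even if the rest is rewritten: without it, anything that can reach the URL can make the endpoint emit claims into access tokens. Note that the endpoint copies the value exactly as Okta supplied it rather than computing or looking it up, which keeps the access token's idp claim consistent with the ID token's.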
