This article describes how to add group claims based on a specific application using a conditional expression or create a dynamic or static allowlist as an alternative.
- Group Claims
- OpenID Connect application
- Conditional Expression
The expression app.clientId == "0oa3uxxxxxxxxxx5d7" can be used inside a conditional expression to return groups based on the application that requests the token.
For example:
(app.clientId == "0oa3uxxxxxxxxxx5d7") ? "Condition 1" : "Condition 2"
The example above uses a ternary operator as shorthand for an if-else statement. If the condition (app.clientId == "0oa3uxxxxxxxxxx5d7") evaluates to true, the value for Condition 1 is returned. If the condition evaluates to false, the value for Condition 2 is returned.
Such expressions become complex and hard to maintain as more applications and conditions are added.
Alternatively, create a dynamic or static allowlist to set group allowlists on a per-app basis, with both the org authorization server and a custom authorization server. For instance, if the org has many groups but only 20 are relevant to a given app, the goal is to avoid searching through every group each time a groups claim is created. This process can use Okta's flexible app profile, which accepts any JSON-compliant content, to store an allowlist of groups that the claim expression can reference easily.
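As an added illustration, not Okta's own code or claim engine, the following Python models what each approach produces for a user's groups claim: the per-app conditional expression from above versus a static allowlist and a dynamic allowlist read from a constructed app profile. The app IDs, group IDs, group names and the groups_by_* functions are all constructed for this example; it assumes an allowlist behaves as the intersection of the user's groups with the listed groups.

```python
import json

# Constructed sample data for this example only (not real Okta identifiers):
# two OIDC apps, each with a "groupwhitelist" stored in its app profile.
APP_PROFILES_JSON = """
{
  "0oa3uxxxxxxxxxx5d7": {"label": "Payroll", "profile": {"groupwhitelist": ["00gPAYADM", "00gFIN"]}},
  "0oaWIKIEXAMPLE0000": {"label": "Wiki",    "profile": {"groupwhitelist": ["00gALL"]}}
}
"""
APPS = json.loads(APP_PROFILES_JSON)

# Constructed group directory (id -> name) and one user's memberships.
GROUP_NAMES = {"00gALL": "Everyone", "00gFIN": "Finance",
               "00gENG": "Engineering", "00gPAYADM": "PayrollAdmins"}
USER_GROUP_IDS = ["00gALL", "00gFIN", "00gENG", "00gPAYADM"]


def groups_by_condition(client_id):
    """Models the ternary expression from the article: the claim value is
    chosen by comparing app.clientId, so every new app needs another branch."""
    return "Condition 1" if client_id == "0oa3uxxxxxxxxxx5d7" else "Condition 2"


def groups_by_allowlist(user_group_ids, allowlist, limit=20):
    """Models a static allowlist: emit only the groups the user belongs to
    that also appear in the allowlist, capped at `limit` entries."""
    allowed = set(allowlist)
    names = [GROUP_NAMES[g] for g in user_group_ids if g in allowed]
    return names[:limit]


def groups_by_app_profile(client_id, user_group_ids, limit=20):
    """Models a dynamic allowlist: the allowlist is read from the requesting
    app's profile, so adding an app means editing data, not the expression."""
    app = APPS.get(client_id)
    if app is None:
        return []  # unknown client: no groups are emitted
    allowlist = app["profile"].get("groupwhitelist", [])
    return groups_by_allowlist(user_group_ids, allowlist, limit)


if __name__ == "__main__":
    for cid in APPS:
        print(APPS[cid]["label"], groups_by_app_profile(cid, USER_GROUP_IDS))
```

A group that is on the allowlist but that the user does not belong to is never emitted, so the claim still reflects actual membership.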
