Exceed the 100 groups limitation on a group claim when using the Implicit Flow.
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

This article describes how to work around the 100-group limit that applies to group claims when the Implicit flow is used. The existing group expressions, such as Groups.contains and Groups.startsWith, return at most 100 groups each, and combining them does not help: the resulting group claim is still populated with at most 100 groups.

    Applies To
    • OIE or Classic
    • Users who want to populate more than 100 groups in a single custom claim.
    • Applications that authenticate using the Implicit Flow.
    • Org authorization servers, for an ID token or /userinfo group claim.
    • Custom authorization servers, for an ID token, /userinfo or access token group claim.
    Solution

    The solution is to first create a static allow list attribute in the application profile and then change the group claim expression to something like:
     

    getFilteredGroups(app.profile.group_allow_list, "group.name", 2147483647)


    This example assumes the static allow list attribute is named group_allow_list. The list must be maintained by hand: whenever the set of groups changes, for example when a new group is created that belongs in the list, its group ID must be added to group_allow_list.

    Note that the third argument is the maximum value of a signed 32-bit integer (2147483647). This is the upper bound on the number of groups the expression can return; in practice other limits are reached long before it.

    Constraints that may be hit well before that value include:

    • The maximum size of an application's profile, where all of the group IDs must be hard-coded
    • The maximum size of an ID token that Okta will return
    • The maximum size of a /userinfo response that Okta will return
    NOTE: For the Org authorization server, the group claim is limited to the ID token and /userinfo. For custom authorization servers, the group claim can be applied to either the access token or the ID token.
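    Because the allow list has to be kept in step with the groups it covers, it is worth scripting the maintenance instead of editing the application profile by hand. The following is an added example and is not code from the Okta article. It assumes a custom app-profile attribute named group_allow_list holding a JSON array of group IDs, that the groups to include share a name prefix (found with GET /api/v1/groups?q=<prefix>), and that the claim is created on a custom authorization server with valueType EXPRESSION. It also includes a rough size check for the claim, because the article notes that Okta caps the ID token and /userinfo response sizes without giving a number, so the budget is a parameter you choose.

```python
"""Sync the static group allow list used by getFilteredGroups() and build the
claim that reads it. Added example; names and endpoints as described in the
lead-in are assumptions, not taken from the article."""
import json
import re
import urllib.parse
import urllib.request

INT32_MAX = 2147483647                # third argument in the article's expression
ALLOW_LIST_ATTR = "group_allow_list"  # assumed custom attribute on the app profile

# Constructed sample data in the shape GET /api/v1/groups returns.
SAMPLE_GROUPS = [
    {"id": "00g1a", "type": "OKTA_GROUP", "profile": {"name": "app-readers"}},
    {"id": "00g1b", "type": "OKTA_GROUP", "profile": {"name": "app-writers"}},
    {"id": "00g1c", "type": "OKTA_GROUP", "profile": {"name": "finance"}},
    {"id": "00g1d", "type": "APP_GROUP", "profile": {"name": "app-imported"}},
]


def select_group_ids(groups, name_prefix, okta_groups_only=True):
    """Pick the group IDs that belong in the allow list. Sorted so that repeated
    syncs produce a stable, diffable profile attribute."""
    ids = []
    for g in groups:
        if okta_groups_only and g.get("type") != "OKTA_GROUP":
            continue
        if g["profile"]["name"].startswith(name_prefix):
            ids.append(g["id"])
    return sorted(ids)


def app_profile_update(app, group_ids):
    """Body for PUT /api/v1/apps/{appId}. Okta replaces the whole application
    object on PUT, so start from the current app JSON and change only the
    allow-list attribute; the input object is left untouched."""
    updated = json.loads(json.dumps(app))  # deep copy
    updated.setdefault("profile", {})[ALLOW_LIST_ATTR] = list(group_ids)
    return updated


def groups_claim(claim_name="groups", key="group.name", limit=INT32_MAX,
                 claim_type="IDENTITY"):
    """Body for POST /api/v1/authorizationServers/{asId}/claims. IDENTITY puts
    the claim in the ID token / userinfo; RESOURCE targets the access token,
    which only a custom authorization server supports."""
    expr = f'getFilteredGroups(app.profile.{ALLOW_LIST_ATTR}, "{key}", {limit})'
    return {
        "name": claim_name,
        "status": "ACTIVE",
        "claimType": claim_type,
        "valueType": "EXPRESSION",
        "value": expr,
        "alwaysIncludeInToken": True,
        "conditions": {"scopes": []},
    }


def claim_bytes(group_names):
    """Bytes the claim adds to the token payload before base64url encoding.
    Compare against a budget you choose; the article gives no exact limit."""
    payload = {"groups": list(group_names)}
    return len(json.dumps(payload, separators=(",", ":")).encode())


def _next_link(link_header):
    """Okta paginates with Link: <url>; rel="next" headers."""
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return m.group(1) if m else None


def _urllib_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:  # real HTTP; not used in tests
        links = ", ".join(resp.headers.get_all("Link") or [])
        return resp.read().decode(), {"Link": links}


def list_all_groups(base_url, api_token, query, http_get=None):
    """Fetch every group matching `query`, following pagination.
    http_get(url, headers) -> (body_text, headers_dict); inject a fake to test."""
    http_get = http_get or _urllib_get
    url = f"{base_url}/api/v1/groups?q={urllib.parse.quote(query)}&limit=200"
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    groups = []
    while url:
        body, resp_headers = http_get(url, headers)
        groups.extend(json.loads(body))
        url = _next_link(resp_headers.get("Link", ""))
    return groups


if __name__ == "__main__":
    ids = select_group_ids(SAMPLE_GROUPS, "app-")
    app = {"id": "0oa_example", "profile": {}}  # constructed stand-in for GET /api/v1/apps/{id}
    print(json.dumps(app_profile_update(app, ids), indent=2))
    print(json.dumps(groups_claim(), indent=2))
    names = [g["profile"]["name"] for g in SAMPLE_GROUPS if g["id"] in ids]
    print("claim bytes:", claim_bytes(names))
```

    In a real sync, call list_all_groups with your Okta base URL and an API token, feed the result to select_group_ids, GET the application, PUT app_profile_update back, and create or update the claim with groups_claim. Only OKTA_GROUP entries are kept by default so that app-sourced groups with matching names are not silently pulled into the allow list.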