This article discusses the limitations of the following Group functions that can be used in Okta Expression Language to configure groups claims: Groups.contains, Groups.endsWith, and Groups.startsWith.
- Group functions
- Dynamic Allowlists
- Okta Classic Engine
Group Functions can be used when configuring a groups claim (either in the ID or Access Tokens) to list the groups of which the user being issued a token is a member.
There are three Group functions that support dynamic group allowlists: contains, startsWith, and endsWith. For more details, please check the Group functions documentation. All three of these functions take the following parameters:
| Parameter | Description | Nullable | Example Values |
|---|---|---|---|
| app | Application type or App ID | FALSE | "OKTA", "0oa13c5hnZFqZsoS00g4", "active_directory" |
| pattern | Search term | FALSE | "Eastern-Region", "Eastern", "-Region" |
| limit | Maximum number of groups returned. This parameter must evaluate to a value between 1 and 100. | FALSE | 1, 50, 100 |
However, there are a few known limitations:
- If a Group function is passed a limit parameter value of more than 100:
  - Tokens will not be issued to the user.
  - The error "The 'groups' user claim could not be evaluated." will be returned to the redirect_uri provided by the requesting application.
  - A user_claim_evaluation_failure error will be logged in the System Log.
- For Active Directory groups, group name matching is based only on cn.
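Because an out-of-range limit stops token issuance for every affected user, it is worth linting groups-claim expressions before they are saved. The following is an added example, not Okta's implementation or code from this article: a small Python model that parses a Groups.contains / Groups.startsWith / Groups.endsWith call, flags a limit outside 1..100, and evaluates the call against a constructed membership list in which Active Directory groups are represented by their distinguished names and matched on cn only. The group list, the DN format and the returned group names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Shape of a Group function call inside a groups-claim expression:
#   Groups.<fn>("<app>", "<pattern>", <limit>)
GROUP_FN_RE = re.compile(
    r'Groups\.(?P<fn>contains|startsWith|endsWith)\(\s*'
    r'"(?P<app>[^"]*)"\s*,\s*"(?P<pattern>[^"]*)"\s*,\s*(?P<limit>-?\d+)\s*\)'
)

MIN_LIMIT, MAX_LIMIT = 1, 100  # documented range for the limit parameter


@dataclass
class GroupCall:
    fn: str
    app: str
    pattern: str
    limit: int


def parse_group_call(expr: str) -> GroupCall:
    """Parse one Group function call, or raise ValueError if it is not recognised."""
    m = GROUP_FN_RE.fullmatch(expr.strip())
    if m is None:
        raise ValueError(f"not a recognised Group function call: {expr!r}")
    return GroupCall(m["fn"], m["app"], m["pattern"], int(m["limit"]))


def lint_group_call(expr: str) -> list:
    """Return a list of problems a claim expression would cause at token issuance."""
    try:
        call = parse_group_call(expr)
    except ValueError as exc:
        return [str(exc)]
    issues = []
    if not (MIN_LIMIT <= call.limit <= MAX_LIMIT):
        issues.append(
            f"limit {call.limit} is outside {MIN_LIMIT}..{MAX_LIMIT}; "
            "tokens would not be issued (user_claim_evaluation_failure)"
        )
    if not call.app:
        issues.append("app must not be empty")
    if not call.pattern:
        issues.append("pattern must not be empty")
    return issues


def cn_of(dn: str) -> str:
    """Extract the cn attribute from a simple DN (escaped commas are not handled)."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return dn


def evaluate_group_call(expr: str, memberships: list) -> list:
    """Model the claim evaluation: memberships is a list of (app, group_name) tuples."""
    call = parse_group_call(expr)
    if not (MIN_LIMIT <= call.limit <= MAX_LIMIT):
        # Mirrors the documented failure: the claim cannot be evaluated at all.
        raise ValueError("The 'groups' user claim could not be evaluated.")
    matcher = {
        "contains": lambda name: call.pattern in name,
        "startsWith": lambda name: name.startswith(call.pattern),
        "endsWith": lambda name: name.endswith(call.pattern),
    }[call.fn]
    matched = []
    for app, name in memberships:
        if app != call.app:
            continue
        # Active Directory groups are matched on cn only, never on OU or DC parts.
        candidate = cn_of(name) if app == "active_directory" else name
        if matcher(candidate):
            matched.append(candidate)
        if len(matched) == call.limit:
            break
    return matched


# Constructed sample memberships for the example (not real tenant data).
SAMPLE_MEMBERSHIPS = [
    ("OKTA", "Eastern-Region"),
    ("OKTA", "Western-Region"),
    ("OKTA", "Everyone"),
    ("active_directory", "CN=Eastern-Sales,OU=Groups,DC=example,DC=com"),
    ("active_directory", "CN=Finance,OU=Eastern,DC=example,DC=com"),
]

if __name__ == "__main__":
    for expr in ('Groups.startsWith("OKTA", "Eastern", 100)',
                 'Groups.startsWith("active_directory", "Eastern", 100)',
                 'Groups.contains("OKTA", "Region", 101)'):
        print(expr, "->", lint_group_call(expr) or evaluate_group_call(expr, SAMPLE_MEMBERSHIPS))
```

Running the linter over every expression in a claim configuration catches the limit error before a deployment rather than after users start failing to receive tokens; the Active Directory case shows that a group whose OU contains "Eastern" is not matched, because only cn is compared.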
