Resolving the "groups_claim" Deprecation Warning in Terraform Okta Provider
Okta Classic Engine
Okta Identity Engine
SDKs & Libraries
Overview

The Okta Terraform provider deprecates the groups_claim setting for the okta_app_oauth resource and silently skips it when using OAuth 2.0 credentials, requiring administrators to use an Application Programming Interface (API) token or migrate to a federated claim. During a standard Terraform run, the provider displays a generic deprecation warning but reports success, leaving the group claim absent from the application sign-on configuration. 

At normal output levels, the Okta Terraform provider displays the following warning:

Warning: Argument is deprecated

The groups_claim field is deprecated and will be removed in a future version. Use Authorization Server Claims (okta_auth_server_claim) or app profile configuration instead.

This generic deprecation warning is identical whether the Okta Terraform provider applies the claim using an API token or silently drops it under OAuth 2.0 authentication.

Applies To
  • Okta Terraform Provider
  • OAuth 2.0 Authentication
  • OpenID Connect (OIDC) Applications
  • Application Programming Interface (API)
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Cause

Okta deprecated the groups_claim field in the Okta Terraform provider. When using OAuth 2.0 API authentication, the provider silently disables reading and setting this claim.

Running Terraform with TF_LOG=DEBUG reveals the exact behavior through the following warnings:

  • [WARN] setting groups_claim disabled with OAuth 2.0 API authentication
  • [WARN] reading groups_claim disabled with OAuth 2.0 API authentication

 

NOTE: The deprecation warning still appears in the Terraform output when using an API token, but the Okta Terraform provider successfully applies the setting.
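
Because the generic warning is the same in both cases, only the debug log shows whether the claim was skipped. The following POSIX shell check is an added example, not part of the original article or the Okta provider; it classifies a log captured with TF_LOG=DEBUG, and its function names, return statuses, and sample log lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not Okta's code). Capture the log first, for instance:
#   TF_LOG=DEBUG TF_LOG_PATH=./tf-debug.log terraform apply

# Classify a Terraform debug log. Return status:
#   0 = no groups_claim skip logged
#   1 = provider skipped SETTING groups_claim (claim not written)
#   2 = provider skipped only READING groups_claim
#   3 = log file unreadable
check_groups_claim_log() {
    log_file=$1
    [ -r "$log_file" ] || { echo "cannot read $log_file" >&2; return 3; }
    # Match on the message text only, so the log line prefix does not matter.
    msg='groups_claim disabled with OAuth 2.0 API authentication'
    set_hits=$(grep -c -F "setting $msg" "$log_file" || true)
    read_hits=$(grep -c -F "reading $msg" "$log_file" || true)
    if [ "$set_hits" -gt 0 ]; then
        echo "FAIL: groups_claim write skipped ($set_hits line(s)); claim not applied"
        return 1
    elif [ "$read_hits" -gt 0 ]; then
        echo "WARN: groups_claim read skipped ($read_hits line(s))"
        return 2
    fi
    echo "OK: no groups_claim skip logged"
    return 0
}

# Constructed sample log: timestamps and the DEBUG line are made up; the two
# WARN messages and the deprecation headline are the ones quoted on this page.
write_sample_log() {
    cat > "$1" <<'EOF'
2025-01-01T10:00:00Z [DEBUG] constructed sample: applying okta_app_oauth.example
2025-01-01T10:00:01Z [WARN] setting groups_claim disabled with OAuth 2.0 API authentication
2025-01-01T10:00:02Z [WARN] reading groups_claim disabled with OAuth 2.0 API authentication
Warning: Argument is deprecated
EOF
}

# Demo on the constructed sample; in CI, pass the real TF_LOG_PATH file instead.
demo_log=$(mktemp)
write_sample_log "$demo_log"
check_groups_claim_log "$demo_log" || echo "check returned status $?"
rm -f "$demo_log"
```

A log that contains only the deprecation headline returns status 0, which matches the API token case described in the note above.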

Solution

How is the groups_claim deprecation warning resolved in the Terraform Okta Provider?

 

Resolve the missing groups claim by either migrating the configuration to use a federated claim or reverting to an API token for authentication.

 

 

How is the configuration migrated to a federated claim?

The deprecation message suggests using okta_auth_server_claim or app profile configuration. The okta_auth_server_claim resource requires a Custom Authorization Server, which requires an API Access Management subscription. Alternatively, use the okta_app_federated_claim resource.

Configure the federated claim using a custom group attribute name. For example:

resource "okta_app_federated_claim" "example_groups" {
  app_id     = okta_app_oauth.example.id
  name       = "custom_groups"
  expression = "user.getGroups({'group.type':{'OKTA_GROUP','APP_GROUP'}}).![profile.name]"
}

NOTE: Using "groups" as the claim name with this resource is not supported and results in an error because "groups" is a reserved name.

 

 

How is the legacy configuration applied using an API token?

Configure the Okta Terraform provider to use an API token instead of OAuth 2.0 credentials by following these steps:

  1. Generate an API token in the Okta Admin Console.
  2. Update the Terraform provider configuration to use the api_token argument instead of the OAuth 2.0 arguments.
  3. Run terraform apply to write the groups_claim setting to the application.

NOTE: If the primary configuration requires OAuth 2.0 authentication, isolate the legacy configuration into a separate Terraform module. The Okta Terraform provider can then execute this specific module using an API token while the rest of the infrastructure uses OAuth 2.0.

 

 
