
Tokens Issued by a Custom Authorization Server with `profile` Scope Do Not Contain All Base Okta Profile Attributes

API Access Management
Okta Classic Engine
Okta Identity Engine

Overview

When requesting a token from a Custom Authorization Server with the profile scope, not all base Okta User Profile claims are available in the ID Token or in the Userinfo response.

Applies To

  • API Access Management
  • OpenID Connect application
  • profile scope
  • ID Token payload OR Userinfo response

Cause

When using a Custom Authorization Server, only some of the attributes in a user's Okta profile are returned automatically when the profile scope is requested. Depending on the flow, these claims appear either in the ID Token (Implicit flow) or in the Userinfo response (when both an ID Token and an Access Token are requested in the same OIDC flow; see Attribute/Claim Missing from ID Token for details). The claims included for this scope are the following (see Scope-dependent claims (not always returned) for descriptions of these claims):

  • name
  • preferred_username
  • nickname
  • given_name
  • middle_name
  • family_name
  • profile (URL to the user's profile page)
  • zoneinfo
  • locale
  • updated_at

Solution

Any additional Okta User Profile attributes that the OpenID Connect application needs access to will have to be created as custom claims.

For instance, to include the Department attribute in a user's ID Token, configure a custom claim as shown below. Since department is the variable name of this attribute, the expression for the claim is user.department.
Custom Claim - Department
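As an added example (not Okta's own code), the following script takes the profile attributes an OIDC application needs, checks which of them the profile scope on a Custom Authorization Server already covers, and builds the custom-claim definition for each remaining attribute using the user.<attribute> expression form described above. The request-body shape for the claims endpoint of the Okta Management API and the sample token payload are assumptions made for this example.

```python
"""Added example, not Okta's own code: plan the custom claims an OIDC app
needs on a Custom Authorization Server beyond what the `profile` scope returns."""
import json

# ID Token / Userinfo claims the `profile` scope returns (the list in this article).
PROFILE_SCOPE_CLAIMS = {
    "name", "preferred_username", "nickname", "given_name", "middle_name",
    "family_name", "profile", "zoneinfo", "locale", "updated_at",
}


def uncovered_attributes(needed: set[str], token_claims: dict) -> set[str]:
    """Attributes that neither the standard profile-scope claims nor the
    (signature-verified) decoded token payload already provide."""
    return {a for a in needed if a not in PROFILE_SCOPE_CLAIMS and a not in token_claims}


def custom_claim_definition(attribute: str, scopes=("profile",)) -> dict:
    """Request body for POST /api/v1/authorizationServers/{authServerId}/claims
    (assumed shape). claimType IDENTITY places the claim in the ID Token /
    Userinfo response; the value is an Okta expression such as user.department."""
    return {
        "name": attribute,
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "EXPRESSION",
        "value": f"user.{attribute}",
        "conditions": {"scopes": list(scopes)},
    }


def plan_custom_claims(needed: set[str], token_claims: dict) -> list[dict]:
    """One claim definition per attribute the profile scope does not already cover."""
    return [custom_claim_definition(a) for a in sorted(uncovered_attributes(needed, token_claims))]


if __name__ == "__main__":
    # Constructed sample payload of an ID Token issued with the profile scope.
    sample_payload = {
        "sub": "00u_example", "name": "Ada Example", "given_name": "Ada",
        "family_name": "Example", "preferred_username": "ada@example.com",
        "zoneinfo": "America/Los_Angeles", "locale": "en-US", "updated_at": 1700000000,
    }
    # given_name is covered by the scope; department and costCenter need custom claims.
    for claim in plan_custom_claims({"given_name", "department", "costCenter"}, sample_payload):
        print(json.dumps(claim, indent=2))
```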
