Okta Classic Engine | Integrations | Answered | 2024-04-30T09:18:25.000Z | 2018-03-19T19:56:49.000Z | 2018-08-12T04:14:09.000Z
JWT Scope
I know I want to request more than one scope but am unsure of when/how to do it.
  1. When do you request scope? Does it need to be in the initial CREATION of the JWT request, or can scope be expanded when VALIDATION of the JWT occurs?
  2. If scope needs to be requested with CREATION of the JWT, then:
    1. How do you change scope in the Okta Angular Sign-In Widget?
    2. I tried using the Okta API endpoint (https://developer.okta.com/docs/api/resources/oidc#token), but when I requested multiple scopes I only ever received a response back with the "openid" scope. What gives?
  3. If scope needs to be requested with VALIDATION of the JWT, then:
    1. How does one specify the scope in the Java Okta JWT Verification library (https://github.com/okta/okta-jwt-verifier-java)? I don't see a setter for it.

  • j5v7c (j5v7c)

    Alright so:

    1. Scope is set on JWT creation.
    2. Didn't figure out how to set it up in the /v1/token endpoint (https://developer.okta.com/docs/api/resources/oidc#token) yet.
    3. Setting it up for the Angular app went something like this:
       1. In the okta-angular module config:

            OktaAuthModule.initAuth({
              issuer: environment.oktaUrl + '/oauth2/default',
              redirectUri: environment.appUrl + '/implicit/callback',
              clientId: environment.clientId,
              // space-separated string; okta-angular's scrubScopes() splits it
              scope: 'openid profile email groups'
            })

       2. Found the format through the Okta source code in okta.service.ts (https://github.com/okta/okta-oidc-js/blob/master/packages/okta-angular/src/okta/okta.service.ts), method "scrubScopes".
       3. If you aren't using that, it may be possible through widget creation (the above was overriding the value set in widget creation).
       4. Widget creation:

            var oktaSignIn = new OktaSignIn({
              baseUrl: baseUrl,
              clientId: clientId,
              redirectUri: 'http://localhost:8080',
              authParams: {
                issuer: 'https://dev-123456.oktapreview.com/oauth2/default', // in case you are using a custom auth server
                responseType: 'id_token',
                responseMode: 'fragment',
                // display: 'page', // required if you would like a full-page redirect to redirectUri
                scope: ['openid', 'profile', 'email', 'groups'] // array form accepted by the widget
              }
            });

    4. Doing all this didn't really lead to any new values being returned because my claims weren't set up.
    5. Finding what claims are available was difficult; this helped a lot: https://developer.okta.com/blog/2017/08/01/oidc-primer-part-3
       1. Not limited to just the "appuser" object, can also use "user":
          1. user.profile
          2. user.custom_attr
          3. groups: contains x
    Selected as Best
  • andrei.hava (Okta, Inc.)

    Hello, Flavel

    The scope requests are made when the JWT is created, i.e. when calling the /token endpoint.

    You can see how to configure the Sign-In Widget to request additional scopes here: https://github.com/okta/okta-signin-widget#openid-connect, under authParams.scope.

    Let me know if this helps you. If not, please submit your issue to our Support department by sending an email to developers@okta.com.

    Thank you,

    Andrei Hava

    Okta Developer Support
  • j5v7c (j5v7c)

    Hello,

    Thanks for posting your inquiry in the Okta Community Portal.

    If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer."

    Thank you,

    Dylann Fezeu

    Okta Help Center Team
This question is closed.