RicardoM.75313 (Customer) asked a question.
Ok, I am going to go ahead and aswer my own question here, in case someone else runs into the same scenario.
If you add a custom field to an application user profile, it will be automatically added to the id_token if the "profile" scope is requested. It is is that simple.However, I have not found a way to define a custom scope that would return only a subser of the custom fields defined. But that is not a show stopper for me.
Hi,
I am generating access token using ${baseUrl}/v1/token, can i include some custom data(not specific to okta) in access token for authorization purpose or is there any other api which would be helpful?
Hi Amit,
Through API Access Management, you can define custom claims that contain details regarding the user's profile or group membership or simple static strings. This can be done by following the steps available at https://developer.okta.com/authentication-guide/implementing-authentication/set-up-authz-server#create-claims-optional
Dragos Gaftoneanu
Developer Support Engineer
Thanks Dragos,
Actually my requirement is different, I am already generating an access token for example this eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
and i want to add my payload like {key1: value1, key2: value2}(not related to okta) into this access token via some update api. Can i do this?
Hi Amit,
This can be achieved through API Access Management. Please open a support ticket by sending us an email to developers@okta.com and we will gladly assist you in implementing your requirement.
Dragos Gaftoneanu
Developer Support Engineer
Hi Dragos,
In our case we don't want to use API access management as we have custom roles defined in our data store. In this case, is it possible to add these roles to access token?
Thanks,
Rajan R.G
Hi Rajan,
Yes, you can add the attributes under Admin >> Directory >> Profile Editor >> OpenID app >> Profile. Once the attributes are added and you created a mapping for them from Okta user profile and/or modified the user's app assignment to have values for this attributes, please do a request to /oauth2/v1/authorize, specifying "openid" and "profile" as scopes.
If you are requesting both ID token and access token (eg. response_type=id_token%20token or response_type=code), then the ID token is automatically minified and you can see this attributes by doing a second request to /userinfo endpoint, as mentioned here.
Thank You,
Dragos Gaftoneanu
Developer Support Engineer
Okta Global Customer Care
Hi Dragos,
Thanks for your quick response. As I mentioned, we would like to use our own data store for fine grained access control. In this case, can i add the roles from our database to the existing access token? Eg: we are planning to use lambda authorizer like https://github.com/tom-smith-okta/node-lambda-oauth2-jwt-authorizer/tree/tsmith/update. Once the access token is valid, we wanted to extend this custom authorizer to get the roles from our datastore and add to the existing token. Is this feasible?
Thanks,
Rajan R.G
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
Hi Amit,
Through API Access Management, you can define custom claims that contain details regarding the user's profile or group membership or simple static strings. This can be done by following the steps available at https://developer.okta.com/authentication-guide/implementing-authentication/set-up-authz-server#create-claims-optional
Dragos Gaftoneanu
Developer Support Engineer