j56jp (j56jp) asked a question.
Hello,
Is it possible to retrieve a Groups claim from an access token issued from the Client Credentials OAuth flow? Using a flow like Resource Owner Password, I am able to get a user's groups in the access token. Even though I can assign groups to my OAuth Service application (supporting Client Credentials flow), I can't seem to retrieve the groups in an access token like I can using the process described here: https://okta.github.io/docs/how-to/creating-token-with-groups-claim (I used the UI to configure my applications).
It would be nice to have a groups claim in the access token regardless of the OAuth flow used to issue it. That way my resource server can handle authorization consistently regardless of the Application type the access token was issued for (OAuth Service, Single Page App, etc).
Thanks.
Hello Cameron,
This should be achievable by Decoding the JWT in the response to see that the groups are in the token.
You can check this here: https://okta.github.io/docs/how-to/creating-token-with-groups-claim#step-five-decode-the-jwt-to-verify-1
However, if you have additional questions on this matter, please feel free to open a ticket with Support and we will be more then happy to assist you further on.
Thank you,
Paul Stiniguta
Technical Support Engineer
Okta Global Customer Care
For any future readers,
I found a post that matches my scenario exactly: https://devforum.okta.com/t/how-to-get-application-groups-instead-of-user-groups-in-my-token/2240. I think I am better off looking for an alternative like @mgremont did.
Has OKTA provided a solution to this problem of adding group claims in access tokens for client credentials flow? For example, claims containing application groups instead of user groups.