
JonB.88229 (Customer) asked a question.
I cannot get "groups" to show up as part of my JWT. When I create a test token on the Okta auth server, I can see the groups are there. So I know that they are there as part of the "profile" scope. Here is my service code:
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // OpenIdConnectDefaults.AuthenticationScheme is "OpenIdConnect"; the
    // handler below is registered under the custom name "oidc" instead.
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect("oidc", options =>
{
    options.ClientId = Configuration["okta:ClientId"];
    options.ClientSecret = Configuration["okta:ClientSecret"];
    options.Authority = Configuration["okta:Issuer"];
    options.CallbackPath = "/authorization-code/callback";
    options.ResponseType = "code";
    options.SaveTokens = true;
    options.UseTokenLifetime = false;
    // Fetch additional claims from the userinfo endpoint after the code exchange.
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name"
    };
});
I've seen all the samples, and I'm not the only one that has run into this issue. I've seen posts on GitHub regarding this as well. What in the world am I missing?

I have the same issue. I have followed the instructions at https://developer.okta.com/docs/how-to/creating-token-with-groups-claim and have very similar code to that posted above, and from looking at the web traffic via Fiddler I can see that a groups collection is returned by the userinfo endpoint, but it never appears in the group claims in the JWT. Anyone have any ideas?
After quite a lot of digging around I discovered that if you add the line options.ClaimActions.MapJsonKey(ClaimTypes.Role, "groups") then that creates a role claim type for each of the values contained in the "groups" array returned by the userinfo endpoint. This allows User.IsInRole to work.
The problem I had was that I needed to remove the "oidc" from .AddOpenIdConnect("oidc", options... For some reason, I never received a policy error until I restarted my machine, so I didn't know it was going on.
You don't need the json mapping code. If you set the Name field on the claim to "roles", .NET will automatically pick up the groups as roles and map them accordingly. The "Name" field is the key. Okta will emit that as the property name in the token. However, if you're not able to change the Name on the claim, then you need to map.
Thanks for the reply. I've set the "groups" claim at the app level as we don't have an authorization server and it doesn't appear to put that in the JWT, hence the call to the userinfo endpoint and the manual mapping. I changed the name of the claim to "roles" just to be sure but again it doesn't go into the JWT. There doesn't seem to be any way other than the authorization server to get that information in there.
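The two working configurations described in this thread (mapping the userinfo "groups" array onto role claims with ClaimActions.MapJsonKey, and relying on a claim named "roles" being picked up automatically) put together as one complete ASP.NET Core app. This is an added example, not code from any poster or from Okta; it assumes .NET 6+ minimal hosting, the Microsoft.AspNetCore.Authentication.OpenIdConnect package, an "okta" configuration section with Issuer/ClientId/ClientSecret as in the question, and an Okta group called "Admins" (a placeholder name). The handler is registered without the custom "oidc" name so that it matches DefaultChallengeScheme, which is the scheme mismatch the original poster hit.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var okta = builder.Configuration.GetSection("okta"); // assumed section: Issuer, ClientId, ClientSecret

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // "OpenIdConnect": must equal the name the handler below registers under.
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options => // no custom scheme name, so it is "OpenIdConnect"
{
    options.Authority = okta["Issuer"];
    options.ClientId = okta["ClientId"];
    options.ClientSecret = okta["ClientSecret"];
    options.CallbackPath = "/authorization-code/callback";
    options.ResponseType = "code";
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("openid");
    options.Scope.Add("profile"); // the groups claim is configured on this scope in Okta

    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        // Default RoleClaimType is ClaimTypes.Role. An id_token claim named
        // "roles" is translated to ClaimTypes.Role by the JWT handler's inbound
        // claim map, which is why renaming the Okta claim to "roles" works
        // without any mapping code. A claim under another name (e.g. "groups")
        // in the id_token would instead need RoleClaimType = "groups".
    };

    // userinfo path: each element of the "groups" JSON array becomes one
    // ClaimTypes.Role claim, so User.IsInRole("Admins") works.
    options.ClaimActions.MapJsonKey(ClaimTypes.Role, "groups");
});

builder.Services.AddAuthorization(options =>
{
    // "Admins" is a placeholder group name; use your own Okta group here.
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admins"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", (HttpContext ctx) =>
{
    var roles = ctx.User.FindAll(ClaimTypes.Role).Select(c => c.Value);
    return $"Hello {ctx.User.Identity?.Name}; roles: {string.Join(", ", roles)}";
}).RequireAuthorization();

app.MapGet("/admin", () => "admin area").RequireAuthorization("AdminOnly");

app.Run();
```

Two points worth keeping in mind with this setup: the group list is obtained over the back channel from the userinfo endpoint and then stored in the sign-in cookie, so a user's roles only change at the next sign-in, and whatever the Okta groups-claim filter matches is what ends up in every session. Keep that filter narrow (a specific group name or a regex on an agreed prefix) rather than ".*", and when role checks unexpectedly fail, inspect the issued claims on "/" before suspecting the authorization policy.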
Hi Jonathan,
Thank you for posting your question on our support community page.
Based on your last response, it seems that you've managed to remove the "oidc" from .AddOpenIdConnect("oidc", options after rebooting your machine / triggering the policy.
Please find more information regarding how to add an IAM solution for your ASP.NET Core app:
https://developer.okta.com/code/dotnet/aspnetcore/
If you have any questions or require assistance, please open a case or contact Okta Support.
Kind regards,
Sergiu Costea
Technical Support Engineer
Okta Global Customer Care