
iz3is (iz3is) asked a question.
Hi,
I am trying to get groups assigned to an OpenID Connect app included in the access token.
I have followed the Okta how-to at https://developer.okta.com/docs/how-to/creating-token-with-groups-claim/*step-three-configure-a-custom-claim-for-your-groups-custom-authorization-server
As per the guide I have:
- created an OpenID Connect test app "MarkusTest11"
- created a new group "MarkusGroup"
- added the "MarkusTest11" app to the "MarkusGroup"
- created a new Custom Authentication Server
- added a whitelist "groupswhitelist" containing the group "MarkusGroup" to the app profile (note: I tried to add by both name and id, only by id and only by name)
- added a claim "groupwhitelist" (any scope) to verify the "groupswhitelist" attribute has been added correctly to the app profile and is accessible. Expression: app.profile.groupswhitelist
- added a claim "groups" (any scope) to my custom OAuth2 authorization server with Expression filter: getFilteredGroups(app.profile.groupswhitelist, "group.name", 10)
When using the Okta Token Preview page of my Custom Authentication Server and using Client Credentials auth I see that the "groupwhitelist" claim is processed correctly and the "groupswhitelist" list attribute of the app profile is returned correctly.
However, the "groups" claim is not set on the access token.
Any idea why this is not working? Is there anything I am missing?
Thank you,
Markus

Btw seems I am unable to post images here? If there was a way to post images, I'd be happy to supply screenshots of
Does anyone have an idea?
Seems to me this should be a pretty straightforward and common setup.