
b71b7 (b71b7) asked a question.
We are in the process of testing our first application on Okta. We are using Tomcat with an openid authenticator that redirects back to our Okta endpoint and requests claims. It works if we request email, but we are unable to get the username.
I know normally a username has to be an email address, but what if it does not match the email address? Is there a way to get that data? We have tried:
"name",
"username",
"preferred_username" (this seems to be the most logical option from googling and the Okta Developer KB)
"profile.preferred_username"
Nothing seems to work except usernameClaim="email"
This is the authenticator we are using: https://github.com/boylesoftware/tomcat-oidcauth
Any help on this is greatly appreciated. Thank you!

Solved... it turns out we were requesting "email" scope, and we needed to request "profile" scope. After this change, "preferred_username" claim works... 🙂
For anyone who sees this and is using this authenticator: https://github.com/boylesoftware/tomcat-oidcauth, setting the following works for using User Name as the claim:
usernameClaim="preferred_username" additionalScopes="profile"
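
The fix above follows from the standard scope-to-claim mapping in OpenID Connect Core 1.0, section 5.4. As an added example (not part of the original post, and not code from tomcat-oidcauth or Okta), this Python diagnostic decodes a token payload and reports which scope a configured username claim needs; the function names, result strings and sample tokens are constructed for illustration.

```python
import base64
import json

# Standard scope -> claims mapping from OpenID Connect Core 1.0, section 5.4.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

def jwt_payload(token):
    """Decode a compact JWT payload WITHOUT verifying the signature.
    Troubleshooting only: never base an authentication decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))

def diagnose(username_claim, requested_scopes, claims):
    """Say why username_claim is or is not available in the received claims."""
    if username_claim in claims:
        return "ok"
    owners = [s for s, names in SCOPE_CLAIMS.items() if username_claim in names]
    if not owners:
        return "not-a-standard-claim"  # needs a custom claim at the provider
    if owners[0] not in requested_scopes:
        return "missing-scope:" + owners[0]
    return "scope-requested-but-claim-absent"  # check the provider's claim config

def _sample_token(claims):
    # Constructed sample token with a dummy signature segment.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256"}) + "." + enc(claims) + ".c2ln"

# Constructed samples: claims received before and after adding "profile".
BEFORE = _sample_token({"sub": "00u-example", "email": "jane.doe@example.com"})
AFTER = _sample_token({"sub": "00u-example", "email": "jane.doe@example.com",
                       "preferred_username": "jdoe"})

if __name__ == "__main__":
    for claim in ("name", "username", "preferred_username",
                  "profile.preferred_username", "email"):
        print(claim, "->", diagnose(claim, {"openid", "email"}, jwt_payload(BEFORE)))
    print(diagnose("preferred_username", {"openid", "email", "profile"},
                   jwt_payload(AFTER)))
```
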