
Je SumY.15084 (Customer) asked a question.
Hi everyone.
I have Auth0 integrated with Okta. As part of the authentication flow, Auth0 calls my custom authorization server in Okta via the /oauth2/<authserver-id>/v1/userinfo endpoint.
I'm working on a use case where the group that a user belongs to can contain some additional metadata about its members. This means all users who are part of the group will be treated in a special way by my web application that is integrated with Auth0.
The challenge I am facing now is how can I pass the group's custom attributes defined in Okta to Auth0. The /userinfo endpoint can only be extended to contain Group Names via a custom claim. For example, I have extended the claims in my custom authorization server with a claim called "groups" which contains all groups that a user is a member of EXCEPT for the default "Everyone".
As you can see, the Okta Expression Language is limited - I can only get group names with the function Groups.startsWith.
What's the best way to achieve what I am looking for? I can think of a long roundabout way to do this where:
- After a user has logged on, retrieve the user's "groups" claim from the id token minted by Okta - which should be an array.
- For each element in the array, call the Okta Groups API /api/v1/groups to retrieve the custom attributes of the group.
- Repeat *2 until all groups are processed.
The only problem with the approach above is the "groups" claim contains the group names, but the /api/v1/groups endpoint expects a groupID. So I'm kinda stuck in a rut.
Help?

Well, ok, I could modify the step above to become
But is that the only way to achieve what I need? I have to write custom code to call Okta APIs?
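The name-to-ID step of the approach described in the question, as an added example that is not part of the original post and not Okta's or Auth0's own code: it searches the Groups API by name with the `q` parameter, keeps only an exact name match, and returns the group's ID and custom profile attributes. Assumptions: `fetchJson` is a hypothetical caller-supplied function that performs the authenticated request on the server side, and the org URL, group names and the `tier` attribute are constructed sample values.

```javascript
// Added example. Assumption: fetchJson(url) is supplied by the caller, sends the
// request with the Okta API token from server-side code, and returns parsed JSON.
const BASE_ATTRS = new Set(["name", "description"]); // built-in group profile fields

// The groups claim carries names, so search by name first to learn the ID.
// `q` matches on a name prefix, so the result still needs exact filtering.
function groupSearchUrl(oktaOrgUrl, groupName) {
  const url = new URL("/api/v1/groups", oktaOrgUrl);
  url.searchParams.set("q", groupName); // URL-encodes the claim value
  return url.toString();
}

// Keep only the group whose name equals the claim value exactly; refuse to
// guess when the name is missing or ambiguous.
function pickExactGroup(results, groupName) {
  const exact = results.filter((g) => g.profile && g.profile.name === groupName);
  if (exact.length !== 1) {
    throw new Error(`expected one group named "${groupName}", found ${exact.length}`);
  }
  return exact[0];
}

// Everything in the profile besides the base fields is a custom attribute.
function customAttributes(group) {
  return Object.fromEntries(
    Object.entries(group.profile).filter(([key]) => !BASE_ATTRS.has(key))
  );
}

// Walk the "groups" claim and collect ID plus custom attributes per group.
async function resolveGroupMetadata(oktaOrgUrl, groupsClaim, fetchJson) {
  const out = {};
  for (const name of groupsClaim) {
    const results = await fetchJson(groupSearchUrl(oktaOrgUrl, name));
    const group = pickExactGroup(results, name);
    out[name] = { id: group.id, attributes: customAttributes(group) };
  }
  return out;
}

// Constructed sample data and an offline stand-in for the HTTP call.
const SAMPLE_GROUPS = [
  { id: "00g-constructed-1", profile: { name: "Partners", description: "d", tier: "gold" } },
  { id: "00g-constructed-2", profile: { name: "Partners-Trial", description: "d", tier: "trial" } },
];
const fakeFetchJson = async (url) => {
  const q = new URL(url).searchParams.get("q");
  return SAMPLE_GROUPS.filter((g) => g.profile.name.startsWith(q));
};
```

The exact-match filter matters because a search for "Partners" also returns "Partners-Trial", and treating the first hit as the user's group would attach the wrong metadata.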