<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z00009a33F2CAIOkta Classic EngineAuthenticationAnswered2025-09-13T09:01:51.000Z2023-09-06T17:24:45.000Z2023-09-07T13:37:20.000Z

User16548073300991554295 (Customer) asked a question.

September 6, 2023 at 5:24 PM
Some tokens are including multiple preferred_username claims in array format

From what I've read in the spec, the preferred_username claim is a string value, yet I have some examples where the preferred_username claim is multi-valued as an array. We had production issues due to treating it as a string value when it came in as an array. I would ascribe it to the library we're using, but jwt.io shows it as an array in the decoded payload. Can someone help me understand:

  1. How would one even interpret more one value of something called "preferred". Is it ranked?
  2. How does this happen (our client believes they haven't done anything different with these users)
  3. Claims like sub, iss, and aud are always going to be single string, so clearly there is a difference between single- and multi-value claims. Is this spelled out anywhere for Okta tokens?

Obviously, we have a fix for it by doing more stringent checking, but it seems like it shouldn't be an issue.

Thanks!

 

Reference:

5.1 (https://openid.net/specs/openid-connect-core-1_0.html*StandardClaims) "This value MAY be any valid JSON string including special characters such as @, /, or whitespace"

  • 3 answers
  • 470 views

  • a0n5s (a0n5s)

    preferred_username can be any value. it pass from okta and your system can work with it as your system want. what scenario needs multi-value?

  • User16548073300991554295 (Customer)

    Thanks for responding. I should have phrased it better. In this case, I don't want more than one value for preferred_username and don't even understand how it's happening since only some users have it. The actual values differ only in case (abc@host.com vs ABC@host.com). I'm an app developer so don't know anything about how Okta generates that token or what their admin sees. Their admin swears there's only one value. So I'd like to be able to tell them what they might have done to create two values so it can be fixed. Maybe even a screenshot from an Okta configuration screen that would help me understand what they are seeing would be good.

    Expand Post
This question is closed.
Loading
Some tokens are including multiple preferred_username claims in array format