StefanB.28950 (Customer) asked a question.
OIDC /userinfo endpoint not containing groups
We are trying to retrieve group memberships of the authenticated user via OIDC/authorization code flow. Reading through lots of issues regarding this topic, I want to clarify right from the start:
- We do NOT want the "groups" claim inside ID or access token. We are NOT able to configure custom authorization servers or claims due to our limited subscription.
- We are also NOT able to configure the "groups claim filter" inside the app, as we are creating lots of applications via API, here we see no possibility to specify the groups claim filter. Clicking manually through all the applications is not applicable for us.
Steps for reproduction:
- Retrieve a OIDC authorization code with scopes "openid email profile groups"
- Exchange the code for an access token
- Retrieve user infos with the access token in the GET request on the /userinfo endpoint
The response won't include the groups claim, although the docs clearly state that the endpoint will deliver all userinfo.
For me, this clearly looks like a bug. Any suggestions?
Hi @StefanB.28950 (Customer) , Thank you for reaching out to the Okta Community!
This question is more appropriate for our dedicated Okta Developer Forum.
My advice would be to reach out devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).
That being said, I was looking for potentially useful documentation and located this:
https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server
Please try setting up the claims as mentioned there to see if it helps and if not, check with my Developer colleagues on the other site.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--------------------------------
Headed to Oktane? Here's what you can expect, plus all the Okta tips you may have missed this month