
2mmn0 (2mmn0) asked a question.
I am trying to get the AD Groups as claims, but don't want to change that globally as the authorization server is shared between business units which each have their own AD server. For a particular application I'd like to get the AD groups. I have found this page: https://support.okta.com/help/s/article/Can-we-retrieve-both-Active-Directory-and-Okta-groups-in-OpenID-Connect-claims?language=en_US which seems to indicate it's possible, however I only get the claims if I add them to the API authorisation server. I guess that means I'm using a custom authorisation server, however I'm not aware how; I'm using the client id and secret from the application.
Is there any way I can get at the AD groups without changing anything in the API Authorisation server?

Hi @2mmn0 (2mmn0), thank you for reaching out to the Okta Community!
I ran this by my developer colleagues and they mentioned that if you are using a custom Authorization Server to mint tokens, then you would have to create a custom claim on the authorization server in question.
If you are able to use the Org Authorization Server instead, you do configure its groups claim at the application level instead of at the server level.
But your use case might necessitate the use of a custom Authorization Server.
I'm not sure how much this information helps, but this is a bit outside of my area of expertise.
My advice would be to reach out via devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--
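Added example, not part of the original thread and not Okta's code: a diagnostic sketch for the "which authorization server am I using?" question above. It reads the `iss` claim of a token and classifies it, relying on the fact that the Org Authorization Server issues tokens with the bare Okta domain as issuer while a custom one uses `https://{yourOktaDomain}/oauth2/{authorizationServerId}`. The `example.okta.com` domain, the `groups` claim name, the group value and the sample tokens are constructed assumptions.

```python
import base64
import json
from urllib.parse import urlparse


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def describe_token(jwt, groups_claim="groups"):
    """Classify the issuing authorization server and report the groups claim.

    Diagnostic only: the signature is NOT verified here, so the result must
    never feed an access decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    claims = b64url_json(parts[1])
    iss = urlparse(claims.get("iss", ""))
    segs = [s for s in iss.path.split("/") if s]
    if not iss.netloc:
        server = "unknown"            # missing or malformed issuer
    elif not segs:
        server = "org"                # issuer is the bare Okta domain
    elif len(segs) == 2 and segs[0] == "oauth2":
        server = "custom:" + segs[1]  # includes the built-in "default" server
    else:
        server = "unknown"
    return {"server": server, "groups": claims.get(groups_claim)}


def make_sample(claims):
    """Build a constructed, unsigned sample token (placeholder signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])


# Constructed samples: one per issuer shape, placeholder domain and group.
SAMPLE_ORG = make_sample({"iss": "https://example.okta.com",
                          "groups": ["AD-Finance"]})
SAMPLE_CUSTOM = make_sample({"iss": "https://example.okta.com/oauth2/default"})

if __name__ == "__main__":
    for name, tok in (("org", SAMPLE_ORG), ("custom", SAMPLE_CUSTOM)):
        print(name, describe_token(tok))
```

A `custom:default` result means the application is pointed at the built-in `default` custom authorization server, which is consistent with claims appearing only after they are added at the server level.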