Tags: openid-connect, okta

Okta groups not returning after changing issuer from default


I was using the 'default' authorization server earlier in Okta, and it was returning 'groups' fine for me. The URL is as below. Also, note that I was not requesting the 'groups' scope explicitly, but it was still returning 'groups' fine, as I have added groups to be returned in 'Any' scope and return 'Always'.

https://dev-ApplicationID.okta.com/oauth2/default/v1/authorize?client_id=********&response_type=code id_token&scope=openid profile&state=OpenIdConnect.AuthenticationProperties=**************&response_mode=form_post&nonce=********&redirect_uri=https://localhost:44303/authorization-code/callback&post_logout_redirect_uri=https://localhost:44303/&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0

I changed the issuer by removing the 'default', and authentication still happens fine, but it stopped returning the 'groups'. I see only one authorization server configured, and that is 'default', and it is configured correctly to return 'groups' in the id_token. We changed nothing on the Okta side except for the issuer URL (just removing the 'default').

https://dev-ApplicationID.okta.com/oauth2/v1/authorize?client_id=********&response_type=code id_token&scope=openid profile&state=OpenIdConnect.AuthenticationProperties=**************&response_mode=form_post&nonce=********&redirect_uri=https://localhost:44303/authorization-code/callback&post_logout_redirect_uri=https://localhost:44303/&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0

Can anyone explain this behavior? Does it go to a different authorization server? If yes, how do I configure it to return 'groups' by default?


Solution

  • As your "new" URL doesn't have "default" in it, per Okta's documentation, it's the URL used to sign in to Okta, compared to the one with "default", which is used to do SSO into other apps. Okta maybe does not require additional claims to be injected into the tokens they create for themselves (not interested in having bloated tokens when they can get all information about the user from their own DB).

    In other words, if you are using OIDC/OAuth for signing into your own app, use default as recommended in the guide - https://developer.okta.com/docs/reference/api/oidc/#composing-your-base-url
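As an added diagnostic (example code written for this page, not part of the original question or answer, and not Okta's own tooling): the two authorize URLs in the question differ only in the `/oauth2/default` path segment, and that segment is exactly what decides which authorization server issues the tokens. Okta's org authorization server answers at `https://{org}.okta.com/oauth2/v1/...` and sets `iss` to the bare org URL; a custom authorization server answers at `https://{org}.okta.com/oauth2/{authServerId}/v1/...` and sets `iss` to `https://{org}.okta.com/oauth2/{authServerId}`. The script below maps an authorize URL to the issuer you should expect in the resulting ID token, and decodes an ID token payload to report which server produced it and whether a `groups` claim is present. The org name `dev-123456.okta.com`, the `sub`/`aud` values and the group names are constructed placeholders, and the sample tokens are unsigned (`alg: none`) so the example runs offline. The decoder deliberately does not verify signatures: it is for inspecting a token you already obtained while debugging, never for making an authorization decision.

```python
import base64
import json
import re
from urllib.parse import urlparse


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_demo_token(payload: dict) -> str:
    """Build a JWT-shaped string with an empty signature (demo input only;
    real Okta ID tokens are RS256-signed and must be verified against the
    issuer's JWKS before any claim is trusted)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",
    ])


def decode_claims(id_token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostic only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_issuer(iss: str) -> str:
    """'org' for the org authorization server, 'custom:<id>' for a custom one."""
    path = urlparse(iss).path.rstrip("/")
    if path == "":
        return "org"
    if path.startswith("/oauth2/"):
        return "custom:" + path[len("/oauth2/"):]
    return "unknown"


_AUTHORIZE_PATH = re.compile(r"^/oauth2/(?:([^/]+)/)?v1/authorize$")


def expected_issuer_for_authorize_url(url: str) -> str:
    """Derive the issuer that tokens minted via this authorize endpoint will carry."""
    parsed = urlparse(url)
    match = _AUTHORIZE_PATH.match(parsed.path)
    if not match:
        raise ValueError(f"not an Okta authorize endpoint path: {parsed.path}")
    base = f"{parsed.scheme}://{parsed.netloc}"
    auth_server_id = match.group(1)
    # /oauth2/v1/authorize -> org server, issuer is the bare org URL;
    # /oauth2/{id}/v1/authorize -> custom server, issuer includes /oauth2/{id}.
    return base if auth_server_id is None else f"{base}/oauth2/{auth_server_id}"


def diagnose(id_token: str) -> dict:
    """Summarise which authorization server issued the token and whether
    it carries a 'groups' claim."""
    claims = decode_claims(id_token)
    iss = claims.get("iss", "")
    return {
        "issuer": iss,
        "authorization_server": classify_issuer(iss),
        "has_groups": "groups" in claims,
        "groups": list(claims.get("groups", [])),
    }


# Constructed sample tokens modelled on the two URLs in the question.
CUSTOM_AS_TOKEN = make_unsigned_demo_token({
    "iss": "https://dev-123456.okta.com/oauth2/default",
    "sub": "00uexample", "aud": "0oaexample",
    "groups": ["Everyone", "Admins"],
})
ORG_AS_TOKEN = make_unsigned_demo_token({
    "iss": "https://dev-123456.okta.com",
    "sub": "00uexample", "aud": "0oaexample",
})

if __name__ == "__main__":
    for url in ("https://dev-123456.okta.com/oauth2/default/v1/authorize?client_id=x",
                "https://dev-123456.okta.com/oauth2/v1/authorize?client_id=x"):
        print(url, "->", expected_issuer_for_authorize_url(url))
    for token in (CUSTOM_AS_TOKEN, ORG_AS_TOKEN):
        print(diagnose(token))
```

Run it against a real ID token from each flow (paste it in place of the constructed ones) and compare the `iss` values: if the second flow reports `authorization_server: org`, the request is being served by a different server than the `default` custom authorization server whose claim configuration you checked.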