Missing group claims in access token

Question

Missing group claims in access token

Mihai 10

Hello,

Long story: I am trying to setup Azure as an OIDC IdP to Okta.

This was successful.

I am trying to map the group claims, to the Okta user profile, which I am having a hard time doing so.

I opened up a support case with Okta, and they are asking for the Access token Payload.

Using the following document: https://learn.microsoft.com/en-us/azure/databricks/dev-tools/app-aad-token, I was able to get an access token and used https://jwt.io to decode.

And as per: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-token-claims-reference, i should see the groups claim in the access token, the user that signed in and generated that token has only 1 group assigned to him.

The token has the following load:

{
  "aud": "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d",
  "iss": "https://sts.windows.net/d667a24e-91f8-4dfa-9999-ee6e5bbf2390/",
  "iat": 1691758952,
  "nbf": 1691758952,
  "exp": 1691763068,
  "acr": "1",
  "aio": "ATQAy/8UAAAA8Mn0Hcd/2tc6J6S8UlTxMcSbpwVRln86TcIIfNDehUcuXfNEJ/ghIVT9W381qjvH",
  "amr": [
    "pwd"
  ],
  "appid": "babcc718-f046-4ade-ba15-f421e94ae162",
  "appidacr": "1",
  "family_name": "DISPLAY",
  "given_name": "NAME",
  "ipaddr": "2a02:2f0e:dd0a:8a00:acc1:dedb:20db:2d81",
  "name": "DISPLAY NAME",
  "oid": "c3be473b-8e29-4175-a33d-be4783896f42",
  "puid": "10032002D44BB2C3",
  "rh": "0.AU8ATqJn1viR-k2Zme5uW78jkKYU-C8EM7hKhcvNDm-HnB1PAOM.",
  "scp": "user_impersonation",
  "sub": "xtwOHyMcQOwHucCXVBNFffoSn6SnIhou8y3QzpVjUDs",
  "tid": "d667a24e-91f8-4dfa-9999-ee6e5bbf2390",
  "unique_name": "ACCOUNTUPN",
  "upn": "ACCOUNTUP",
  "uti": "LRtxwcRJhUOqo1mGTvOZAA",
  "ver": "1.0"
}

Under Token Configuration, I added groups claim using Group ID for ID, Access and SAML token. But as you can see, there is no group claim in the access token.

In Azure AD, made sure that in the manifest I made sure to have this.

groupMembershipClaims": "All, ApplicationGroup"

Mihai 10 Reputation points

2023-08-14T16:45:08.35+00:00

Any idea anyone?

2 answers

Your answer

Mihai 10 Reputation points

2023-08-14T16:45:08.35+00:00

Any idea anyone?

Answer 1

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Moderator

Hello @Mihai , in order to obtain the groups claim included in your access token you need to enable them as optional claims. In your app manifest ensure the following content is present. Also, you need to request an access token for your app (which will become the resource), not just trough it (as a client).

{
    "optionalClaims": {
        "accessToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ]
    }
}

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

Mihai 10 Reputation points

2023-08-22T18:59:09.6866667+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA that is present in the manifest of the app, but I still cannot see the claim in the access token.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-08-22T20:48:10.2833333+00:00

Is this a external or guest user? Do you get a hasGroups claims?
Mihai 10 Reputation points

2023-08-23T09:05:28.53+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA No the user is not an external or a guest. As we can see in here, he has a group assigned to him.

Thank you,
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-08-23T18:46:11.4433333+00:00

Ok please share your app manifest.

Mihai 10

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA I added the app manifest below. Thank you so much for your input here.

{
	"id": "af0efdb0-e349-488b-91cf-456459f6bcdf",
	"acceptMappedClaims": null,
	"accessTokenAcceptedVersion": null,
	"addIns": [],
	"allowPublicClient": true,
	"appId": "babcc718-f046-4ade-ba15-f421e94ae162",
	"appRoles": [],
	"oauth2AllowUrlPathMatching": false,
	"createdDateTime": "2023-08-11T11:10:01Z",
	"description": null,
	"certification": null,
	"disabledByMicrosoftStatus": null,
	"groupMembershipClaims": "All, ApplicationGroup",
	"identifierUris": [
		"api://4564664-534d-441b-8270-4654446564/user_impersonation"
	],
	"informationalUrls": {
		"termsOfService": null,
		"support": null,
		"privacy": null,
		"marketing": null
	},
	"keyCredentials": [],
	"knownClientApplications": [],
	"logoUrl": null,
	"logoutUrl": null,
	"name": "Okta OIDC",
	"notes": null,
	"oauth2AllowIdTokenImplicitFlow": false,
	"oauth2AllowImplicitFlow": false,
	"oauth2Permissions": [],
	"oauth2RequirePostResponse": false,
	"optionalClaims": {
		"idToken": [
			{
				"name": "groups",
				"source": null,
				"essential": false,
				"additionalProperties": []
			},
			{
				"name": "family_name",
				"source": null,
				"essential": false,
				"additionalProperties": []
			},
			{
				"name": "given_name",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		],
		"accessToken": [
			{
				"name": "groups",
				"source": null,
				"essential": false,
				"additionalProperties": []
			},
			{
				"name": "family_name",
				"source": null,
				"essential": false,
				"additionalProperties": []
			},
			{
				"name": "given_name",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		],
		"saml2Token": [
			{
				"name": "groups",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}
		]
	},
	"orgRestrictions": [],
	"parentalControlSettings": {
		"countriesBlockedForMinors": [],
		"legalAgeGroupRule": "Allow"
	},
	"passwordCredentials": [
		{
			"customKeyIdentifier": null,
			"endDate": "2024-02-07T12:10:36.321Z",
			"keyId": "a544388c-fa6a-4ef3-b8bf-352f9edc96ca",
			"startDate": "2023-08-11T11:10:36.321Z",
			"value": null,
			"createdOn": "2023-08-11T11:10:40.7901166Z",
			"hint": "tmH",
			"displayName": "Okta"
		}
	],
	"preAuthorizedApplications": [],
	"publisherDomain": "mihaiandreigazigmail.onmicrosoft.com",
	"replyUrlsWithType": [
		{
			"url": "https://dev-43423731.okta.com/oauth2/v1/authorize/callback",
			"type": "Web"
		}
	],
	"requiredResourceAccess": [
		{
			"resourceAppId": "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d",
			"resourceAccess": [
				{
					"id": "739272be-e143-11e8-9f32-f2801f1b9fd1",
					"type": "Scope"
				}
			]
		},
		{
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "14dad69e-099b-42c9-810b-d002981feec1",
					"type": "Scope"
				},
				{
					"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
					"type": "Scope"
				}
			]
		}
	],
	"samlMetadataUrl": null,
	"signInUrl": null,
	"signInAudience": "AzureADMyOrg",
	"tags": [],
	"tokenEncryptionKeyId": null
}

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-08-24T23:41:02.5233333+00:00

Are you setting your app as the resource in the AuthN request scope param? Eg. ?scope=<app appid> or ?scope=<one of app identifierUris>/<app scope>
Mihai 10 Reputation points

2023-08-25T09:00:25.0166667+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

I don't know exactly what you mean by that, I am sorry.

To give a little bit more insight, I have the app setup in Azure, to act as an OIDC IDP For Okta, so users in Azure login to Okta using this OIDC app.

I am trying to map the groups of the Azure User to Okta profile, to do so, Okta support requested the access token load to see the groups claim.

Okta asks for 3 scopes:

email, openid, profile.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-08-29T07:40:22.39+00:00

Otka needs to request the an access token using one of two scopes: <appid> or <app identifierUris>/<app scope>. Eg: 0fbff6d5-55ea-43e3-b036-fe0525658edd or api://0fbff6d5-55ea-43e3-b036-fe0525658edd/user_impersonation. email, openid and profile scopes are OpenID Connect scopes, meant to request ID tokens, not access tokens. Please share the OTKA documentation you're following for how to setup Azure AD as an IdP, and/or your current Otka env. setup.
Mihai 10 Reputation points

2023-08-29T08:46:23.5266667+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

Here is the doc that I used:

https://developer.okta.com/docs/guides/add-an-external-idp/azure/main/

Follwing those steps, I setup Azure as an OIDC IDP.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-08-29T18:01:19.0433333+00:00

Ok please provide a sample OTKA Authorize URL. Eg. https://${yourOktaDomain}/oauth2/v1/authorize?idp=${idp_id}&client_id=${client_id}&response_type=id_token&response_mode=fragment&scope=openid%20email&redirect_uri=https%3A%2F%2FyourAppUrlHere.com%2F&state=WM6D&nonce=YsG76jo

Instructions on how to create one are detailed in Test the integration.
Mihai 10 Reputation points

2023-08-30T12:22:31.8566667+00:00
@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA So I tried building the link using the documentation mentioned above:

https://dev-43423731.okta.com/oauth2/v1/authorize?idp=0oaarvtw54CgWnP0E5d7&client_id=babcc718-f046-4ade-ba15-f421e94ae162&response_type=id_token&response_mode=fragment&scope=openid%20email&redirect_uri=https%3A%2F%2Fdev-43423731.okta.com&state=WM6D&nonce=YsG76jo

The problem is that it's throwing a 400 bad request, I suspect the issue might be with the client ID, as in the doc it says:

client_id: Use the client_id value that you obtained from the OpenID Connect client application in the previous section. This is not the client_id from the Identity Provider.

But the client_id in the Identity Provider, is the client ID I took from the OIDC Application in Azure, which is called Application id. Is there another ID I have to use?
Mihai 10 Reputation points

2023-08-30T12:29:36.7966667+00:00

@Alfredo Revilla - Upwork Top Talent | IAM SWE SWA

Using the doc above, I have the following URL:

https://dev-43423731.okta.com/oauth2/v1/authorize?idp=0oaarvtw54CgWnP0E5d7&client_id=babcc718-f046-4ade-ba15-f421e94ae162&response_type=id_token&response_mode=fragment&scope=openid%20email&redirect_uri=https%3A%2F%2Fdev-43423731.okta.com&state=WM6D&nonce=YsG76jo

But it throws 400 bad request. I think it's because of the client ID as in the doc, it says the following:
client_id: Use the client_id value that you obtained from the OpenID Connect client application in the previous section. This is not the client_id from the Identity Provider.

But that Client ID in the IDP, is the one from the OIDC App in Azure, but there is called Application ID.

I there any other client Id that I dont know about?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-09-12T14:28:27.1666667+00:00

As I thought, your OTKA authorize call is missing the scope required for access token issuance. Try adding this scope to the current ones in OTKA: babcc718-f046-4ade-ba15-f421e94ae162. Or if you configure an App ID URI for your Azure AD app registration: api://babcc718-f046-4ade-ba15-f421e94ae162/.default. Also, set response_type to code.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-09-12T14:30:28.61+00:00

Regarding the 400 bas request error, sure the cient id value is NOT the Azure AD client id (or app id) but the OTKA app client id.

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Missing group claims in access token

2 answers

Your answer