Product: PowerShell Universal
OIDC Claims not requesting groups.
I have configured an OpenID Connect App in Okta and federated it with Universal. I get redirected to sign in to Okta and then sent back all fine. However, when I look at the Claims (so I can set up roles), the groups are not present in the claims coming from Okta. Could it be that they are not being requested? Have I missed something in the configuration? I think this section of the Okta docs is relevant: Add a Groups claim for the Org Authorization Server | Okta Developer
So I tried to debug this but the Universal Server is somewhat opaque. I was able to capture the request going to Okta and I could see that the scope argument is not being sent which I am pretty sure is part of the problem. Could we get a scope argument added to the OIDC section of the appconfig and have it sent if set?
Think I figured out a way around this. By adding a groups Claim to the default Authorization server in Okta I now see the groups. Unfortunately, since it's the default, I can't really limit which groups are returned, as this would make the default server specific to one app, which is not desirable, so I get them all. This seems to cause a few issues with PowerShell Universal though, as there are so many claims; trying to dump them to a file, for example, hangs the page. The way to get around that is using scopes, which takes me back to my above suggestion.
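An added example (not PowerShell Universal's or Okta's own code) for checking the two things discussed in this thread: whether the authorization request actually carries a groups scope, and whether the id_token that comes back contains a `groups` claim. It assumes a standard OIDC authorization-code request; the issuer, client id, redirect URI, sample token and function names are all placeholders I made up.

```powershell
# Builds the OIDC authorization request so you can see which scopes are sent.
# Assumption: standard authorization-code flow against an Okta authorization
# server; the issuer and client id used below are placeholders.
function New-OidcAuthorizeUri {
    param(
        [string]$Issuer,
        [string]$ClientId,
        [string]$RedirectUri,
        [string[]]$Scopes = @('openid', 'profile', 'email')
    )
    $query = @(
        "client_id=$([uri]::EscapeDataString($ClientId))"
        "response_type=code"
        "redirect_uri=$([uri]::EscapeDataString($RedirectUri))"
        "scope=$([uri]::EscapeDataString(($Scopes -join ' ')))"
    ) -join '&'
    return "$Issuer/v1/authorize?$query"
}

# Decodes the payload segment of a JWT WITHOUT verifying the signature.
# Use it only to inspect which claims the IdP sends; role decisions must be
# made on the token the server has verified, not on this raw decode.
function Get-JwtPayload {
    param([string]$Token)
    $segment = ($Token -split '\.')[1]
    # base64url -> base64: restore the alphabet and the padding
    $b64 = $segment.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

# Constructed sample id_token (header + payload only, empty signature segment).
$toB64Url = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
$header  = & $toB64Url '{"alg":"none","typ":"JWT"}'
$payload = & $toB64Url '{"sub":"00u1abc","email":"user@example.com","groups":["PSU-Admins","Everyone"]}'
$sampleToken = "$header.$payload."

# 1) Authorization request: confirm 'groups' is in the scope parameter.
New-OidcAuthorizeUri -Issuer 'https://dev-000000.okta.com/oauth2/default' `
    -ClientId 'CLIENT_ID_PLACEHOLDER' -RedirectUri 'https://psu.example.com/signin-oidc' `
    -Scopes 'openid', 'profile', 'email', 'groups'

# 2) Returned token: confirm a groups claim is present before building roles on it.
$claims = Get-JwtPayload -Token $sampleToken
if ($claims.PSObject.Properties.Name -contains 'groups') {
    "groups claim present: $($claims.groups -join ', ')"
} else {
    "no groups claim in id_token; check the scope parameter and the authorization server's claim config"
}
```

Paste a real id_token captured from your own session into `Get-JwtPayload` to see exactly which claims Okta sent, instead of dumping them through the Universal UI.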
This was fixed for me in PowerShell Universal 1.5.11.