Okta OIDC no groups in claims

andrew.wood.wb · January 19, 2021, 2:30pm

Product: PowerShell Universal
Version: 1.5.9

OIDC Claims not requesting groups.

I have configured an Open ID Connect App in Okta and federated it with Universal. I get redirected to sign in to Okta and then sent back all fine. However when I look at the Claims (So I can set up roles) the groups are not present in the claims coming from Okta. Could be be that they are not being requested? Have I missed something in the configuration? I think this section of the Okta docs is relevant. Add a Groups claim for the Org Authorization Server | Okta Developer

andrew.wood.wb · January 20, 2021, 3:17pm

So I tried to debug this but the Universal Server is somewhat opaque. I was able to capture the request going to Okta and I could see that the scope argument is not being sent which I am pretty sure is part of the problem. Could we get a scope argument added to the OIDC section of the appconfig and have it sent if set?

andrew.wood.wb · January 21, 2021, 9:44am

Think I figured a way around this out. By adding a groups Claim to the default Authorization server in Okta I now see the groups. Unfortunately since its the default then I can’t really limit which groups are returned as this would make the default server specific to one app which is not desirable so I get them all, this seems to cause a few issues with Powershell Universal though as there are so many claims, trying to dump them to a file, for example, hangs the page. The way to get around that is using scopes which takes me back to my above suggestion.

andrew.wood.wb · February 10, 2021, 11:38am

This was fixed for me in PowerShell Universal 1.5.11.