Overview
When using the OpenID Connect (OIDC) attribute mapping options to pull additional profile attributes into the Auth0 stored user profile, arrays are mapped to comma-separated strings.
Applies To
- OIDC Enterprise Connection
- Okta Workforce Enterprise Connection
Cause
This is a current limitation of the attribute mapping when mapping_mode is set to use_map or basic_profile.
Solution
To keep the array structure, the bind_all mapping mode in the connection’s User Mapping settings is currently necessary.
- This ensures the required claims are passed in the ID token sent to Auth0 so they can be mapped into the Auth0 copy of the user profile in the same format as in the ID token.
- Okta Workforce connections cannot currently use bind_all mapping, so for custom claims, an OIDC Enterprise connection will need to be used instead.
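The following JavaScript is an added example, not Auth0 code and not part of the original article. It shows why the array structure matters to code that reads the stored profile: a value containing a comma cannot be recovered from the flattened string. The claim name groups, the sample values, and the assumption that flattening is a plain comma join without escaping are all constructed for illustration.

```javascript
// Added example, not Auth0 code. `groups` is a hypothetical custom claim name.
// Constructed sample: the same upstream claim as it would be stored two ways.
const upstreamClaim = ["Finance, EMEA", "admins"];
const storedWithBindAll = { groups: upstreamClaim.slice() }; // array kept
// Assumption: flattening is a plain comma join with no escaping.
const storedWithUseMap = { groups: upstreamClaim.join(",") }; // "Finance, EMEA,admins"

// Return the attribute as a list, plus a flag saying whether the list had to
// be recovered from a flattened string (and so may not match the upstream claim).
function readGroups(profile, attr = "groups") {
  const value = profile[attr];
  if (Array.isArray(value)) {
    return { groups: value.map(String), recovered: false };
  }
  if (typeof value === "string") {
    const groups = value
      .split(",")
      .map((s) => s.trim())
      .filter(Boolean);
    return { groups, recovered: true };
  }
  // Attribute missing or of an unexpected type: treat as no groups.
  return { groups: [], recovered: false };
}

// Exact-match membership on list items, not a substring test on the raw string.
function isMember(profile, group, attr = "groups") {
  return readGroups(profile, attr).groups.includes(group);
}

console.log(readGroups(storedWithBindAll)); // two groups, as issued upstream
console.log(readGroups(storedWithUseMap)); // three groups after splitting
```

With the flattened value, "Finance, EMEA" is no longer a member while "EMEA" appears as a group that was never issued, so authorization logic that depends on such a claim should read it from a profile stored as an array.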
It should also be noted that a given Okta domain may have several different “authorization servers,” and these can be configured differently as to what claims they put into tokens:
Related References
- “Thin” ID tokens used by Okta for back-channel flows that can result in missing claims due to their omission by the upstream Okta Identity Provider (IdP): Okta Groups or Attribute Missing from ID Token
- Setting up an OIDC connection when Auth0 is the Service Provider: Connect to OpenID Connect Identity Provider
- Mapping for OIDC connections: Configure PKCE and Claim Mapping for OIDC Connections