Getting Okta claims and attaching it as a custom claim to the Auth0 token

adoami · April 27, 2023, 10:18pm

I recently created an app that has two methods of logging in: one is Auth0’s passwordless mechanism and the other is using our company’s Okta instance. I’m currently using this Login Flow to attach roles to the Auth0 id tokens which works for when we create users in the Auth0 admin console, but I don’t want to do this for our Okta users which already have role information in their user profile.

Ideally, I would use the code provided in the Auth0 docs as a flow and set the roles I find in the okta token in the auth0 idtoken:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://my-app.example.com';
  if (event.authorization) {
    if (event.connection == 'okta') {
        */ use okta token to get roles attached to okta user /*
        api.idToken.setCustomClaim(`${namespace}/roles`, {{roles_from_okta}});
        api.accessToken.setCustomClaim(`${namespace}/roles`, {{roles_from_okta}});
    }
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
}

Is the okta token exposed to this api? I wasn’t able to find this info in the docs.

tyf · April 27, 2023, 10:59pm

Hey there @adoami welcome to the community!

I don’t believe the token itself is exposed here - If any role data is exposed to Actions, it would be in the event object, event.user.identites array. I am not positive what is exposed for Okta in particular, so it may take some testing on your end. Aside from that, the only other way I can imagine getting that data would be to use some sort http client to reach out to Okta directly from within your Action.

Keep us posted!

adoami · April 28, 2023, 7:21pm

In order to perform a http request, we’d need the Okta access token. Is there a way to get the enterprise access token that is returned from the OIDC flow with Okta from within the action?

tyf · April 28, 2023, 11:33pm

Hey there @adoami thanks for following up - As far as I’m aware there is no OOTB way to access the user’s access token from within an Action.

system · May 12, 2023, 11:33pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to set app roles/permissions directly in enterprise IDP Help extensibility , actions-extensibility	3	1561	April 26, 2023
Add Roles/Claims to the access token via Login Flow Help login-experience , new-universal-login-experience	2	273	April 15, 2024
Claim Mapping for OIDC Connections Help connections , oidc-enterprise-connection	2	1505	August 17, 2023
Angular Access Token Custom Claims Help jwt , auth0 , login , custom-claims	4	2484	October 13, 2022
Unable to Retrieve Custom "Roles" Claim from Access Token at /userinfo Endpoint Help extensibility , actions-extensibility	12	2289	July 28, 2023

Getting Okta claims and attaching it as a custom claim to the Auth0 token

Related Topics