Getting Okta claims and attaching it as a custom claim to the Auth0 token

I recently created an app that has two methods of logging in: one is Auth0’s passwordless mechanism and the other is using our company’s Okta instance. I’m currently using this Login Flow to attach roles to the Auth0 id tokens which works for when we create users in the Auth0 admin console, but I don’t want to do this for our Okta users which already have role information in their user profile.

Ideally, I would use the code provided in the Auth0 docs as a flow and set the roles I find in the okta token in the auth0 idtoken:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = '';
  if (event.authorization) {
    if (event.connection == 'okta') {
        */ use okta token to get roles attached to okta user /*
        api.idToken.setCustomClaim(`${namespace}/roles`, {{roles_from_okta}});
        api.accessToken.setCustomClaim(`${namespace}/roles`, {{roles_from_okta}});
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);

Is the okta token exposed to this api? I wasn’t able to find this info in the docs.

Hey there @adoami welcome to the community!

I don’t believe the token itself is exposed here - If any role data is exposed to Actions, it would be in the event object, event.user.identites array. I am not positive what is exposed for Okta in particular, so it may take some testing on your end. Aside from that, the only other way I can imagine getting that data would be to use some sort http client to reach out to Okta directly from within your Action.

Keep us posted!

In order to perform a http request, we’d need the Okta access token. Is there a way to get the enterprise access token that is returned from the OIDC flow with Okta from within the action?

Hey there @adoami thanks for following up - As far as I’m aware there is no OOTB way to access the user’s access token from within an Action.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.