User endpoint in ManagementAPI not returning idp tokens

I have users that use the OKTA Enterprise Connection to login to certain applications. I need to populate the user token with the OKTA Groups that user is assigned to. When they change I expect to they would change in Auth0. So I am following the excepted solution provided here Get/map claims from Okta - Enterprise Connection .

The solution requires in a login action getting the users idp access token from the management api and calling the okta user info endpoint. The issue is that when I call get user in management api no access token is provided in the response. My JWT token contains the scopes read:users, read:user_idp_tokens.

According to the documentation that should be all that is need to get the users idp access token. Why is it that when I call /api/v2/users/{user id} no idp access token is returned?

Hi @brandon.knox,

I was able to set up an Okta connection and tested it to get the IdP access tokens. After a request to the get user endpoint with the appropriate token and scopes, I see the Okta access token in the identities array.

Here’s an example of that I see:

{
  "created_at": "2023-10-04T19:22:34.059Z",
  "email": "xxx",
  "email_verified": true,
  "family_name": "x",
  "given_name": "xxx",
  "identities": [
    {
      "user_id": "trial-xxx|xxx",
      "access_token": "xxx",
      "provider": "okta",
      "connection": "trial-xxx",
      "isSocial": false
    }
  ],
  "name": "xxx",
  "nickname": "xxx",
  "picture": "xxx",
  "updated_at": "2023-10-04T19:23:58.881Z",
  "user_id": "xxx",
  "last_ip": "xxx",
  "last_login": "xxx",
  "logins_count": 1
}

Thank you for the reply. I noticed that I had switched the user mapping to the OKTA template and that seemed to be removing it. When I created a new connection and used the default mapping it came across.

Perfect, thanks for the update!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.