I try to set it to “preferred_username” which I’ve used with other OIDC applications and okta. With vault I only get this:
Error
claim “preferred_username” not found in token
I’ve also set up okta to pass a groups claim which is also not passed. I can see that the groups claim should be passed in the token previewer in okta…
Enabling verbose_oidc_logging I see this in the log:
So clearly no preferred_username or groups claim. If I change the user_claim to sub and remove the groups claim requirement it all works. BUT I need to give different groups of people access to different KV stores so that won’t do.
Has anyone used Vault with OKTA OIDC and gotten groups to work?
In Okta w/ OIDC I had a note that the only way to have the groups returned is to set Include in token type to ID (not Access)…
That was in Okta’s UI in Scopes >> Add groups scope >> Claims >> Add Claim
I had fooled with the token configuration in okta with no real win.
After reading various docs referring to “fat tokens” and the scopes I realized that in some other setup I had set the oidc scope to “openid profile” and also “groups”. When I did that I got not only the preferred_username but also the groups claim.
Hi, Thanks for the response. Yes. It is working now.
But I still have not figured out how to read the oidc debug log effectively. I get a lot of logs, but cannot tell if the returned token is missing any claim.
I’ve disabled debugging by now and the logs have expired. It was pretty plain that the group claim was included in the JSON in the log. It was like the snippet I posted originally just with a lot more content (since this was the minimal claim I originally got):
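As an added example (not code from this thread, and not Vault's or Okta's own code): the check behind Vault's “claim … not found in token” error, rewritten in Python against two constructed ID tokens so you can paste the claim set from Okta's token previewer or from the verbose_oidc_logging output into decode_claims and see at once which of user_claim / groups_claim are absent. Everything here is assumed: the HS256 demo signing key (Okta signs real ID tokens with RS256, and Vault verifies them against the issuer's JWKS; this code never verifies anything), the claim values, and the two payloads, which only stand in for the minimal token seen with the openid scope alone and the fuller token obtained once the profile and groups scopes were requested. bound_claims_satisfied is a simplified rendering of the per-role bound_claims matching one would use to give different Okta groups access to different KV paths, not Vault's implementation.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed signing key for the demo tokens only. Real Okta ID tokens are
# RS256-signed and Vault checks them against the issuer's JWKS.
DEMO_KEY = b"constructed-demo-key-not-okta"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_id_token(claims: dict) -> str:
    """Build an HS256-signed compact JWT from constructed claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Return a JWT's claim set WITHOUT verifying its signature.

    This is the same view of the token that the verbose OIDC log shows; it is
    for inspection only and must never be used to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(token: str, user_claim: str,
                   groups_claim: Optional[str] = None) -> List[str]:
    """List the claims a Vault OIDC role needs that the token does not carry.

    user_claim is always required; groups_claim only when the role relies on
    group membership (e.g. to map Okta groups onto Vault policies).
    """
    claims = decode_claims(token)
    needed = [user_claim] + ([groups_claim] if groups_claim else [])
    return [c for c in needed if c not in claims]


def bound_claims_satisfied(claims: dict, bound_claims: dict) -> bool:
    """Simplified bound_claims matching: every bound claim must be present and
    at least one of its actual values must appear in the allowed values."""
    for name, expected in bound_claims.items():
        if name not in claims:
            return False
        allowed = expected if isinstance(expected, list) else [expected]
        actual = claims[name]
        actual_values = actual if isinstance(actual, list) else [actual]
        if not any(v in allowed for v in actual_values):
            return False
    return True


# Constructed payloads. MINIMAL_CLAIMS mimics a token requested with only the
# "openid" scope; FULL_CLAIMS mimics one requested with "openid profile groups"
# and a groups claim configured in Okta. Values are invented.
MINIMAL_CLAIMS = {
    "sub": "00uexampleuser",
    "iss": "https://dev-000000.okta.com",
    "aud": "0oaexampleclient",
    "iat": 1699996400,
    "exp": 1700000000,
}
FULL_CLAIMS = dict(MINIMAL_CLAIMS,
                   preferred_username="alice@example.com",
                   name="Alice Example",
                   groups=["vault-admins", "kv-team-a"])

MINIMAL_TOKEN = make_demo_id_token(MINIMAL_CLAIMS)
FULL_TOKEN = make_demo_id_token(FULL_CLAIMS)

if __name__ == "__main__":
    # Mirrors the thread: sub works, preferred_username/groups do not, until
    # the extra scopes are requested.
    print(missing_claims(MINIMAL_TOKEN, "preferred_username", "groups"))
    print(missing_claims(MINIMAL_TOKEN, "sub"))
    print(missing_claims(FULL_TOKEN, "preferred_username", "groups"))
    # Two hypothetical roles, one per KV store, selected by Okta group.
    print(bound_claims_satisfied(decode_claims(FULL_TOKEN), {"groups": ["kv-team-a"]}))
    print(bound_claims_satisfied(decode_claims(FULL_TOKEN), {"groups": ["kv-team-b"]}))
```

To use it on a real token, copy the id_token string out of the verbose log and call missing_claims(token, "preferred_username", "groups"); an empty list means the role's user_claim and groups_claim settings will be satisfied, and any names returned are the claims Okta is not putting in the ID token, which usually means the matching scope was not requested or the claim is configured for the access token instead of the ID token.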