OKTA OIDC login - not getting the claims I need/want

I’ve set up an Okta OIDC app and configured Vault according to https://github.com/ncabatoff/vault-1.1-webinar/blob/master/README-oidc.md. Login works if the user_claim is sub.

I try to set it to “preferred_username” which I’ve used with other OIDC applications and okta. With vault I only get this:

Error
claim "preferred_username" not found in token

I’ve also set up okta to pass a groups claim which is also not passed. I can see that the groups claim should be passed in the token previewer in okta…

Enabling verbose_oidc_logging I see this in the log:

OIDC provider response: claims={"amr":["swk","pwd","mfa"],"at_hash":"", "aud":"","auth_time":1591272834,"exp":1591277580,"iat":1591273980, "idp":"", "iss":"https://schibsted.okta.com", "jti":"", "sub":"00u1ctd6mp51PYINY0h8", "ver":1}

So clearly no preferred_username or groups claim. If I change the user_claim to sub and remove the groups claim requirement it all works. BUT I need to give different groups of people access to different KV stores so that won’t do.

Has anyone used Vault with OKTA OIDC and gotten groups to work?

In Okta w/ OIDC I had a note that the only way to have the groups returned is to set Include in token type to ID (not Access)…
That was in Okta’s UI in Scopes >> Add groups scope >> Claims >> Add Claim

I had used this as a starting point: https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/

I had fooled with the token configuration in okta with no real win.

After reading various docs referring to “fat tokens” and the scopes I realized that in some other setup I had set the oidc scope to “openid profile” and also “groups”. When I did that I got not only the preferred_username but also the groups claim.

More concretely, the oidc default role/role that is used for vault login needs something like this:

$ vault read auth/oidc/role/policy_by_group
Key                        Value
---                        -----
allowed_redirect_uris      [http://<internal server>:8200/ui/vault/auth/oidc/oidc/callback http://<internal server>:8250/oidc/callback http://localhost:8250/oidc/callback]
bound_audiences            [<openid client id>]
bound_claims               <nil>
bound_claims_type          string
bound_subject              n/a
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               groups
not_before_leeway          0
oidc_scopes                [openid profile groups]
role_type                  oidc
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             []
token_ttl                  0s
token_type                 default
user_claim                 preferred_username
verbose_oidc_logging       true

The key is the oidc_scopes setting including “profile” to get the preferred_username and some other claims, and “groups” to get the groups claim.

Setting verbose_oidc_logging to true was most enlightening. On CentOS/RHEL the log can be followed with “journalctl -u vault -f”.
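As an added check that is not part of the thread: a small Python diagnostic that decodes an ID token's payload (signature deliberately not verified, so it only inspects claim names) and lists which claims required by the role's user_claim and groups_claim settings are absent. The two token claim sets, the issuer and the group name are constructed to mirror the "openid"-only token from the log and the "openid profile groups" token that fixed it.

```python
import base64
import json

# Added diagnostic, not code from the thread or from Vault/Okta. It reproduces the
# check behind Vault's "claim ... not found in token" error for a given ID token so a
# missing "profile"/"groups" scope is visible before Vault is pointed at the app.
# It does NOT verify the signature or audience; Vault still does that on login.


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def missing_claims(claims: dict, role: dict) -> list:
    """Claim names the Vault OIDC role requires that the token does not carry."""
    wanted = [role["user_claim"]]
    if role.get("groups_claim"):
        wanted.append(role["groups_claim"])
    return [name for name in wanted if name not in claims]


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned ('alg': 'none') token for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Role settings from the thread: user_claim preferred_username, groups_claim groups.
ROLE = {"user_claim": "preferred_username", "groups_claim": "groups"}

# Constructed claim sets (issuer, sub, aud and group name are placeholders).
OPENID_ONLY = {"iss": "https://example.okta.com", "aud": "<openid client id>",
               "sub": "00uEXAMPLE", "amr": ["pwd", "mfa"], "ver": 1}
WITH_PROFILE_GROUPS = dict(OPENID_ONLY, preferred_username="alice@example.com",
                           groups=["vault-kv-team-a"])

TOKEN_OPENID_ONLY = make_unsigned_token(OPENID_ONLY)
TOKEN_PROFILE_GROUPS = make_unsigned_token(WITH_PROFILE_GROUPS)

if __name__ == "__main__":
    for label, token in (("openid only", TOKEN_OPENID_ONLY),
                         ("openid profile groups", TOKEN_PROFILE_GROUPS)):
        print(label, "-> missing:", missing_claims(id_token_claims(token), ROLE))
```

Paste a real ID token from Okta's token preview in place of the constructed ones to see exactly which of the role's claims Okta is leaving out.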