Vault and OKTA OIDC config

I’m trying to configure Vault with an Okta OIDC app.
I configured everything according to the documentation:

with one exception.
I don’t have an additional Authorization Server like in the docs. I use the Org Authorization Server and I can’t configure additional claims.
I configured roles (default, admin), the oidc auth method and an external group, and I can log in to Vault with Okta credentials, but one thing is strange. When I log in to Vault, I see the following entry in the logs:

{"@level":"debug","@message":"refreshing external group memberships","@module":"identity","@timestamp":"2022-12-19T11:22:20.605001Z","entity_id":"43568678-db44-7dc9-b20b-6d74c6f2b516","group_aliases":[{"mount_accessor":"auth_oidc_.....","name":"Everyone"}]}

I know that I have more groups, and one of them I want to use for the admin role, but it looks like Vault gets only the first group from the list, or something in Okta?
Do you have any idea about this?
My role config:

allowed_redirect_uris      []
bound_audiences            [0...65fx]
bound_claims               <nil>
bound_claims_type          string
bound_subject              n/a
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               groups
max_age                    0
not_before_leeway          0
oidc_scopes                [openid email profile groups]
role_type                  oidc
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [default]
token_ttl                  0s
token_type                 default
user_claim                 email
user_claim_json_pointer    false
verbose_oidc_logging       false


The Vault OIDC integration does not auto-create groups in Vault. You have to add the groups to Vault first; Vault will then update their memberships based on the JWTs as people log in.

I know, I prepared an external group with the name that is in Okta.
For example:

# create the external group and attach the policy
vault write identity/group name="vault-admin" type="external" policies="acl_vault_admin" metadata=responsibility="vault-admin"
# alias it to the Okta group name on the oidc mount (canonical_id is the id returned above)
vault write identity/group-alias name="vault-admin" mount_accessor="$OIDC_ACCESSOR" canonical_id="$GROUP_ID"

I know that I have this group in Okta, but Vault does not recognise it.

Additionally, when I configured Vault with an additional Authorization Server like in the documentation, it worked as expected. This looks like an issue with the Org Authorization Server.

It sounds like you should just use the additional auth server then.

Yeah, but this is additional cost :(.

What, really?! Okta’s pricing must have become more evil since I used them last!

If you have a developer account it’s OK, but in an organization, if you use it for API access, you must pay.

There is an Okta document:

And there is a solution:

Since in this case the access token is returned along with id token, the access token can be used to get all user claims (all profile attributes and groups, if profile and groups scopes are passed).
The access token can be sent as a bearer token in the Authorization header of the userinfo request, i.e. POST ${baseUrl}/oauth2/v1/userinfo, where the base URL will be https://{yoursubdomain} or https://{yoursubdomain}

But I don’t understand how to use it with the Vault OIDC config.

Vault has this behaviour automatically.

It does, however, rely on you turning on support for the groups claim within the settings for the individual application within Okta: Customize tokens returned from Okta with a Groups claim | Okta Developer

There is also another big caveat you need to be aware of: if you’re using the org authorization server for everything, an evil administrator of any one of your apps can capture and replay a token to any of your other apps, to impersonate that user.
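The two mechanisms discussed above (the Okta app's groups-claim filter deciding which group names land in the token, and Vault then matching those names against group aliases that must already exist on the oidc mount) are easy to get wrong silently. The script below is an added example written for this thread, not code from the original posts, Vault or Okta. It emulates both steps on constructed data: the mount accessor, group names, token contents and the `okta-everyone` group are all made up, the token is deliberately unsigned (Vault verifies real tokens against the issuer's JWKS), and the userinfo merge only mirrors the behaviour the replies describe, with no claim about which side wins on conflicting keys. Okta's `Expression` filter option, which the thread ends up using, runs Okta Expression Language and is not emulated.

```python
"""Emulate Okta's groups-claim filter and Vault's external group alias matching.

Constructed example for the Vault + Okta OIDC thread; not Vault's or Okta's code.
"""
import base64
import json
import re

MOUNT_ACCESSOR = "auth_oidc_example"   # assumed; real accessors look like auth_oidc_<hex>
GROUPS_CLAIM = "groups"                # the role's groups_claim setting from the thread

# Okta app "Groups claim filter" options: Starts with / Equals / Contains / Regex.
FILTERS = {
    "starts_with": lambda group, value: group.startswith(value),
    "equals": lambda group, value: group == value,
    "contains": lambda group, value: value in group,
    "regex": lambda group, value: re.search(value, group) is not None,
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(payload: dict) -> str:
    """Build an UNSIGNED test token (alg 'none', empty signature segment).

    Only for feeding jwt_payload below; Okta signs real ID tokens and Vault
    rejects anything whose signature does not verify against the JWKS.
    """
    header = {"alg": "none", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    return ".".join(segments) + "."


def jwt_payload(token: str) -> dict:
    """Decode the payload segment only; no signature verification happens here."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def okta_groups_claim(user_groups, match, value):
    """Return the group names Okta would place in the groups claim for this filter."""
    try:
        keep = FILTERS[match]
    except KeyError:
        raise ValueError(f"unknown filter type: {match}") from None
    return [group for group in user_groups if keep(group, value)]


def merge_claims(id_token_claims, userinfo_claims):
    """Vault also calls the userinfo endpoint with the access token and adds
    those claims to the set the role is evaluated against. The sample data has
    no overlapping keys, so conflict handling is not modelled."""
    merged = dict(userinfo_claims)
    merged.update(id_token_claims)
    return merged


def refresh_external_groups(all_claims, aliases):
    """Mirror the 'refreshing external group memberships' step from the log.

    For each value of the groups claim, Vault looks for a group alias with that
    name on this mount accessor. Returns (external groups the entity now belongs
    to, claim values with no alias, which are ignored unless you create one).
    """
    claimed = all_claims.get(GROUPS_CLAIM, [])
    if isinstance(claimed, str):          # a single-valued claim is still one group
        claimed = [claimed]
    matched, unmatched = [], []
    for name in claimed:
        group = aliases.get((MOUNT_ACCESSOR, name))
        if group is None:
            unmatched.append(name)
        else:
            matched.append(group)
    return matched, unmatched


# Constructed Okta-side state: the user's group memberships.
USER_OKTA_GROUPS = ["Everyone", "vault-admin", "AD-Vault-Admins"]

# Constructed Vault-side state: aliases created with
#   vault write identity/group-alias name=<okta group> mount_accessor=<accessor> canonical_id=<group id>
# keyed by (mount_accessor, alias name) -> external group name.
VAULT_ALIASES = {
    (MOUNT_ACCESSOR, "Everyone"): "okta-everyone",
    (MOUNT_ACCESSOR, "vault-admin"): "vault-admin",
}


def login(filter_match, filter_value):
    """One simulated login; returns Vault's (memberships, ignored claim values)."""
    in_token = okta_groups_claim(USER_OKTA_GROUPS, filter_match, filter_value)
    id_token = make_sample_jwt({"iss": "https://example.invalid", "aud": "0oa_example",
                                "email": "user@example.invalid", GROUPS_CLAIM: in_token})
    userinfo = {"email": "user@example.invalid", "name": "Example User"}
    claims = merge_claims(jwt_payload(id_token), userinfo)
    return refresh_external_groups(claims, VAULT_ALIASES)


if __name__ == "__main__":
    # Too-narrow app filter: Vault only ever sees Everyone, like the thread's log line.
    print(login("equals", "Everyone"))
    # Permissive filter: vault-admin maps; AD-Vault-Admins has no alias yet, so it is dropped.
    print(login("regex", ".*"))
```

Running it shows both failure modes side by side: with the filter set to `Everyone` the entity only ever lands in `okta-everyone`, no matter what Vault has configured, and with a permissive filter `AD-Vault-Admins` is still discarded until a group alias with exactly that name exists on the oidc mount accessor. Checking the `group_aliases` list in Vault's debug log against `vault list identity/group-alias/id` is the quickest way to tell which side of that boundary a missing membership is on.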

I searched a little, and I think this is an issue with Okta. I configured Vault with my dev Okta Org AS, with a similar config to the one I got from our production Okta account (I’m not a super admin), and it works as expected: I see the additional groups in the Vault debug logs. But when I log in from the production Okta app, there is only one group, “Everyone”, because it is the default and everyone is in this group. I wrote to Okta; we will see.

Resolved. I found that we have AD groups, and instead of the claims regex in the filter I used an Expression to get the AD groups, and now I see all groups.

Coming back to correct this mistake of mine: the tokens do have the Okta client ID as aud, so as long as everything is correctly verifying this, what I thought was a concern isn’t.