Okta and Groups

We have been working with Okta support to get ShinyProxy to work with OIDC. We managed to fairly easily get it to work for Authentication, but are having trouble getting Okta to send us a claim for groups. It seems to relate to how the Spring OIDC connector is configured. We configured “groups” as an additional scope, but since the Container Proxy is using

authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)

Okta returns a “Thin Token” which does not include groups. It requires an additional call to their userinfo service to get this, which I believe might be this:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Override
public void configureHttpSecurity(HttpSecurity http) throws Exception {
	ClientRegistrationRepository clientRegistrationRepo = createClientRepo();
	authorizedClientService = new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepo);

	http
		.authorizeRequests().anyRequest().authenticated()
		.and()
		.oauth2Login()
			.loginPage("/login")
			.clientRegistrationRepository(clientRegistrationRepo)
			.authorizedClientService(authorizedClientService)
			// userInfoEndpoint(): the authorities mapper registered here receives the claims
			// fetched from /userinfo, not only the ones in the (thin) ID token
			.userInfoEndpoint().userAuthoritiesMapper(createAuthoritiesMapper());
}

As far as I can tell there is no config option available in ShinyProxy to set this option. Correct? If so, would this be possible to add?

From Okta:

The reason you are not seeing the Groups claim in the ID token you are being returned is that, because you are using the Authorization Code flow, the ID token only includes the basic scopes and claims. When you are returned both an ID token and Access Token in the same /authorize call, the ID token will be a “thin” token; it is expected that your application will make a call to the /userinfo endpoint to access all the available scopes and claims requested during Authorization.

Here is some more information about ‘thin’ ID tokens: https://support.okta.com/help/s/article/Okta-Groups-or-Attribute-Missing-from-Id-Token

Are you able to send the JWT to the /userinfo endpoint, https://developer.okta.com/docs/reference/api/oidc/#userinfo, and see the groups there?

This required a patch to the container proxy to make it work. Please let me know if you would like me to do a pull request: it actually uses a supported OpenID method for this with a slight change to the Spring Security client constructor / config code.

-dan

1 Like
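To show concretely what the userinfo-based approach described above looks like in Spring Security, here is an added example configuration; it is not code from ShinyProxy, ContainerProxy or the thread's author. It assumes the claim is named "groups" (the name used in the thread), that the client registration requests the groups scope alongside openid/profile/email (so Spring's OidcUserService calls /userinfo), and that group names should become ROLE_-prefixed authorities; the class and bean names are made up for the example.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

// Hypothetical configuration class, written for this example only.
@Configuration
public class OktaGroupsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the IdP exposes group membership under a claim called "groups".
    private static final String GROUPS_CLAIM = "groups";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .oauth2Login()
                // The mapper registered on userInfoEndpoint() is invoked after the
                // /userinfo call, so it can see claims that the thin ID token lacks.
                .userInfoEndpoint()
                    .userAuthoritiesMapper(groupsAuthoritiesMapper());
    }

    @Bean
    public GrantedAuthoritiesMapper groupsAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>();
            for (GrantedAuthority authority : authorities) {
                // Keep whatever Spring already granted (e.g. ROLE_USER, SCOPE_* entries).
                mapped.add(authority);
                if (!(authority instanceof OidcUserAuthority)) {
                    continue;
                }
                OidcUserAuthority oidc = (OidcUserAuthority) authority;

                // Prefer the /userinfo response; fall back to the ID token in case the
                // IdP did put the claim there (e.g. a different flow or a "fat" token).
                List<String> groups = null;
                OidcUserInfo userInfo = oidc.getUserInfo();
                if (userInfo != null) {
                    groups = userInfo.getClaimAsStringList(GROUPS_CLAIM);
                }
                if (groups == null) {
                    groups = oidc.getIdToken().getClaimAsStringList(GROUPS_CLAIM);
                }
                if (groups == null) {
                    continue; // no group information available for this user
                }
                for (String group : groups) {
                    mapped.add(new SimpleGrantedAuthority("ROLE_" + group));
                }
            }
            return mapped;
        };
    }
}
```

The point worth checking in your own setup: if the access token's scopes do not trigger Spring's userinfo lookup, `getUserInfo()` returns null and only the ID-token claims are available, which reproduces exactly the "thin token" symptom from the thread. Logging the claim keys of both sources once during rollout makes it obvious which one actually carries the groups.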

Hi @Dan_Nathan,

Thanks for the feedback.

We’d definitely be happy to review a pull request on the ContainerProxy Github repository!

Best,
Tobias

Hi @Dan_Nathan. I’ve been struggling to configure group-based authorization with OIDC + Okta. What should I put in the roles-claim configuration within application.yml? Is it https://{oktadomain}/api/v1/groups?

Hello!

I ran into the same problem, and opened GitHub issue openanalytics/containerproxy#85, since I could not find an existing GitHub issue for it.

@Dan_Nathan would it be possible for you to submit a PR? It would be much appreciated!