In this post, we will explain how to get user groups and how Datawiza handles user groups when using Okta as the identity provider.
Get User Groups in Okta
Add the Group Claim in Token
Okta supports customizing the tokens it returns with a Groups claim. For this solution, you obtain the token through whichever OAuth 2.0 flow you chose and then decode the token to read the claim.
You can add the Groups claim on either the Org Authorization Server or a Custom Authorization Server.
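The following added example (not code from the original post or from Datawiza) shows the "decode the token" step done safely: the groups claim is read only after the signature, issuer, audience and expiry have been checked, so a tampered or foreign token cannot inject group membership. Okta signs ID tokens with RS256 and publishes its keys at a JWKS endpoint; this stand-alone demo uses a constructed HS256 secret so it runs offline with the standard library only, and the token contents, issuer and client ID are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(secret: bytes, claims: dict) -> str:
    """Build a constructed HS256 ID token for the demo (Okta uses RS256 in practice)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def groups_from_id_token(
    token: str, secret: bytes, issuer: str, client_id: str, now: Optional[float] = None
) -> List[str]:
    """Verify the token, then return its 'groups' claim. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the expected algorithm: never let the token header choose it ("alg": "none").
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Signature check comes before any claim is trusted.
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("wrong audience")
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        raise ValueError("token expired")

    # Only accept a list of strings; anything else is treated as "no groups".
    groups = claims.get("groups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim has unexpected shape")
    return groups


# Constructed sample values for the demo.
DEMO_SECRET = b"constructed-demo-secret"
DEMO_ISSUER = "https://example.okta.com/oauth2/default"
DEMO_CLIENT_ID = "constructed-client-id"


def demo() -> List[str]:
    token = make_sample_id_token(
        DEMO_SECRET,
        {"iss": DEMO_ISSUER, "aud": DEMO_CLIENT_ID, "exp": 2000000000,
         "sub": "alice@example.com", "groups": ["Everyone", "Admins"]},
    )
    return groups_from_id_token(token, DEMO_SECRET, DEMO_ISSUER, DEMO_CLIENT_ID, now=1000)


if __name__ == "__main__":
    print(demo())
```

Note that the claim name is whatever you chose when you added it on the authorization server ("groups" here); if you add the claim with a scope, the client must request that scope or the claim is simply absent and the list comes back empty.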
Get user groups by Okta core API
Besides decoding user info from the ID Token, the Okta User API provides operations to manage the users in your organization. For example, Get Current User fetches the user linked to an API token or session cookie, and Get User's Groups fetches the groups of which that user is a member. These two APIs return different information, which can be combined into a single user profile. For this solution, you need to create an API Token to authenticate requests to the Okta APIs.
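As an added example (not code from the original post or from Datawiza), here is the two-call sequence described above combined into one profile: Get Current User (`GET /api/v1/users/me`) followed by List User's Groups (`GET /api/v1/users/{id}/groups`), both authenticated with the `SSWS` API token header. The HTTP transport is injectable so the block runs offline against constructed sample responses; the org URL, token and user data are constructed values, not real ones.

```python
import json
import urllib.request
from typing import Callable, Dict, List

# A transport takes (url, headers) and returns the raw response body.
Fetch = Callable[[str, Dict[str, str]], bytes]


def urllib_fetch(url: str, headers: Dict[str, str]) -> bytes:
    """Real transport for use against an Okta org (not exercised in the offline demo)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def okta_user_profile_with_groups(org_url: str, api_token: str, fetch: Fetch = urllib_fetch) -> dict:
    """Combine Get Current User and List User's Groups into one profile dict."""
    if not org_url.startswith("https://"):
        # The API token is a bearer-style secret; never send it over plaintext HTTP.
        raise ValueError("org_url must use https")
    headers = {"Authorization": "SSWS " + api_token, "Accept": "application/json"}

    me = json.loads(fetch(f"{org_url}/api/v1/users/me", headers))
    user_id = me["id"]
    groups = json.loads(fetch(f"{org_url}/api/v1/users/{user_id}/groups", headers))

    return {
        "id": user_id,
        "login": me["profile"]["login"],
        # Group objects carry the display name under profile.name.
        "groups": [g["profile"]["name"] for g in groups],
    }


# Constructed sample responses shaped like the Okta User and Group objects.
_SAMPLE_ME = {"id": "00uSAMPLE", "status": "ACTIVE", "profile": {"login": "alice@example.com"}}
_SAMPLE_GROUPS: List[dict] = [
    {"id": "00gSAMPLE1", "profile": {"name": "Everyone"}},
    {"id": "00gSAMPLE2", "profile": {"name": "Admins"}},
]


def stub_fetch(url: str, headers: Dict[str, str]) -> bytes:
    """Offline transport that serves the constructed responses and checks the auth header."""
    if headers.get("Authorization") != "SSWS constructed-api-token":
        return json.dumps({"errorCode": "E0000011", "errorSummary": "Invalid token provided"}).encode()
    if url.endswith("/api/v1/users/me"):
        return json.dumps(_SAMPLE_ME).encode()
    if url.endswith(f"/api/v1/users/{_SAMPLE_ME['id']}/groups"):
        return json.dumps(_SAMPLE_GROUPS).encode()
    raise ValueError(f"unexpected url {url}")


def demo() -> dict:
    return okta_user_profile_with_groups(
        "https://example.okta.com", "constructed-api-token", fetch=stub_fetch
    )


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the API token grants the rights of the admin who created it, treat it like any other privileged credential: store it in a secret store rather than in application config, rotate it, and restrict the service that holds it to the read-only calls it actually needs.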
How to Get User Groups when Using the Datawiza Cloud Management Console (DCMC)
Datawiza supports both of the above solutions for getting user groups. By default, Datawiza tries to read user groups from the ID Token, so you need to add the Groups claim to the Okta ID Token.
If you specified a scope when adding the Groups claim to the ID Token, you need to add the same scope in the Okta configuration.
In addition, you can enter the API Token while configuring Okta in DCMC -> IdPs -> Select IdP -> Edit -> Okta API Token. Datawiza will then use the API Token to fetch user profiles and user groups from the Okta APIs.
Finally, you can use DCMC to configure access control based on the user groups.
References
- Customize tokens returned from Okta with a Groups claim
- Secure a Web APP using Okta
- Difference between Groups claim filter in App itself or a group claim under claims in the default auth server
Written by the Datawiza team — hope you enjoyed! Join us if you have any questions or need any help on our Discord server.