Skip to content

Commit 6d964b7

Browse files
[cueweb] Request Okta groups scope for group memberships (#2475)
## Related Issues - #2476 ## Summarize your change. [cueweb] Request Okta groups scope for group memberships - Add `groups` to the OIDC scopes so the Okta ID token carries group claims consumed by extractGroups; required when using a custom Okta Authorization Server.
1 parent aea9a96 commit 6d964b7

1 file changed

Lines changed: 10 additions & 3 deletions

File tree

cueweb/lib/auth.ts

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -145,9 +145,16 @@ const providers = providerConfigs.map(({ type, provider, envKeys }) => {
145145

146146
if (type === "Okta") {
147147
return OktaProvider({
148-
clientId: settings.clientId,
149-
clientSecret: settings.clientSecret,
150-
issuer: settings.issuer
148+
clientId: settings.clientId,
149+
clientSecret: settings.clientSecret,
150+
issuer: settings.issuer,
151+
// Request the `groups` claim alongside the standard OIDC scopes so
152+
// the ID token carries the user's group memberships (consumed by
153+
// extractGroups in lib/authz.ts). Note: with Okta's Org
154+
// Authorization Server, groups are emitted by the app's ID-token
155+
// "Groups claim" filter and this scope is a no-op; it becomes
156+
// required only when using a custom Okta Authorization Server.
157+
authorization: { params: { scope: "openid email profile groups" } },
151158
});
152159
} else if (type === "Google") {
153160
return GoogleProvider({

0 commit comments

Comments
 (0)