You can add a Groups claim to ID tokens for any combination of App Groups and User Groups to perform single sign-on (SSO) using the Okta Org Authorization Server. You can also add a Groups claim to ID tokens and access tokens to perform authentication and authorization using a Custom Authorization Server.
This guide walks you through creating a Groups claim for an OpenID Connect client application. This approach is recommended if you are using only Okta-mastered Groups. For an Okta Org Authorization Server, you can only create an ID token with a Groups claim, not an access token.
Additionally, you can create a dynamic or static allow list when you need to set group allow lists on a per-application basis using both the Org Authorization Server and a Custom Authorization Server. See Add a Groups claim with a dynamic allow list and Add a Groups claim with a static allow list.
This guide assumes that you:
- Have an Okta Developer Edition organization. Create an org for free.
- Have an OpenID Connect client application in Okta with at least one user assigned to it.
- Have a Group in Okta with at least one person assigned to it.
If you need help or have an issue, post a question in our Developer Forum.