Use a static group whitelist with the Org Authorization Server

On This Page

For an Okta Org Authorization Server, you can only create an ID token with a Groups claim, not an access token. For the steps to configure a Groups claim for use with an access token, see the Use a static group whitelist with a Custom Authorization Server section.

The Admin Console (Classic UI) is required for this guide.

The upper-left corner of the page should say Classic UI. If it says Developer Console, click the drop-down box to change it to Classic UI.

  1. In the Admin Console, from the Applications menu, select Applications, and then select the OpenID Connect client application that you want to configure.
  2. Navigate to the Sign On tab and click Edit in the OpenID Connect ID Token section.
  3. In the Groups claim type section, select Expression.
  4. In Group claims expression, leave the default name groups (or add it if the box is empty) and then add this expression in the second box: getFilteredGroups(app.profile.groupwhitelist, "", 40)
  5. Click Save.

Request an ID token that contains the Groups claim

To obtain a token with the configured Groups claim, send a request for an ID token that includes the Groups claim as a scope to the authorization endpoint. For the specific steps on building the request URL, receiving the response, and decoding the JWT, see Request a token that contains the claim.

Note: The scopes that you need to include as query parameters are openid and groups.

The resulting URL looks something like this:

curl -X GET \

The decoded JWT looks something like this:

  "sub": "00uixa271s6x7qt8I0h7",
  "ver": 1,
  "iss": "${yourOktaDomain}",
  "aud": "0oaoesxtxmPf08QHk0h7",
  "iat": 1574117011,
  "exp": 1574120611,
  "jti": "ID.LPQaDhnBhZ9wy-B5BvamTBs7E2C8EzXuLA5P8Uyx-IE",
  "amr": [
  "idp": "00oixa26ycdNcX0VT0h7",
  "nonce": "yourNonceValue",
  "auth_time": 1574117006,
  "groups": [

The ID token contains the group IT, so the audience (aud) has access to the group information about the user.

Note: For flows other than implicit, post to the token endpoint https://${yourOktaDomain}/oauth2/v1/token with the user or client that you want. Make sure that the user is assigned to the app and to one of the Groups from your whitelist.

If the results aren't as expected, start your troubleshooting by inspecting the System Log to see what went wrong.