You can create a dynamic or static allow list when you need to set group allow lists on a per-app basis using both the Org Authorization Server and a Custom Authorization Server. If you have a large number of Groups but only 20 Groups apply to your app, you don't want to run through all of your Groups every time a Groups claim is created. This process optionally uses Okta's flexible app profile, which accepts any JSON-compliant content, to create an allow list of Groups that can then easily be referenced.
Additionally, you can add a Groups claim to ID tokens for any combination of App Groups and User Groups to perform single sign-on (SSO) using the Okta Org Authorization Server. You can also add a Groups claim to ID tokens and access tokens to perform authentication and authorization using a Custom Authorization Server.
See Customize tokens returned from Okta when you want to define your own custom claims. For example, you might want to add a user's email address to an access token and use that to uniquely identify the user, or you may want to add information stored in a user profile to an ID token.
This guide assumes that you:
- Have an Okta Developer Edition organization. Create an org for free.
- Have an OpenID Connect client application in Okta with at least one user assigned to it.
- Have a group in Okta with at least one person assigned to it.
If you need help or have an issue, post a question on the Okta Developer Forum.