OpenID Connect
Check the "scopes" configuration of your authorization server, and verify there is a scope called "groups". If not, add a scope named "groups".
OKTA add groups scope example. In Security -> API -> Authorization servers -> Choose Server -> Scopes
Example creating new "Web" application in OKTA
Field | Value |
---|---|
Allowed grant types | Authorization Code |
Login redirect URIs | TBD - provided by Appetize.io |
Initiate login URI | TBD - provided by Appetize.io |
Example app settings in OKTA
We will need to configure your SSO provider to send over the user's group assignments after a successful login.
The following example shows how to pass through groups with prefix appetize_* as a groups claim within OKTA. This can be done by adding the groups claim to your authorization server at API -> Authorization Servers. For some OKTA clients, this can also be done under the "Sign On" section in your app's configuration, where you can add groups the same way.
Example including appetize_* group assignments claim in OKTA
1. We will need the "Client ID" and "Client secret" for the app you just created.
Credentials to provide to Appetize.io
2. We will also need your Metadata URI, often called "Discovery URL". For example: https://dev-548472.oktapreview.com/oauth2/default/.well-known/oauth-authorization-server
In OKTA, this is available in Security -> API -> Authorization servers -> Choose Server.
If the metadata endpoint is not available, you may also specify the required fields below:
- authorization_endpoint
- token_endpoint
- userinfo_endpoint
- jwks_uri
- issuer
- introspection_endpoint
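The following is an added example, not code from Appetize.io or Okta, that shows how the two pieces of configuration above can be checked before they are handed over: it validates a metadata ("Discovery URL") document against the required fields listed above, checks that the document's issuer matches the URL it was fetched from, and filters a token's groups claim down to the appetize_* groups. The metadata document and the claims are constructed samples embedded inline, with a placeholder hostname; the scopes_supported field is the standard optional metadata field and is assumed to be present.

```python
import json
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Fields that must be present when no metadata endpoint is available (from the list above).
REQUIRED_METADATA_FIELDS = (
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
    "issuer",
    "introspection_endpoint",
)

# Only groups with this prefix are passed through in the groups claim.
GROUP_PREFIX = "appetize_"

# Discovery documents are served under one of these well-known paths; the issuer is the
# URL with the suffix removed.
WELL_KNOWN_SUFFIXES = (
    "/.well-known/oauth-authorization-server",
    "/.well-known/openid-configuration",
)

# Constructed sample metadata document (hostname is a placeholder, not a real tenant).
SAMPLE_METADATA_JSON = """{
  "issuer": "https://example-tenant.invalid/oauth2/default",
  "authorization_endpoint": "https://example-tenant.invalid/oauth2/default/v1/authorize",
  "token_endpoint": "https://example-tenant.invalid/oauth2/default/v1/token",
  "userinfo_endpoint": "https://example-tenant.invalid/oauth2/default/v1/userinfo",
  "jwks_uri": "https://example-tenant.invalid/oauth2/default/v1/keys",
  "introspection_endpoint": "https://example-tenant.invalid/oauth2/default/v1/introspect",
  "scopes_supported": ["openid", "profile", "email", "groups"]
}"""

# Constructed broken variant: jwks_uri missing, token endpoint over plain HTTP, no groups scope.
SAMPLE_BROKEN_METADATA_JSON = """{
  "issuer": "https://example-tenant.invalid/oauth2/default",
  "authorization_endpoint": "https://example-tenant.invalid/oauth2/default/v1/authorize",
  "token_endpoint": "http://example-tenant.invalid/oauth2/default/v1/token",
  "userinfo_endpoint": "https://example-tenant.invalid/oauth2/default/v1/userinfo",
  "introspection_endpoint": "https://example-tenant.invalid/oauth2/default/v1/introspect",
  "scopes_supported": ["openid", "profile", "email"]
}"""


def expected_issuer(discovery_url: str) -> str:
    """Derive the issuer a discovery document must declare from the URL it was fetched at."""
    for suffix in WELL_KNOWN_SUFFIXES:
        if discovery_url.endswith(suffix):
            return discovery_url[: -len(suffix)]
    raise ValueError("not a discovery URL: " + discovery_url)


def check_metadata(doc: Dict, discovery_url: Optional[str] = None) -> List[str]:
    """Return a list of problems found in a metadata document (an empty list means OK)."""
    problems: List[str] = []
    for field in REQUIRED_METADATA_FIELDS:
        value = doc.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"missing required field: {field}")
        elif not value.startswith("https://"):
            # Codes and tokens travel through these endpoints; plaintext HTTP is unacceptable.
            problems.append(f"{field} is not https: {value}")

    issuer = doc.get("issuer")
    if isinstance(issuer, str) and issuer:
        if discovery_url is not None and issuer != expected_issuer(discovery_url):
            problems.append(f"issuer {issuer} does not match discovery URL {discovery_url}")
        # Sanity check: every endpoint should live on the issuer's host; a mismatch points
        # at a misconfigured (or tampered) document.
        issuer_host = urlparse(issuer).netloc
        for field in REQUIRED_METADATA_FIELDS:
            value = doc.get(field)
            if isinstance(value, str) and value.startswith("https://"):
                if urlparse(value).netloc != issuer_host:
                    problems.append(f"{field} host does not match issuer host {issuer_host}")

    if "groups" not in doc.get("scopes_supported", []):
        problems.append("authorization server does not advertise the 'groups' scope")
    return problems


def check_metadata_json(text: str, discovery_url: Optional[str] = None) -> List[str]:
    """Parse a metadata document from JSON text and check it."""
    return check_metadata(json.loads(text), discovery_url)


def appetize_groups(claims: Dict) -> List[str]:
    """Pick the appetize_* entries out of a token's groups claim, preserving order."""
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        return []
    return [g for g in groups if isinstance(g, str) and g.startswith(GROUP_PREFIX)]


if __name__ == "__main__":
    url = "https://example-tenant.invalid/oauth2/default/.well-known/oauth-authorization-server"
    print("good document:", check_metadata_json(SAMPLE_METADATA_JSON, url))
    print("broken document:", check_metadata_json(SAMPLE_BROKEN_METADATA_JSON, url))
    print("groups:", appetize_groups({"groups": ["Everyone", "appetize_admins", "appetize_devs"]}))
```

Running the script reports an empty problem list for the good document, and for the broken one lists the missing jwks_uri, the non-HTTPS token endpoint and the missing groups scope; the groups filter keeps only the appetize_* entries, which is the same effect as the "starts with" filter configured on the Okta groups claim.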