okta / okta-oidc-middleware

OIDC enablement for Node.js applications
https://github.com/okta/okta-oidc-middleware

How can I properly integrate this with user groups? #47

Open pablote opened 2 years ago

pablote commented 2 years ago

Describe the bug?

I need to receive groups information for the authenticated user. Based on the docs I added the groups scope to the ExpressOIDC initialization, and by doing this I'm receiving a list of groups the authenticated user belongs to.

The problem is, any change done in Okta, whether removing or adding a group to a user, has no impact on the list of groups I get on the user from the middleware; it's like it's stuck on whatever groups it had the moment it logged in.

What would be the right way to get an up-to-date list of groups an authenticated user belongs to? Is this something I can do at the application level, or must it be supported within this lib?

What is expected to happen?

req.userContext.groups contains an up-to-date list of the user's groups when a new request comes in

What is the actual behavior?

req.userContext.groups is stuck at whatever groups the user had the moment they logged in

Reproduction Steps?

Just add the groups scope to the ExpressOIDC constructor on the scope property.

SDK Versions

@okta/oidc-middleware: 4.5.1

Execution Environment

NodeJs v14. MacOS 12 for development, node:14-alpine docker image for deployed environments.

Additional Information?

No response

denysoblohin-okta commented 2 years ago

req.userContext returns the claims inside the ID token. If groups are changed after obtaining the token, you need to use an API call like /v1/userinfo. You can use okta-auth-js for this, as it works in a Node.js environment. Example:

const { OktaAuth } = require('@okta/okta-auth-js');

// One client per process. The issuer is the authorization server that minted
// the tokens the middleware stored in req.userContext.tokens.
const authClient = new OktaAuth({
  issuer: 'https://<your org>.okta.com/oauth2/default',
  clientId: '<client_id>',
  clientSecret: '<client_secret>',
  scopes: ['openid', 'email', 'groups', 'profile'],
});

// Call this per request (after ensureAuthenticated): it fetches the current
// claims from /v1/userinfo instead of reusing the login-time ID token claims.
async function getCurrentGroups(req) {
  const userinfo = await authClient.token.getUserInfo(
    {
      accessToken: req.userContext.tokens.access_token,
      userinfoUrl: 'https://<your org>.okta.com/oauth2/default/v1/userinfo',
    },
    {
      idToken: req.userContext.tokens.id_token,
      // ID token claims; getUserInfo rejects the userinfo response if its
      // sub does not match these, which guards against token substitution.
      claims: req.userContext.userinfo,
    }
  );
  console.log(userinfo.groups);
  return userinfo.groups;
}
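As an added example that is not part of this thread, of okta-oidc-middleware or of okta-auth-js: an Express-style middleware that applies the advice above on every request, replacing the login-time `groups` claim in `req.userContext` with the list returned by the userinfo endpoint, cached per subject for a short TTL so the identity provider is not hit on every request. The userinfo call is injected as `fetchUserInfo` so the block runs offline against a constructed fake directory; in production you would pass a function that GETs the `/v1/userinfo` URL with `Authorization: Bearer <access_token>` (or wraps the `getUserInfo` call shown above). The subject IDs, group names, token strings and the `requireGroup` helper are all made up for the demonstration.

```javascript
// Added example (not code from okta-oidc-middleware or okta-auth-js).
// Refreshes req.userContext.groups from the userinfo endpoint with a per-subject TTL cache.
// fetchUserInfo(accessToken) -> Promise<claims> is injected; it is assumed to reject
// (throw) when the access token is expired or revoked.
function createGroupsRefresher({ fetchUserInfo, ttlMs = 30000, now = Date.now }) {
  const cache = new Map(); // sub -> { groups, expiresAt }

  return async function refreshGroups(req, res, next) {
    const ctx = req.userContext;
    if (!ctx || !ctx.tokens || !ctx.tokens.access_token || !ctx.userinfo) {
      return next(); // not logged in; leave that to ensureAuthenticated()
    }
    const sub = ctx.userinfo.sub;
    const hit = cache.get(sub);
    if (hit && hit.expiresAt > now()) {
      ctx.groups = hit.groups;
      return next();
    }
    let fresh;
    try {
      fresh = await fetchUserInfo(ctx.tokens.access_token);
    } catch (err) {
      // Expired or revoked access token: deny rather than fall back to stale login-time claims.
      return res.status(401).json({ error: 'could not refresh groups' });
    }
    // The userinfo subject must match the ID token subject (token substitution guard).
    if (fresh.sub !== sub) {
      return res.status(401).json({ error: 'userinfo subject mismatch' });
    }
    const groups = Array.isArray(fresh.groups) ? fresh.groups : [];
    cache.set(sub, { groups, expiresAt: now() + ttlMs });
    ctx.groups = groups;
    return next();
  };
}

// Authorization check that relies on the refreshed list (hypothetical helper).
function requireGroup(name) {
  return (req, res, next) => {
    const groups = (req.userContext && req.userContext.groups) || [];
    return groups.includes(name) ? next() : res.status(403).json({ error: 'forbidden' });
  };
}

// --- offline demonstration against a constructed fake userinfo endpoint ---

// Constructed directory standing in for Okta: group membership per subject, changed at runtime.
const fakeDirectory = { '00u1abc': ['Everyone', 'Editors'] };
const fakeUserInfo = async (accessToken) => {
  if (accessToken !== 'at-00u1abc') throw new Error('invalid_token'); // constructed token value
  return { sub: '00u1abc', groups: fakeDirectory['00u1abc'] };
};

// Minimal stand-ins for Express req/res so the middleware can be driven directly.
function makeReq(sub, accessToken, loginTimeGroups) {
  return { userContext: { userinfo: { sub, groups: loginTimeGroups }, tokens: { access_token: accessToken } } };
}
function runMiddleware(mw, req) {
  return new Promise((resolve) => {
    const res = {
      status(code) { this.code = code; return this; },
      json(body) { resolve({ status: this.code, body }); },
    };
    Promise.resolve(mw(req, res, () => resolve({ status: 200, groups: req.userContext.groups }))).catch(resolve);
  });
}

async function demo() {
  let clock = 1000; // injected clock so TTL expiry is deterministic
  const refresh = createGroupsRefresher({ fetchUserInfo: fakeUserInfo, ttlMs: 5000, now: () => clock });
  // Stale ID token claim still says Admins; userinfo is authoritative.
  const first = await runMiddleware(refresh, makeReq('00u1abc', 'at-00u1abc', ['Everyone', 'Editors', 'Admins']));
  fakeDirectory['00u1abc'] = ['Everyone']; // an admin removes the user from Editors in Okta
  const cachedHit = await runMiddleware(refresh, makeReq('00u1abc', 'at-00u1abc', [])); // within TTL: still Editors
  clock += 6000;
  const afterTtl = await runMiddleware(refresh, makeReq('00u1abc', 'at-00u1abc', [])); // cache expired: Editors gone
  const badToken = await runMiddleware(refresh, makeReq('00u2def', 'at-revoked', [])); // userinfo rejects -> 401
  const swapped = await runMiddleware(refresh, makeReq('00u9zzz', 'at-00u1abc', [])); // sub mismatch -> 401
  const denied = await runMiddleware(requireGroup('Editors'), { userContext: { groups: afterTtl.groups } });
  return { first, cachedHit, afterTtl, badToken, swapped, denied };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a real app the refresher sits after `oidc.ensureAuthenticated()` and before any `requireGroup` check; the TTL bounds how long a revoked membership remains honoured, and the deny-on-failure branch matters because a user whose access token no longer works should not keep the privileges recorded in a stale ID token.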