The ID token and access token obtained from the Chemaxon Okta OAuth Authorization Server MAY contain the following custom claims.
Claim | Description |
---|---|
cxn_groups | List of group names where the user identified by token is a member |
terminus_env | Chemaxon Cloud deployment environment identifier |
cxn_tenant_domain_name | The subdomain of the Team in Chemaxon Cloud under which the Application is registered |
The presence of a claim depends on the grant-type flow being used to obtain the token, and on whether it is an ID token or an access token.
If you are building a server-side (or web) application that is capable of securely storing secrets, then the Authorization Code flow is the recommended method for controlling access to it.
Okta returns access and ID tokens, and optionally a refresh token.
openid profile email offline_access
Token type | Claims |
---|---|
Access | cxn_groups, terminus_env, cxn_tenant_domain_name |
ID | cxn_groups, terminus_env, cxn_tenant_domain_name |
Recommended for server-side ("confidential") client applications with no end user, which normally describes machine-to-machine communication.
openid profile email offline_access terminus
Token type | Claims |
---|---|
Access | terminus_env, cxn_tenant_domain_name |
Warning: Since there is no end user identity present in this flow, an ID token is NOT returned; ONLY an access token is returned, and there is no group membership to determine.
cxn_groups
The cxn_groups claim contains one or multiple group names.
To understand what the possible values are and what they represent, please refer to the Managing Groups guide for Team Administrators.
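An added example, not part of the original page or Chemaxon's code: one way a resource server could enforce these claims after a JWT library has already validated the token's signature, issuer, audience and expiry. The function name, the policy of requiring both the tenant and environment claims, the JSON-array shape of cxn_groups and all sample values are assumptions.

```python
class ClaimError(Exception):
    """Raised when a custom claim is missing, malformed or not allowed."""


def authorize(claims, expected_tenant, expected_env, required_group=None):
    """Check the custom claims of an already verified token.

    Returns the caller's group names ([] when the token carries none)
    or raises ClaimError. All parameter names are hypothetical.
    """
    # Both flow tables list these two claims, so this example's policy is to
    # reject any token where they are absent or carry another value.
    for name, expected in (("cxn_tenant_domain_name", expected_tenant),
                           ("terminus_env", expected_env)):
        value = claims.get(name)
        if not isinstance(value, str) or value != expected:
            raise ClaimError(f"{name} missing or not {expected!r}")

    if "cxn_groups" not in claims:
        # Tokens issued without an end user have no group membership.
        # Fail closed when a group is needed; never treat absence as "any".
        if required_group is not None:
            raise ClaimError("group required but token has no cxn_groups")
        return []

    groups = claims["cxn_groups"]
    # Assumption: the claim is a JSON array of strings. A bare string is
    # rejected because `in` on a string would do substring matching.
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ClaimError("cxn_groups is not a list of group names")
    if required_group is not None and required_group not in groups:
        raise ClaimError(f"user is not a member of {required_group!r}")
    return groups


# Constructed sample payloads; every value here is made up for illustration.
USER_TOKEN = {"cxn_groups": ["chemists", "admins"],
              "terminus_env": "example-env",
              "cxn_tenant_domain_name": "example-team"}
MACHINE_TOKEN = {"terminus_env": "example-env",
                 "cxn_tenant_domain_name": "example-team"}
```

Checking cxn_tenant_domain_name on every request keeps a token issued for one Team from being accepted by an application registered under another.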