Custom Claims in Okta tokens
Overview
The ID token and access token obtained from the Chemaxon Okta OAuth Authorization Server MAY contain the following custom claims.
| Claim | Description |
|---|---|
| cxn_groups | List of group names where the user identified by the token is a member |
| terminus_env | Chemaxon Cloud deployment environment identifier |
| cxn_tenant_domain_name | The subdomain of the Team in Chemaxon Cloud under which the Application is registered |
Presence
The presence of a claim depends on the grant-type flow used to obtain the token, and on whether it is an ID token or an access token.
Authorization Code flow
If you are building a server-side (or web) application that is capable of securely storing secrets, then the Authorization Code flow is the recommended method for controlling access to it.
Okta returns **access and ID tokens**, and optionally a refresh token.

| Required scopes |
|---|
| openid profile email offline_access |

| Token type | Claims |
|---|---|
| Access | cxn_groups, terminus_env, cxn_tenant_domain_name |
| ID | cxn_groups, terminus_env, cxn_tenant_domain_name |

Client Credentials flow
Recommended for server-side ("confidential") client applications with no end user, which normally describes machine-to-machine communication.

| Required scopes |
|---|
| openid profile email offline_access terminus |

| Token type | Claims |
|---|---|
| Access | terminus_env, cxn_tenant_domain_name |

Since there is no end-user identity in this flow, an ID token is NOT returned; ONLY an access token is returned, and there is no group membership to determine.
Details
cxn_groups
The cxn_groups claim contains one or more group names.
For the possible values and what they represent, refer to the Managing Groups guide for Team Administrators.
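
One way a resource server might gate requests on these claims, as an added example that is not Chemaxon's or Okta's own code. It assumes the token's signature, issuer, audience and expiry were already validated by a JWT library; the function names and all sample values are constructed for illustration.

```python
class ClaimError(Exception):
    """A custom claim is missing, malformed or does not match."""


def _require_str(claims, name):
    value = claims.get(name)
    if not isinstance(value, str) or not value:
        raise ClaimError(f"missing or malformed claim: {name}")
    return value


def check_custom_claims(claims, expected_env, expected_tenant, required_group=None):
    """Return the caller's groups; an empty list for machine-to-machine tokens.

    Assumption: `claims` is the payload of a token whose signature, issuer,
    audience and expiry were already verified by a JWT library.
    """
    if _require_str(claims, "terminus_env") != expected_env:
        raise ClaimError("token belongs to a different environment")
    if _require_str(claims, "cxn_tenant_domain_name") != expected_tenant:
        raise ClaimError("token belongs to a different tenant")
    # Client Credentials tokens carry no cxn_groups: treat absence as "no groups".
    groups = claims.get("cxn_groups", [])
    # Reject a bare string, where `in` would silently become a substring match.
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ClaimError("cxn_groups must be a list of group names")
    if required_group is not None and required_group not in groups:
        raise ClaimError(f"caller is not a member of {required_group}")
    return groups


def is_allowed(claims, expected_env, expected_tenant, required_group=None):
    """Boolean wrapper that fails closed on any claim problem."""
    try:
        check_custom_claims(claims, expected_env, expected_tenant, required_group)
        return True
    except ClaimError:
        return False


# Constructed sample payloads; every value here is illustrative.
USER_CLAIMS = {"cxn_groups": ["example-admins"], "terminus_env": "example-env",
               "cxn_tenant_domain_name": "example-team"}
M2M_CLAIMS = {"terminus_env": "example-env", "cxn_tenant_domain_name": "example-team"}

if __name__ == "__main__":
    print(is_allowed(USER_CLAIMS, "example-env", "example-team", "example-admins"))
    print(is_allowed(M2M_CLAIMS, "example-env", "example-team", "example-admins"))
```

A Client Credentials token passes the environment and tenant checks but can never satisfy a group requirement, so endpoints that must accept machine-to-machine callers need a rule that does not depend on cxn_groups.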