Custom Claims in Okta tokens
Overview
The ID token and access token obtained from the Chemaxon Okta OAuth Authorization Server MAY contain the following custom claims.
| Claim | Description |
|---|---|
| cxn_groups | List of group names where the user identified by the token is a member |
| terminus_env | Chemaxon Cloud deployment environment identifier |
| cxn_tenant_domain_name | The subdomain of the Team in Chemaxon Cloud under which the Application is registered |
Presence
The presence of a claim depends on the grant-type flow used to obtain the token and on whether it is an ID token or an access token.
Authorization Code flow
If you are building a server-side (or web) application that is capable of securely storing secrets, then the Authorization Code flow is the recommended method for controlling access to it.
Okta returns **access and ID tokens**, and optionally a refresh token.
| Token type | Claims |
|---|---|
| Access | cxn_groups, terminus_env, cxn_tenant_domain_name |
| ID | cxn_groups, terminus_env, cxn_tenant_domain_name |
Client Credentials flow
Recommended for server-side ("confidential") client applications with no end user, which normally describes machine-to-machine communication.
| Token type | Claims |
|---|---|
| Access | terminus_env, cxn_tenant_domain_name |
Because no end-user identity is present in this flow, an ID token is NOT returned, ONLY an access token is returned, and there is no group membership to determine.
Details
cxn_groups
The cxn_groups claim contains one or more group names.
To understand the possible values and what they represent, refer to the Managing Groups guide for Team Administrators.
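One way a service could consume these claims given the presence rules above, as an added example that is not Chemaxon or Okta code. It assumes the token's signature, issuer, audience and expiry were already verified by a JWT library; `authorize`, `allowed`, `ClaimError` and all tenant, environment and group values are hypothetical.

```python
# Added example. Claim names come from the page; every value is constructed.
# `claims` is the payload of an ALREADY VERIFIED token; nothing is verified here.

class ClaimError(Exception):
    """Raised when the custom claims do not permit the request."""

def authorize(claims, tenant, env, required_group=None):
    """Return the caller's groups, or raise ClaimError (fail closed)."""
    # Each custom claim MAY be absent, so a missing or empty value never matches.
    for name, expected in (("cxn_tenant_domain_name", tenant), ("terminus_env", env)):
        if not expected or claims.get(name) != expected:
            raise ClaimError(f"{name} is missing or does not match this service")
    # Client Credentials access tokens carry no cxn_groups: treat absence as
    # "member of no group", never as "unrestricted".
    groups = claims.get("cxn_groups", [])
    # A bare string would turn `in` into a substring match, so insist on a list.
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ClaimError("cxn_groups is not a list of group names")
    if required_group is not None and required_group not in groups:
        raise ClaimError(f"caller is not a member of {required_group!r}")
    return set(groups)

def allowed(claims, **policy):
    """Boolean wrapper around authorize() for call sites that only need yes/no."""
    try:
        authorize(claims, **policy)
        return True
    except ClaimError:
        return False

# Constructed payloads for the two flows described above.
USER_TOKEN = {"sub": "user@example.com", "cxn_groups": ["chemists"],
              "terminus_env": "env-1", "cxn_tenant_domain_name": "acme"}
MACHINE_TOKEN = {"sub": "client-id", "terminus_env": "env-1",
                 "cxn_tenant_domain_name": "acme"}

if __name__ == "__main__":
    policy = {"tenant": "acme", "env": "env-1"}
    print(allowed(USER_TOKEN, required_group="chemists", **policy))
    print(allowed(MACHINE_TOKEN, required_group="chemists", **policy))
    print(allowed(MACHINE_TOKEN, **policy))
```

A group-gated endpoint therefore rejects Client Credentials tokens by construction, while endpoints that only need tenant and environment binding accept them.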