Custom Claims in Okta tokens

    Overview

    The ID token and access token obtained from the Chemaxon Okta OAuth Authorization Server MAY contain the following custom claims.

    Claim                    Description
    cxn_groups               List of the names of the groups of which the user identified by the token is a member
    terminus_env             Chemaxon Cloud deployment environment identifier
    cxn_tenant_domain_name   The subdomain of the Team in Chemaxon Cloud under which the Application is registered

    Presence

    The presence of a claim depends on the grant-type flow used to obtain the token, and on whether it is an ID token or an access token.

    Authorization Code flow

    If you are building a server-side (or web) application that is capable of securely storing secrets, then the Authorization Code flow is the recommended method for controlling access to it.

    Okta returns access and ID tokens, and optionally a refresh token.

    openid profile email offline_access
    Token type   Claims
    Access       cxn_groups, terminus_env, cxn_tenant_domain_name
    ID           cxn_groups, terminus_env, cxn_tenant_domain_name

    Client Credentials flow

    Recommended for server-side ("confidential") client applications with no end user, which normally describes machine-to-machine communication.

    openid profile email offline_access terminus
    Token type   Claims
    Access       terminus_env, cxn_tenant_domain_name

    Warning: Since there is no end user identity present in this flow, an ID token is NOT returned; ONLY an access token is returned, and there is no group membership to determine.
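
    The presence rules above, applied on the resource-server side as an added example (not Chemaxon or Okta code): it maps the claims of an already verified access token to an authorization decision and fails closed, so a token without cxn_groups never passes a group check. Assumptions: signature, issuer, audience and expiry were checked beforehand by a JWT library, cxn_groups arrives as a JSON array, and the expected values, group names and function names are constructed for illustration.

```python
# Added example: authorization over the custom claims of an ALREADY VERIFIED token.
# Signature, issuer, audience and expiry checks are assumed to be done upstream.
from dataclasses import dataclass

# Constructed deployment values (assumptions, not taken from the page).
EXPECTED_ENV = "example-env"
EXPECTED_TENANT = "example-team"


class ClaimError(Exception):
    """The token's custom claims do not satisfy the policy."""


@dataclass(frozen=True)
class Caller:
    tenant: str
    env: str
    groups: frozenset  # empty when the token carries no cxn_groups claim
    groupless: bool    # True when cxn_groups is absent (e.g. Client Credentials)


def caller_from_claims(claims: dict) -> Caller:
    """Map verified claims to a Caller, failing closed on anything unexpected."""
    tenant = claims.get("cxn_tenant_domain_name")
    env = claims.get("terminus_env")
    # Both claims are listed for access tokens of both flows, so require them.
    if tenant != EXPECTED_TENANT or env != EXPECTED_ENV:
        raise ClaimError("tenant or environment claim missing or mismatched")
    if "cxn_groups" not in claims:
        # No group membership to determine: never treat this as "all groups".
        return Caller(tenant, env, frozenset(), True)
    raw = claims["cxn_groups"]
    # Accept only a list of non-empty strings; a bare string would otherwise
    # be iterated character by character and yield bogus one-letter groups.
    if not isinstance(raw, list) or not all(isinstance(g, str) and g for g in raw):
        raise ClaimError("cxn_groups must be a list of group names")
    return Caller(tenant, env, frozenset(raw), False)


def authorize(claims: dict, required_group: str, allow_groupless: bool = False) -> bool:
    """True if the caller may proceed; group-less callers only when opted in."""
    try:
        caller = caller_from_claims(claims)
    except ClaimError:
        return False
    if caller.groupless:
        return allow_groupless
    return required_group in caller.groups
```

    Endpoints meant for machine-to-machine clients pass allow_groupless=True explicitly; every other endpoint denies tokens that carry no cxn_groups claim.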

    Details

    cxn_groups

    The cxn_groups claim contains one or multiple group names.

    To understand the possible values and what they represent, please refer to the Managing Groups guide for Team Administrators.