claims
Creates, updates, deletes, gets or lists a claims resource.
Overview
Name | claims |
Type | Resource |
Id | okta.authorizationservers.claims |
Fields
The following fields are returned by SELECT queries:
- list_oauth2_claims
- get_oauth2_claim
Name | Datatype | Description |
---|---|---|
id | string | ID of the Claim |
name | string | Name of the Claim |
_links | object | Specifies link relations (see Web Linking) available using the JSON Hypertext Application Language specification. This object is used for dynamic discovery of related resources and lifecycle operations. |
alwaysIncludeInToken | boolean | Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint. |
claimType | string | Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`) |
conditions | object | Specifies the scopes for the Claim |
group_filter_type | string | Specifies the type of group filter if `valueType` is `GROUPS`. If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`. If you have complex filters for Groups, you can create a Groups allowlist to put them all in a Claim. |
status | string | |
system | boolean | When `true`, indicates that Okta created the Claim |
value | string | Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`. |
valueType | string | Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`) |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list_oauth2_claims | select | subdomain | | Lists all custom token Claims defined for a specified custom authorization server |
get_oauth2_claim | select | subdomain | | Retrieves a custom token Claim by the specified claimId |
create_oauth2_claim | insert | subdomain | | Creates a custom token Claim for a custom authorization server |
replace_oauth2_claim | replace | subdomain | | Replaces a custom token Claim specified by the claimId |
delete_oauth2_claim | delete | subdomain | | Deletes a custom token Claim specified by the claimId |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
subdomain | string | The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. (default: my-org) |
SELECT examples
- list_oauth2_claims
- get_oauth2_claim
Lists all custom token Claims defined for a specified custom authorization server
```sql
SELECT
    id,
    name,
    _links,
    alwaysIncludeInToken,
    claimType,
    conditions,
    group_filter_type,
    status,
    system,
    value,
    valueType
FROM okta.authorizationservers.claims
WHERE subdomain = '{{ subdomain }}'; -- required
```
Retrieves a custom token Claim by the specified claimId
```sql
SELECT
    id,
    name,
    _links,
    alwaysIncludeInToken,
    claimType,
    conditions,
    group_filter_type,
    status,
    system,
    value,
    valueType
FROM okta.authorizationservers.claims
WHERE subdomain = '{{ subdomain }}'; -- required
```
INSERT examples
- create_oauth2_claim
- Manifest
Creates a custom token Claim for a custom authorization server
```sql
INSERT INTO okta.authorizationservers.claims (
    data__alwaysIncludeInToken,
    data__claimType,
    data__conditions,
    data__group_filter_type,
    data__name,
    data__status,
    data__system,
    data__value,
    data__valueType,
    subdomain
)
SELECT
    {{ alwaysIncludeInToken }},
    '{{ claimType }}',
    '{{ conditions }}',
    '{{ group_filter_type }}',
    '{{ name }}',
    '{{ status }}',
    {{ system }},
    '{{ value }}',
    '{{ valueType }}',
    '{{ subdomain }}'
RETURNING
    id,
    name,
    _links,
    alwaysIncludeInToken,
    claimType,
    conditions,
    group_filter_type,
    status,
    system,
    value,
    valueType
;
```
```yaml
# Description fields are for documentation purposes
- name: claims
  props:
    - name: subdomain
      value: string
      description: Required parameter for the claims resource.
    - name: alwaysIncludeInToken
      value: boolean
      description: >
        Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint.
    - name: claimType
      value: string
      description: >
        Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`)
      valid_values: ['IDENTITY', 'RESOURCE']
    - name: conditions
      value: object
      description: >
        Specifies the scopes for the Claim
    - name: group_filter_type
      value: string
      description: >
        Specifies the type of group filter if `valueType` is `GROUPS`
        If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`.
        If you have complex filters for Groups, you can [create a Groups allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to put them all in a Claim.
      valid_values: ['CONTAINS', 'EQUALS', 'REGEX', 'STARTS_WITH']
    - name: name
      value: string
      description: >
        Name of the Claim
    - name: status
      value: string
      valid_values: ['ACTIVE', 'INACTIVE']
    - name: system
      value: boolean
      description: >
        When `true`, indicates that Okta created the Claim
    - name: value
      value: string
      description: >
        Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`.
    - name: valueType
      value: string
      description: >
        Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`)
      valid_values: ['EXPRESSION', 'GROUPS', 'SYSTEM']
```
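The manifest's constraints can be checked before a claim definition is substituted into the INSERT or REPLACE template. The Python below is an added example, not code from the provider or from Okta: `validate_claim`, `check_group_filter` and `PROBE_GROUP` are hypothetical names. It assumes `status` may be omitted, that Python's `re` approximates the regex engine Okta uses, and it adds a review heuristic that flags a `REGEX` group filter broad enough to match an unrelated group name.

```python
import re

# Allowed values copied from the valid_values lists in the manifest.
VALID = {
    "claimType": {"IDENTITY", "RESOURCE"},
    "valueType": {"EXPRESSION", "GROUPS", "SYSTEM"},
    "status": {"ACTIVE", "INACTIVE"},
}
GROUP_FILTERS = {"CONTAINS", "EQUALS", "REGEX", "STARTS_WITH"}
# Constructed probe: a group name that no deliberate filter should match.
PROBE_GROUP = "zz-unrelated-probe-group"


def check_group_filter(filter_type, value):
    """Check the GROUPS-only fields: filter type, regex syntax, catch-all regex."""
    if filter_type not in GROUP_FILTERS:
        return [f"group_filter_type: {filter_type!r} not in {sorted(GROUP_FILTERS)}"]
    if filter_type != "REGEX":
        return []
    try:
        # Assumption: Python's re stands in for the regex engine Okta uses.
        pattern = re.compile(value)
    except re.error as exc:
        return [f"value: invalid regex ({exc})"]
    if pattern.fullmatch(PROBE_GROUP):
        return ["value: regex also matches an unrelated group name (catch-all filter)"]
    return []


def validate_claim(claim):
    """Return the problems found in a claim definition; an empty list means none."""
    problems = []
    for field, allowed in VALID.items():
        got = claim.get(field)
        # Assumption: status may be omitted, claimType and valueType may not.
        if got is None and field == "status":
            continue
        if not isinstance(got, str) or got not in allowed:
            problems.append(f"{field}: {got!r} not in {sorted(allowed)}")
    if not claim.get("name"):
        problems.append("name: empty")
    # Per the field description, access-token (RESOURCE) claims are always included.
    if claim.get("claimType") == "RESOURCE" and claim.get("alwaysIncludeInToken") is False:
        problems.append("alwaysIncludeInToken: cannot be false for a RESOURCE claim")
    value, value_type = claim.get("value"), claim.get("valueType")
    if value_type in ("GROUPS", "EXPRESSION") and not (isinstance(value, str) and value):
        problems.append(f"value: must be a non-empty string for {value_type}")
    elif value_type == "GROUPS":
        problems += check_group_filter(claim.get("group_filter_type"), value)
    return problems
```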
REPLACE examples
- replace_oauth2_claim
Replaces a custom token Claim specified by the claimId
```sql
REPLACE okta.authorizationservers.claims
SET
    data__alwaysIncludeInToken = {{ alwaysIncludeInToken }},
    data__claimType = '{{ claimType }}',
    data__conditions = '{{ conditions }}',
    data__group_filter_type = '{{ group_filter_type }}',
    data__name = '{{ name }}',
    data__status = '{{ status }}',
    data__system = {{ system }},
    data__value = '{{ value }}',
    data__valueType = '{{ valueType }}'
WHERE
    subdomain = '{{ subdomain }}' -- required
RETURNING
    id,
    name,
    _links,
    alwaysIncludeInToken,
    claimType,
    conditions,
    group_filter_type,
    status,
    system,
    value,
    valueType;
```
DELETE examples
- delete_oauth2_claim
Deletes a custom token Claim specified by the claimId
```sql
DELETE FROM okta.authorizationservers.claims
WHERE subdomain = '{{ subdomain }}'; -- required
```