OKTA Authorization Server: Unexpected User Group Removal issue

Hi @lindakwoo,

I have integrated the OKTA Authorization Server, completed role mapping, and assigned users to the appropriate groups. However, sometimes a user's group assignment is removed without any changes being made. I checked the audit logs and noticed that the user appears with an empty group. I am unsure whether this is an issue with the decoder of the id_token or a problem on OKTA’s side. Do you have any suggestions?

**Retool Version: 3.148.4**
OKTA OIDC.


@baktash.salehi,
I can try to help you with this. Are you saying that this is happening randomly to different users or is it one user in particular? Also, are ALL their group assignments being removed, or just specific groups? Can you please provide a screenshot of your SSO config and your permissions groups? I would also like to see screenshots of your OKTA groups.

Thanks very much!

@lindakwoo This issue did occur with some random users. We have limited the Okta Authorization Server with specific groups, and each user is assigned to a single group with the default 'All users' group in Retool. The following are screenshots.

Thank you for your response.



@baktash.salehi,
When this happens, what happens when the user logs out and then logs back in again? Also, when this happens, can you confirm on Okta that the user is a member of the correct Okta group?

For a user that is removed from their groups, can you please go into OKTA and check their groups in the id_token preview and let me know what you find? See these docs for help in setting it up.


Thanks!
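
An added example, not part of the original posts and not Retool or Okta code: a small triage script that decodes a captured id_token payload and reports whether the groups claim is missing, empty or populated, which separates a token-side problem from a mapping-side one. The claim name `groups`, the helper names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json

GROUPS_CLAIM = "groups"  # assumption: the claim name configured on the authorization server


def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def groups_status(id_token: str, claim: str = GROUPS_CLAIM) -> tuple[str, list]:
    """Classify the groups claim as 'missing', 'malformed', 'empty' or 'present'."""
    claims = decode_payload(id_token)
    if claim not in claims:
        return "missing", []      # the server never emitted the claim
    value = claims[claim]
    if not isinstance(value, list):
        return "malformed", []    # claim present but not a list of group names
    return ("present" if value else "empty"), value


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token with a placeholder signature."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"


# Constructed samples; subject and group names are made up.
SAMPLES = {
    "with_groups": make_sample_token({"sub": "user-a", "groups": ["retool-editors"]}),
    "empty_groups": make_sample_token({"sub": "user-b", "groups": []}),
    "no_claim": make_sample_token({"sub": "user-c"}),
}

if __name__ == "__main__":
    for name, token in SAMPLES.items():
        print(name, groups_status(token))
```

A result of `missing` or `empty` means the token itself carried no groups, so the cause lies on the identity-provider side rather than in how the token is decoded.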

@lindakwoo Thank you. For that specific user, the group assignment was present, but the Retool application had been removed in Okta. We're not sure who removed it, and after checking the Okta logs, we didn’t find anything conclusive. If it happens again, we will review all the logs in Okta thoroughly and let you know if we need any help. Thank you for your help.

Regards,
Baktash Salehi

@baktash.salehi,
Thanks for following up. If this happens again, do let us know!