Application Authorization & Roles with Okta Authentication

I am looking to use Okta for authentication, then attach application defined role claims to my principals post-login. I know I can define groups/roles within my okta configuration, but I am looking for an alternate approach.
I have integrated this successfully within e.g. a MVC (or any other SSR type) app, but with a SPA → API architecture & SSO, there are additional challenges. This comes primarily in the effect of extra requests to the back end and/or database to query the roles associated with the user.

My current approach is as follows:
I am using C# Blazor WebAsm client, .NET 6.0 API backend

  • Authenticate with Okta, receive claims + API token
  • Query backend for role assignments and attach to front end principal (using AccountClaimsPrincipalFactory)
  • For each request to API, query for roles and attach to principal (using IClaimsTransformation)

Is it a possible (and more importantly, secure) approach to rather do as follows:

  • Authenticate with Okta, receive claims + API token
  • Query backend for role assignments once, create new token for all subsequent API requests

Does this involve just creating a new JWT from scratch on the front end and throwing the one from Okta away once we’ve authenticated?

Thank you,


When you state

Authenticate with Okta, receive claims + API token

is the API Token an OAuth access_token or Okta API Token used for management calls?
If it is an Okta API Token used for management calls this should not be returned to a client application and is considered a protected resource.

In general if you have an MVC application that calls protected API endpoints you want to obtain an id and access token from Okta.

  • The id_token would be used to establish a login for the MVC application.
  • The access_token would be used to make API calls against your protected API endpoints. Typically this access_token will contain custom scopes/claims that specify the access the token should have to the specific API. All of the granted scopes/claims in the access_token should be based off of policies in Okta.

Thank You,

Hey @erik ,
It is an access token.
Yes I understand that ideally all configuration would be through Okta policies, but I am looking for guidance on using application specified roles once the Okta authentication has been established.
Thank you