Can I use Okta to manage users' permissions within my apps?

I’ve built a proof of concept which allows users to authenticate to my web app via Okta (using the Authorization Code Flow).

Now, I’d like to take things a step further, and use Okta for authorization – not just authentication.

In other words: say that my web app’s dashboard has a “Blog Posts” section. I’d like to control whether BobUser has access to this section of the dashboard from within Okta.

  1. Is this possible?

  2. If so, what mechanism should I use to accomplish this? What’s the keyword I should be searching for? I haven’t been able to find anything. I know that I can assign attributes to users – would this be the best way? Is that a typical use of user attributes, or would that be stretching their intended purpose?

Hi @immersiontravis

The best solution would be to have a custom claim added for the OIDC application itself, in which you specify which parts of the website the user has access to (for example accesses=blog,forum,profile,admin_profile,admin_forum,admin_blog, etc.).

This claim would be accessed through the profile scope and found in the ID token, provided you are requesting only an ID token, or on the /userinfo endpoint, if you are requesting both ID tokens and access tokens.
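A worked example of consuming such a claim on the web-app side, added here and not part of the thread: it verifies the ID token before trusting anything in it, normalises the suggested comma-separated accesses claim into a set of section names (a JSON array is accepted too), and denies by default when the claim is absent. The issuer, client ID and signing key are made-up assumptions. Okta signs ID tokens with RS256 using the keys it publishes at its JWKS endpoint, so the HS256 shared secret below stands in only so the block runs offline; a real app should verify with a JWT library against that key set.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical values for this example only; substitute your Okta org's
# issuer and the OIDC application's client ID.
EXPECTED_ISSUER = "https://dev-000000.okta.com/oauth2/default"
EXPECTED_AUDIENCE = "0oa0000000000000000"

# Constructed stand-in key. Okta signs ID tokens with RS256 keys from its
# JWKS endpoint; HS256 is used here only so the example runs offline.
DEMO_SECRET = b"demo-secret-not-an-okta-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWS; used only to construct sample tokens for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes = DEMO_SECRET,
                    now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience and expiry before exposing any claim.

    Raises ValueError on any failure so a caller can never read the accesses
    claim out of a token that was not actually issued for this app.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def parse_accesses(claims: dict) -> frozenset:
    """Normalise the custom 'accesses' claim into a set of section names.

    Accepts the comma-separated string form suggested in the thread or a JSON
    array; a missing or unexpected value yields an empty set (deny by default).
    """
    raw = claims.get("accesses", "")
    if isinstance(raw, str):
        pieces = raw.split(",")
    elif isinstance(raw, list):
        pieces = [str(p) for p in raw]
    else:
        return frozenset()
    return frozenset(p.strip() for p in pieces if p.strip())


def can_access(claims: dict, section: str) -> bool:
    """Authorisation decision for one dashboard section, e.g. 'blog'."""
    return section in parse_accesses(claims)


if __name__ == "__main__":
    # Constructed sample token for BobUser; exp is far in the future.
    sample = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "BobUser",
              "exp": 2_000_000_000, "accesses": "blog, forum"}
    verified = verify_id_token(make_demo_id_token(sample))
    print("blog:", can_access(verified, "blog"), "admin_blog:", can_access(verified, "admin_blog"))
```

If the app requests an access token as well, the same parse_accesses and can_access functions apply to the JSON returned by /userinfo, since that call is authenticated by the bearer access token rather than by a signature the app checks itself.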

Hi dragos –

Thanks for the reply. Can you please explain how I can add a custom claim to an Okta application?

I would expect to find this within the application in the Okta Developer Console. But I couldn’t find anything there. I’m probably misunderstanding, though.

Hi @immersiontravis

You can add the claim by going to Users >> Profile Editor >> OIDC application. Once this is done, check the user assignment under Applications >> OIDC application >> Assignments tab.