I’ve built a proof of concept which allows users to authenticate to my web app via Okta (using the Authorization Code Flow).
Now, I’d like to take things a step further, and use Okta for authorization – not just authentication.
In other words: say that my web app’s dashboard has a “Blog Posts” section. I’d like to control whether BobUser has access to this section of the dashboard from within Okta.
Is this possible?
If so, what mechanism should I use to accomplish this? What’s the keyword I should be searching for? I haven’t been able to find anything. I know that I can assign attributes to users – would this be the best way? Is that a typical use of user attributes, or would that be stretching their intended purpose?
The best solution would be to have a custom claim added for the OIDC application itself in which you specify which parts of the website the user has access to (for example accesses=blog,forum,profile,admin_profile,admin_forum,admin_blog etc.).
This claim would be accessed through the profile scope and found in the ID token, provided you are requesting only an ID token, or on the /userinfo endpoint if you are requesting both ID tokens and access tokens.
Thanks for the reply. Can you please explain how I can add a custom claim to an Okta application?
I would expect to find this within the application in the Okta Developer Console. But I couldn’t find anything there. I’m probably misunderstanding, though.
You can add the claim by going to Users >> Profile Editor >> OIDC application. Once this is done, check the user assignment under Applications >> OIDC application >> Assignments tab.