I have SPA in Angular with a dotnet core backend. When the app is accessed by a user he gets redirected to Okta for login. Once the user is authenticated the app can retrieve data from the backend. But… the backend endpoints are not protected. My company only provides access to the Org Authorization Server so I can’t customize it. I need a way to send the access token to the backend API to protect the endpoints there. That access token needs to include also group claims. How can I do that?