I am currently evaluating Okta as our repository of client applications and I am finding it quite difficult to find an answer to this question: can we supply custom values per client on the JWT?
Here’s my use case:
We are currently looking to build an API layer that wraps a third party vendor’s systems. We expect each client on Okta to have a dedicated username and password on the vendor’s systems, along with a set of values that would limit their access to the system (such as concurrent open connections, not requests, and so on).
We have already established a working POC using a custom-built Spring Boot OAuth2 server with a custom schema, and we are looking to achieve the same behaviour using Okta. The only part that I am missing is to include a set of claims within the JWT that is returned by Okta (including the client’s username and password on the vendor’s system). I get that perhaps we shouldn’t include such sensitive data on the JWT, however we are currently only trying to understand what is possible at this point.
Thank you very much.