I’m developing a front end SPA using React, Node, and Okta as our SSO. The users are intended to be only employees of the company, all of whom already have an Okta login. I’ve followed the okta-react OIDC setup and tutorial and the SSO is working fine for authentication; however, I’m a little stumped as to where to go next regarding authorization / roles and making sure certain users are only able to see content that they are assigned to see.
We plan to use Okta groups as roles, or to determine access to the different content provided. I know it’s possible to extract groups from the access token provided by Okta after the implicit/callback post-signon, but I’m not sure how to progress from this point. How should I handle only rendering content that the user is assigned to see? Is it safe to assume a user could not tamper with the access token to append different groups and gain different access? Front end application security is not my team’s forte, so I just want to make sure we set this up correctly.