Request the ‘phone’ scope in the authorize call. The ‘phone_number’ claim will be returned in the ID token (or by the userinfo endpoint, if you are requesting an id_token and a token in the same authorize request; details for that behavior here).
Make a CORS request to /api/v1/users/me, which will return the authenticated user’s primaryPhone and other profile attributes. As long as the session cookie for Okta is set in the browser, this call will work without additional authentication (make sure cookies are sent in the request though!). Watch out for browsers that block third-party cookies!
Make a backend call to /api/v1/users/{{userId}}, which will return the same information but will require that an API token be included in the request.
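
The CORS option above, sketched as an added example (not code from the original page or from Okta). The function name `getPrimaryPhone`, the injected `fetchImpl` parameter, and the handling of 401/403 as "no session" are assumptions made for illustration; it also assumes the calling page's origin is permitted for CORS by the Okta org.

```javascript
// Added example: read primaryPhone from /api/v1/users/me using the
// browser's existing Okta session cookie.
// oktaOrigin is your Okta org URL (caller supplies it; no real org is assumed).
// fetchImpl is injectable so the logic can be exercised without a network.
async function getPrimaryPhone(oktaOrigin, fetchImpl = fetch) {
  let res;
  try {
    res = await fetchImpl(`${oktaOrigin}/api/v1/users/me`, {
      method: 'GET',
      // Without this, the browser omits cookies on cross-origin requests
      // and the call arrives unauthenticated.
      credentials: 'include',
      headers: { Accept: 'application/json' },
    });
  } catch (err) {
    // fetch rejects on network failure or when CORS blocks the response.
    return { ok: false, reason: 'network-or-cors', phone: null };
  }

  if (res.status === 401 || res.status === 403) {
    // Assumption: an unauthenticated call fails with one of these codes.
    // Either the user has no Okta session, or the browser blocked the
    // session cookie as a third-party cookie. Fall back to the 'phone'
    // scope or a backend call rather than retrying here.
    return { ok: false, reason: 'no-session', phone: null };
  }
  if (!res.ok) {
    return { ok: false, reason: `http-${res.status}`, phone: null };
  }

  const user = await res.json();
  // primaryPhone sits with the other profile attributes and may be unset.
  const phone = user && user.profile ? user.profile.primaryPhone : null;
  return { ok: true, reason: null, phone: phone || null };
}
```

A `no-session` result is the signal to fall back to the ‘phone’ scope or the backend call, since neither depends on the browser sending the Okta cookie cross-origin.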