Limit results based on group membership - ExpressJS

What is the correct way to restrict results from our backend based on Okta group membership?

Say we have the groups “Doctor”, “Nurse” etc., and depending on membership, we should control how our DB queries are built, e.g. filtering on various criteria.

  1. How do I get access to the user groups on the backend (NodeJS + Express)?
     I see that the backend reports scope `profile openid email` and not `groups`.
     Where do I set that up? On the client-side sign-in widget? Somewhere in the Okta management UI? In the backend config?

  2. Is that the correct way to go? Should we check group memberships at all for this, or is it possible to set up some other form of access/authorization restriction which would be more idiomatic?

You can add groups claims to either the ID Token or Access Token. If you are passing the token outside of your express application, definitely use the Access Token.

This is a good way to have a stateless way to know how to query your DB correctly.

This functionality is available through:
API -> Authorization Servers -> default

You can either have it added as a claim to a token by default or added to a scope.

Let me know any other questions!

[edit] it works :slight_smile: thanks
