Forgive me if this has been asked already but i cannot seem to find what i’m looking for.
I have created a React SPA that contains different pages; Home, Profile and Admin.
I’ve implemented a secure route to Profile and Admin, where everyone is able to access the profile page where it pulls the current user Info and displays it.
What i’m trying to do is block access to the admin page unless they’re assigned as admins in the directory. So once authenticated, if they click on the Admin page they’ll see some sort of access denied message if they’re not admins, and if they are then they’ll see a welcome admin message.
What do i need to do on OKTAS side to achieve this ? any documentation or help is greatly appreciated.
You shouldn’t need to do anything on the Okta side to achieve this. It sounds like you need a conditional of some kind in your application code. You could use the Users API, get the users role and then display an error /prevent access if the logged in user doesn’t have the admin role.
Another option available is to use group membership information for the user, stored within a token claim, to capture the user’s role/permissions in your application. So, say, if user is NOT a member of the App-Admin group, they should not be able to access the admin route of the app.