When I authenticate against Okta, will Okta produce a JWT with the roles-groups as part of the basic claims, and then return that JWT to the application? Or does the generation of the JWT happen on the application?
How would we then revoke a JWT’s refresh token?
Yes, the JWT should have a claim called “groups” that contains what you’re looking for. At least that’s how the okta-spring-security integration works. https://github.com/okta/okta-spring-security
Also, you can read about revoking tokens in our documentation.
For custom Authorization Servers using API Access Management: https://developer.okta.com/docs/api/resources/oauth2.html#revoke-a-token
For basic authentication to an OIDC app, without a custom Authorization Server:
https://developer.okta.com/docs/api/resources/oidc.html#revocation-request
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.