Okta and JWT, refresh tokens and invalidation

When I authenticate against Okta, will Okta produce a JWT with the roles-groups as part of the basic claims, and then return that JWT to the application? Or does the generation of the JWT happen on the application?

How would we then revoke a JWT’s refresh token?

Yes, the JWT should have a claim called “groups” that contains what you’re looking for. At least that’s how the okta-spring-security integration works. https://github.com/okta/okta-spring-security

Also, you can read about revoking tokens in our documentation.

For custom Authorization Servers using API Access Management: https://developer.okta.com/docs/api/resources/oauth2.html#revoke-a-token

For basic authentication to an OIDC app, without a custom Authorization Server: