When I authenticate against Okta, will Okta produce a JWT with the roles-groups as part of the basic claims, and then return that JWT to the application? Or does the generation of the JWT happen on the application?
Yes, the JWT should have a claim called “groups” that contains what you’re looking for. At least that’s how the okta-spring-security integration works. https://github.com/okta/okta-spring-security
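As an added example (not part of the original posts, and not Okta's or okta-spring-security's code): the application side of this exchange, where the token arrives already issued and the application verifies it before reading `groups`. HS256 with a shared key stands in for the issuer's signing so the sketch runs on the standard library alone; the key, issuer, audience and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values, for illustration only.
KEY = b"constructed-demo-key"
ISSUER = "https://idp.example.test"
AUDIENCE = "demo-app"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side (stand-in for the identity provider): build and sign a token."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def authorities_from_token(token, key, issuer, audience, now=None):
    """Application side: verify the token first, then read the groups claim."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    groups = claims.get("groups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim must be a list of strings")
    return sorted(groups)

if __name__ == "__main__":
    demo = {"iss": ISSUER, "aud": AUDIENCE, "exp": time.time() + 300,
            "groups": ["Everyone", "Admins"]}
    print(authorities_from_token(sign_hs256(demo, KEY), KEY, ISSUER, AUDIENCE))
```

The group list is only as trustworthy as the checks that precede it: a token signed with a different key, addressed to another audience or past its expiry is rejected before `groups` is read.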