Is it possible? Yes, Okta allows you to add custom claims to both id_token and access_token through Authorization Server configuration.
Is it recommended? Generally, no.
id_token Purpose:
Primarily for authentication. It tells the client application (e.g., your Angular app) who the user is (their identity).
It includes standard claims like:
sub (subject ID)
iss (issuer)
aud (audience)
exp (expiry)
iat (issued at)
Often basic profile info requested via scopes (name, email, etc.).
access_token Purpose:
Primarily for authorization. It’s intended for the resource server (e.g., your .NET Web API) to determine what the user is allowed to do.
Permissions, roles, and group memberships are authorization concerns.
Best Practice:
Keep id_token lightweight and focused on identity.
Put authorization-related data like permissions into the access_token. This prevents bloating the id_token and keeps authorization details where the API needs them.
Your API should validate the access_token and use its claims to make access control decisions.
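As an added illustration of that last point (not code from the original answer or from Okta), the following Python sketch shows a resource server validating an access_token and driving an access decision from a custom `permissions` claim. The issuer, audience, shared secret and claim name are constructed placeholders; a real Okta authorization server signs with RS256 and publishes its keys at a JWKS endpoint, so the HS256 check here stands in for that verification.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins: a real Okta authorization server signs with RS256 and
# publishes its public keys at a JWKS endpoint; swap the HMAC check for that.
SECRET = b"example-shared-secret"                    # constructed
ISSUER = "https://example.okta.com/oauth2/default"   # placeholder issuer
API_AUDIENCE = "api://default"                        # placeholder API audience

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    # Mint an HS256 JWT carrying the given claims (test fixture only).
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_access_token(token: str, now: int) -> dict:
    """Check alg, signature, issuer, audience and expiry; return the claims."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # no algorithm confusion
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # An id_token's aud is the client id, not the API, so it is rejected here
    # even if it happens to carry the same custom claims.
    if claims.get("aud") != API_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def is_allowed(token: str, required_permission: str, now: int) -> bool:
    """Access-control decision driven by the custom 'permissions' claim."""
    try:
        claims = validate_access_token(token, now)
    except ValueError:
        return False
    return required_permission in claims.get("permissions", [])
```

The audience check is what keeps an id_token from being accepted as a bearer token at the API, which is the practical reason for keeping the two tokens' roles separate.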