Currently, our TestCo Okta is able to pass ‘testrole’ with one of a few different values, e.g. ‘admin’ or ‘user.’ If a user has multiple ‘testrole’ attributes (based on group membership) then Okta has a precedence order that determines which one ‘testrole’ value it will return.
We need to be able to handle passing a list of roles from IdP to Cognito to our API. For example, a string of ‘admin, user, readonly, section-admin’. So adding a claim inside the ‘authorized servers’ --> default won’t work for us.