Securing APIs with policies

I have an application with an Angular front end and .NET Core on the back end.
I have created a custom authorization server. I am able to authenticate and get back an access token,
and I am using JwtBearerDefaults.AuthenticationScheme to validate the token on the back end.
How do I go about securing my backend APIs with policies?
For example, I have an endpoint that requires an admin policy with read/write access,
then I have another endpoint with a read-only policy.
In the backend I am marking my controllers with
[Authorize(Policy = "ReviewerPolicy")]
[Authorize(Policy = "AdminPolicy")]

How can I go about doing this using OKTA as my authorization server?

I’d follow the guidance here:

And define the roles as an Okta Group, where the group is a role. To use your example, your application would have an “Admins” group and “Reviewers” group. The appropriate users would be assigned to those groups. In your configuration you would define:

services.AddAuthorization(options =>
{
    // Each policy requires the matching Okta group, presented as a role claim in the access token
    options.AddPolicy("AdminPolicy", policy => policy.RequireRole("Admins"));
    options.AddPolicy("ReviewerPolicy", policy => policy.RequireRole("Reviewers"));
});

This would configure the policies you’re using to require that role in the access token.

You could also combine the group membership with a scope definition then send the group claim only if the specific role is requested:
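Putting the pieces of this answer together, here is an added example (my own code, not from the thread or from Okta's samples) of a minimal ASP.NET Core API that validates Okta access tokens with the JWT bearer handler, maps the group claim to roles, and protects two endpoints with the AdminPolicy and ReviewerPolicy from the question. The Okta domain and audience are placeholders, and the example assumes the authorization server has been configured to include a claim named `groups` in the access token; a bearer token whose `groups` claim does not contain the required group gets a 403, and a missing or invalid token gets a 401.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholders: replace with your Okta org and the audience configured on the
        // authorization server. The handler fetches the signing keys from the issuer's
        // discovery document, so the issuer and audience are verified on every request.
        options.Authority = "https://{yourOktaDomain}/oauth2/default";
        options.Audience = "api://default";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            // Assumption: Okta has been configured to emit the user's groups in a
            // "groups" claim. Pointing RoleClaimType at it makes RequireRole match it.
            RoleClaimType = "groups"
        };
    });

builder.Services.AddAuthorization(options =>
{
    // One policy per Okta group: membership in the group is the authorization decision.
    options.AddPolicy("AdminPolicy", policy => policy.RequireRole("Admins"));
    options.AddPolicy("ReviewerPolicy", policy => policy.RequireRole("Reviewers"));
});

builder.Services.AddControllers();

var app = builder.Build();

// Authentication must run before authorization so the principal's claims are populated.
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class ReviewsController : ControllerBase
{
    // Read-only endpoint: any caller in the Reviewers group.
    [HttpGet]
    [Authorize(Policy = "ReviewerPolicy")]
    public IActionResult List() => Ok(new[] { "review-1", "review-2" });

    // Write endpoint: only callers in the Admins group.
    [HttpPost]
    [Authorize(Policy = "AdminPolicy")]
    public IActionResult Create([FromBody] string review) => Created($"/api/reviews/{review}", review);
}
```

If you want admins to be able to read as well as write, `RequireRole` accepts several role names (`policy.RequireRole("Admins", "Reviewers")`), which grants access when the token carries any one of them. Keep `ValidateLifetime` on: role membership is snapshotted into the token when it is issued, so a long-lived token keeps its groups until it expires, and a short lifetime limits how long a removed user retains access.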

Hi @jelbatnigi

You can check out the example here which was done based on