I would like to use Okta as the authorization server for an API that I am developing.
The idea is that I use claims to contain application permissions. However, I don’t want to ‘leak’ the permissions in the access token or in the ID token.
How can I implement this so that the access token contains hardly any information, and so that via introspection (or any other secure way) I can get the user’s full details?
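One way to do what the question asks, as an added example that is not part of the post: the API treats the access token as an opaque handle, calls the authorization server's RFC 7662 introspection endpoint to learn only whether it is active and for which subject, and then looks permissions up in its own store keyed by `sub`, so nothing sensitive ever sits in the token. The Okta domain, client credentials, subject id and permission table are constructed placeholders, and `fake_okta` stands in for the real endpoint so the block runs offline.

```python
"""Resource-server side of RFC 7662 token introspection against Okta.

Added example, not from the original post. Assumes an Okta custom
authorization server whose introspection endpoint is ISSUER + "/v1/introspect"
and a confidential client allowed to call it (client_secret_basic).
"""
import base64, json, time, urllib.parse, urllib.request

OKTA_ISSUER = "https://example.okta.com/oauth2/default"      # placeholder issuer
CLIENT_ID, CLIENT_SECRET = "client-id-placeholder", "client-secret-placeholder"

# Constructed stand-in for the API's own permission store, keyed by subject.
# This is where permissions live; they are never read from the token.
PERMISSIONS_BY_SUBJECT = {"00u1abcd": {"orders:read", "orders:write"}}

def _post_form(url, fields, headers):
    """Real transport: HTTP POST of a form body, returns the parsed JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def introspect(token, post=_post_form, now=time.time):
    """Ask the authorization server what this opaque token represents.
    Returns the introspection dict only if the token is active and unexpired."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}", "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    data = post(f"{OKTA_ISSUER}/v1/introspect",
                {"token": token, "token_type_hint": "access_token"}, headers)
    if not data.get("active"):           # RFC 7662: inactive or unknown token
        return None
    if data.get("exp", 0) <= now():      # honour exp ourselves as well
        return None
    return data

def authorize(token, required_permission, post=_post_form, now=time.time):
    """Resolve the caller's permissions server-side and check the one required."""
    info = introspect(token, post, now)
    if info is None:
        return False
    granted = PERMISSIONS_BY_SUBJECT.get(info.get("sub"), set())
    return required_permission in granted

def fake_okta(url, fields, headers):
    """Constructed stand-in for the Okta endpoint so the example runs offline."""
    assert url.endswith("/v1/introspect") and headers["Authorization"].startswith("Basic ")
    known = {"opaque-abc": {"active": True, "sub": "00u1abcd", "scope": "openid",
                            "exp": 4102444800, "token_type": "Bearer"}}
    return known.get(fields["token"], {"active": False})
```

Cache the introspection result for no longer than the token's remaining lifetime to avoid a round trip per request, and revocation is still honoured because a revoked token introspects as inactive.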