Tokens, userinfo endpoint and claims

Hi,

I am in the process of implementing a SPA app with a custom back-end. The SPA is written using ReactJS and the backend is written using .NET Core 3.1 (Web API project).

I am using token-based authentication and I am passing the access token, obtained by the SPA, when calling the API endpoints. I am able to verify the token on the API side, using the Okta middleware, but then I also need to fetch some claims. It seems claims can be added to the access token, to the identification token, and also obtained by calling the userinfo endpoint. My understanding is that the Okta middleware will automatically load these claims, but it seems this happens only if the claims are in the access token.

The standard OIDC middleware allows specifying the GetClaimsFromUserInfoEndpoint option to automatically make an additional call to the userinfo endpoint, but this seems to be available only for MVC and not for Web API in the Okta middleware.

I would like to avoid putting claims in the access token, so how can I get them by just adding them to the identification token and to the userinfo endpoint?

If this is not possible, how can I call the userinfo endpoint from my controllers to retrieve the claims?

Many thanks,

Sebastiano

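One way to do what the last question asks, calling the userinfo endpoint from a Web API controller with the caller's own access token (an added example, not part of the original post and not Okta's code). The `ProfileController` name and the `Okta:Issuer` configuration key are assumptions, as is an `IHttpClientFactory` registered with `services.AddHttpClient()`.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
[ApiController, Route("api/[controller]")]
[Authorize] // the bearer middleware has already validated the access token
public class ProfileController : ControllerBase
{
    private static string _userInfoUrl; // cached after the first discovery call
    private readonly HttpClient _http;
    private readonly string _issuer;
    // Assumes services.AddHttpClient() and a hypothetical "Okta:Issuer" config key.
    public ProfileController(IHttpClientFactory factory, IConfiguration config)
    {
        _http = factory.CreateClient();
        _issuer = config["Okta:Issuer"].TrimEnd('/');
    }
    [HttpGet]
    public async Task<IActionResult> Get()
    {
        // Reuse the bearer token the SPA sent; userinfo requires the openid scope.
        var header = Request.Headers["Authorization"].ToString();
        if (!AuthenticationHeaderValue.TryParse(header, out var auth) ||
            !"Bearer".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase))
            return Unauthorized();
        // Take the endpoint from the issuer's OIDC metadata so the token is only
        // ever sent to the authorization server that issued it.
        if (_userInfoUrl == null)
        {
            var meta = await _http.GetStringAsync(_issuer + "/.well-known/openid-configuration");
            using var metaDoc = JsonDocument.Parse(meta);
            _userInfoUrl = metaDoc.RootElement.GetProperty("userinfo_endpoint").GetString();
        }
        using var request = new HttpRequestMessage(HttpMethod.Get, _userInfoUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", auth.Parameter);
        using var response = await _http.SendAsync(request);
        if (!response.IsSuccessStatusCode) return Unauthorized();
        using var claims = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = claims.RootElement;
        return Ok(new {
            sub = root.GetProperty("sub").GetString(),
            email = root.TryGetProperty("email", out var e) ? e.GetString() : null
        });
    }
}
```

Which claims come back depends on the scopes granted to the access token (for example `profile` or `email`), so a missing claim is handled as null rather than as an error.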