WPF app with WCF services

Can anyone please advise on the recommended authentication flow for my scenario?

WPF application running on windows

WCF services which require the users groups for method call authorisation. These call other WCF services and thus hit the ‘double hop’ problem.

The app calls the WCF services.

We have OKTA setup to pull in the Active directory information.

The user is already logged into windows, so we would like to avoid prompting the user to enter their details again.

My initial thought was to have an auth service protected by windows authentication generate a signed token with claims. Which the app would call for the token, use the claims for its own UI and then pass to the WCF services as needed. Validated via a shared public key. Is there some way of achieving something similar with OKTA?