I'm using an Okta app to authenticate via OpenID Connect.
The client allows calling into a web API endpoint, which should have
access control based on the groups the authenticated user belongs to (like admin, client, ...).
The trouble is that I cannot figure out how to get to the groups from the authentication token.
Currently, I send a request to http://octa.../oauth2/v1/userinfo and extract the groups from the
claims. Is that an acceptable way to do so? Is there a way to avoid that additional request?
Thank you and kind regards,
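As an added illustration (not code from the question), the group-based check the post describes, run over a constructed userinfo response: the claim name `groups`, the endpoint policy and the sample payload are assumptions, and the function denies by default when the claim is missing, malformed, or the endpoint has no policy.

```python
import json

# Constructed sample userinfo body (not a real Okta response). The claim
# name "groups" is an assumption; it depends on how the authorization
# server is configured to emit group membership.
SAMPLE_USERINFO = json.dumps({
    "sub": "00u-example",
    "email": "alice@example.com",
    "groups": ["Everyone", "client"],
})

# Assumed policy: which groups may reach which endpoint.
ENDPOINT_POLICY = {
    "/api/admin/users": {"admin"},
    "/api/orders": {"admin", "client"},
}


def extract_groups(claims):
    """Return the user's groups as a set; a missing or malformed claim yields no groups."""
    groups = claims.get("groups")
    if groups is None:
        return set()
    if isinstance(groups, str):  # tolerate a single-string claim
        groups = [groups]
    if not isinstance(groups, list):
        return set()
    return {g for g in groups if isinstance(g, str)}


def is_authorized(endpoint, claims):
    """Deny by default: no policy for the endpoint or no overlapping group -> False."""
    allowed = ENDPOINT_POLICY.get(endpoint)
    if not allowed:
        return False
    return bool(extract_groups(claims) & allowed)


def authorize_request(endpoint, userinfo_json):
    """Parse the userinfo body (as returned by the IdP) and decide; bad JSON is a denial."""
    try:
        claims = json.loads(userinfo_json)
    except ValueError:
        return False
    if not isinstance(claims, dict):
        return False
    return is_authorized(endpoint, claims)
```

The decision is taken only from claims the identity provider returned for the presented access token, so the API never has to interpret group data supplied by the client itself.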