This lab demonstrates the design and implementation of a secure role-based access control (RBAC) model using Okta as an OpenID Connect (OIDC) Identity Provider.

The objective was to enforce application-layer authorization decisions based on dynamic group membership injected into the OIDC ID token (a signed JWT) at authentication time. The solution leverages:

The result is a scalable model in which identity-driven access decisions travel as claims inside a token signed by the identity provider: downstream systems verify that signature and enforce access without querying the identity provider on every request. The trade-off is that group membership is a snapshot taken at issuance, so a change or revocation only takes effect when the token expires and a new one is issued; keep token lifetimes correspondingly short.

📘 Lab Overview

This lab demonstrates how to implement Role-Based Access Control (RBAC) using:

The objective was to dynamically inject the user's RBAC group membership into the ID token as a claim and simulate how a web application would enforce authorization decisions based on that claim.

Rather than relying on static role mapping inside the application, authorization logic is driven by claims issued directly by the Okta Authorization Server and verified by the application before use.
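As an added, runnable illustration (not code from this lab or from Okta), the Go program below plays both sides of the exchange described above. `mintIDToken` stands in for the Okta authorization server and issues an RS256-signed ID token carrying the user's group membership; `verifyIDToken` is the relying party's check, which pins the algorithm, verifies the signature against the issuer's public key (in production that key comes from the issuer's JWKS endpoint), validates `iss`, `aud` and `exp`, and only then hands the claims to `authorize` for the RBAC decision. It goes slightly beyond the text by also rejecting tampered, expired, wrong-audience and `alg=none` tokens. The claim name `groups`, the issuer URL, the client ID and the `kid` value are placeholders, and `aud` is treated as a single string, which is how Okta ID tokens carry the client ID.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the OIDC ID token used here. "groups" is the custom
// claim the lab has Okta populate from the user's group membership at
// authentication time (the claim name is an assumption for this example).
type Claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"` // Okta ID tokens carry the client ID as a string
	Iat    int64    `json:"iat"`
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups"`
}

var b64 = base64.RawURLEncoding

// mintIDToken stands in for the Okta authorization server: it RS256-signs the
// claims and returns a compact JWT. In the real lab Okta does this; the app
// must never hold the signing key.
func mintIDToken(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "lab-key-1"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken is the relying party's check: pin the algorithm, verify the
// signature with the IdP's public key (fetched from the issuer's JWKS endpoint
// in production), then validate iss, aud and exp before any claim is trusted.
func verifyIDToken(tok string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: never let the token choose it (alg=none, HS256 key confusion).
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("token not issued for this client (aud=%q)", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// authorize is the application-layer RBAC decision: membership in the required
// group, as asserted by the verified claim, grants access with no IdP round trip.
func authorize(c *Claims, requiredGroup string) bool {
	for _, g := range c.Groups {
		if g == requiredGroup {
			return true
		}
	}
	return false
}
```

A web handler would call `verifyIDToken` once per request (or once per session, caching the parsed claims until `exp`) and then gate each route with `authorize(claims, "Admins")` or similar; because the decision is made from the signed claim, the application never calls Okta on the request path.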

🏗 Architecture Overview

Flow Used: OIDC Authorization Code Grant