401 Unauthorized Error

I followed the tutorial linked here (https://developer.okta.com/quickstart/#/widget/dotnet/aspnet4) and my front end is successfully signing in using the Sign-In Widget and the Auth Code Flow with PKCE, but I am getting a 401 Unauthorized error whenever I try to make requests to the .NET Framework 4.5.2 Web API which I secured by following the ‘Server Setup’ section in the same tutorial.

I’m running into the issue both when testing the routes locally using Postman and when I deploy the API and call the routes from within my web app. I have tested the tokens being generated by my front end with an API deployed using sample code from Okta, and they authenticate fine when testing with that API. I have tested whether this could be a CORS error, but this does not seem to be the case.

Are you using a Developer org or a production org with this tutorial? If you are using a production org, are you able to create and use custom authorization servers?

I’m using the preview instance of a production org, which I believe has the ability to create and use custom authorization servers.

When you are logged into the admin console and go to Security > API, do you see a tab for Authorization Servers? If so, you should be able to use and create custom servers.

It may be best for you to open a support case with developers@okta.com so someone can provide some further assistance.

The support agent on my Okta ticket actually was the one to suggest I open a dev forum post. Yes, I can create a custom authorization server, but have so far been using the default one.

@BreannaPorter , I am also stuck at the same issue.

@andreaskouras
Why do we need to create a custom authorization server? Why can't we use the default server? And if we create one, what do we need to do to create one? This is complex and needs some good videos or documentation to explain… I wonder how Okta gained so much momentum with such complex implementations.

Rajiv P

You can use the ‘Default’ server, but that is a ‘Custom authorization’ as far as Okta is concerned. You will not be able to locally validate access tokens minted by Okta, unless your application is using a custom server. Not all production tenants have the ability to use/create custom authorization servers.

When using default, this means that the ‘issuer’ for your application is https://{{oktaDomain}}/oauth2/default and all requests you make for tokens generated by that issuer will contain that as the base URL for your request. Aka, the authorize request goes to https://{{oktaDomain}}/oauth2/default/v1/authorize, a token call goes to https://{{oktaDomain}}/oauth2/default/v1/token, a userinfo call goes to https://{{oktaDomain}}/oauth2/default/v1/userinfo, etc.
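As an added example (not code from the tutorial or from any poster in this thread): a small Python diagnostic that decodes an access token's claims and compares `iss`, `aud` and `exp` with what a resource server configured for the default authorization server would expect. A mismatch on any of these is a common reason a resource server answers 401 even though the front end signed in fine. Assumptions: `dev-000000.okta.com` is a placeholder domain, `api://default` is assumed as the default server's audience, and the sample tokens are constructed inline with a placeholder signature segment. The checker reads claims only and does not verify the signature, so it is for locating a configuration mismatch, not for deciding whether to trust a token.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.

    Only for diagnosing claim mismatches; a resource server must still verify the
    signature against the issuer's JWKS before trusting anything returned here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_token_claims(token: str, expected_issuer: str, expected_audience: str, now=None) -> list:
    """Compare the claims a resource server validates with the values it is configured for.

    Returns a list of human-readable mismatch descriptions; an empty list means the
    issuer, audience and expiry all line up with the API's configuration.
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []

    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append(f"issuer mismatch: token iss={iss!r}, API expects {expected_issuer!r}")

    # 'aud' may be a single string or a list of strings per RFC 7519.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: token aud={aud!r}, API expects {expected_audience!r}")

    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append(f"token expired or missing exp: exp={exp!r}")

    return problems


def make_sample_token(claims: dict) -> str:
    # Constructed sample for this example only: real header shape, but the signature
    # segment is a placeholder, so any real resource server would (correctly) reject it.
    header = {"alg": "RS256", "kid": "example-kid"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


# Placeholder values standing in for a real tenant's configuration.
EXPECTED_ISSUER = "https://dev-000000.okta.com/oauth2/default"
EXPECTED_AUDIENCE = "api://default"  # assumed audience of the default authorization server


def demo(now: int = 1_700_000_000):
    """Run the checker against a matching token and against a token whose issuer and
    audience were configured without the /oauth2/default path."""
    good = make_sample_token({
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
        "exp": now + 3600, "sub": "user@example.com",
    })
    bad = make_sample_token({
        "iss": "https://dev-000000.okta.com", "aud": "https://dev-000000.okta.com",
        "exp": now + 3600, "sub": "user@example.com",
    })
    return (
        check_token_claims(good, EXPECTED_ISSUER, EXPECTED_AUDIENCE, now=now),
        check_token_claims(bad, EXPECTED_ISSUER, EXPECTED_AUDIENCE, now=now),
    )


if __name__ == "__main__":
    ok, broken = demo()
    print("matching token problems:", ok)
    for line in broken:
        print("mismatched token:", line)
```

Paste the `Authorization: Bearer` value Postman sends into `check_token_claims` together with the issuer and audience configured in the Web API's `web.config`; if the issuer printed from the token lacks the `/oauth2/default` suffix, or the audience differs, the API's middleware will reject it before any controller runs.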