Access token validation is not working in .NET Core 2.2

I am building a POC; the tech stack is Angular as the front end and .NET Core as the back end, and I am using Okta as the authentication and authorization provider.

I am able to authenticate the user using the Okta NPM package in the Angular front-end app.

Now I receive two tokens: one is the Access Token and the other is the ID Token.

Now I want to secure my .NET Core API with the Access Token, so for each request I am sending the access token to the server.

I have added the code below to my startup file, and have added the Okta.AspNetCore NuGet package.

    using Okta.AspNetCore;

    // Inside Startup.ConfigureServices(IServiceCollection services)
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
        options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
        options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
    })
    .AddOktaWebApi(new OktaWebApiOptions()
    {
        OktaDomain = "https://dev-819187.okta.com",
        Audience = "api://default",
    });

which is not working.

Then I added this code:

    using Okta.AspNetCore;

    // Inside Startup.ConfigureServices(IServiceCollection services)
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
        options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
        options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
    })
    .AddOktaWebApi(new OktaWebApiOptions()
    {
        OktaDomain = "https://dev-819187.okta.com",
        Audience = "{App clientId}",       // the application's client ID
        AuthorizationServerId = null,      // no custom authorization server
    });

with which I am able to validate the ID Token, but the same code is not working when I send the Access Token to .NET Core.

Then I checked these URLs:

  1. https://dev-819187.okta.com/.well-known/openid-configuration
  2. https://dev-819187.okta.com/oauth2/default/.well-known/oauth-authorization-server

which return two different jwks_uri values, i.e.:

  3. https://dev-819187.okta.com/oauth2/v1/keys —> openid
  4. https://dev-819187.okta.com/oauth2/default/v1/keys —> oauth

and checked the kid in both URLs.

The kid returned by the OpenID keys URL (3) matches the kid in my ID Token when I decode it with online tools such as https://www.jwt.io.

But when I decode the Access Token, the kid in the access token matches neither the kid provided by the OAuth keys URL (4) nor the one in the OpenID keys URL (3).

This is strange; I have wasted a lot of time investigating this, but no joy.

And the sad part is that when I try to validate the tokens manually using Postman and the /introspect URL, it returns success for both tokens. :face_with_monocle: :fearful:

Note: I have only one authorization server, which is the default one.

Any help is appreciated. If you require any more details, please ask.

:unamused:
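The kid-versus-jwks_uri comparison the post does by hand at jwt.io, written as a small offline diagnostic. This is an added example, not code from the post, from Okta, or from the Okta.AspNetCore package. It assumes the two issuers and the two jwks_uri values listed in the post (org authorization server and the `default` custom authorization server), and every key ID, token and signature in it is constructed; the `peek`, `diagnose` and `make_sample_jwt` names and the `expected_audience` parameter are this example's own. The general point it demonstrates: a JWT's `iss` claim names the authorization server whose metadata and jwks_uri apply, so a header kid is only meaningful against that issuer's key set, and a resource server also rejects a token whose `aud` does not match its configured audience. The script reads the unverified header and payload only; it does not verify a signature, which remains the job of the JWT bearer middleware.

```python
import base64
import json

# Constructed sample data modelled on the two authorization servers named in the post.
# The kid values are made up; real key IDs come from the live jwks_uri documents.
ORG_ISSUER = "https://dev-819187.okta.com"
DEFAULT_AS_ISSUER = "https://dev-819187.okta.com/oauth2/default"

JWKS_BY_ISSUER = {
    ORG_ISSUER: {
        "jwks_uri": "https://dev-819187.okta.com/oauth2/v1/keys",
        "keys": [{"kty": "RSA", "use": "sig", "kid": "org-key-1"}],
    },
    DEFAULT_AS_ISSUER: {
        "jwks_uri": "https://dev-819187.okta.com/oauth2/default/v1/keys",
        "keys": [{"kty": "RSA", "use": "sig", "kid": "default-as-key-1"}],
    },
}


def b64url_decode(segment):
    """Decode an unpadded base64url segment as used in compact JWS."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw):
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_jwt(header, payload):
    """Build a JWT-shaped string with a placeholder signature (constructed input only)."""
    segments = [
        json.dumps(header, separators=(",", ":")).encode(),
        json.dumps(payload, separators=(",", ":")).encode(),
        b"placeholder-signature",
    ]
    return ".".join(b64url_encode(s) for s in segments)


def peek(token):
    """Return (header, payload) WITHOUT checking the signature; diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def diagnose(token, expected_audience, jwks_by_issuer=JWKS_BY_ISSUER):
    """Explain why a resource server would reject a token before any signature check.

    Reports the issuer, the jwks_uri that issuer publishes, whether the header kid is
    present in that key set, and whether aud matches the API's configured audience.
    """
    header, payload = peek(token)
    kid, iss, aud = header.get("kid"), payload.get("iss"), payload.get("aud")
    entry = jwks_by_issuer.get(iss)
    # aud may be a single string or a list of audiences (RFC 7519 section 4.1.3)
    aud_ok = expected_audience in aud if isinstance(aud, list) else aud == expected_audience
    return {
        "kid": kid,
        "iss": iss,
        "known_issuer": entry is not None,
        "jwks_uri": entry["jwks_uri"] if entry else None,
        "kid_found": entry is not None and any(k.get("kid") == kid for k in entry["keys"]),
        "aud_ok": aud_ok,
    }


# Constructed tokens: an ID token from the org server, an access token from the default
# custom server, and an access token whose kid is in neither published key set.
CLIENT_ID = "0oa-client-id-placeholder"
ID_TOKEN = make_sample_jwt({"alg": "RS256", "kid": "org-key-1"},
                           {"iss": ORG_ISSUER, "aud": CLIENT_ID, "sub": "user@example.com"})
ACCESS_TOKEN = make_sample_jwt({"alg": "RS256", "kid": "default-as-key-1"},
                               {"iss": DEFAULT_AS_ISSUER, "aud": "api://default", "scp": ["openid"]})
STALE_KID_TOKEN = make_sample_jwt({"alg": "RS256", "kid": "rotated-key-9"},
                                  {"iss": DEFAULT_AS_ISSUER, "aud": "api://default"})

if __name__ == "__main__":
    for name, tok in [("id", ID_TOKEN), ("access", ACCESS_TOKEN), ("stale", STALE_KID_TOKEN)]:
        print(name, json.dumps(diagnose(tok, "api://default")))
```

Run against the post's two configurations: with `Audience = "api://default"` the ID token fails on `aud_ok` (its audience is the client ID), and with `Audience = "{App clientId}"` an access token minted for `api://default` fails the same way, so neither single configuration accepts both token types. A `kid_found` of False with a known issuer means the key set you compared against is stale or belongs to the other server; refetch the jwks_uri from that issuer's own `.well-known` metadata rather than from a cached or hand-picked URL.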