ASP.NET Core Web API returns 401 Unauthorized

I have a back-end ASP.NET Core 2 Web API service to which I want to restrict access. I tried to follow the example scenario described here (https://developer.okta.com/quickstart/#/angular/dotnet/aspnetcore), where I have the implicit flow and my Angular SPA application receives an ID token and an access token. I have my authentication configured exactly as described in the example in the tutorial:

// Add Okta Authentication
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
    options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
    options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
})
.AddOktaWebApi(new OktaWebApiOptions()
{
    OktaDomain = Configuration["Okta:OktaDomain"],
});

However, if I try to call the endpoint with an access_token I get a 401 Unauthorized. I’ve tried calling the endpoint both from my Angular SPA and directly from Postman, but it is always the same. I can, of course, call all other endpoints without authorization with no problems.

Hey @Peter1 I have the same problem, were you able to solve it?

No, I never solved it but moved to Auth0 (https://auth0.com/) instead, as their system is easier to set up and they have very good tutorials. Their community and supporters were also quicker at answering/helping whenever I had a problem, which is important as you don’t want to wait six months for an answer on a forum when you are working on your next super project :smile:


Good morning. Any updates/answers on this issue? I’m facing the same issue with asp.net 4.7.2.

What authorization server are you using to mint tokens? Can you see if the information in this doc corresponds to what you are doing/seeing: Signature Validation Failed on Access Token | Okta Help Center

The issue I am having does indeed correspond with the doc. So I have to create a custom authorization server in order to fulfil my requirement.

Yup, that’s correct. Developer orgs should have the Default Custom Authorization Server available as well as the ability to create additional custom servers, but your mileage may vary with a production org.
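
A diagnostic for the cause identified in the replies above, as an added example that is not part of the original thread or of Okta's SDK: it decodes an access token's `iss` claim (without verifying the signature) and reports whether the token came from the org authorization server or from a custom one. It assumes Okta's issuer formats, `https://{yourOktaDomain}` for the org server and `https://{yourOktaDomain}/oauth2/{serverId}` for custom servers; `TokenIssuerCheck`, `Classify` and the `example.okta.com` domain are hypothetical names, and the sample tokens are constructed.

```csharp
// Added diagnostic (not Okta SDK code). Needs .NET Core 3.0+ for System.Text.Json.
// It decodes the token payload only; it does NOT verify the signature.
using System;
using System.Text;
using System.Text.Json;

public static class TokenIssuerCheck
{
    // JWT segments are base64url without padding; restore the standard alphabet and padding.
    static string DecodeSegment(string seg)
    {
        seg = seg.Replace('-', '+').Replace('_', '/');
        if (seg.Length % 4 == 1) throw new FormatException("bad base64url length");
        seg = seg.PadRight(seg.Length + (4 - seg.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(seg));
    }

    // Returns "org", "custom" or "other" for the token's iss claim relative to oktaDomain.
    public static string Classify(string jwt, string oktaDomain)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        using (var doc = JsonDocument.Parse(DecodeSegment(parts[1])))
        {
            if (!doc.RootElement.TryGetProperty("iss", out var issEl) ||
                issEl.ValueKind != JsonValueKind.String)
                throw new FormatException("payload has no string iss claim");
            var iss = issEl.GetString().TrimEnd('/');
            var domain = oktaDomain.TrimEnd('/');
            if (iss.Equals(domain, StringComparison.OrdinalIgnoreCase)) return "org";
            return iss.StartsWith(domain + "/oauth2/", StringComparison.OrdinalIgnoreCase)
                ? "custom" : "other";
        }
    }

    public static void Main()
    {
        // Constructed sample tokens (placeholder domain, dummy signature), built inline.
        string Seg(string json) => Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string Token(string iss) =>
            Seg("{\"alg\":\"RS256\"}") + "." + Seg("{\"iss\":\"" + iss + "\"}") + ".sig";
        const string domain = "https://example.okta.com";
        foreach (var iss in new[] { domain, domain + "/oauth2/default" })
            Console.WriteLine(iss + " -> " + Classify(Token(iss), domain));
    }
}
```

A result of "org" for a token the API rejects with 401 matches the situation resolved in this thread, where the fix was to request tokens from a custom authorization server.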