I have the ASP.NET MVC Okta hosted login demo app working:
My understanding is that the authorization server is returning both an ID token and an access token. I have 2 questions:
Where is it specified which authorization server is being used? Does creation of the Application in the Okta portal also create it’s own authorization server, or is it using one of the authorization servers I can see in the Okta portal (API > Authorization Servers)?
How can I access the access token programatically? It appears that this NuGet package handles a lot of the authorization code flow under the covers, but if I wanted to add to this sample app by calling an API that is protected with an OAuth access token, how could I send the access token that was sent to me in this demo app?