Hi There,
I’m getting a little confused with authentication flows in Okta.
I have two .Net Core 3.x applications; a front-end OpenID Connect-authenticated application and a second JWT-authenticated API application.
I would like to be able to use a valid JWT token created when a user logs in OR an API Token created via the Okta API token management. I am leveraging the .Net Core [Authorize] to secure the endpoints.
I have two approaches for JWT validation:
```csharp
.AddOktaWebApi(new OktaWebApiOptions()
{
    // IConfiguration.GetValue needs the type argument; values are read from the "Okta" section of appsettings
    OktaDomain = $"https://{Configuration.GetValue<string>("Okta:OktaDomain")}",
    AuthorizationServerId = Configuration.GetValue<string>("Okta:AuthorizationServerId"),
    Audience = Configuration.GetValue<string>("Okta:ClientId"),
});
```
or the longer, non-Okta-specific JWT version:
```csharp
// Requires Microsoft.IdentityModel.Protocols, Microsoft.IdentityModel.Protocols.OpenIdConnect
// and Microsoft.IdentityModel.Tokens.
.AddJwtBearer(options =>
{
    // The configure delegate is an Action<JwtBearerOptions>, so an async lambda would be async void
    // and the options could be read before the await completes; fetch the discovery document synchronously.
    var issuer =
        $"https://{Configuration.GetValue<string>("Okta:OktaDomain")}/oauth2/{Configuration.GetValue<string>("Okta:AuthorizationServerId")}";
    var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        $"{issuer}/.well-known/openid-configuration",
        new OpenIdConnectConfigurationRetriever(),
        new HttpDocumentRetriever());
    var discoveryDocument =
        configurationManager.GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();
    // Signing keys are captured once at startup, so keys rotated later are not seen until a restart.
    var signingKeys = discoveryDocument.SigningKeys;
    // Configure JWT Bearer Auth to expect our security key
    options.TokenValidationParameters =
        new TokenValidationParameters
        {
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = signingKeys,
            ValidateLifetime = true,
            ValidateAudience = true,
            ValidAudience = Configuration.GetValue<string>("Okta:ClientId"),
            ClockSkew = TimeSpan.FromMinutes(2),
        };
});
```
Both of these methods will validate a valid JWT token, but I can't puzzle out how I also treat an API token as valid. Any guidance with this would be appreciated; a lot of historic documentation is .Net Core 2.x specific and most of it is fairly useless for .Net Core 3.x.
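One way to let a single [Authorize] accept either credential, added here as an example and not code from the post or from Okta: a policy scheme forwards requests whose bearer value looks like a signed JWT to the JwtBearer registration above, and everything else to a small custom scheme that checks the opaque API token against Okta. The scheme names ("JwtOrApiToken", "OktaApiToken"), OktaApiTokenOptions, OktaApiTokenHandler and AddJwtOrOktaApiToken are assumed names, and the lookup relies on Okta accepting an API token via the SSWS authorization scheme on /api/v1/users/me.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
public class OktaApiTokenOptions : AuthenticationSchemeOptions
{
    public string OktaDomain { get; set; } // e.g. "dev-000000.okta.com" (placeholder value)
}
// Hypothetical scheme: an Okta API token is opaque, not a JWT, so it cannot be verified locally; the handler asks Okta which user it belongs to and fails closed on any non-2xx answer.
public class OktaApiTokenHandler : AuthenticationHandler<OktaApiTokenOptions>
{
    private static readonly HttpClient Http = new HttpClient();
    public OktaApiTokenHandler(IOptionsMonitor<OktaApiTokenOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock) { }
    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!AuthenticationHeaderValue.TryParse(Request.Headers["Authorization"], out var header)
            || header.Scheme != "Bearer" || string.IsNullOrEmpty(header.Parameter))
            return AuthenticateResult.NoResult();
        var request = new HttpRequestMessage(HttpMethod.Get, $"https://{Options.OktaDomain}/api/v1/users/me");
        request.Headers.Authorization = new AuthenticationHeaderValue("SSWS", header.Parameter);
        using var response = await Http.SendAsync(request);
        if (!response.IsSuccessStatusCode) return AuthenticateResult.Fail("Okta did not accept the API token");
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.AuthenticationMethod, "okta-api-token") }, Scheme.Name);
        return AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name));
    }
}
public static class JwtOrApiTokenAuth
{
    // Policy scheme "JwtOrApiToken" routes each request to JwtBearer (configured as in the post via configureJwt) or to the API-token scheme, so one [Authorize] accepts either credential.
    public static AuthenticationBuilder AddJwtOrOktaApiToken(this IServiceCollection services,
        string oktaDomain, Action<JwtBearerOptions> configureJwt) =>
        services.AddAuthentication("JwtOrApiToken")
            .AddPolicyScheme("JwtOrApiToken", "JWT or Okta API token", o => o.ForwardDefaultSelector = ctx =>
            {
                // A signed JWT (JWS) is three base64url segments joined by dots; an opaque API token is not.
                var auth = ctx.Request.Headers["Authorization"].ToString();
                var token = auth.StartsWith("Bearer ") ? auth.Substring(7) : "";
                return token.Split('.').Length == 3 ? JwtBearerDefaults.AuthenticationScheme : "OktaApiToken";
            })
            .AddJwtBearer(configureJwt)
            .AddScheme<OktaApiTokenOptions, OktaApiTokenHandler>("OktaApiToken", o => o.OktaDomain = oktaDomain);
}
```

An Okta API token is a management credential rather than a user access token, so the principal it yields carries no audience or scopes; authorize it narrowly (for example with a policy on the okta-api-token authentication-method claim) rather than treating it like a JWT issued to your ClientId.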