Authenticating using API Token vs JWT Token

Hi There,

I’m getting a little confused with authentication flows in Okta.

I have two .NET Core 3.x applications: a front-end OpenID Connect-authenticated application and a second JWT-authenticated API application.

I would like to be able to use a valid JWT token created when a user logs in OR an API Token created via the Okta API token management. I am leveraging the .Net Core [Authorize] to secure the endpoints.

I have two approaches for JWT validation:

using Okta.AspNetCore;

// Okta SDK variant: the SDK fetches the discovery document and signing keys for
// this domain/authorization server and validates issuer, audience and lifetime.
services.AddAuthentication(OktaDefaults.ApiAuthenticationScheme)
    .AddOktaWebApi(new OktaWebApiOptions()
    {
        OktaDomain = $"https://{Configuration.GetValue<string>("Okta:OktaDomain")}",
        AuthorizationServerId = Configuration.GetValue<string>("Okta:AuthorizationServerId"),
        Audience = Configuration.GetValue<string>("Okta:ClientId"),
    });

or the longer, non-Okta-specific JWT version:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        var issuer =
            $"https://{Configuration.GetValue<string>("Okta:OktaDomain")}/oauth2/{Configuration.GetValue<string>("Okta:AuthorizationServerId")}";

        // Give the handler the discovery endpoint rather than fetching the keys once here:
        // an async lambda in this delegate compiles to async void, so the options could be
        // read before it finished, and keys captured at startup go stale when Okta rotates
        // its signing keys. The handler fetches and refreshes keys from this manager itself.
        options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"{issuer}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever());

        // Configure JWT Bearer Auth to require a signed, unexpired token from our issuer
        // for our audience; the signing keys are merged in from the configuration manager.
        options.TokenValidationParameters =
            new TokenValidationParameters
            {
                RequireExpirationTime = true,
                RequireSignedTokens = true,
                ValidateIssuer = true,
                ValidIssuer = issuer,
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true,
                ValidateAudience = true,
                ValidAudience = Configuration.GetValue<string>("Okta:ClientId"),
                ClockSkew = TimeSpan.FromMinutes(2),
            };
    });

Both of these methods will validate a valid JWT token, but I can’t puzzle out how I also treat an API token as valid. Any guidance with this would be appreciated; a lot of historic documentation is .NET Core 2.x-specific and most of it is fairly useless for .NET Core 3.x.

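An added example, not code from the post above or from Okta, showing one way to let a plain [Authorize] accept either credential in ASP.NET Core 3.x: the JWT bearer scheme for Okta access tokens plus a second, custom authentication scheme for an opaque API token, with the default authorization policy listing both schemes. It assumes the scheme name `ApiKey`, the header format `Authorization: ApiKey <token>`, and the configuration keys `Okta:Audience` and `ApiTokens`, none of which appear in the original post. One caveat the example depends on: an Okta API token is an opaque SSWS credential for the Okta management API, not a signed JWT, so an application cannot verify it locally the way it verifies an access token, and whoever holds one can also call the Okta management API with the creating user's permissions. The example therefore treats "API token" as a secret the API application issues and stores itself (loaded here from configuration, assumed to come from a secret store).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical scheme: "Authorization: ApiKey <token>", checked against tokens the
// API application itself issued (assumed to be loaded from a secret store).
public class ApiKeyAuthenticationOptions : AuthenticationSchemeOptions
{
    public const string SchemeName = "ApiKey";
    public const string HeaderPrefix = "ApiKey ";
    // Client name -> the secret token issued to that client.
    public IDictionary<string, string> Tokens { get; set; } = new Dictionary<string, string>();
}

public class ApiKeyAuthenticationHandler : AuthenticationHandler<ApiKeyAuthenticationOptions>
{
    public ApiKeyAuthenticationHandler(IOptionsMonitor<ApiKeyAuthenticationOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
        : base(options, logger, encoder, clock) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // No header, or a different scheme such as "Bearer ...": return NoResult so the
        // JWT scheme gets its turn instead of this one failing the request.
        var header = Request.Headers["Authorization"].ToString();
        if (!header.StartsWith(ApiKeyAuthenticationOptions.HeaderPrefix, StringComparison.Ordinal))
            return Task.FromResult(AuthenticateResult.NoResult());

        var presented = header.Substring(ApiKeyAuthenticationOptions.HeaderPrefix.Length).Trim();
        if (presented.Length == 0)
            return Task.FromResult(AuthenticateResult.Fail("Empty API token"));

        // Compare SHA-256 digests in constant time so that neither the token length nor the
        // position of the first mismatching byte leaks through response timing.
        var presentedDigest = Sha256(presented);
        foreach (var (client, secret) in Options.Tokens)
        {
            if (CryptographicOperations.FixedTimeEquals(presentedDigest, Sha256(secret)))
            {
                var identity = new ClaimsIdentity(new[]
                {
                    new Claim(ClaimTypes.Name, client),
                    new Claim("auth_method", ApiKeyAuthenticationOptions.SchemeName),
                }, Scheme.Name);
                var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
                return Task.FromResult(AuthenticateResult.Success(ticket));
            }
        }
        return Task.FromResult(AuthenticateResult.Fail("Unknown API token"));
    }

    private static byte[] Sha256(string value)
    {
        using var sha = SHA256.Create();
        return sha.ComputeHash(Encoding.UTF8.GetBytes(value));
    }
}

public static class AuthSetup
{
    // Call from Startup.ConfigureServices; Configure must still call
    // app.UseAuthentication() before app.UseAuthorization().
    public static void AddJwtOrApiKeyAuth(IServiceCollection services, IConfiguration configuration)
    {
        var issuer = $"https://{configuration.GetValue<string>("Okta:OktaDomain")}" +
                     $"/oauth2/{configuration.GetValue<string>("Okta:AuthorizationServerId")}";

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Authority drives discovery and signing-key refresh, so rotated Okta
                // keys are picked up without restarting the API.
                options.Authority = issuer;
                // The "aud" value this authorization server puts in access tokens (assumed key).
                options.Audience = configuration.GetValue<string>("Okta:Audience");
                options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(2);
            })
            .AddScheme<ApiKeyAuthenticationOptions, ApiKeyAuthenticationHandler>(
                ApiKeyAuthenticationOptions.SchemeName, options =>
                {
                    // Assumed config section: "ApiTokens": { "reporting-job": "<secret>" }
                    foreach (var child in configuration.GetSection("ApiTokens").GetChildren())
                        options.Tokens[child.Key] = child.Value;
                });

        // A bare [Authorize] uses DefaultPolicy. Listing both schemes makes the authorization
        // middleware run each one; the request passes if either produces a principal.
        services.AddAuthorization(options =>
        {
            options.DefaultPolicy = new AuthorizationPolicyBuilder()
                .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme,
                                          ApiKeyAuthenticationOptions.SchemeName)
                .RequireAuthenticatedUser()
                .Build();
        });
    }
}
```

The `auth_method` claim is there so endpoints that must only be reachable by a logged-in user (rather than a job holding an API token) can add a policy requiring the JWT scheme alone, instead of relying on the default policy that accepts both.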