Authentication Works in Python and Fails in .net

I have the code below in .Net which is a one for one conversion from the Python code provided in SDK. When I run the Python code it works fine. When I try the .Net version I get the following error. I have checked the URL and they are the same except the callback URL. I have created two application profiles with the unique CallbackUrl for each application also. Any assistance is greatly appreciated.

Your request resulted in an error. The ‘redirect_uri’ parameter must be a Login redirect URI in the client app settings:

protected void Button1_Click(object sender, EventArgs e)
    byte[] appStateBytes = new byte[64];
    byte[] codeVerifierBytes = new byte[64];
    byte[] hashedBytes = new byte[64];
    string codeChallenge = "";
    using (var rng = RandomNumberGenerator.Create())
    string appState = Convert.ToBase64String(appStateBytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    string codeVerifier = Convert.ToBase64String(codeVerifierBytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    Session["app_state"] = appState;
    Session["code_verifier"] = codeVerifier;

    using (SHA256 sha256 = SHA256.Create())
        hashedBytes = sha256.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier));
        codeChallenge = Convert.ToBase64String(hashedBytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Get request params
    var queryParams = new Dictionary<string, string>
        ["client_id"] = System.Configuration.ConfigurationManager.AppSettings["CLIENTID"],
        ["redirect_uri"] = System.Configuration.ConfigurationManager.AppSettings["CallbackUrl"],
        ["scope"] = "openid email profile",
        ["state"] = appState,
        ["code_challenge"] = codeChallenge,
        ["code_challenge_method"] = "S256",
        ["response_type"] = "code",
        ["response_mode"] = "query"

    StringBuilder queryBuilder = new StringBuilder();
    foreach (var param in queryParams)
        if (queryBuilder.Length > 0)
    string baseUrl = System.Configuration.ConfigurationManager.AppSettings["AuthorizeUrl"];
    string requestUri = baseUrl + "?" + queryBuilder.ToString();

Here is the Python clogin code which works

def login():
    # store app state and code verifier in session
    session['app_state'] = secrets.token_urlsafe(64)
    session['code_verifier'] = secrets.token_urlsafe(64)

    # calculate code challenge
    hashed = hashlib.sha256(session['code_verifier'].encode('ascii')).digest()
    encoded = base64.urlsafe_b64encode(hashed)
    code_challenge = encoded.decode('ascii').strip('=')

    # get request params
    query_params = {'client_id': os.environ['CLIENT_ID'],
                    'redirect_uri': "http://localhost:5000/authorization-code/callback",
                    'scope': "openid email profile",
                    'state': session['app_state'],
                    'code_challenge': code_challenge,
                    'code_challenge_method': 'S256',
                    'response_type': 'code',
                    'response_mode': 'query'}

    # build request_uri
    request_uri = "{base_url}?{query_params}".format(
        base_url=os.environ['ORG_URL'] + "oauth2/default/v1/authorize",

    return redirect(request_uri)

If you check your browser network tab/address bar, what’s the redirect_uri you see being sent to Okta during the /authorize request for your .NET application? Did you check if its added as a “Sign in redirect URI” in Okta?

Note that these URLs are case sensitive and need to exactly match the one provided in the /authorize request issued by your app.

Thank you for the feedback. Here is the configuration I have:

For the application on Okta site,
redirect URIs: https://localhost:44358/oauth2.aspx

in the url redirecting to authenticate I have “redirect_uri=https%3a%2f%2flocalhost%3a44358%2foauth2.aspx” and here is the whole link

Not sure what I am doing wrong.

Hmm, that does seem like a match, including the port number, case, https vs http, and the lack of a trailing slash.

Can you share a screenshot of the list of Sign in redirect URIs registered for this app, just to double check?

Here you go:

Whelp, that all looks correct.

Are you still running into this error? I took a peek at your logs from my side, and I’m not seeing any illegal redirect URI failures.