Bearer Auth Token works on localhost but not deployed to server

I am using an Okta custom Auth server to authenticate users on my Blazor WASM app. This is working great for authorizing the user and generating the token:

builder.Services.AddOidcAuthentication(configure: options =>
{
    options.ProviderOptions.Authority = builder.Configuration.GetValue<string>(key: "Okta:Authority");
    options.ProviderOptions.ClientId = builder.Configuration.GetValue<string>(key: "Okta:ClientId");
    options.ProviderOptions.ResponseType = "code";
    options.UserOptions.RoleClaim = "groups";
}).AddAccountClaimsPrincipalFactory<RoleClaimsPrincipalFactory>();


builder.Services.AddApiAuthorization();

await builder.Build().RunAsync();

{
  "Okta": {
    "Authority": "https://dev-60905148.okta.com/oauth2/ausimolz36TgN4GlM5d7",
    "ClientId": "0oaiq6u4sdgJfgf8I5d7"
  }
}

Then I am passing the access token to my .NET 8.0 API as a Bearer token. I am using a Docker container for my API, and when I run it locally it validates the token correctly. However, as soon as I deploy to a server, the token validation fails for the API and gives me an error that the “signature key was not found”. Below are my JwtBearer configs for my API:

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    // Discovery document and signing keys are fetched from this authority
    options.Authority = "https://dev-60905148.okta.com/oauth2/ausimolz36TgN4GlM5d7";
    options.Audience = "http://{redactedserverdomain}:5001";
    options.RequireHttpsMetadata = false;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        RoleClaimType = "groups",
        ValidateAudience = true,
        ValidateIssuer = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = "https://dev-60905148.okta.com/oauth2/ausimolz36TgN4GlM5d7",
        ValidAudience = "http://{redactedserverdomain}:5001",
    };
});

var app = builder.Build();


// Configure the HTTP request pipeline.
app.UseSwagger();
app.UseSwaggerUI();


app.UseDeveloperExceptionPage();
//app.UseHttpsRedirection();
app.UseCors(MyAllowSpecificOrigins);
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();

I get the following error (but if I use the same token to hit the containerized application running on localhost:5501 it works):

content-length: 0
date: Fri, 16 Aug 2024 18:19:11 GMT
server: Kestrel
www-authenticate: Bearer error="invalid_token",error_description="The signature key was not found"

I should also note that I can hit the /v1/keys api and the /.well-known-configuration api using curl from my server, so I don’t believe it’s a firewall block.

Thanks

Thank you for writing to Okta Dev Forum. My name is Akash from Okta.

With regards to the issue, could you please try dropping the access token JWT into jwt.io and get the kid field from the JWT header.

After you get the kid, check your authorization server’s keys by going to https://[my okta org].com/oauth2/<auth server ID>/v1/keys and verify whether the key exists and let me know.
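The check Akash describes (read the kid from the token header, then look for it in the authorization server's /v1/keys document) can be scripted so it runs on the deployed server itself, which is where the failure occurs. The following is an added example and not code from the original post or from Okta. It decodes the JWT header and payload without verifying the signature, compares the token's iss claim with the authority the API is configured with, checks the audience, and reports whether the header kid appears in the key set. The JWKS document, the kids, the audience value http://api.example.test:5001 and the token itself are constructed here for illustration; the token's signature bytes are filler, since the point is key lookup, not verification. The fetch_jwks helper is included for use against a live authority and is not called by the offline demo.

```python
from __future__ import annotations

import base64
import json
import urllib.request

# Authority from the original post; the audience is an assumed placeholder.
AUTHORITY = "https://dev-60905148.okta.com/oauth2/ausimolz36TgN4GlM5d7"
AUDIENCE = "http://api.example.test:5001"

# Constructed JWKS, shaped like the document /v1/keys returns. Real key
# material is omitted; only the kid values matter for this check.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-current", "e": "AQAB", "n": "..."},
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-previous", "e": "AQAB", "n": "..."},
    ]
}


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with a dummy signature. Constructed test input only."""
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    return ".".join(segs + [b64url_encode(b"\x00" * 32)])


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload). No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def fetch_jwks(authority: str) -> dict:
    """Fetch the live key set, e.g. from the deployed API host. Not used offline."""
    with urllib.request.urlopen(authority.rstrip("/") + "/v1/keys", timeout=10) as resp:
        return json.load(resp)


def diagnose(token: str, jwks: dict, authority: str, audience: str) -> dict:
    """Mirror the checks the JwtBearer handler performs before it can verify."""
    header, payload = decode_jwt_unverified(token)
    kid = header.get("kid")
    known_kids = [k.get("kid") for k in jwks.get("keys", [])]
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    return {
        "kid": kid,
        "kid_in_jwks": kid in known_kids,  # False here => "signature key was not found"
        "iss_matches_authority": payload.get("iss") == authority,
        "aud_matches": audience in aud_list,
    }


if __name__ == "__main__":
    good = make_unsigned_token({"alg": "RS256", "typ": "JWT", "kid": "kid-current"},
                               {"iss": AUTHORITY, "aud": AUDIENCE, "sub": "user@example.test"})
    bad = make_unsigned_token({"alg": "RS256", "typ": "JWT", "kid": "kid-unknown"},
                              {"iss": "https://dev-60905148.okta.com", "aud": AUDIENCE})
    for label, tok in (("token A", good), ("token B", bad)):
        print(label, json.dumps(diagnose(tok, SAMPLE_JWKS, AUTHORITY, AUDIENCE)))
```

Run it on the deployed host with the real token and with the key set fetched through fetch_jwks(AUTHORITY); if kid_in_jwks is False there but True when the same script runs on the machine where the container works, the two environments are not seeing the same key set. If iss_matches_authority is False, the token was issued by a different authorization server than the one the API fetches keys from, so its kid would never be in that key set.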
