Does Okta SDK support ID-token-only to secure .net framework web-api?

Hello -
I’ve searched high and low but have come up empty on this. I’m trying to secure my web api with id-tokens alone as the bearer token. The Okta quick starts for .net framework (4.7/4.8) web-api show only support for access tokens as bearer tokens. Does the Okta SDK simply not support this scenario?
Thank you -
Brian.

For example, the quickstart code is:

    using System.Configuration;
    using Microsoft.Owin;
    using Okta.AspNet;
    using Owin;

    [assembly: OwinStartup(typeof(okta_aspnet_webapi_example.Startup))]
    #pragma warning disable SA1300 // Element should begin with upper-case letter
    namespace okta_aspnet_webapi_example
    #pragma warning restore SA1300 // Element should begin with upper-case letter
    {
        public class Startup
        {
            public void Configuration(IAppBuilder app)
            {
                // Register the Okta Web API middleware in the OWIN pipeline.
                app.UseOktaWebApi(new OktaWebApiOptions()
                {
                    // Okta org URL, read from the okta:OktaDomain app setting.
                    OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
                });
            }
        }
    }

This is a nice way to validate an access token passed as a bearer token to secure the api. What is the recommended approach for validating id tokens instead of access tokens?

Thank you,

Brian.

Hi @brian.sellden,

Per https://developer.okta.com/docs/guides/validate-access-tokens/overview/#access-tokens-vs-id-tokens:

As mentioned above, it is important that the resource server (your server-side application) accept only the access token from a client. This is because access tokens are intended for authorizing access to a resource.

ID Tokens, on the other hand, are intended for authentication. They provide information about the resource owner, to allow you to verify that they are who they say they are. Authentication is the concern of the clients. Because of this, when a client makes an authentication request, the ID Token that is returned contains the client_id in the ID Token’s aud claim.
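
The aud difference described in the quoted guide, as an added example that is not part of the thread and is not Okta's code: a resource server that pins its expected audience rejects a token whose aud is the client_id. It uses Microsoft's System.IdentityModel.Tokens.Jwt package; the issuer, audience, client ID and HMAC key are constructed stand-ins (real Okta tokens are RS256-signed and verified against the org's published keys).

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class AudienceCheckDemo
{
    // Constructed values for the demo only.
    const string Issuer = "https://example.okta.com/oauth2/default";
    const string ApiAudience = "api://default";   // what the API expects in aud
    const string ClientId = "0oaEXAMPLECLIENTID"; // what an ID token carries in aud
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-key-0123456789abcdef"));

    // Mint a short-lived signed token for the given audience (stand-in for the issuer).
    static string Mint(string audience)
    {
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: audience,
            claims: new[] { new Claim("sub", "00uEXAMPLEUSER") },
            notBefore: DateTime.UtcNow.AddMinutes(-1),
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Resource-server check: signature, issuer, lifetime and audience must all pass.
    public static bool ApiAccepts(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = ApiAudience,
            IssuerSigningKey = Key,
            ValidateIssuerSigningKey = true,
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out SecurityToken validated);
            return true;
        }
        catch (SecurityTokenInvalidAudienceException)
        {
            return false; // aud names another party, such as the client of an ID token
        }
    }

    public static void Main()
    {
        Console.WriteLine("aud = API audience: " + ApiAccepts(Mint(ApiAudience)));
        Console.WriteLine("aud = client_id:    " + ApiAccepts(Mint(ClientId)));
    }
}
```

Both tokens carry a valid signature, issuer and lifetime, so the audience check alone decides which one the API accepts.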