I’ve searched high and low but have come up empty on this. I’m trying to secure my web api with id-tokens alone as the bearer token. The Okta quick starts for .net framework (4.7/4.8) web-api show only support for access tokens as bearer tokens. Does the Okta SDK simply not support this scenario?
Thank you -
For example, the quickstart code is:
#pragma warning disable SA1300 // Element should begin with upper-case letter
#pragma warning restore SA1300 // Element should begin with upper-case letter
public class Startup
public void Configuration(IAppBuilder app)
OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
This is a nice way to validate an access token passed as a bearer token to secure the api. What is the recommended approach for validating id tokens instead of access tokens?
As mentioned above, it is important that the resource server (your server-side application) accept only the access token from a client. This is because access tokens are intended for authorizing access to a resource.
ID Tokens, on the other hand, are intended for authentication. They provide information about the resource owner, to allow you to verify that they are who they say they are. Authentication is the concern of the clients. Because of this, when a client makes an authentication request, the ID Token that is returned contains the client_id in the ID Token’s
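The distinction drawn in the reply above can be enforced on the API side. The following is an added example, not code from the original posts or from the Okta SDK: a check that runs on the claims of a token whose signature, issuer and expiry the bearer middleware has already validated. It assumes the claims keep their JWT names (`aud`, `scp`, `nonce`, `at_hash`); the `BearerTokenCheck` class, the audience `api://default` and the client id are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class BearerTokenCheck
{
    // Input: claims from a token that already passed signature, issuer and expiry validation.
    // Returns null when the token is usable as an access token for this API, else the reason.
    public static string RejectReason(IEnumerable<Claim> claims, string apiAudience, string clientId)
    {
        var list = claims.ToList();
        // A multi-valued "aud" arrives as several claims of the same type.
        var audiences = list.Where(c => c.Type == "aud").Select(c => c.Value).ToList();

        if (audiences.Count == 0)
            return "no aud claim";
        if (!audiences.Contains(apiAudience))
            return audiences.Contains(clientId)
                ? "aud is the client_id: token was issued to the client (ID token), not to this API"
                : "aud does not name this API";
        // Claims defined for ID tokens only; their presence means the token is for authentication.
        if (list.Any(c => c.Type == "nonce" || c.Type == "at_hash"))
            return "carries ID token claims (nonce/at_hash)";
        // Without scopes there is nothing to authorize the request against.
        if (!list.Any(c => c.Type == "scp"))
            return "no scp claim to authorize against";
        return null;
    }

    public static void Main()
    {
        const string api = "api://default";          // constructed API audience (assumption)
        const string client = "0oaEXAMPLECLIENTID";  // constructed client_id (assumption)

        // Constructed claim sets standing in for already-validated tokens.
        var idToken = new[] { new Claim("aud", client), new Claim("sub", "00uEXAMPLE"), new Claim("nonce", "n-123") };
        var accessToken = new[] { new Claim("aud", api), new Claim("cid", client), new Claim("scp", "orders.read") };

        Console.WriteLine("id token:     " + (RejectReason(idToken, api, client) ?? "accepted"));
        Console.WriteLine("access token: " + (RejectReason(accessToken, api, client) ?? "accepted"));
    }
}
```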