I’m glad to see you are using the default authorization server.
Check a couple of things for me:
Are you setting the issuer in your widget / auth js?
If you are, is the issuer the same as your default authorization server?
Double check that the [my okta url] is correct
If you want to do some troubleshooting, you can drop the access token JWT into jsonwebtoken.io and get the kid field from the jwt header. After you get the kid, you can check your authorization server’s keys by going to https://[my okta org].com/oauth2/default/v1/keys
This will give you the list of public keys by ID.
Hope this information helps you troubleshoot. Let me know if you still have problems!
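The kid check described in the post above, as an added example that is not part of the thread or of Okta's code. It parses the access token without verifying it, compares the iss claim with the issuer you configured, and looks the header's kid up in the JWKS document the authorization server publishes at /oauth2/default/v1/keys. It assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens NuGet packages; the token, the issuer URL and the JWKS document in Main are constructed placeholders, not real Okta data.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

// Added example, not code from the thread. Assumes the NuGet packages
// System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens (5.x).
public static class KidCheck
{
    public sealed class Result
    {
        public string Kid;
        public string Issuer;
        public bool IssuerMatches;
        public JsonWebKey SigningKey;   // null when the kid is not in the JWKS
    }

    // Decodes (does NOT verify) the access token, then looks its kid up in the
    // JWKS document that /oauth2/default/v1/keys returns.
    public static Result Inspect(string accessToken, string expectedIssuer, string jwksJson)
    {
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(accessToken))
            throw new ArgumentException("not a JWS compact token: opaque tokens and SSWS API tokens carry no kid");

        JwtSecurityToken jwt = handler.ReadJwtToken(accessToken);   // decode only, no signature check
        var jwks = new JsonWebKeySet(jwksJson);
        string kid = jwt.Header.Kid;

        return new Result
        {
            Kid = kid,
            Issuer = jwt.Issuer,
            // A mismatch here means the widget / auth js is configured for a different
            // authorization server than the one whose keys you are checking.
            IssuerMatches = string.Equals(jwt.Issuer, expectedIssuer, StringComparison.Ordinal),
            // A missing key means the kid belongs to another server or to a rotated key.
            SigningKey = jwks.Keys.FirstOrDefault(k => k.Kid == kid),
        };
    }

    public static void Main()
    {
        // Constructed token: header and payload are real JSON, the signature segment is
        // filler, which is fine here because nothing in this example verifies it.
        const string issuer = "https://example.okta.com/oauth2/default";   // placeholder org
        string header = Base64UrlEncoder.Encode("{\"alg\":\"RS256\",\"kid\":\"abc123\"}");
        string payload = Base64UrlEncoder.Encode("{\"iss\":\"" + issuer + "\",\"sub\":\"user@example.com\"}");
        string token = header + "." + payload + ".c2ln";

        // Constructed JWKS with the shape of /v1/keys; the modulus is a placeholder.
        string jwks = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\"," +
                      "\"kid\":\"abc123\",\"e\":\"AQAB\",\"n\":\"placeholder\"}]}";

        Result r = Inspect(token, issuer, jwks);
        Console.WriteLine("kid=" + r.Kid + " issuerMatches=" + r.IssuerMatches +
                          " keyFound=" + (r.SigningKey != null));
    }
}
```

Feed it the real access token and the body of your org's /oauth2/default/v1/keys response: a false IssuerMatches points at the widget configuration, a null SigningKey at the wrong authorization server or a rotated key, and an ArgumentException means the string you pasted is not a JWT at all.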
https://[myorg].okta.com/oauth2/default/v1/keys returns an error for me: {"errorCode":"E0000006","errorSummary":"You do not have permission to perform the requested action","errorLink":"E0000006","errorId":"oaeCYHjg3K4Tlut8L2a4hcFZw","errorCauses":[]}. I am also getting the same error as described above. Any suggestions?
It is an IT Product org created by the client we are integrating for. We opened a case and figured out fairly quickly that they did not have API Management Access purchased, hence the suite of issues we encountered.
It would be really helpful if it would be clear in the documentation that these scenarios work only for developer accounts or enterprise accounts with API Management Access purchased. Also, the “Unlimited OAuth 2.0 authorization servers” verbiage in the API Management Access is misleading, it creates the impression that a limited level exists, while it does not.
We did not get it to work. We figured out that we did not have “API Management Access” purchased on the IT product org account we were using, so the authentication token could not be used, because an authorization server is not available unless you have an IT product org account with “API Management Access” or a developer account.
You can create an authorization server for an IT product org if you have purchased “API Management Access” as well, otherwise you cannot. The documentation is somewhat misleading.
I’ve contacted developer support and was advised “not to validate the token” from our .NET code, and to call the /v1/userinfo endpoint to get the user info instead.
I did the steps below and got it working in .NET Core 2.0. Unfortunately our existing application is using Core 1.0, and there is no setter for SecurityTokenValidator.
1. New validator class: public class CustomSecurityValidator : ISecurityTokenValidator, overriding the ValidateToken method so that it does not validate the token.
2. In Startup.cs: options.SecurityTokenValidator = new CustomSecurityValidator();
3. In the OnTokenValidated event, call the /v1/userinfo endpoint manually and add the user info to ctx.Principal.
Hope the above is useful to someone.
It would be good if the Okta .NET Core middleware could handle this scenario.
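The three steps in the post above, written out as an added example; this is not the poster's code and not Okta's middleware. It assumes the stock ASP.NET Core 2.0 OpenIdConnect handler with the authorization-code flow (so the access token is in ctx.TokenEndpointResponse), the org authorization server at /oauth2/v1 (the one that remains when /oauth2/default is unavailable, as in this thread), Newtonsoft.Json for the userinfo body, and placeholder values for the org domain, client id and client secret.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json.Linq;

// Step 1: a validator that decodes the token but performs no local checks at all.
// Every claim it returns is unverified until the userinfo call below succeeds.
public class CustomSecurityValidator : ISecurityTokenValidator
{
    private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();

    public bool CanValidateToken => true;
    public int MaximumTokenSizeInBytes { get; set; } = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
    public bool CanReadToken(string securityToken) => _handler.CanReadToken(securityToken);

    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
                                         out SecurityToken validatedToken)
    {
        var jwt = _handler.ReadJwtToken(securityToken);   // decode only: no signature, issuer, audience or lifetime check
        validatedToken = jwt;
        return new ClaimsPrincipal(new ClaimsIdentity(jwt.Claims, OpenIdConnectDefaults.AuthenticationScheme));
    }
}

public class Startup
{
    private const string OktaDomain = "https://example.okta.com";   // assumed placeholder for the org in the thread
    private static readonly HttpClient Http = new HttpClient();

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = OktaDomain;           // org authorization server, assumed
            options.ClientId = "{clientId}";          // placeholders
            options.ClientSecret = "{clientSecret}";
            options.ResponseType = "code";
            options.SaveTokens = true;

            // Step 2: replace the default JwtSecurityTokenHandler.
            options.SecurityTokenValidator = new CustomSecurityValidator();

            // Step 3: the userinfo response becomes the only check on the token,
            // so a failed call must fail the sign-in rather than be ignored.
            options.Events = new OpenIdConnectEvents
            {
                OnTokenValidated = async ctx =>
                {
                    string accessToken = ctx.TokenEndpointResponse?.AccessToken;
                    if (string.IsNullOrEmpty(accessToken))
                    {
                        ctx.Fail("no access token to present to /v1/userinfo");
                        return;
                    }

                    var req = new HttpRequestMessage(HttpMethod.Get, OktaDomain + "/oauth2/v1/userinfo");
                    req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
                    HttpResponseMessage resp = await Http.SendAsync(req);
                    if (!resp.IsSuccessStatusCode)
                    {
                        // Okta rejected the token (bad signature, expired, revoked): reject the sign-in too.
                        ctx.Fail("userinfo rejected the access token: HTTP " + (int)resp.StatusCode);
                        return;
                    }

                    // Replace the unverified claims with what the server says about the user.
                    JObject user = JObject.Parse(await resp.Content.ReadAsStringAsync());
                    var identity = new ClaimsIdentity(OpenIdConnectDefaults.AuthenticationScheme, "name", "groups");
                    foreach (JProperty p in user.Properties())
                        identity.AddClaim(new Claim(p.Name, p.Value.ToString()));
                    ctx.Principal = new ClaimsPrincipal(identity);
                }
            };
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

Two points of the design: the principal is rebuilt from the userinfo body rather than merged, so nothing decoded from the unverified token survives into the session; and the call goes over HTTPS to the configured org only, since with local validation disabled that round trip is the whole authentication. The stock handler's GetClaimsFromUserInfoEndpoint option performs the same userinfo call, but it still validates the id_token first, which is why the custom validator is needed on an org that cannot serve the signing keys.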