Error Validating Token

In the MVC Sample the MVC application is working with Okta authentication. After getting the token when I try API call, it is failing with the following error:

An exception of type 'System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException' occurred in System.IdentityModel.Tokens.Jwt.dll but was not handled in user code

Additional information: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
    IsReadOnly = False,
    Count = 1,
    Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause

I would check the type of issuer you are passing. If it looks like /oauth2 then you are using the root issuer for your Okta org. Instead you should use a custom authorization server. You may have a custom authorization server named "default".

The sample he is mentioning is referring to the wrong issuer.

I’ve logged:

@nate.barbettini @lee.brandt ^ - also, it might make sense to take a full look at the readme instructions because we have added a lot since the sample was originally built

Thanks for the feedback. Which instructions are you referring to? The only instruction I see is the file in the GitHub repository.

As per the instructions in the project I used https://dev-****** as the Issuer. After seeing your feedback I changed to https://dev-****** and am still getting the same error. I also confirmed that my account has the default authorization server.

That’s odd. Can you post the contents of your Startup file?

    using System.Collections.Generic;
    using System.IdentityModel.Tokens;
    using System.Web.Configuration;
    using System.Web.Http;
    using Microsoft.Owin.Security.Jwt;
    using Microsoft.Owin.Security.OAuth;
    using Owin;

    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var config = new HttpConfiguration();

            var clientID = WebConfigurationManager.AppSettings["okta:ClientId"];
            var tenantUrl = WebConfigurationManager.AppSettings["okta:TenantUrl"];

            // Issuer and audience that an incoming access token must carry
            var tvps = new TokenValidationParameters
            {
                ValidAudience = tenantUrl,
                ValidateAudience = true,
                ValidIssuer = tenantUrl,
                ValidateIssuer = true,
            };

            var additionalTokenValidationParamters = new Dictionary<string, string>()
            {
                // Validate Client ID claim
                ["cid"] = clientID
            };

            //var securityTokenProvider = new OpenIdConnectCachingSecurityTokenProvider(tenantUrl + "/.well-known/openid-configuration");
            //var jwtFormat = new CustomValidatingJwtFormat(tvps, additionalTokenValidationParamters, securityTokenProvider);

            // Signing keys are resolved from the discovery document at this URL.
            // OpenIdConnectCachingSecurityTokenProvider is the project's own helper class, not a library type.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
            {
                AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(tenantUrl + "/.well-known/openid-configuration"))
            });
        }
    }

The commented-out lines are the original code from the sample. I also tried the next two lines, which come from other Microsoft samples.

Is tenantUrl your Okta org base URL?

If so, update the last line to:

tenantUrl + "/oauth2/default/.well-known/openid-configuration"

It looks like your code is still trying to bypass the default authorization server.
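The failure mode discussed in this thread, as an added Python example that is not part of the original thread, the Okta sample, or the OWIN library. It models the two settings the Startup code configures separately: the discovery URL handed to the security token provider (where the signing keys come from) and TokenValidationParameters.ValidIssuer (what the iss claim is compared with). A token minted by the "default" custom authorization server carries iss = <org>/oauth2/default and a kid that only that server's JWKS publishes, so fetching keys from the org URL produces the IDX10500 key-not-found error seen above. The example also covers the half fix of moving only the metadata URL while leaving ValidIssuer at the org URL, which passes key resolution and then fails on the issuer check. Everything here is constructed: the org URL, the JWKS documents, the client id and audience are placeholders, and HS256 with symmetric "oct" keys stands in for Okta's RS256 keys so the code runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data (not a real org). An Okta org exposes two kinds of
# issuer: the org authorization server at the bare org URL, and custom
# authorization servers at <org>/oauth2/<id>. Each has its own JWKS and key ids.
ORG_URL = "https://dev-000000.okta.com"
ORG_ISSUER = ORG_URL                           # org authorization server
DEFAULT_ISSUER = ORG_URL + "/oauth2/default"   # custom authorization server "default"

# Constructed JWKS documents standing in for what each issuer's
# /.well-known/openid-configuration -> jwks_uri would return. Okta publishes
# RSA keys (RS256); symmetric "oct" keys are used only so this runs offline.
JWKS_BY_ISSUER = {
    ORG_ISSUER: {"keys": [{"kty": "oct", "kid": "org-kid-1", "k": "org-secret"}]},
    DEFAULT_ISSUER: {"keys": [{"kty": "oct", "kid": "default-kid-1", "k": "default-secret"}]},
}


class SignatureKeyNotFound(Exception):
    """Stand-in for SecurityTokenSignatureKeyNotFoundException (IDX10500)."""


def metadata_url(issuer: str) -> str:
    """Discovery document the caching security token provider should be pointed at."""
    return issuer + "/.well-known/openid-configuration"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, audience: str, cid: str) -> str:
    """Mint an HS256 JWT signed with the first key in the given issuer's JWKS."""
    key = JWKS_BY_ISSUER[issuer]["keys"][0]
    header = {"alg": "HS256", "typ": "JWT", "kid": key["kid"]}
    payload = {"iss": issuer, "aud": audience, "cid": cid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key["k"].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate(token: str, metadata_issuer: str, valid_issuer: str, valid_audience: str, cid: str) -> dict:
    """Validate in the order the OWIN JwtFormat pipeline does: resolve the header
    kid against the JWKS behind metadata_issuer's discovery document, verify the
    signature, then compare iss / aud / cid with the configured values.
    metadata_issuer models the URL given to OpenIdConnectCachingSecurityTokenProvider;
    valid_issuer models TokenValidationParameters.ValidIssuer."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    keys = {k["kid"]: k for k in JWKS_BY_ISSUER[metadata_issuer]["keys"]}
    if header["kid"] not in keys:
        raise SignatureKeyNotFound(
            f"kid {header['kid']!r} not present in JWKS from {metadata_url(metadata_issuer)}")
    expected = hmac.new(keys[header["kid"]]["k"].encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims["iss"] != valid_issuer:
        raise ValueError(f"issuer {claims['iss']!r} != ValidIssuer {valid_issuer!r}")
    if claims["aud"] != valid_audience:
        raise ValueError("audience mismatch")
    if claims["cid"] != cid:
        raise ValueError("cid mismatch")
    return claims


def outcome(token: str, metadata_issuer: str, valid_issuer: str, audience: str, cid: str) -> str:
    """Summarise one validation attempt as 'ok', 'key-not-found' or 'claim-error'."""
    try:
        validate(token, metadata_issuer, valid_issuer, audience, cid)
        return "ok"
    except SignatureKeyNotFound:
        return "key-not-found"
    except ValueError:
        return "claim-error"


if __name__ == "__main__":
    aud, cid = "api://default", "client-id-placeholder"   # placeholders
    token = mint_token(DEFAULT_ISSUER, aud, cid)           # what the app gets back from /oauth2/default
    # Thread's original config: metadata and ValidIssuer both at the org URL -> IDX10500.
    print(outcome(token, ORG_ISSUER, ORG_ISSUER, aud, cid))
    # Metadata moved to /oauth2/default but ValidIssuer left at the org URL -> issuer mismatch.
    print(outcome(token, DEFAULT_ISSUER, ORG_ISSUER, aud, cid))
    # Both pointed at the default authorization server -> token accepted.
    print(outcome(token, DEFAULT_ISSUER, DEFAULT_ISSUER, aud, cid))
```

The practical check this suggests for the Startup code above is that both the discovery URL and ValidIssuer (and the audience, which for the default authorization server is whatever that server is configured with, not the org URL) name the same authorization server that minted the token; changing one of them alone moves the error rather than removing it.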