Error Validating Token

Questions
1

In the MVC Sample the MVC application is working with Okta authentication. After getting the token when I try API call, it is failing with the following error:

An exception of type ‘System.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException’ occurred in System.IdentityModel.Tokens.Jwt.dll but was not handled in user code

Additional information: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',

2

I would check the type of issuer you are passing. If it looks like /oauth2 then you are using the root issuer for your Okta org. Instead you should use a custom authorization server. You may have a custom authorization server named “default”

3

The sample he is mentioning is referring to the wrong issuer.

I’ve logged:
https://github.com/oktadeveloper/okta-oauth-aspnet-codeflow/issues/12

@nate.barbettini @lee.brandt ^ - also, it might make sense to take a full look at the readme instructions because we have added a lot since the sample was originally built

4

Thanks for the feedback. Which instructions are you referring to? The only instruction I see is the readme.md file the github repository

5

As per the instructions in the project I used https://dev-******.oktapreview.com as the Issuer. After seeing your feed back I changed to https://dev-******.oktapreview.com/oauth2/default and still getting the same error. I also confirmed that my account has the default authorization server.

6

That’s odd. Can you post the contents of your Startup file?

7 
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();
        config.EnableSystemDiagnosticsTracing();

        var clientID = WebConfigurationManager.AppSettings["okta:ClientId"];
        var tenantUrl = WebConfigurationManager.AppSettings["okta:TenantUrl"];

        var tvps = new TokenValidationParameters
        {
            ValidAudience = tenantUrl,
            ValidateAudience = true,
            ValidIssuer = tenantUrl,
            ValidateIssuer = true,
        };

        var additionalTokenValidationParamters = new Dictionary<string, string>()
        {
            // Validate Client ID claim
            ["cid"] = clientID
        };

        //var securityTokenProvider = new OpenIdConnectCachingSecurityTokenProvider(tenantUrl + "/.well-known/openid-configuration");
        //var jwtFormat = new CustomValidatingJwtFormat(tvps, additionalTokenValidationParamters, securityTokenProvider);

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(tenantUrl + "/.well-known/openid-configuration"))
        });
    }

The commented out lines are the original code from the sample. I tried out with the next two lines also from other microsoft samples.

8

Is tenantUrl your Okta org base URL?

If so, update the last line to:

tenantUrl + "/oauth2/default/.well-known/openid-configuration"

It looks like your code is still trying to bypass the default authorization server.