Help needed to get started


This is simple stuff which I hope some .net dev’s can point me in the right direction and I hope I won’t get beaten up for asking :slight_smile:

We have a large single page application developed in .NET Framework (not core), currently it doesn’t have Oauth2 support. It’s not using mvc, react, angular or vue etc, it’s home grown with our own js and has one single aspx page which calls into http handlers (ashx) to get server content.

So firstly I’d like to ask how I can do debugging with the okta client:

I didn’t really even understand why a client was needed to setup a developer instance, so I’m guessing that it’s these so you can develop with a local okta server so your dev server can be behind a firewall ?

I’ve setup the okta powershell client app on a local VM here. Currently Visual Studio is installed on another machine (my dev machine), is it possible for me to start developing from another machine and access the okta as a web server on the test vm ? or does okta client have to be installed on my main dev machine ?

Secondly I’d like to understand the right architecture to choose. It sounds like we should be supporting PKCE authentication as opposed to implicit. If I go that route

(a) are they any examples around (not using mvc) ? and
(b) would that architecture also support other services like cognito, azure AD and google etc ?

Any other thoughts on this setup much appreciated

thank you in advance

Also I’d really like to have a generic solution in the product which doesn’t use Okta libraries, I note the samples they give you all seem to use Okta.AspNetCore (we’re not on core anyway). But I’d prefer to have a generic solution that could take authentication from many providers (as point (b) above)… thanks :slight_smile:

Hi @islwyn10 . If you are looking for a generic solution, I think the best place to start is understanding the PKCE flow at its core. This is a really great article that explains the flow - it uses a Vue sample app, but the core concepts still hold true for any implementation:

If you’re looking for a pure single page app implementation, then the dotnet piece of this should only exist to serve your client-side code and you should really place your focus into a Javascript implementation.

Another way to see what’s going on under the hood in pure Javascript with no libraries can be found in this github repository I made:

DISCLAIMER: The above repo is a personal project of mine and not an officially supported Okta project. It’s purpose is to teach how various flows work and is not meant to be used as a basis for custom code implementation, as little attention was paid to security in its creation.

This all being said, at Okta we always recommend the use of our libraries. If you aren’t familiar with our auth js library you can take a look at some of heavy lifting we handle on the Javascript side of things:

We do have some non-core AspNet samples, but these are not for single page applications, so I don’t think it’s going to be of much help in your use-case.


Great - thank you. I will take some time to work through this.

ok so I have got the vanilla examples from okta working at last

Now I just wanted to ask, how would my app know that the request definitely came from an okta server. I presume that one of the fields is a shared secret, and that gets stored on my app server. Then when the request contains that shared secret.

The fields I can see in the “profile” page of the samples that are candidates are:

  • aud
  • jti
  • idp
  • nonce
  • at_hash
  • id_token
  • access_token

Or of course we could check that it’s an okta ip address, which doesn’t sound like the way to go

So which one would be hard coded or stored on my app server to prove that the request was from okta ?

Also may I please ask, how would “nonce” be used with an SPA ?