Invalid Issuer Error with OKTA token generated

We have a web app that we integrated with OKTA. Users can log in with OKTA and Azure AD SSO. The access token is generated for both OKTA and Azure AD login with no issue, and users are able to log in using both as well.

The OKTA-generated token is used as a bearer token to consume our API in the backend. This has been working since we deployed it to all environments, including production, but as of yesterday we are encountering the error "Bearer error="invalid_token", error_description="The issuer 'xxx-some-issuer' is invalid"".

Here's the configuration we have on the front-end:

"okta": {
    "issuer": "https://cvxportal-nonprod.oktapreview.com/oauth2/default",
    "clientId": "someClientId",
    "url": "someLink"
}

Here's the configuration from the app settings in the backend API:

"Okta": {
    "Domain": "https://cvxportal-nonprod.oktapreview.com",
    "AuthorizationServerId": "default",
    "Audience": "api://default"
},

Here's how the multiple authentication schemes are handled in Program.cs of the backend API:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Add Auth services
var authEnabled = builder.Configuration.GetValue<bool>("AuthEnabled");
if (authEnabled)
{
    var azureAd = builder.Configuration.GetSection("AzureAD");
    var okta = builder.Configuration.GetSection("Okta");
    var oktaAuthority = $"{okta.GetValue<string>("Domain")}/oauth2/{okta.GetValue<string>("AuthorizationServerId")}";
    var oktaAudience = okta.GetValue<string>("Audience");

    builder.Services.AddAuthentication(options =>
    {
        // The default scheme is "Bearer" (JwtBearerDefaults.AuthenticationScheme),
        // which is the name the first AddJwtBearer call below registers under;
        // the second handler is registered under the explicit name "Okta".
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    // Azure AD handler, registered as the default "Bearer" scheme
    .AddJwtBearer(options =>
    {
        options.Authority = $"{azureAd.GetValue<string>("Instance")}{azureAd.GetValue<string>("TenantId")}/v2.0";
        options.Audience = azureAd.GetValue<string>("ApiAudience");
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = azureAd.GetValue<string>("Issuer")
        };
    })
    // Okta handler, registered as the "Okta" scheme
    .AddJwtBearer("Okta", options =>
    {
        options.Authority = oktaAuthority;
        options.Audience = oktaAudience;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = oktaAuthority,
            ValidateAudience = true,
            ValidAudience = oktaAudience,
            ValidateLifetime = true
        };
    });
}

I tried setting ValidateIssuer to false, but this only gives me an "Invalid token" issue. I also tried enabling only the OKTA authentication scheme, but it still gives the same error.

The access token when decoded has the correct issuer and audience that matches the configuration in the front end and backend API.
Has something changed, or am I missing something? Any help is appreciated.
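The following is an added example, not code from the original post and not an Okta or Microsoft sample. It shows one way to make a backend that accepts tokens from two issuers route each request to the JwtBearer handler that can actually validate it: a policy scheme whose ForwardDefaultSelector reads the unverified `iss` claim of the incoming bearer token and forwards to either the Azure AD or the Okta scheme. The configuration keys mirror the ones in the post; the scheme names "AzureAd", "Okta" and "MultiIssuer", the `/api/me` endpoint and the fallback-to-Azure behaviour are assumptions. It targets a .NET 6+ web project with the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration sections; the keys mirror the ones in the post.
var azureAd = builder.Configuration.GetSection("AzureAD");
var okta = builder.Configuration.GetSection("Okta");

var azureAuthority = $"{azureAd["Instance"]}{azureAd["TenantId"]}/v2.0";
var azureIssuer = azureAd["Issuer"] ?? throw new InvalidOperationException("AzureAD:Issuer missing");
var azureAudience = azureAd["ApiAudience"] ?? throw new InvalidOperationException("AzureAD:ApiAudience missing");
var oktaAuthority = $"{okta["Domain"]}/oauth2/{okta["AuthorizationServerId"]}";
var oktaAudience = okta["Audience"] ?? throw new InvalidOperationException("Okta:Audience missing");

const string AzureScheme = "AzureAd";        // assumed scheme name
const string OktaScheme = "Okta";            // assumed scheme name
const string SelectorScheme = "MultiIssuer"; // assumed policy scheme name

builder.Services.AddAuthentication(options =>
{
    // The policy scheme is the default. It validates nothing itself; it only
    // forwards authenticate/challenge to one of the two JwtBearer handlers.
    options.DefaultScheme = SelectorScheme;
    options.DefaultAuthenticateScheme = SelectorScheme;
    options.DefaultChallengeScheme = SelectorScheme;
})
.AddPolicyScheme(SelectorScheme, SelectorScheme, options =>
{
    options.ForwardDefaultSelector = context =>
        SelectScheme(context.Request.Headers["Authorization"].ToString(),
                     oktaAuthority, azureIssuer, OktaScheme, AzureScheme);
})
.AddJwtBearer(AzureScheme, options =>
{
    options.Authority = azureAuthority;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = azureIssuer,
        ValidateAudience = true,
        ValidAudience = azureAudience,
        ValidateLifetime = true,
    };
})
.AddJwtBearer(OktaScheme, options =>
{
    options.Authority = oktaAuthority;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = oktaAuthority, // Okta's iss is the authorization server URL
        ValidateAudience = true,
        ValidAudience = oktaAudience,
        ValidateLifetime = true,
    };
});

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Assumed endpoint: [Authorize] without a scheme name goes through the selector.
app.MapGet("/api/me", (HttpContext ctx) => ctx.User.Identity?.Name ?? "anonymous")
   .RequireAuthorization();
app.Run();

// Chooses a scheme from the *unverified* iss claim. This is routing only: the
// selected JwtBearer handler still checks signature, issuer, audience and
// lifetime, so a forged iss merely selects a handler that will reject the token.
static string SelectScheme(string authorizationHeader, string oktaIssuer,
                           string azureIssuer, string oktaScheme, string azureScheme)
{
    const string prefix = "Bearer ";
    if (!authorizationHeader.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
        return azureScheme; // no bearer token: a real handler issues the 401 challenge

    var raw = authorizationHeader[prefix.Length..].Trim();
    var handler = new JwtSecurityTokenHandler();
    if (!handler.CanReadToken(raw))
        return azureScheme; // malformed token: the handler rejects it

    var iss = handler.ReadJwtToken(raw).Issuer;
    if (string.Equals(iss, oktaIssuer, StringComparison.Ordinal)) return oktaScheme;
    if (string.Equals(iss, azureIssuer, StringComparison.Ordinal)) return azureScheme;
    return azureScheme; // unknown issuer: fails ValidIssuer in the chosen handler
}
```

Two points worth checking against this pattern in your own project: the selector must never return a scheme that skips validation for an unrecognised issuer (here it falls through to a handler whose ValidIssuer will reject it), and the Okta handler's ValidIssuer must be the full authorization server URL (`https://<domain>/oauth2/<serverId>`), which is the value a decoded Okta access token carries in `iss`, not the bare domain.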
