Missing step in Okta walkthrough?

I spent a happy afternoon tapping my way through your How to Secure Your .NET Web API with Token Authentication tutorial. Unfortunately I then spent an unhappy couple of days trying to figure out why my auth server was sending out valid tokens to my app, but my API was bouncing them all as unauthorised/401. It looks to me like the walkthrough is missing the step:

Add app.UseAuthentication(); to the Configure method in the Startup.cs file of the API application, immediately before app.UseMvc();.

Without that I don’t think the API ever tries to send the tokens to the auth server, which is a problem. I’m too new with the platform and API authorization generally to confirm this properly - could someone possibly take a quick look and confirm that I haven’t just opened my API up to the world at large?
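The step described in the post above, shown in context as an added example; it is not part of the original post or the tutorial's own code. It assumes ASP.NET Core 2.x with the JWT bearer handler, and the `Authority` and `Audience` values and the controller are placeholders.

```csharp
// Added illustration for the API project's Startup.cs (ASP.NET Core 2.x assumed).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Registers the JWT bearer handler and makes it the default scheme.
        // Registration alone does not run the handler on incoming requests.
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            options.Authority = "https://AUTH-SERVER.example/"; // placeholder issuer URL
            options.Audience = "PLACEHOLDER-AUDIENCE";          // placeholder audience
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Runs the default scheme's handler on each request and sets
        // HttpContext.User when the bearer token validates. It must come
        // before UseMvc; without it, [Authorize] sees an anonymous user
        // and answers 401 even when the token is valid.
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Hypothetical protected endpoint used to check the behaviour.
[Route("api/[controller]")]
public class ValuesController : Controller
{
    [Authorize]
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "value1", "value2" });
}
```

With this ordering, a request to the `[Authorize]` endpoint without a valid bearer token still receives 401; the middleware only establishes who the caller is, and the attribute continues to enforce access.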