.NET Core App & Web API - Sharing Tokens

We have the following architecture:

  • .NET Core 3.1 web application using Razor Pages, jQuery, etc. as the UI (not an Angular application)
  • .NET Core 3.1 Web API application serving as our API layer

I have implemented the Okta widget and middleware in the web application. Users can log in, and after that happens I’m able to get a ClaimsPrincipal, access all of their scopes, and get to any custom profile data I’ve stored via OpenID. All that is working perfectly.

What I need to do now is implement the security checks on the API side. I’ve spent hours and hours looking at examples and have found many, but I’m either missing something or my architecture is unique and those examples don’t apply for me.

I assumed that what I would do is:

  • On the web app, after authentication, use

    HttpContext.GetTokenAsync("id_token")

To get the token, and then pass that along in my API calls via the standard “Bearer: [token]” syntax. Then I found this: How to Secure Your .NET Web API with Token Authentication | Okta Developer

What I’m struggling with mightily is the following:

  1. How do I, on the API side, not just validate the token, but find out WHO that token is for (as in which user)? Let’s say it’s the API that returns customer orders - well, I need to make sure that the user calling it is either an administrator or is the actual customer (so I don’t return customer data to someone who shouldn’t see it). I have all the role stuff figured out, I just can’t, for the life of me, figure out how to determine who someone is via the token?

  2. Along those lines, is “sub” the unique identifier of a user in Okta? So that is what I could store in my database to relate data back to a specific user?

  3. I know that I will need to make sure I check the token (on the web app) and, if it expires, use the refresh token to get a new one. But that brings me back to not quite understanding how I access these tokens within the web app. Are the tokens accessible via the ClaimsPrincipal, or only through HttpContext.GetTokenAsync()?

Thanks so much for the help everyone. I’ve been banging my head against the wall for entirely too long trying to figure this out.
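The following is an added example (not code from the original post, from Okta, or from the linked article) showing the two halves of the setup the questions above describe: on the API side, validating a bearer token issued by Okta with the standard JwtBearer handler and then using the token's "sub" claim plus a role check to decide whether the caller may see a given customer's orders; on the web-app side, reading the saved token with HttpContext.GetTokenAsync and sending it as a Bearer header. The Okta domain, audience, the "Admin" role name, the "groups" role claim and the IOrderStore interface are all assumptions or placeholders, not values from the post.

```csharp
// ---- API project ----
// Assumes the Microsoft.AspNetCore.Authentication.JwtBearer package.
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ApiAuthSetup
{
    // Call from Startup.ConfigureServices; UseAuthentication()/UseAuthorization() go in Configure.
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Placeholders: the issuer and audience of your Okta authorization server.
                options.Authority = "https://{yourOktaDomain}/oauth2/default";
                options.Audience = "api://default";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,           // reject tokens from any other issuer
                    ValidateAudience = true,         // reject tokens minted for a different API
                    ValidateLifetime = true,         // reject expired tokens
                    ValidateIssuerSigningKey = true, // keys are fetched from the issuer's JWKS
                    RoleClaimType = "groups"         // assumption: roles arrive in a "groups" claim
                };
            });
        services.AddAuthorization();
    }
}

// Hypothetical data-access interface; the post's own store is not shown.
public interface IOrderStore
{
    bool IsOwnedBy(string customerId, string ownerSub); // customer record stores the Okta "sub"
    IEnumerable<object> ForCustomer(string customerId);
}

[ApiController]
[Route("api/customers/{customerId}/orders")]
[Authorize] // token must validate before the action runs
public class OrdersController : ControllerBase
{
    private readonly IOrderStore _orders;
    public OrdersController(IOrderStore orders) => _orders = orders;

    [HttpGet]
    public IActionResult Get(string customerId)
    {
        // "sub" identifies the user the token was issued for. The default inbound
        // claim mapping renames it to ClaimTypes.NameIdentifier, so check both.
        var sub = User.FindFirst("sub")?.Value
                  ?? User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(sub))
            return Unauthorized();

        // Object-level authorization: a valid token alone is not enough. Admins may read
        // any customer; everyone else only the customer record that stores their own sub.
        bool isAdmin = User.IsInRole("Admin"); // "Admin" is an assumed role name
        if (!isAdmin && !_orders.IsOwnedBy(customerId, sub))
            return Forbid(); // 403: authenticated, but not allowed to see this resource

        return Ok(_orders.ForCustomer(customerId));
    }
}

// ---- Web application project (Razor Pages) ----
// GetTokenAsync only finds tokens if the OpenID Connect handler was configured with
// SaveTokens = true; the tokens live in the auth cookie, not on the ClaimsPrincipal.
public class OrdersApiClient
{
    private readonly HttpClient _http; // BaseAddress pointing at the API (configured elsewhere)
    public OrdersApiClient(HttpClient http) => _http = http;

    public async Task<string> GetOrdersJsonAsync(HttpContext ctx, string customerId)
    {
        var accessToken = await ctx.GetTokenAsync("access_token");
        var request = new HttpRequestMessage(HttpMethod.Get, $"api/customers/{customerId}/orders");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode(); // a 401 here usually means the token expired or is absent
        return await response.Content.ReadAsStringAsync();
    }
}
```

The ownership check is the part that the token alone cannot give you: the handler proves who the caller is (the sub claim) and that the token is genuine and unexpired, but whether that subject may see customer 42's orders is a decision the API has to make against its own data, which is why the example compares the sub against the stored owner on every request rather than trusting any customer id sent by the client.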