Hi, I recently started a new position and have previous OAuth experience at another company. I am working on a Core web API, and I noticed that there was not any access token verification within the API. One of my new colleagues told me that the verification wasn’t necessary because the SDK did this automatically. This is the code.

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
        options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
        options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
    })
    .AddOktaWebApi(authOpt.Okta);

The options include a domain, server id, and audience.
I searched through the documentation and could not find anywhere explicitly referencing automatic verification.
Could somebody please point me to the documentation that explicitly identifies how to incorporate auto-verification of the access token?
Thanks,
Tom