.NET webforms with Okta as an Authorization Server

We are using .NET WebForms to authenticate an Okta user and log him in to our app. The code works fine with a Custom Authorization Server. Our client uses Okta as an Authorization Server and I cannot make it work with it. Any help will be appreciated.

Here is my code in Startup.cs:

```csharp
// Namespaces this method relies on: Microsoft.Owin.Security.Cookies,
// Microsoft.Owin.Security.OpenIdConnect, Microsoft.IdentityModel.Protocols.OpenIdConnect,
// Microsoft.IdentityModel.Tokens, IdentityModel.Client, System.Security.Claims
public void ConfigureAuth(IAppBuilder app)
{
  app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
  app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
  app.UseCookieAuthentication(new CookieAuthenticationOptions());
  app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
  {
    ClientId = _clientId,
    ClientSecret = _clientSecret,
    Authority = _authority,
    RedirectUri = _redirectUri,
    ResponseType = OpenIdConnectResponseType.CodeIdToken,
    Scope = OpenIdConnectScope.OpenIdProfile + " " + OpenIdConnectScope.Email,
    TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name" },
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
      AuthorizationCodeReceived = async n =>
      {
        // Exchange code for access and ID tokens
        TokenClient tokenClient = new TokenClient($"{_authority}/v1/token", _clientId, _clientSecret);

        var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, _redirectUri);
        if (tokenResponse.IsError)
        {
          throw new Exception(tokenResponse.Error);
        }

        // This is the line that fails with the Org Authorization Server (see below)
        var userInfoClient = new UserInfoClient($"{_authority}/v1/userinfo");
        var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);
        var claims = new List<Claim>(userInfoResponse.Claims) {
          new Claim("id_token", tokenResponse.IdentityToken),
          new Claim("access_token", tokenResponse.AccessToken)
        };
        n.AuthenticationTicket.Identity.AddClaims(claims);
      },
    },
  });
}
```

With Okta as the Authorization Server the code fails on the line: var userInfoClient = new UserInfoClient($"{_authority}/v1/userinfo");

I tried var userInfoClient = new UserInfoClient($"{_authority}//oauth2/v1/userinfo"), but the result is the same:

Not Found

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Exception: Not Found

What have you set as the authority URL? It should be just your Okta domain (https://org.okta.com)

Also, what URL is the userinfo request going to per your logs?

I am using my Okta domain (https://org.okta.com) for the authority URL and authority URL + oauth2/v1/userinfo (https://org.okta.com/oauth2/v1/userinfo) for userinfo.

hmm… if you check the network events for this call, do you see it being made to the right endpoint?

Yes. It fails on this line:
var userInfoClient = new UserInfoClient($"{_authority}/oauth2/v1/userinfo");

What URL do you see the API call being made to, not just what your code is configured to call?

I found the issue. It was a wrong TokenClient URL. But now I am getting this:

What should be the value of _audience? In the case of a Custom Authorization Server it's api:\default

Far as I know, authority should be the Okta domain, because if you add /.well-known/openid-configuration to that, you get the discovery doc (same as you would attaching that to org.okta.com/oauth2/default).

Important note on the error you are seeing, you cannot locally validate tokens issued by the org authorization server: Signature Validation Failed on Access Token | Okta Help Center

I know about the authority, but what about _audience? it is used in validateToken call

Sorry, misread. Audience will also be the Okta domain, but again, validateToken will not work with these tokens (see the article linked above).

Do you have a .NET sample code to request the user claims from Okta org, by passing it in the authorization server header of https://example.okta.com/oauth2/v1/userinfo request?

We have .NET sample apps built with our SDK and you can use the GetClaimsFromUserInfoEndpoint() property to have it call /userinfo to get these details. To have our SDK use the Org AS, you need to set the “AuthorizationServerId” property to string.Empty (mentioned in the previously linked config docs).
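The thread's resolution was a wrong TokenClient URL: the Org Authorization Server keeps its endpoints under /oauth2/v1/, while a Custom Authorization Server keeps them under /oauth2/{id}/v1/. The helper below is an added example (not the original poster's code and not Okta's SDK) that builds the right endpoint set for either case so the AuthorizationCodeReceived handler above no longer hard-codes them; the names `_oktaDomain` and `_authorizationServerId` are assumed.

```csharp
using System;
using IdentityModel.Client;   // TokenClient / UserInfoClient, as used in the Startup.cs above

// Endpoint set for one Okta authorization server (added example, not Okta SDK code).
public sealed class OktaEndpoints
{
    public string Authority { get; }        // value for OpenIdConnectAuthenticationOptions.Authority
    public string TokenEndpoint { get; }
    public string UserInfoEndpoint { get; }
    public string ExpectedIssuer { get; }   // the "iss" claim in tokens from this server

    private OktaEndpoints(string authority, string token, string userInfo, string issuer)
    {
        Authority = authority; TokenEndpoint = token; UserInfoEndpoint = userInfo; ExpectedIssuer = issuer;
    }

    // oktaDomain: e.g. https://org.okta.com (trailing slash tolerated).
    // authorizationServerId: null/empty for the Org AS, "default" (or your own id) for a Custom AS.
    public static OktaEndpoints For(string oktaDomain, string authorizationServerId)
    {
        var domain = oktaDomain.TrimEnd('/');
        if (string.IsNullOrEmpty(authorizationServerId))
        {
            // Org AS: discovery is at {domain}/.well-known/openid-configuration, but the
            // OAuth endpoints live under /oauth2/v1/ (the "wrong TokenClient URL" from the thread).
            return new OktaEndpoints(domain, $"{domain}/oauth2/v1/token",
                                     $"{domain}/oauth2/v1/userinfo", domain);
        }
        // Custom AS: the authority includes the server id and the endpoints sit directly under it.
        var authority = $"{domain}/oauth2/{authorizationServerId}";
        return new OktaEndpoints(authority, $"{authority}/v1/token",
                                 $"{authority}/v1/userinfo", authority);
    }
}

// Inside AuthorizationCodeReceived, replacing the hard-coded $"{_authority}/v1/..." strings:
//
//   var ep = OktaEndpoints.For(_oktaDomain, _authorizationServerId);   // "" for the Org AS
//   var tokenClient = new TokenClient(ep.TokenEndpoint, _clientId, _clientSecret);
//   var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, _redirectUri);
//   if (tokenResponse.IsError) throw new Exception(tokenResponse.Error);
//   // Org AS access tokens cannot be validated locally (see the linked Help Center article):
//   // treat them as opaque and get the user's claims from /userinfo instead.
//   var userInfo = await new UserInfoClient(ep.UserInfoEndpoint).GetAsync(tokenResponse.AccessToken);
```

For a Custom AS the audience to check on the access token is the one configured on that server (the built-in "default" server ships with api://default); for the Org AS there is nothing to validate locally, so only the ID token should go through TokenValidationParameters.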