Hello,
I’ve been trying to use the Okta.AspNetCore NuGet package and the nifty extensions AddOktaWebApi and AddOktaMvc. But for some reason they do not work with our Okta authorization server setup. As far as I can tell, we do not need to use AuthorizationServerId; it should be default.
Both of the extension methods look for the openid-configuration at the following address:
https://{our-domain}/oauth2/default/.well-known/openid-configuration
Problem is, in our Okta auth server that configuration is placed here:
https://{our-domain}/.well-known/openid-configuration
The one that the extension method tries to reach gives a 401 response.
Using the default .NET AddOpenIdConnect seems to work. For the resource server, using AddJwtBearer and specifying the MetadataAddress in the options also seems to work.
So I’m curious what is going on with the okta extensions and why I can’t get them to get the configuration.
Hi there. If you don’t have any URLs at the https://{our-domain}/oauth2/default/.well-known/openid-configuration endpoint but they reside at https://{our-domain}/.well-known/openid-configuration then you are most likely using an org authorization server, not default. Default is the default custom authorization server that comes with the API Access Management package - I know it’s kind of confusing!
Long story short, give the following a try in your config:
AuthorizationServerId = string.Empty
And see if that fixes your issue. I’ll leave a couple links here - one that explains where I came up with that value and one that explains org vs custom auth servers.
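The setting suggested in the reply above, placed in an ASP.NET Core startup file. This is an added example, not code from the thread or from the Okta project; the configuration key names and the DiscoveryUrl helper are assumptions made for illustration.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Okta.AspNetCore;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration keys; OktaDomain has the form https://{our-domain}
var oktaDomain = builder.Configuration["Okta:OktaDomain"];

// Empty string selects the org authorization server;
// "default" selects the default custom authorization server.
var authorizationServerId = string.Empty;

// Log which discovery document this configuration corresponds to,
// so a 401 on the wrong path is easy to spot at startup.
Console.WriteLine($"Discovery URL: {DiscoveryUrl(oktaDomain, authorizationServerId)}");

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OktaDefaults.MvcAuthenticationScheme;
    })
    .AddCookie()
    .AddOktaMvc(new OktaMvcOptions
    {
        OktaDomain = oktaDomain,
        ClientId = builder.Configuration["Okta:ClientId"],         // assumed key
        ClientSecret = builder.Configuration["Okta:ClientSecret"], // assumed key
        AuthorizationServerId = authorizationServerId,
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();

// Hypothetical helper (not part of Okta.AspNetCore): reproduces the two
// URL shapes quoted in the thread for the org and custom servers.
static string DiscoveryUrl(string domain, string serverId) =>
    string.IsNullOrEmpty(serverId)
        ? $"{domain.TrimEnd('/')}/.well-known/openid-configuration"
        : $"{domain.TrimEnd('/')}/oauth2/{serverId}/.well-known/openid-configuration";
```

The same AuthorizationServerId value applies to OktaWebApiOptions when the resource server is registered with AddOktaWebApi.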