OKTA authentication with Asp.net web form

Questions OAuth/OIDC
1

Old system is using asp dotnet web form for windows AD and now I am using OKTA to authentication user and
when user visits https://localhost/SampleApp/index.aspx and OKTA system redirects to https://localhost/SampleApp/signin-oidc

but I get following error:
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Physical Path C:\2-Feb-2022\Releases\Applications\SampleApp\SampleApp\signin-oidc

Do I need to create some resource at this physical location?
SampleApp\SampleApp\signin-oidc

As per AI I don’t and as per it, My IIS is not able to establish a communication with Owin hence it is not redirecting index page.
Please advise how to resolve this issue

2

Hey thanks for asking this question, really tricky one could be many things, We might need more details on your setup, startup.cs, which flow etc to even point you in the right direction - if you have support access would recommend creating a Support case with Okta.

That said, There could be different causes based on your current windows environment and ASP version and packages you are using and IIS config but, more or less it falls in three buckets.

  1. Package missing / OWIN issues (If you ruled them out try two below.)
  2. Wrong NuGet package / Startup pattern - > Follow what our archived sample does if you cannot upgrade your package ( samples-aspnet-webforms/okta-hosted-login/okta-aspnet-webforms-example at master · okta/samples-aspnet-webforms · GitHub ) This is if you are
  3. IIS not routing the extensionless callback path to the OWIN pipeline (Could be)

The official Okta sample uses the Okta.AspNet NuGet package and its UseOktaMvc() extension method to overcome this.

Please note this is for ref purposes, which versions you are on can change this answer. Okta’s own ASP.NET Web Forms sample (now archived, and not supported but should be relevant to this case ) does the following.) Okta.AspNet SDK itself (GitHub - okta/okta-aspnet: okta-aspnet · GitHub) is not, so choose that supports your version.

So, below are some fixes you can try

1. Wrong callback path

/signin-oidc is the ASP.NET Core default. For classic ASP.NET Web Forms, change it to /authorization-code/callback in both your Web.config and your Okta app’s Sign-in redirect URIs and see if that helps, there could be a hardcoded path somewhere, if yes see if its configured correctly.

2. Use Okta.AspNet, not raw OWIN (best path ahead)

Install the Okta.AspNet NuGet package (4.x for .NET 4.8.1, 3.x for .NET 4.8). Your Startup.cs should use app.UseOktaMvc(new OktaMvcOptions { … }) - not app.UseOpenIdConnectAuthentication(…).

3. Route extensionless URLs through IIS

Add this to Web.config:

<system.webServer>

<modules runAllManagedModulesForAllRequests="true" />

</system.webServer>

Without it, IIS intercepts the callback before the OWIN pipeline can handle it.

Sample code - samples-aspnet-webforms/okta-hosted-login/okta-aspnet-webforms-example at master · okta/samples-aspnet-webforms · GitHub

If none of that help, give me what the logs without sensitive info say, we can figure it out.

3

Thanks for the reply, I have a classic Asp.net and I am not using MVC and how come app.UseOktaMvc(new OktaMvcOptions { … }) - not app.UseOpenIdConnectAuthentication(…) help to resolve this issue and how come application find the the startup to start the app.
I have in my web.config and following is part of web.config:

  <modules runAllManagedModulesForAllRequests="true">
	  <remove name="StaticFile" />
    <remove name="FormsAuthentication" />
       
        
    <remove name="RadUploadModule" />
    <add name="RadUploadModule" type="Telerik.Web.UI.RadUploadHttpModule" preCondition="integratedMode" />

    <remove name="RadCompression" />
    <add name="RadCompression" type="Telerik.Web.UI.RadCompression" preCondition="integratedMode" />

  </modules>

<handlers accessPolicy="Read, Execute, Script">
        <remove name="StaticFile" />


	<remove name="PageHandlerFactory-Integrated" />
	<add name="PageHandlerFactory-Integrated"
			 path="*.aspx"
			 verb="*"
			 type="System.Web.UI.PageHandlerFactory"
			 preCondition="integratedMode" />

	<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersion=v4.0" />
     
	<remove name="ChartImage_axd" />
  <add name="ChartImage_axd" path="ChartImage.axd" type="Telerik.Web.UI.ChartHttpHandler" verb="*" preCondition="integratedMode" />
  <remove name="Telerik_Web_UI_SpellCheckHandler_axd" />
  <add name="Telerik_Web_UI_SpellCheckHandler_axd" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" verb="*" preCondition="integratedMode" />
  <remove name="Telerik_Web_UI_DialogHandler_aspx" />
  <add name="Telerik_Web_UI_DialogHandler_aspx" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" verb="*" preCondition="integratedMode" />
  <remove name="Telerik_RadUploadProgressHandler_ashx" />
  <add name="Telerik_RadUploadProgressHandler_ashx" path="Telerik.RadUploadProgressHandler.ashx" type="Telerik.Web.UI.RadUploadProgressHandler" verb="*" preCondition="integratedMode" />
  <remove name="Telerik_Web_UI_WebResource_axd" />
  <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode" />
    
	
</handlers>
4

To give you an answer, forget the Okta method name, its confusing, UseMVCoptions is just a name, its required to be used in Web forms for example in your flow, When a request hits your server, the processing order is:

Browser request → IIS. → ASP.NET pipeline (OWIN lives here) → Web Forms page handler (.aspx)

The name is misleading but intentional. UseOktaMvc is part of the Okta.AspNet package which targets classic ASP.NET Framework and not ASP.NET Core MVC. It works identically in Web Forms because OWIN sits in the request pipeline before IIS decides whether a request goes to a .aspx handler or anywhere else. Whether your app uses Web Forms or MVC is irrelevant to the OWIN middleware layer.

Code flow path would be something like below.

Microsoft.Owin.Host.SystemWeb triggers Startup discovery on application start. It checks three places in this order:

1. web.config appSetting key owin:appStartup

2. [assembly: OwinStartup(typeof(YourNamespace.Startup))] assembly attribute - (default)

3. A class named exactly Startup with a Configuration(IAppBuilder app) method - (fallback)

The recommended approach is the assembly attribute in your Startup.cs:



  [assembly: OwinStartup(typeof(YourApp.Startup))]

  namespace YourApp

  {

      public class Startup

      {

          public void Configuration(IAppBuilder app)

          {

              app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

              app.UseCookieAuthentication(new CookieAuthenticationOptions());

              app.UseOktaMvc(new OktaMvcOptions()

              {

                  OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],

                  ClientId = ConfigurationManager.AppSettings["okta:ClientId"],

                  ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],

                  RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],

                  PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],

              });

          }

      }

  }

Fix for the 404

How does the above fix the 404?

The 404 is caused by using /signin-oidc as the callback path. That is the ASP.NET Core default and does not apply here. For classic ASP.NET with Okta.AspNet, the callback path is /authorization-code/callback. (based on your code its not changed)

So Update two places:

  1. web.config:
  2. Okta Admin Console → Applications → Your App → Sign-in redirect URIs: same URL

Your IIS configuration (runAllManagedModulesForAllRequests=“true” + ExtensionlessUrlHandler) is already correctly set up I think based on what you shared so no changes needed there.

Version note: Okta.AspNet 4.x requires .NET 4.8.1. If you are on .NET 4.8, you will need to either upgrade the framework or use 3.x (which is retired and no longer supported).

Refer the sample I shared if you have any issues setting this up/

5

I am not using ASP.NET Core and Okta.AspNet does not support .NET Framework 4.8.

6

The older 3.xx versions do Refer this - but you are right about okta not supporting it - we retired it as it had too many issues. I think this error is your project specific as usually if the config is applied middleware should pick it up, Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly. | Microsoft Learn

I sadly don’t see any other advice from either okta or microsoft that can help ? Has this worked for other projects? Something is not applying during your build that is requested at runtime, I cannot be sure without debug access honestly.

Please run the samples close to your architecture GitHub - okta/okta-aspnet: okta-aspnet · GitHub