Okta for .net and configure swagger to use Implicit returns different issuer

bfakhriloo · March 5, 2021, 7:32pm

 services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
                options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
                options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
            })
            .AddOktaWebApi(new OktaWebApiOptions()
            {
                OktaDomain = _configuration["Okta:OktaDomain"],
            });

I have configured my swagger as below :

   app.UseSwaggerUI(options =>
            {
                options.RoutePrefix = "docs";
                options.SwaggerEndpoint("/swagger/v1/swagger.json", "Smart Engine API");
                options.DefaultModelsExpandDepth(-1);
                options.DefaultModelExpandDepth(99);
                options.ConfigObject.AdditionalItems.Add("tagsSorter", "alpha");
                options.EnableDeepLinking();
                options.InjectStylesheet("/docs/overrides.css");
                options.OAuthScopeSeparator(",");
                options.OAuthUsePkce();
            });

options.AddSecurityDefinition("OAuth2", new OpenApiSecurityScheme
        {
            Type = SecuritySchemeType.OAuth2,
            Flows = new OpenApiOAuthFlows
            {
                Implicit = new OpenApiOAuthFlow
                {
                    AuthorizationUrl = new Uri("https://my.okta.com/oauth2/v1/authorize?nonce=1"),
                    TokenUrl = new Uri("https://my.okta.com/oauth2/v1/token"),
                    Scopes = new Dictionary<string, string>
                        {
                        { "openid", "test" },
                        },
                }
            },
            Description = "Balea Server OpenId Security Scheme"
        });

When I click on authorize it is successful, but the generated token has different issuer, and it says " Bearer error=“invalid_token”,error_description=“The signature key was not found” "

The token :

{
 "ver": 1,
 "jti": "AT.xOnafeU_gKuGyMZD9Ui8WQb0HOBFzdG15tgYaL7sllM",
 "iss": "https://my.okta.com",
 "aud": "https://my.okta.com",
 "sub": "myemaiilAddress",
 "iat": 1614972591,
 "exp": 1614976233,
 "cid": "0oa372abtfziGiBhT5d6",
 "uid": "00uaear4itI8ZcELX5d6",
 "scp": [
  "openid"
 ]
}

But when I authenticate through Okta login widget I get this token :

{
 "ver": 1,
 "jti": "AT.ynGuoLqscjtE46cS1EPJqlOBDqMKUaCCA97w6q3TJ6o",
 "iss": "https://my.okta.com/oauth2/default",
 "aud": "api://default",
 "iat": 1614971812,
 "exp": 1614975412,
 "cid": "0oa372abtfziGiBhT5d6",
 "uid": "00uaear4itI8ZcELX5d6",
 "scp": [
  "profile",
  "openid",
  "email"
 ],
 "sub": "myemail",
 "customerattr": "ttttt",
}

In addition, it is not possible to get custom attributes by using Implicit.

erik · March 5, 2021, 8:31pm

Hello,
It looks like in the Swagger setup you are using the Org Authorization server
https://my.okta.com/oauth2/v1/authorize
https://my.okta.com/oauth2/v1/token

In the login widget you are using a custom authorization server ‘default’ (note default is a preconfigured custom authorization server)
https://my.okta.com/oauth2/default

With the Org authorization server you are not able to create custom scopes/claims which is why all you see is the openid scope even though you also request ‘test’. The public keys used to sign the access token from the Org Authorization server are not made public which is why you get,
"The signature key was not found"

Try changing the Swagger config to
https://my.okta.com/oauth2/default/v1/authorize
https://my.okta.com/oauth2/default/v1/token

Note in order for the ‘test’ to work you need to configure the default authorization server for that scope. More information about Org and Custom Authorization Servers can be found here. Creating custom scopes/claims.

system · March 6, 2021, 8:31pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.