Okta for .net and configure swagger to use Implicit returns different issuer

 services.AddAuthentication(options =>
                options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
                options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
                options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
            .AddOktaWebApi(new OktaWebApiOptions()
                OktaDomain = _configuration["Okta:OktaDomain"],

I have configured my swagger as below :

   app.UseSwaggerUI(options =>
                options.RoutePrefix = "docs";
                options.SwaggerEndpoint("/swagger/v1/swagger.json", "Smart Engine API");
                options.ConfigObject.AdditionalItems.Add("tagsSorter", "alpha");

options.AddSecurityDefinition("OAuth2", new OpenApiSecurityScheme
            Type = SecuritySchemeType.OAuth2,
            Flows = new OpenApiOAuthFlows
                Implicit = new OpenApiOAuthFlow
                    AuthorizationUrl = new Uri("https://my.okta.com/oauth2/v1/authorize?nonce=1"),
                    TokenUrl = new Uri("https://my.okta.com/oauth2/v1/token"),
                    Scopes = new Dictionary<string, string>
                        { "openid", "test" },
            Description = "Balea Server OpenId Security Scheme"

When I click on authorize it is successful, but the generated token has different issuer, and it says " Bearer error=“invalid_token”,error_description=“The signature key was not found” "

The token :

 "ver": 1,
 "jti": "AT.xOnafeU_gKuGyMZD9Ui8WQb0HOBFzdG15tgYaL7sllM",
 "iss": "https://my.okta.com",
 "aud": "https://my.okta.com",
 "sub": "myemaiilAddress",
 "iat": 1614972591,
 "exp": 1614976233,
 "cid": "0oa372abtfziGiBhT5d6",
 "uid": "00uaear4itI8ZcELX5d6",
 "scp": [

But when I authenticate through Okta login widget I get this token :

 "ver": 1,
 "jti": "AT.ynGuoLqscjtE46cS1EPJqlOBDqMKUaCCA97w6q3TJ6o",
 "iss": "https://my.okta.com/oauth2/default",
 "aud": "api://default",
 "iat": 1614971812,
 "exp": 1614975412,
 "cid": "0oa372abtfziGiBhT5d6",
 "uid": "00uaear4itI8ZcELX5d6",
 "scp": [
 "sub": "myemail",
 "customerattr": "ttttt",

In addition, it is not possible to get custom attributes by using Implicit.

It looks like in the Swagger setup you are using the Org Authorization server

In the login widget you are using a custom authorization server ‘default’ (note default is a preconfigured custom authorization server)

With the Org authorization server you are not able to create custom scopes/claims which is why all you see is the openid scope even though you also request ‘test’. The public keys used to sign the access token from the Org Authorization server are not made public which is why you get,
"The signature key was not found"

Try changing the Swagger config to

Note in order for the ‘test’ to work you need to configure the default authorization server for that scope. More information about Org and Custom Authorization Servers can be found here. Creating custom scopes/claims.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.