PKCE Flow with Org Authorization Server

Hello,

Context:

  • Front: Xamarin application
  • Back: Api .net 5.0
  • Okta Mobile application PKCE flow

I am setting up a Xamarin application with Okta authentication thanks to the nuget GitHub - okta/okta-oidc-xamarin: Okta OIDC SDK for Xamarin.

I specify an empty AuthorizationServerId to use the organization's authorization server (because my company's Okta does not have an additional authorization server).

The Okta app was created as a mobile app with PKCE enabled.

The authentication works correctly; however, I cannot validate the token on the API side (.NET 5.0).

Using the nuget GitHub - okta/okta-aspnet: okta-aspnet, it is forbidden to use the org authorization server.

Despite several tutorials to validate the Token, I still have a problem.

Is it possible to use org server authorization in this case?

Thank you in advance for your reply.

The Org authorization server does NOT support local token validation.

If you are trying to secure a resource server with tokens issued by Okta you must either use a custom authorization server (will require the missing API Access Management feature) OR have your resource server use the introspect endpoint to do remote token validation. To do so, for every token sent to your resource server, your server will need to make an /introspect call to the authorization server that issued the token to check if it is still valid.

1 Like
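The remote validation the answer describes, as an added example for a .NET 5 resource server (not code from this thread and not part of Okta's SDKs). It posts each bearer token to the org authorization server's introspection endpoint and rejects the request unless Okta reports the token as active. The Okta domain and the client id are placeholders; the public PKCE client authenticates to the endpoint with client_id only, since it has no secret.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added example: remote token validation against the Okta org authorization server.
// Assumed placeholders: oktaDomain (e.g. "dev-123456.okta.com") and the mobile app's client id.
public sealed class OktaIntrospectionValidator
{
    private readonly HttpClient _http;
    private readonly string _introspectUrl;
    private readonly string _clientId;

    public OktaIntrospectionValidator(HttpClient http, string oktaDomain, string clientId)
    {
        _http = http;
        // Org authorization server path: no custom authorization server id in the URL.
        _introspectUrl = $"https://{oktaDomain}/oauth2/v1/introspect";
        _clientId = clientId;
    }

    public sealed record IntrospectionResult(bool Active, string Subject, string Scope, long ExpiresAt);

    public async Task<IntrospectionResult> ValidateAsync(string accessToken)
    {
        // A public (PKCE) client sends client_id in the form body instead of a client secret.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["token"] = accessToken,
            ["token_type_hint"] = "access_token",
            ["client_id"] = _clientId,
        });

        using var response = await _http.PostAsync(_introspectUrl, form);
        response.EnsureSuccessStatusCode();

        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = doc.RootElement;

        // Expired, revoked or unknown tokens come back as {"active": false} with no other claims.
        if (!root.TryGetProperty("active", out var active) || !active.GetBoolean())
            return new IntrospectionResult(false, null, null, 0);

        return new IntrospectionResult(
            true,
            root.TryGetProperty("sub", out var sub) ? sub.GetString() : null,
            root.TryGetProperty("scope", out var scope) ? scope.GetString() : null,
            root.TryGetProperty("exp", out var exp) ? exp.GetInt64() : 0);
    }
}

// Middleware that introspects the bearer token on every request and returns 401 if it is not active.
public sealed class IntrospectionMiddleware
{
    private readonly RequestDelegate _next;
    private readonly OktaIntrospectionValidator _validator;

    public IntrospectionMiddleware(RequestDelegate next, OktaIntrospectionValidator validator)
    {
        _next = next;
        _validator = validator;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var header = context.Request.Headers["Authorization"].ToString();
        if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        var result = await _validator.ValidateAsync(header.Substring("Bearer ".Length).Trim());
        if (!result.Active)
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        // Hand the verified subject and scopes to downstream handlers for authorization checks.
        context.Items["okta.sub"] = result.Subject;
        context.Items["okta.scope"] = result.Scope;
        await _next(context);
    }
}
```

In Startup, register the validator with `services.AddHttpClient<OktaIntrospectionValidator>()` (supplying the domain and client id through its constructor) and add `app.UseMiddleware<IntrospectionMiddleware>()` before the endpoint routing. Because every request costs a round trip to Okta, a short cache keyed by the token and bounded by `exp` is a common optimisation; the trade-off is that a revoked token stays accepted until its cache entry expires, so keep that window short.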