Problem in authorization callback in .NET8

Bukran · March 21, 2024, 6:39am

Hi there. I’ve recently started working with Okta authentication and maybe I’m missing something. I have a Visual Studio project which has been configured as in the examples:

            string oktaConfig = Environment.GetEnvironmentVariable("OKTA_CONFIGURATION") ?? "Okta";
            builder.Services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            })
            .AddOktaMvc(builder.Configuration.GetSection(oktaConfig).Get<OktaMvcOptions>());

This is the endpoint:

 [Authorize]
 [HttpGet("authorize")]        
 public async Task<IActionResult> Authorize()
 {
     try
     {
         return Ok("cool");
     }
     catch (Exception ex)
     {
         return Problem(ex.Message);
     }
 }

After loggin in, I’m getting the following exception:

The token is expected to be the new JsonWebToken, but somehow it’s the old JwtSecurityToken. I’ve read there has been some breaking changes in JWT implementation (Breaking change: Security token events return a JsonWebToken - .NET | Microsoft Learn) but I thought the package Okta.AspNetCore was ready to handle this issue as one can see inside OpenIdConnectOptionsHelper.cs

If I downgrade the project’s version to net7.0 everything progresses as expected. Has anyone experienced something similar while working on net8.0? Have I missed something from the documentation?

Thanks in advance.

erik · March 21, 2024, 7:09am

Hello,

This is a know issue with .NET 8

github.com/okta/okta-aspnet

Okta.AspNetCore 4.6.0

opened 08:33PM - 07 Mar 24 UTC

yongkeecho

bug

### Describe the bug? The authentication worked with Okta.AspNetCore 4.5.0. …4.6.0 gives exception as below: ``` InvalidOperationException: Cannot redirect to the authorization endpoint, the configuration may be missing or invalid. Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties) Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties) Microsoft.AspNetCore.Authentication.AuthenticationHandler<TOptions>.ChallengeAsync(AuthenticationProperties properties) Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties) Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler+<>c__DisplayClass0_0+<<HandleAsync>g__Handle|0>d.MoveNext() Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context) Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context) ``` In program.cs, ``` services.ConfigureApplicationCookie(options => { options.Cookie.HttpOnly = true; options.Cookie.SecurePolicy = CookieSecurePolicy.Always; }) .AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; }) .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme) .AddOktaMvc(new OktaMvcOptions() { OktaDomain = oktaApplications?.OktaDomain, ClientId = oktaApplications?.ClientId, ClientSecret = oktaApplications?.ClientSecret, AuthorizationServerId = oktaApplications?.AuthorizationServerId, CallbackPath = new PathString(OktaDefaults.CallbackPath), PostLogoutRedirectUri = new PathString(OktaDefaults.SignOutCallbackPath), Scope = oktaApplications?.Scopes }); ``` appsettings.json has ``` "Okta": { "OktaDomain": "https://gssotst.mycompany.com", "ClientId": "0obbifeizyd1jab0o697", "ClientSecret": "W1AcKeRn12dX3KBay9gjEQxYvt9lcyG751UxDuJ6xe-JMCHPkz1FZ5GAnVw0KNHK", "AuthorizationServerId": "", "Scopes": [ "openid", "profile", "email", "groups" ] } ``` If I add 'default' for **AuthorizationServerId**, I have ``` An unhandled exception occurred while processing the request. IOException: IDX20807: Unable to retrieve document from: 'https://gssotst.mycompany.com/oauth2/default/.well-known/openid-configuration'. HttpResponseMessage: 'StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1 ``` ### What is expected to happen? no error ### What is the actual behavior? error ### Reproduction Steps? . ### Additional Information? _No response_ ### .NET Version dotnet 8. ### SDK Version 4.6.0 ### OS version _No response_

I assume you are using your Okta Org Authorization Server for testing?
If so can you try testing with a custom authorization server instead and see if the issue continues.

Thank You,

Bukran · March 21, 2024, 8:02am

Thank you very much for your quick reply; I was going nuts. Indeed, referencing Microsoft.IdentityModel.Tokens.JsonWebTokens in the net8 project results in the “InvalidOperationException: Cannot redirect to the authorization endpoint”. Removing the aforementioned reference leads to issues with tokens.

The project has been also tested with EntraId Authorization Server (named AzureAD before) and works in net8, so I guess we just have to wait until it’s resolved in a future version of Okta.AspNetCore.

Thanks again for your support.

system · April 25, 2024, 9:23am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.