Problem in authorization callback in .NET8

Hi there. I’ve recently started working with Okta authentication and maybe I’m missing something. I have a Visual Studio project which has been configured as in the examples:

            string oktaConfig = Environment.GetEnvironmentVariable("OKTA_CONFIGURATION") ?? "Okta";
            builder.Services.AddAuthentication(options =>
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            .AddCookie(options =>
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

This is the endpoint:

 public async Task<IActionResult> Authorize()
         return Ok("cool");
     catch (Exception ex)
         return Problem(ex.Message);

After loggin in, I’m getting the following exception:

The token is expected to be the new JsonWebToken, but somehow it’s the old JwtSecurityToken. I’ve read there has been some breaking changes in JWT implementation (Breaking change: Security token events return a JsonWebToken - .NET | Microsoft Learn) but I thought the package Okta.AspNetCore was ready to handle this issue as one can see inside OpenIdConnectOptionsHelper.cs

If I downgrade the project’s version to net7.0 everything progresses as expected. Has anyone experienced something similar while working on net8.0? Have I missed something from the documentation?

Thanks in advance.


This is a know issue with .NET 8

I assume you are using your Okta Org Authorization Server for testing?
If so can you try testing with a custom authorization server instead and see if the issue continues.

Thank You,

1 Like

Thank you very much for your quick reply; I was going nuts. Indeed, referencing Microsoft.IdentityModel.Tokens.JsonWebTokens in the net8 project results in the “InvalidOperationException: Cannot redirect to the authorization endpoint”. Removing the aforementioned reference leads to issues with tokens.

The project has been also tested with EntraId Authorization Server (named AzureAD before) and works in net8, so I guess we just have to wait until it’s resolved in a future version of Okta.AspNetCore.

Thanks again for your support.