Secure Your .NET 6 Web API

.NET 6 is here and many of us are making preparations to update .NET 5 codebases to .NET 6. As part of this review, today you will learn how to implement the client credentials flow in ASP.NET Core Web API.

This is a companion discussion topic for the original entry at

Hi, thanks for the informative post–very helpful to see the implementation.

This part caught my attention: “At this time, Okta does not provide a JWT Verification library for .NET”.

I’ve worked through this Okta guide here: Protect your API endpoints | Okta Developer

That Okta guide includes using an Okta nuget package that “enables your application to validate Okta access tokens”.

I’m trying to reconcile that Okta guide and your statement–when you say “At this time, Okta does not provide a JWT Verification library for .NET” are you saying this, because the nuget package in the Okta guide is too specific in validating only Okta access tokens and cannot be used to serve a broader need to verify a JWT regardless of where it came from?

Hi @dmckisic,

You’re right. The Okta.AspNet SDK is specific to Okta and the ASP.NET framework. If you need to validate tokens in other projects where Okta.AspNet is not an option, you can do your validation manually as explained here.

I hope this helps!

Hi, Laura. Very good explanation. I have reviewed it, but it doesn’t work for Postman as you described. But could you provide a description of how to integrate OKTA with ASP.NET Core .NET 6, when the ClientId and Secrets are used in the code directly and, when calling some end-point, the user in a browser is automatically redirected to the OKTA login page? There is really very little documentation on OKTA integration with .NET 6 ASP.NET Core. Could you provide it, please?

Best regards,
Vasili Holub