Secure Your .NET 6 Web API

.NET 6 is here and many of us are making preparations to update .NET 5 codebases to .NET 6. As part of this review, today you will learn how to implement the client credentials flow in ASP.NET Core Web API.

This is a companion discussion topic for the original entry at

Hi, thanks for the informative post. Very helpful to see the implementation.

This part caught my attention: “At this time, Okta does not provide a JWT Verification library for .NET”.

I’ve worked through this Okta guide here: Protect your API endpoints | Okta Developer

That Okta guide includes using an Okta NuGet package that “enables your application to validate Okta access tokens”.

I’m trying to reconcile that Okta guide and your statement. When you say “At this time, Okta does not provide a JWT Verification library for .NET”, are you saying this because the NuGet package in the Okta guide is too specific in validating only Okta access tokens and cannot be used to serve a broader need to verify a JWT regardless of where it came from?

Hi @dmckisic,

You’re right. The Okta.AspNet SDK is specific to Okta and the ASP.NET framework. If you need to validate tokens in other projects where Okta.AspNet is not an option, you can do your validation manually as explained here.

I hope this helps!


Hi, Laura. Very good explanation. I have reviewed it, but it doesn’t work for Postman as you described this. But could you provide a description of how to integrate Okta with ASP.NET Core .NET 6, when ClientId and Secrets are used in the code directly and when some endpoint is called, the user in a browser is automatically redirected to the Okta login page? There is really very little documentation on Okta integration with .NET 6 ASP.NET Core. Could you provide it please.

Best regards,
Vasili Holub

Great explanation,

As a C# Web API dev who’s used Okta before to secure a Web API (.NET Core 3.1), you should rewrite this to use the [Authorize] tag on the controller or controller method, instead of manually checking the token.

There is no way I’d use this article, for that single fact alone, even though I quite like the rest of your implementation. [Authorize] is the best practice for how to add authentication to a controller method.

See how it’s implemented in this Okta article for .NET Core 3.1, using the tag correctly.

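To make the point above concrete, here is an added example (not code from the article or from Okta) of a .NET 6 Web API that lets the JwtBearer middleware validate the Okta access token and then protects the controller with [Authorize] instead of inspecting the token by hand. The Okta domain is a placeholder, and the scope name "api:read" and the policy name "ReadAccess" are assumptions for illustration.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority is the Okta authorization server; the middleware fetches its
        // OpenID discovery document and signing keys from here, so no manual
        // JWKS download or signature check is needed. Placeholder domain.
        options.Authority = "https://{yourOktaDomain}/oauth2/default";
        // Must match the audience configured on the Okta authorization server.
        options.Audience = "api://default";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1) // tighter than the 5 minute default
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Okta puts granted scopes in the "scp" claim; require the one this API
    // expects from the client credentials client. Scope name is an assumption.
    options.AddPolicy("ReadAccess", policy => policy.RequireClaim("scp", "api:read"));
});
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication(); // populates HttpContext.User from the bearer token
app.UseAuthorization();  // enforces [Authorize] and the named policies
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class WeatherController : ControllerBase
{
    // Unauthenticated callers get 401 and callers without the scope get 403
    // before this method body ever runs.
    [HttpGet]
    [Authorize(Policy = "ReadAccess")]
    public IActionResult Get() => Ok(new { message = "token accepted" });
}
```

A request without a valid bearer token is rejected by the middleware, so the controller never has to parse or verify the JWT itself.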

Hi, I am trying to call the Okta service from Postman but getting an invalid_client error, and the summary is “Invalid value for ‘client_id’ parameter”. Can you please guide me on what might be going wrong here? Thanks.

Thanks for your comment @ericbrown

I was about to go through all the steps to manually validate the token, not knowing I didn’t have to. I’m even using .NET authorization with the [Authorized] tags and having trouble with it, so I was about to start fresh with this article. Instead I followed the article you linked to and just needed a few tweaks to get up and running.

While I appreciate a detailed guide to manually validating tokens in .NET, it really should say that it isn’t necessary except in specific circumstances perhaps.