Great explanation,
As a C# Web API dev who’s used Okta before to secure a Web API (.NET Core 3.1), you should re-write this to use the [Authorize] tag on the controller or controller method, instead of manually checking the token.
There is no way I’d use this article, for that single fact alone, even though I quite like the rest of your implementation. [Authorize] is the best practice for how to add authentication to a controller method.
See how it’s implemented in this Okta article for .NET Core 3.1, using the tag correctly.
Thanks,
Eric-