SSO for Okta in ASP.NET Zero Angular: getting this error (IDX10501: Signature validation failed. Unable to match key)

Hi, I have implemented the Angular-side code like this:


–class LoginComponent–

async OktaLogin() {
    let res = await this.oktaAuth.token.getWithPopup(this.tokenParams);
    this.loginService.oktaLoginStatusChangeCallback(res);
}

–class LoginService–


public oktaLoginStatusChangeCallback(resp) {
    const model = new ExternalAuthenticateModel();
    model.authProvider = ExternalLoginProvider.OPENID;
    model.providerAccessCode = resp.tokens.accessToken.value;
    model.providerKey = resp.code;
    model.singleSignIn = UrlHelper.getSingleSignIn();
    model.returnUrl = UrlHelper.getReturnUrl();

    this._tokenAuthService.externalAuthenticate(model)
        .subscribe((result: ExternalAuthenticateResultModel) => {
            if (result.waitingForActivation) {
                this._messageService.info('You have successfully registered. Waiting for activation!');
                return;
            }

            this.login(result.accessToken,
                result.encryptedAccessToken,
                result.expireInSeconds,
                result.refreshToken,
                result.refreshTokenExpireInSeconds,
                false,
                '',
                result.returnUrl);
        });
}
_______________________________________________________________

and in the server code, I put this code:
https://support.aspnetzero.com/QA/Questions/5773#answer-eaebc7a4-d0aa-31ee-eeb0-39e9948957ea
but at this line (OpenIdConnectAuthProviderApi >> ValidateToken):

var principal = new JwtSecurityTokenHandler().ValidateToken(token, validationParameters, out var rawValidatedToken);

I'm getting this error:

IDX10501: Signature validation failed. Unable to match key: 
kid: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Exceptions caught:
 '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. 
token: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.

What issuer are you using to generate/validate the tokens?

If you are not using a custom Authorization Server (such as /oauth2/default), then this error is expected when attempting to validate tokens generated by the built-in Org/Okta Authorization Server. Tokens issued by this server will not have matching keys available at the keys endpoint, as it is only designed to be used externally for OIDC (authentication), not OAuth (authorization) use cases.

I’m using https://{yourOktaDomain}/oauth2/default/.well-known/openid-configuration for validation.
If it’s wrong, can you please tell me where I should get it from?

I’d recommend ensuring that the org you are testing with has a license for the API Access Management feature. If you have sufficient admin permissions, you can check this within Okta: are you able to navigate to the following menu: Security -> API -> Authorization Servers?

If you can see a list of Authorization Servers, including the one that is made for you called “Default”, then you can construct a metadata URI by taking the Issuer URI for the server you’d like to use and adding /.well-known/openid-configuration to it.

If you are not an admin, what happens if you attempt to navigate to https://{yourOktaDomain}/oauth2/default/.well-known/openid-configuration in your browser? Do you see a JSON response with a list of OIDC endpoints, or do you have an error saying “You do not have permissions to access the feature you are requesting?”
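
Added example, not part of the thread or of any poster's code: a Node.js diagnostic that decodes a token's header and payload without verifying it, then compares its `iss` and `kid` with the issuer and JWKS the server validates against, which is the mismatch the replies above describe. The issuer URLs, key ids, tokens and function names are constructed, and it assumes the built-in org authorization server issues tokens whose `iss` is the bare org URL.

```javascript
// Added diagnostic sketch: decodes a JWT WITHOUT verifying it, only to explain IDX10501.
// All issuers, kids and tokens below are constructed sample values.

function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Compare the token's iss/kid with the issuer and JWKS the server validates against.
function diagnoseKeyMismatch(token, metadataIssuer, jwks) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWT with three segments');
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const signingKids = (jwks.keys || [])
    .filter((k) => !k.use || k.use === 'sig')
    .map((k) => k.kid);
  const result = {
    tokenIssuer: payload.iss,
    tokenKid: header.kid,
    issuerMatches: payload.iss === metadataIssuer, // issuer comparison is exact
    kidInJwks: signingKids.includes(header.kid),
    findings: [],
  };
  if (!result.issuerMatches) {
    result.findings.push(`token iss "${payload.iss}" differs from metadata issuer "${metadataIssuer}"`);
  }
  if (!result.kidInJwks) {
    result.findings.push(`kid "${header.kid}" not in JWKS [${signingKids.join(', ')}]`);
  }
  return result;
}

// Builds a constructed sample token with a placeholder signature (never a valid one).
function makeSampleToken(header, payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.c2ln`;
}

const ORG = 'https://yourOktaDomain.example';  // constructed org authorization server issuer
const CUSTOM = ORG + '/oauth2/default';        // constructed custom authorization server issuer
const customJwks = { keys: [{ kty: 'RSA', use: 'sig', kid: 'default-as-key-1' }] };
const orgToken = makeSampleToken({ alg: 'RS256', kid: 'org-as-key-9' }, { iss: ORG });
const customToken = makeSampleToken({ alg: 'RS256', kid: 'default-as-key-1' }, { iss: CUSTOM });

console.log(diagnoseKeyMismatch(orgToken, CUSTOM, customJwks).findings);    // two findings
console.log(diagnoseKeyMismatch(customToken, CUSTOM, customJwks).findings); // no findings
```

If the issuer comparison fails, the client and the server are pointed at different authorization servers; the check is for diagnosis only and does not replace signature validation on the server.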