Token Authentication

dbrooks · February 3, 2023, 4:34pm

Hello, I am authenticating via a SPA redirect login, which sets the Bearer token.
What i need to do is verify that token on our backend C# API. The documentation has so many different approaches to this that I am confused at what we need set up on our Okta account.

I am using this code from the okta-auth-dotnet library:

var authClient = new AuthenticationClient(new OktaClientConfiguration()
            {
                OktaDomain = "https://domain.okta.com",
                Token = "API_Token",
                ConnectionTimeout = 360,
                DisableHttpsCheck = false
            });

            var authnOptions = new AuthenticateWithActivationTokenOptions()
            {
                ActivationToken = "token from Authorization header Bearer"
            };

            var authnResponse = authClient.AuthenticateAsync(authnOptions).Result

I receive the error: “OktaApiException: Authentication failed (401, E0000004)”. I know I am authenticated via the redirect, but I just want to be able to verify the token’s authenticity on the server before proceeding.
I have tried prefixing the API token above with SSWS (although i would think the framework would do this on its own?).

Is there a step I am missing here or is there a specific type of API we need to set up.

Any help appreciated.
Thanks.

andrea · February 3, 2023, 4:48pm

Have you taken a look at our .NET Resource Server examples, e.g. samples-aspnetcore/samples-aspnetcore-6x/resource-server at master · okta/samples-aspnetcore · GitHub? They’re designed to handle this for you and were even created to directly work with our SPA example apps.

dbrooks · February 3, 2023, 4:58pm

Yes, but we’re not using dotnetcore. I figured I could simply use this:
GitHub - okta/okta-auth-dotnet: Okta .NET Authentication SDK to call our okta service, providing the API key to verify a token.

I do not have administrator access to our okta developer account so I have to tell someone what to set up. Is there a specific type of API that we need set up for just authenticating tokens? Is that called a resource server?
I don’t know the nomenclature for which API to simply authenticate a token using the okta donet library.

dbrooks · February 3, 2023, 5:48pm

I suppose first, I need to know what the API type is to verify a token using your okta .net sdk.

Just for informational purposes, the user has already validated via okta-hosted redirect login. I only need to verify the token returned to the client on our backend.

*Do I need to see about scheduling with a developer for this question?

andrea · February 4, 2023, 12:24am

Oh, if you’re not using Core, we also have a .NET 4.x sample

The Auth SDK is for Primary Authentication into Okta, but if you’re sending Access Tokens (granted in your SPA) over to your resource server as auth, you’ll want to use something like our sample/.NET WebAPI SDK (4.x and Core). Then your resource server will validate this Access Token and use that to determine if the user is allowed to access the requested resource.