UseOktaWebApi only works with default Authorization server

I’m creating a REST API which is secured by a token issued by an Okta Authorization server.

When I retrieve the token from the “default” Authorization server, everything works.

I’ve created a second Authorization server (named “authServer2”). I’m able to use Postman to retrieve the token, and able to call the /introspect endpoint to verify the token is active.

However, when I attempt to pass this token in the header of my REST call, I get a 401 each time.

I’ve tried setting the AuthorizationServerId in the UseOktaWebApi call to both the name (authServer2) and the auth server ID I retrieved from the api/v1/authorizationServers endpoint (ausj69cno3wN4DWH20h7), but my API refuses to authorize using this Authorization server.

I have also set up a pretty wide open Access Policy and Rule which I believe are the same as what is set up in my default Authorization Server.

I’m a relative newbie to Okta in general, so I may have missed something, but I’m surprised I cannot seem to find a way to direct my API to verify the token against the Authorization Server that I choose.

It sounds like you are setting AuthorizationServerId correctly. It should be the ID of the authorization server you created. That should work! Not sure yet why it isn’t; let’s check a few things:

What was the audience value you defined on your new authorization server? That needs to be identical in your code as well.

Can you try setting your log level to warning or info? The middleware should be emitting a log message explaining which check is failing.

Hi, Nate, thanks for the reply!

  1. I initially set the authorization server’s audience to “api://default” (because that’s the value that works with the default authorization server). I also tried “https://localhost:44389”, which is the address my API runs on in debug mode. That’s the value I currently have it set to. Neither has worked.
  2. I noticed in my code that I was not setting the OktaWebApiOptions.Audience value. I have set that now to “https://localhost:44389”. My code sets the following properties: OktaDomain, AuthorizationServerId, and Audience.
  3. The link to log level you sent is for ASP.NET Core. I am using ASP.NET with .NET Framework, not Core. I’ll dig around to see if I can find an equivalent setting, but if you have a link for .NET Framework, please post it and I’ll set it.

Nate - update… I now have the authorization working with 3 auth servers. There is only one peculiarity I can’t explain. My three auth servers are named “default”, “authServer2”, and “authServer3”.

authServer2 and authServer3 work when I pass in the AuthorizationServerId and Audience values. However, default doesn’t work the same.

According to the Okta API, my AuthorizationServerId for default is “aushxtf9bz6jEEd8vxyz” (I’ve changed the last 3 characters). But when I use that value, I get a 401. The only value that works for AuthorizationServerId is “default”. Is this intentional?

Also, can you point me to any documentation regarding the Okta.AspNet NuGet package I’m using? I haven’t been able to find any documentation from Okta regarding it.
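As an added example (not code from this thread or from the Okta.AspNet package): the middleware checks a token’s iss claim against https://{OktaDomain}/oauth2/{AuthorizationServerId} and its aud claim against Audience, so the diagnostic below decodes a token and reports which of the two does not match the options configured in Startup. It assumes Newtonsoft.Json is referenced (as in a typical ASP.NET Web API project) and uses a placeholder tenant domain.

```csharp
using System;
using System.Linq;
using System.Text;
using Newtonsoft.Json.Linq; // assumption: already referenced by the Web API project
using Okta.AspNet;
using Owin;

public class Startup
{
    // Same three properties the question's code sets; the domain is a placeholder.
    public void Configuration(IAppBuilder app)
    {
        app.UseOktaWebApi(new OktaWebApiOptions
        {
            OktaDomain = "https://{yourOktaDomain}",   // placeholder tenant, not real
            AuthorizationServerId = "authServer2",     // "default" for the default server
            Audience = "https://localhost:44389",
        });
    }
}
// Added diagnostic (not part of Okta.AspNet): compare a token's iss/aud claims with
// what the middleware expects for the options above, to explain a 401.
public static class TokenClaimCheck
{
    // Tokens carry iss = {OktaDomain}/oauth2/{AuthorizationServerId}; "default" issues /oauth2/default.
    public static string ExpectedIssuer(string oktaDomain, string authServerId) =>
        oktaDomain.TrimEnd('/') + "/oauth2/" + authServerId;
    // Reads the payload WITHOUT verifying the signature: for debugging only,
    // never as an authorization decision. Returns "ok" or the mismatches found.
    public static string Diagnose(string jwt, string oktaDomain, string authServerId, string audience)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) return "not a compact JWS (expected header.payload.signature)";
        var claims = JObject.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[1])));
        var iss = (string)claims["iss"];
        var aud = claims["aud"];
        var wantIss = ExpectedIssuer(oktaDomain, authServerId);
        var sb = new StringBuilder();
        if (iss != wantIss)
            sb.AppendLine($"iss mismatch: token has '{iss}', middleware expects '{wantIss}'");
        // aud may be a single string or an array of strings
        bool audOk = aud != null && (aud.Type == JTokenType.Array
            ? aud.Any(a => (string)a == audience) : (string)aud == audience);
        if (!audOk)
            sb.AppendLine($"aud mismatch: token has '{aud}', middleware expects '{audience}'");
        return sb.Length == 0 ? "ok" : sb.ToString();
    }
    static byte[] Base64UrlDecode(string s) =>
        Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/')
            .PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
}
```

Run TokenClaimCheck.Diagnose on a token obtained from Postman with the same three option values the middleware uses; an iss mismatch is what you would see when AuthorizationServerId is set to the aus… ID of the default server, since its tokens are issued under /oauth2/default.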