Verify access token in ASP.Net Core 2.0 backend forwarded from Angular 4 SPA - OpenIDC


#1

Hi Okta developers,

I’m trying to build a sample app + backend as a proof of concept before I start to build a complex system using these technologies. I have an Angular 4 SPA, and a working Okta login based on this post:
https://developer.okta.com/blog/2017/04/17/angular-authentication-with-oidc

I also have a .Net core 2.0 API, providing data to the frontend. I would like to forward the access token from Angular and verify it in the API. I tried this:

When making request to the API, I get the token from the OAuthService:

    getAllArticles() {
      return this.http
        .get<Article[]>(this._theUrl, {
          headers: new HttpHeaders({
            'Content-Type': 'application/json',
            'Authorization': 'Bearer ' + this.oAuthService.getAccessToken()
          }),
          observe: "body",
          responseType: "json"
        });
    }

I can see the token in the API in HttpContext, so it is coming through.

Then I tried to turn on Authentication in .Net Core in startup.cs -> ConfigureServices:

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        }).AddJwtBearer(options =>
        {
            options.Authority = $"https://{companyName}.okta.com";
            options.Audience = $"https://{companyName}.okta.com";
            options.RequireHttpsMetadata = false;
        });

And this doesn’t work; I get a 401 (Unauthorized) response every time. I also tried to play around with TokenValidationParameters, changing values, without luck.

Any help would be much appreciated!

Thanks,
Tibor


#2

Looking at your code in startup.cs, I suggest you try the following -

options.Authority is the authorization server that issued the access token. If you look at your front-end Angular code (from the blog), it’s of the form https://{companyName}.okta.com/oauth2/default
Log in to your Okta org and verify that you do have this default auth server.
If you have an Okta Developer Account, you already have a default auth server created for you.

If you don’t have an existing authorization server, or would like to create a new one, then you can find out how to do that in the Setting up Auth Server section.

If you have the default auth server, change options.Authority to https://{companyName}.okta.com/oauth2/default

options.Audience should be api://default (you can verify this in your Okta org’s auth server settings; you can also change it to the API that you’re protecting).

Disclaimer - I haven’t worked on .net, so I’m not sure if this alone will resolve your issue.
@nate.barbettini - Mind taking a look? :slight_smile:


#3

Yep, @vijet is correct. The Authority should be the full URL to the authorization server (matching what’s on the frontend). RequireHttpsMetadata is usually true as well.

FYI @bitibi, if you’re running the ASP.NET Core backend from the command line with dotnet run, you can adjust the log level to Information in appsettings.json and get a full stack trace of exactly why a particular token failed (leading to a 401). That can be helpful when you are troubleshooting!
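Putting #2 and #3 together, here is an added example (not code from the original posts) of the corrected ASP.NET Core 2.0 startup: Authority pointing at the full authorization server URL, Audience set to api://default, and HTTPS metadata kept on. `{companyName}` is the placeholder from the thread; the `UseAuthentication()` ordering, the `TokenValidationParameters` flags and the clock skew are my assumptions about a typical setup.

```csharp
// Added example, not the original poster's code: JwtBearer setup corrected
// as #2 and #3 describe. {companyName} is the thread's placeholder.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        const string companyName = "{companyName}"; // placeholder from the thread
        // The issuer the Angular app logged in against (the blog uses
        // .../oauth2/default), not the bare org URL the post used.
        var authority = $"https://{companyName}.okta.com/oauth2/default";

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            options.Authority = authority;
            // The auth server's audience (api://default for the default
            // server), not the org URL the post used.
            options.Audience = "api://default";
            // Keep the discovery document on HTTPS; the post set this to false.
            options.RequireHttpsMetadata = true;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,     // iss must match the authority's issuer
                ValidateAudience = true,   // aud must match api://default
                ValidateLifetime = true,   // reject expired tokens
                ClockSkew = TimeSpan.FromMinutes(2), // assumption: tighter than the 5 min default
            };
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must precede UseMvc, or [Authorize] endpoints return 401 even with a valid token.
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

With the log level raised to Information as #3 suggests, a remaining 401 will show in the console which of these checks (issuer, audience, lifetime, signature) rejected the token.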


#4

Thank you @vijet and @nate.barbettini !

You are right, the issue was Setting up Auth Server. I just joined a new company recently, don’t have full admin rights on Okta yet, and couldn’t access the API menu option. However, I made a developer account to test, and it works fine as you described!

Fantastic, thanks again!