Okta Auth in Blazor WASM
License: MIT License
This is a sample for Okta OpenID in Blazor WASM with Hosted Backend.
A full tutorial can be found in my YouTube Channel https://www.youtube.com/channel/UCjGgqULI1EX0VEoizrD6PYA
Hi @igalfsg , @coding-flamingo
Thank you for this sample project and YouTube video ... it has been of great help. I am stuck with a very specific requirement related to Okta, and hoping you would be able to guide.
Due to policies, we are not allowed to the use the default org level Okta audience - api://default
When an application is created in Okta, Okta creates an application specific audience - this value is available in the Application Sign On Tab => OpenID Connect ID Token section. Typically, this Audience value is same as the Application Client ID. Due to policies, we are supposed to use this audience for Bearer token generation to any call backend APIs.
After upgrading your project to .NET 7 version, on the Client application, I am specifying this Audience using AdditionalProviderParameters.
builder.Services.AddOidcAuthentication(options =>
{
options.ProviderOptions.Authority = builder.Configuration.GetValue<string>("Okta:Authority");
options.ProviderOptions.ClientId = builder.Configuration.GetValue<string>("Okta:ClientId");
options.ProviderOptions.ResponseType = "code";
options.ProviderOptions.DefaultScopes.Add("profile");
options.ProviderOptions.DefaultScopes.Add("address");
options.ProviderOptions.DefaultScopes.Add("email");
options.ProviderOptions.AdditionalProviderParameters.Add("Audience", builder.Configuration.GetValue<string>("Okta:Audience"));
});
And on the Server-side API project, I am enforcing for the same Audience value
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
})
.AddOktaWebApi(new OktaWebApiOptions()
{
OktaDomain = Configuration["Okta:OktaDomain"],
Audience = Configuration["Okta:Audience"]
});
However, when the API is invoked from the Client application, I am getting 401 Unauthorized with error : Bearer error="invalid_token", error_description="The audience 'api://default' is invalid"
When I decode the Bearer token being passed along with request using jwt.io, I am seeing the token is issued for Audience api://default
Please let me know if you have any suggestions on how to enforce the tokens to be issued with application specific audience, rather than the org wide audience value. Appreciate any possible help!
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.