
BurnsR.32389 (Customer) asked a question.
We have OKTA integrated with our NET7 API, the configuration is quite basic:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
})
.AddOktaWebApi(new OktaWebApiOptions
{
OktaDomain = "https://" + Configuration.GetValue<string>("Okta:Host"),
Audience = Configuration.GetValue<string>("Okta:Claims:Audience"),
AuthorizationServerId = Configuration.GetValue<string>("Okta:ServerId"),
JwtBearerEvents = new JwtBearerEvents
{
OnMessageReceived = context =>
{
// Needed for SignalR
var accessToken = context.Request.Query["access_token"];
var path = context.HttpContext.Request.Path;
if (!string.IsNullOrEmpty(accessToken) && path.StartsWithSegments("/hubs"))
{
context.Token = accessToken;
}
return Task.CompletedTask;
}
}
});
We have upgraded our application to NET8 and we are now receiving this:
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
We have managed to get this working by implementing:
var issuer = UrlHelper.CreateIssuerUrl(options.OktaDomain, options.AuthorizationServerId);
var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
issuer + "/.well-known/oauth-authorization-server",
new OpenIdConnectConfigurationRetriever(),
new HttpDocumentRetriever());
var tokenValidationParameters = new DefaultTokenValidationParameters(options, issuer)
{
SignatureValidator = (token, _) => ValidateTokenWithRetry(token, issuer, options.Audience)
};
and then not using the AddOktaWebApi extension from the Okta libraries and calling AddJwtBearer directly setting TokenValidationParameters.
Our question is why has this stopped working for NET8 and what is the recommended implementation from Okta?

Hi, @BurnsR.32389 (Customer)
Thank you for posting on our Community page!
This looks like a known change made by Microsoft some time ago, you can read about it here:
https://github.com/dotnet/aspnetcore/issues/52075#issuecomment-1815025177
For more information, I suggest you contact their Support directly as they may have better knowledge on the latest changes.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Our issue exists regardless of whether we use SecurityTokenValidators or TokenHandlers, so I don't believe it's related to the Microsoft change you reference.
The issue here is that we need to implement SignatureValidator in order to attach the public signing keys manually since upgrading to .NET 8. We didn't need to do this when running on .NET 7.
The code supplied above works, to be clear, but is there any configuration you can advise on where we don't have to manually implement SignatureValidator in order for signature validation to work implicitly / via the Okta package?
Hi, @ForageJ.48182 (Customer)
Thank you for posting on our Community page!
I suggest opening a case with Support so they can take a more in depth look at the use case.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.