Before you begin

This guide shows you how to use Okta as the user store for your web application and sign users in.

If you are building a single-page (browser) app, see Sign users in to your single-page application instead. Or, if you are building a server that returns API responses (but not HTML), see Protect your API endpoints.

This guide assumes that you:

• Have an Okta Developer Edition organization. Don't have one? Create one for free (opens new window).
• Know the basics of building Web applications.
• Have a project or application that you want to add authentication to.
• Are building a web app that's rendered by a server.

If you don't have an existing app, or are new to building apps, start with this documentation:

Instructions for

ASP.NET

Loading...

The ASP.NET MVC quickstart (opens new window) teaches you the basics of building an ASP.NET MVC application.

Or, if you want to skip this guide and just download a working sample app, download our ASP.NET MVC example (opens new window).

Refresh tokens and web apps

With browser-based apps, the risk of the refresh token being compromised is high when a persistent refresh token is used. This threat is greatly reduced by rotating refresh tokens. Refresh token rotation helps a public client to securely rotate refresh tokens after each use. A new refresh token is returned each time the client makes a request to exchange a refresh token for a new access token. Refresh token rotation works with SPAs, native apps, and web apps in Okta.

See the OAuth 2.0 for Browser-Based Apps specification (opens new window) for the latest spec information on using refresh tokens with browser-based apps.

Support

If you need help or have an issue, post a question on the Okta Developer Forum (opens new window).

Next: Understand the callback route