On This Page

Okta ASP.NET Core MVC Quickstart

If you want a full, working example, head over to the ASP.NET Core Samples repository.

Create a new project

If you don't already have an ASP.NET Core project, create one using dotnet new mvc or the ASP.NET Core Web Application template in Visual Studio. Choose No Authentication as the authentication type.

Install these packages in the new project:

Add a Startup class

Make sure you have these using statements at the top of your Startup.cs file:

using Microsoft.AspNetCore.Authentication.Cookies;
using Okta.AspNetCore;

Add the following code anywhere in your ConfigureServices method, and add your Okta configuration:

Note: https://{yourOktaDomain} is different from your admin URL. Don’t include -admin in the value. When you copy your Okta domain from the Developer Console, you can find the correct value in the upper-right corner of the dashboard.

services.AddAuthentication(options =>
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OktaDefaults.MvcAuthenticationScheme;
.AddOktaMvc(new OktaMvcOptions
    OktaDomain = "https://${yourOktaDomain}",
    ClientId = "{clientId}",
    ClientSecret = "{clientSecret}"

// ... the rest of ConfigureServices

Then, in the Configure method, add this line above the UseMvc line:


Additional middleware configuration

The OktaMvcOptions class configures the Okta middleware. You can see all the available options in the project's README on GitHub. Once you have the middleware working, you can place the Okta configuration in appsettings.json and reference it with the Configuration pattern:

OktaDomain = Configuration["Okta:OktaDomain"],
ClientId = Configuration["Okta:ClientId"],

Secure your application's routes

With this middleware in place, use the [Authorize] attribute on controllers or actions to require a logged-in user:

public IActionResult Protected()
    // Only for logged-in users!
    return View();

Alternatively, you can create actions to log the user in (or out):

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Okta.AspNetCore;

public class AccountController : Controller
    public IActionResult Login()
        if (!HttpContext.User.Identity.IsAuthenticated)
            return Challenge(OktaDefaults.MvcAuthenticationScheme);

        return RedirectToAction("Index", "Home");

    public IActionResult Logout()
        return new SignOutResult(new[]

Run the project

Start the project in Visual Studio, or with this command:

dotnet run

Open http://localhost:8080 in a private or incognito window in your browser. (Note that your port may be be a random number instead of 8080.)

Try navigating to a route that has the [Authorize] attribute, or to the /Account/Login action you created above. You'll be redirected to the Okta Sign-In page.

That's it!

ASP.NET Core automatically populates HttpContext.User with the information Okta sends back about the user. You can check whether the user is logged in with User.Identity.IsAuthenticated in your actions or views, and see all of the user's claims in User.Claims.

The ASP.NET Core Samples repository has more examples of authenticating and interacting with the user's information (claims).

If you want to do more with the user, you can use the Okta .NET SDK to get or update the user's details stored in Okta.