Adding new authorization server with custom domain issues

Hi,

My company is using Okta Developer Edition and we have an existing integration that uses the default Authorization Server. It’s configured like so (orgid is redacted):

Name: default
Audience: api://default
Issuer URI: https://dev-XXXXXXXXX.oktapreview.com/oauth2/default

We want to use a Custom Domain for our authentication flows, so we went through the Custom Domain walkthrough, added DNS records, got everything verified and were eventually able to set up the new custom domain.

We then created a second Authorization Server without modifying the default one and configured the custom domain on the new server from the drop-down, similar to:

Name: Custom Domain
Audience: https://account.mycompany.com
Issuer URI: https://dev-XXXXXXXXX.oktapreview.com/oauth2/default

HOWEVER after saving this new auth server it broke our existing authentication flow in production!

Has anyone else encountered this before or know how to resolve it? We had to delete the new auth server and custom domain and wait for DNS propagation for the issue to finally resolve itself, so now we are afraid of creating the custom domain again. Please help.

Oh, one thing I should add which may have affected things…

After creating the second Authorization Server in addition to the default, when we first saved we mistakenly set the audience to the same value as the default Authorization Server, i.e.:

Audience: api://default

Is it possible that this is what broke our production authentication flow once this update was made?

Hi @Ergin! Are you able to reach your discovery URL with your new custom domain? You can open up a new browser tab and visit https://account.mycompany.com/oauth2/default/.well-known/openid-configuration - there you should see your new issuer is https://account.mycompany.com/oauth2/default for example.

@Ergin If you created a customized authorization server, you should use a different issuer including the authorizationId: /oauth2/${authServerId}.
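The two checks suggested in the replies above (does the discovery document under the custom domain report the expected issuer, and does the new server avoid the default server's audience and issuer path), as an added example that is not from the original thread or from Okta. The discovery document and the authorization server ID "aus0example123" are constructed placeholders; the only real value is the mycompany.com domain from the thread.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed sample of what a custom-domain issuer should publish at
# /.well-known/openid-configuration; "aus0example123" is a placeholder server ID.
SAMPLE_DISCOVERY = {
    "issuer": "https://account.mycompany.com/oauth2/aus0example123",
    "authorization_endpoint": "https://account.mycompany.com/oauth2/aus0example123/v1/authorize",
    "token_endpoint": "https://account.mycompany.com/oauth2/aus0example123/v1/token",
    "jwks_uri": "https://account.mycompany.com/oauth2/aus0example123/v1/keys",
}


def fetch_discovery(issuer: str) -> dict:
    """Fetch the OIDC discovery document published under an issuer URL (needs network)."""
    with urlopen(f"{issuer.rstrip('/')}/.well-known/openid-configuration") as resp:
        return json.load(resp)


def check_discovery(doc: dict, expected_issuer: str) -> list[str]:
    """Return problems in a discovery document; an empty list means it looks right."""
    problems = []
    host = urlparse(expected_issuer).netloc
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected_issuer!r}")
    # Every endpoint a client will call should be served from the custom domain too.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if urlparse(url).netloc != host:
            problems.append(f"{key} {url!r} is not served from {host}")
    return problems


def check_servers(servers: list[dict]) -> list[str]:
    """Flag the two misconfigurations from the thread across a list of
    {name, audience, issuer} dicts: a duplicated audience, and a custom
    server that still points at the default server's /oauth2/default path."""
    problems = []
    seen = {}
    for s in servers:
        aud = s["audience"]
        if aud in seen:
            problems.append(f"audience {aud!r} used by both {seen[aud]!r} and {s['name']!r}")
        seen.setdefault(aud, s["name"])
        if s["name"] != "default" and s["issuer"].rstrip("/").endswith("/oauth2/default"):
            problems.append(f"{s['name']!r} reuses the default issuer path; expected /oauth2/<authServerId>")
    return problems
```

Run check_servers on the two server definitions from the thread to see both mistakes reported before saving anything in the Okta admin console.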