Allow users to manage their own (or other) profiles?

Hello,

In Okta, if you want to make management API calls (users/groups) with an OAuth access_token, then that token is required to be minted from the Org authorization server. In order to use the access_token against the various management APIs, not only will the access_token need the correct Okta management scopes, the user will need to be part of a management role in Okta which grants them enough permission for the various management calls they will make.

Custom Authorization servers can’t mint tokens with Okta management scopes other than the okta.myaccount.* scopes, which can only be used to manage the user's own profile.

Okta does support the on-behalf-of token exchange, which will retain user context in the new access_token. No OpenID scopes can be requested, though.

Thank You,
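The answer above boils down to two things a token must carry before a management call can succeed: it has to come from the Org authorization server, and it has to hold the management scopes the call needs (the caller's admin role is enforced by Okta server-side and is not visible in the token). The following added example, which is not code from the post or from Okta, is a pre-flight inspection helper that reads a JWT's claims without verifying the signature and reports why a token would be rejected for management use. It assumes the issuer shapes Okta uses: the Org AS issuer is the bare org URL (https://{org}.okta.com) while a custom AS issuer carries an /oauth2/{authServerId} path. The sample tokens, org name and scope values at the bottom are constructed for the demonstration.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.

    The signature is deliberately NOT verified: this is a local inspection
    to explain a rejection early. Okta still validates the token on every
    management API call, so this never replaces server-side checks.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def is_org_authorization_server(issuer: str) -> bool:
    """True when the issuer is the Org AS (bare org URL, no /oauth2/... path).

    Assumption: custom authorization servers issue with
    https://{org}.okta.com/oauth2/{authServerId} as the iss claim.
    """
    parsed = urlparse(issuer)
    return parsed.scheme == "https" and parsed.path.strip("/") == ""


def assess_management_token(token: str, required_scopes: set[str]) -> dict:
    """Explain whether a token is usable for Okta management calls.

    Checks: issuer is the Org AS, required okta.* management scopes are
    granted (claim 'scp'), and a subject is present so the user's admin role
    can be applied. The role itself is not in the token and cannot be checked here.
    """
    claims = decode_claims(token)
    issuer = claims.get("iss", "")
    granted = set(claims.get("scp", []))
    problems = []

    if not is_org_authorization_server(issuer):
        problems.append(
            f"issuer {issuer!r} is a custom authorization server; "
            "management scopes are only minted by the Org AS"
        )
    missing = sorted(required_scopes - granted)
    if missing:
        problems.append("missing scopes: " + ", ".join(missing))
    if not claims.get("sub"):
        problems.append("no sub claim: user context is required for role-based management calls")

    return {
        "ok": not problems,
        "issuer": issuer,
        "subject": claims.get("sub"),
        "granted": sorted(granted),
        "problems": problems,
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg none) for offline demos only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens: one from the Org AS with management scopes, one
# from a custom AS that can only carry okta.myaccount.* scopes.
ORG_TOKEN = make_unsigned_jwt({
    "iss": "https://example.okta.com",
    "sub": "00u_example_user",
    "scp": ["okta.users.read", "okta.groups.read"],
})
CUSTOM_AS_TOKEN = make_unsigned_jwt({
    "iss": "https://example.okta.com/oauth2/default",
    "sub": "00u_example_user",
    "scp": ["okta.myaccount.read", "openid"],
})

if __name__ == "__main__":
    for label, tok in (("org AS", ORG_TOKEN), ("custom AS", CUSTOM_AS_TOKEN)):
        print(label, json.dumps(assess_management_token(tok, {"okta.users.read"}), indent=2))
```

Run it and the custom-AS token is reported as unusable for both reasons the post gives (wrong issuer, no management scope), while the Org AS token passes the local checks; whether the subject actually holds an admin role only shows up when Okta answers the real call.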