This comment from 2022 says otherwise.
The context is this: I am building both a custom OIDC Single Page Application using PKCE and a corresponding external OIDC IDP. I am able to proceed with logging in (using the /authorize endpoint), but when I try to make a call to https://${OKTA_DOMAIN}.okta.com/oauth2/v1/token, I get the error INVALID REQUEST: The grant was issued for another authorization server.
I am planning to use PKCE and have included the code challenge on the first authorize call. I believe this issue stems from the fact that, in the external IDP configuration, there is a Client Secret field that I have filled in arbitrarily. This is because when I create an OIDC application integration, there is no Client Secret there.
I only have one external IDP and one application running. I have ensured that the client_id provided during both the authorize and token calls is the same as the one I pass when I call Okta’s token endpoint. I suspect this is a Client Secret thing, but do not know how to create an OIDC IDP without a Client Secret.
How do I get around this?