Client Unauthorized: this client cannot use a custom authorization server

The Okta support team for OIN is getting this error when I asked them to test this and make it available on the OIN.

error: unauthorized_client
error description: this client cannot use a custom authorization server

Please help on how I should move this forward. What do I need to do?

Can you describe your problem in more detail? I don’t quite understand your problem.

My Okta Support (who approves the app to make it available on the OIN) gave me a client ID, client secret and org URI. I put that in play and it throws an error when they try to log in from their org dashboard, which says:
error: unauthorized_client
error description: this client cannot use a custom authorization server

It works well when I am using my own clientid, clientsecret and org uri.
The only difference is that my ORGURI is something like this: https://dev-398914.okta.com/
and my Okta Support’s ORGURI is this: https://adiyasal.okta.com

Is there something different I have to do? The support team replied this to my query, but I do not know what to do:


Here’s a previous response from our Dev Support team:
The org authorization server has an issuer of “https://org.okta.com” with the discovery file available at “https://org.okta.com/.well-known/openid-configuration” which provides the URLs in the format of “https://org.okta.com/oauth2/v1/endpoint”.

The custom authorization servers (created through API Access Management feature) have an issuer in the format mentioned previously “https://org.okta.com/oauth2/{auth_server}” with the discovery file available at “https://org.okta.com/oauth2/{auth_server}/.well-known/openid-configuration”. This discovery file provides the endpoints in the format of “https://org.okta.com/oauth2/{auth_server}/v1/endpoint”.

In order to retrieve the /authorize, /token, /keys, /userinfo, /introspect endpoints, your application needs to access the discovery file by appending “/.well-known/openid-configuration” to the issuer and parse the resulting JSON. Please note that the org authorization server does not return the signing keys for access tokens on the /keys endpoint due to RFC restrictions.


Yeah, it’s a lot to digest, but let me ask you: when you test your application in your own tenant (organization), do you use the default or a custom authorization server? If you use the default, then try to test whether it works with a custom one as well. At least it seems like it might be an issue with them trying to run your application.

Was there a solution to this? I have received the same response from the OIN team. They do, however, appear to be using the default auth server (https://adiyasal.okta.com/oauth2/default) rather than a custom one.

For anyone running into this issue, try using the Org authorization server instead of any Custom authorization server. Our problem was using the default Custom authorization server instead of the Org authorization server.

The Org authorization server has the URI https://${yourOktaDomain} while the default Custom authorization server has the URI https://${yourOktaDomain}/oauth2/default/.

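The support explanation above (issuer formats and discovery documents) and the solution post (Org vs default Custom authorization server) boil down to one check a client should do before trusting an issuer: fetch the discovery document, confirm its `issuer` equals the configured one, and confirm the endpoints sit under the prefix that issuer type implies. The following Python is an added example, not code from the thread or from Okta; the discovery documents are constructed and trimmed, and `example.okta.com` is a placeholder domain.

```python
import json
from urllib.parse import urlparse

# Constructed, trimmed discovery documents (not real Okta responses).
ORG_DOC = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
})
CUSTOM_DOC = json.dumps({
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys",
})

def discovery_url(issuer: str) -> str:
    """Discovery URL = issuer (without trailing slash) + /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def server_kind(issuer: str) -> str:
    """'org' for https://{domain}, 'custom' for https://{domain}/oauth2/{auth_server}."""
    path = urlparse(issuer.rstrip("/")).path
    if path == "":
        return "org"
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "oauth2":
        return "custom"
    raise ValueError(f"not an Okta authorization server issuer: {issuer}")

def check_discovery(configured_issuer: str, doc_json: str) -> dict:
    """Parse a discovery document and verify it describes the configured issuer.

    'ok' is False when the document belongs to a different authorization server,
    e.g. a client configured for the Org server but handed the /oauth2/default one."""
    doc = json.loads(doc_json)
    issuer = configured_issuer.rstrip("/")
    kind = server_kind(issuer)
    # Org server publishes .../oauth2/v1/*, custom server .../oauth2/{id}/v1/*
    expected_prefix = issuer + ("/oauth2/v1/" if kind == "org" else "/v1/")
    problems = []
    if doc.get("issuer", "").rstrip("/") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith(expected_prefix):
            problems.append(f"{key} {doc.get(key)!r} is not under {expected_prefix}")
    return {"kind": kind, "url": discovery_url(issuer), "ok": not problems, "problems": problems}
```

Running `check_discovery` with the Org issuer against `CUSTOM_DOC` reports four problems (issuer plus three endpoints), which is the mismatch the thread describes; swapping in the matching document passes.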