Error on document discovery

Questions
1

I am trying to configure OKTA in one of our CMS which allows to configure webhooks authorization based on client credentials grant type. I have setup a Authorization Server and an M2M application in OKTA with default scope and a policy with Grant Type -Client Credentials assigned to M2M client.
I use the Authoring URL as https://dev-<dev_id>.okta.com/oauth2/api_server_id and provide clientid, client secret along with audience (e.g.:- api://something). The application throws an error -
"Endpoint belongs to different authority: https://dev-<<id>.okta.com/oauth2/v1/clients".
I use dot peek to check the implementation and its using HttpClient to discover the document using IdentityModel.
I tried this my self and receive the same error. I am not expert in the security but wondering what I am missing.

authority_error
authority_error1019×207 24.9 KB

I also tried from postman to get the token
https://dev-div_id.okta.com/oauth2/api_server_id/v1/token and provided client_id, client_secret, audience, granttype, scope and receive the token
Are you able to help what I might be missing here. Please note since this third party app where I am configuring the settings, I can’t change the code.

Basically the ask is how to exclude registration_endpoint discovery without changing the code.
Thanks

2

So wait, which endpoint in Okta are you having trouble with? Is it failing to validate the token, or are you unable to even get a token in the first place?

3

Before even token is been requested, this is when the endpoints are been discovered using httpclient in .net. throws error -
“Endpoint belongs to different authority: https://dev-dev_id.okta.com/oauth2/v1/clients”
I have seen some code adjustments to exclude the registration_endpoint but I can’t make the code changes since this is a configured in one of out CMS (Content Management System)

4

Is it trying to hit the discovery doc then, https://${oktaDomain}/oauth2/${authServerId}/.well-known/openid-configuration?

I found this thread that mentions resolving this by skipping the endpoint/issuer validation checks: Error loading discovery document: endpoint belongs to different authority

5

yes the discovery doc you mentioned is what is trying to resolve all the endpoints. I have seen those resolution but unfortunately this is third party tool and can’t change the code.

Hence I tried myself in .net app to check if I am configuring it wrong but receive the same error-

authority_error1
authority_error11192×232 36.5 KB

So wondering if there is a way to skip this endpoint (/clients) check without code changes.
Just FYI. I have tried same with Auth0 and works fine.

6

This topic was automatically closed after 30 days. New replies are no longer allowed.