Error on document discovery

I am trying to configure OKTA in one of our CMS which allows to configure webhooks authorization based on client credentials grant type. I have setup a Authorization Server and an M2M application in OKTA with default scope and a policy with Grant Type -Client Credentials assigned to M2M client.
I use the Authoring URL as https://dev-<dev_id> and provide clientid, client secret along with audience (e.g.:- api://something). The application throws an error -
"Endpoint belongs to different authority: https://dev-<<id>".
I use dot peek to check the implementation and its using HttpClient to discover the document using IdentityModel.
I tried this my self and receive the same error. I am not expert in the security but wondering what I am missing.

I also tried from postman to get the token and provided client_id, client_secret, audience, granttype, scope and receive the token
Are you able to help what I might be missing here. Please note since this third party app where I am configuring the settings, I can’t change the code.

Basically the ask is how to exclude registration_endpoint discovery without changing the code.

So wait, which endpoint in Okta are you having trouble with? Is it failing to validate the token, or are you unable to even get a token in the first place?

Before even token is been requested, this is when the endpoints are been discovered using httpclient in .net. throws error -
“Endpoint belongs to different authority:”
I have seen some code adjustments to exclude the registration_endpoint but I can’t make the code changes since this is a configured in one of out CMS (Content Management System)

Is it trying to hit the discovery doc then, https://${oktaDomain}/oauth2/${authServerId}/.well-known/openid-configuration?

I found this thread that mentions resolving this by skipping the endpoint/issuer validation checks: Error loading discovery document: endpoint belongs to different authority

yes the discovery doc you mentioned is what is trying to resolve all the endpoints. I have seen those resolution but unfortunately this is third party tool and can’t change the code.

Hence I tried myself in .net app to check if I am configuring it wrong but receive the same error-

So wondering if there is a way to skip this endpoint (/clients) check without code changes.
Just FYI. I have tried same with Auth0 and works fine.

This topic was automatically closed after 30 days. New replies are no longer allowed.