Getting 403 when trying to get authorization code using custom authorization server

Hi, I have a Springboot application that does OIDC workflow.

I tested using the org authorization server (https://{oktadomain}/oauth2/v1/authorize) to call the /authorize endpoint for the authorization code, I was able to retrieve the code.

However, when I tried to use the default custom authorization server (https://{oktadomain}/oauth2/default/v1/authorize), I kept getting 403:

Also, I tried to do manual testing through both and, and both successfully gave me the authorization code.

I also check the system log on the admin page, no error was shown. The only logs I could see were “Verify user identity success”. Does anyone have any idea what I did wrong? Thank you!

Note: I also added the localhost:8080 on my Trusted Origin, so I don’t think it’s the issue.

Were there any more details about the 403 in the browser network tab?

No, this is the only thing I can see in the network tab:

And the only change between your attempts is the issuer, right? In both the success and the failure case, are you using the same domain (in this case, the * domain, as opposed to a custom domain configured for the org)?

1 Like

Also, out of curiosity, but does this reproduce with all users in your org? If you create a new test user and try to log them in with either the Org auth server or the Default one, does it work?

1 Like

Not really sure but two things I’d check:

  • What is the URL the srpingboot app is generating to redirect to Okta. Does it look good/ Any differences between that and what’s generated for oidcdebugger?
  • Is the user you’re testing with assigned to the app?
  • Do you have an access policy and rules setup allowing the same openid flow? Or relying on the Default Policy?

Hi Andrea,
that is correct. The only change was the issuer, and currently, I’m using a default developer okta domain as shown above for testing. I am also just using a testing account without any real users.

Hi Abole,

  1. Yes, even when I tried to hardcode with the generated URL from the debugger (only changed the redirect uri), it didn’t work.
  2. Yes, I made sure the user is assigned to the app.
  3. I am only relying on the default one. Do I need to create a custom access policy?
  1. Want to share exactly what this URL looks like?
  2. (it wouldn’t let me skip this number, but thanks for confirming!)
  3. If you’re using the “Default” server, the Default policy and rule created for you should be fine, but when you make your own custom authorization server, you will need to make the policy and rule yourself.

It might be easier to have a support case open for this one. Can you do so in our Help Center (instructions here) or by emailing (this email is primarily for integrators/partners).