And the only change between your attempts is the issuer, right? In both the success and the failure case, are you using the same domain (in this case, the *.okta.com domain, as opposed to a custom domain configured for the org)?
That is correct. The only change was the issuer, and currently, I’m using a default developer Okta domain as shown above for testing. I am also just using a testing account without any real users.
(it wouldn’t let me skip this number, but thanks for confirming!)
If you’re using the “Default” server, the Default policy and rule created for you should be fine, but when you make your own custom authorization server, you will need to make the policy and rule yourself.
It might be easier to have a support case open for this one. Can you do so in our Help Center (instructions here) or by emailing firstname.lastname@example.org (this email is primarily for integrators/partners)?