How to add Authorization server id in the authorize url

Hello,

I am trying to get my authorize URL looking like https://${yourOktaDomain}/oauth2/${authorizationServerId}/v1/authorize like mentioned in the document, because I am using a custom authorization server and I need to get custom scopes.

However, after trying different combinations between the issuer and the discoverUri parameters in the createConfig method, my authorize URL keeps looking like
/oauth2/v1/authorize?scope=custom_scope&response_type=... (without the auth server ID that I am trying to add), according to the admin console

My createConfig is like the following:

  // createConfig comes from the @okta/okta-react-native SDK:
  // import { createConfig } from '@okta/okta-react-native';
  await createConfig({
    clientId: '0oaxxxxxxxxxxxxxxxxx',
    redirectUri: 'com.custom.app:/login',
    endSessionRedirectUri: 'com.custom.app:/logout',
    // custom authorization server (ausxxx id), not the org-level /oauth2 server
    issuer: 'https://dev-xxxxxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxxx',
    discoveryUri: 'https://dev-xxxxxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxxx',
    scopes: ['custom_scope', 'openid'],
    requireHardwareBackedKeyStore: ENV.OKTA_REQUIRED_HARDWARE_BACKED_KEY_STORE,
    browserMatchAll: true,
  });

I tried removing the issuer, adding /v1/authorize, etc…
I am getting this error
{"error_code": "-600", "error_message": "Authorization error"}

and the console specifies that it is an “illegal_custom_scope” failure

Thank you for your help.

1 Like

Hello @Valentin,

What library/SDK are you using (React Native)?

The issuer setting you have looks correct.
The discoveryUri should be one of:

https://{domain}.okta.com/oauth2/default/.well-known/oauth-authorization-server
https://{domain}.okta.com/oauth2/default/.well-known/openid-configuration

Both of the above URLs will list the authorization server endpoints / capabilities.

2 Likes

@erik’s example is perfect if you’re using the default auth server.

If you’re using a custom auth server, replace default in @erik’s example with the auth server identifier, e.g.
https://thinknition.okta.com/oauth2//.well-known/oauth-authorization-server
https://thinknition.okta.com/oauth2//v1/authorize

Perhaps double check which auth server you’ve set up the access policies / scopes under?

1 Like

Thank you for your answers.

I omitted to specify that I am indeed on react-native (0.67.5) and I am using the latest version of the okta lib (@okta/okta-react-native 2.7.0).

@erik These URLs work well if I try them manually with Postman, but the problem is that I cannot add my auth server id in the authorize URL via the library, and so I am getting an authorization error when I try to get a custom scope.

Thanks again for your help.

1 Like

Have you tried using the below for discoveryUri?

discoveryUri: 'https://dev-xxxxxxxxx.okta.com/oauth2/ausxxxxxxxxxxxxxxxxxx/.well-known/openid-configuration',

1 Like

Yes, I just tried but I got the same result (“Authorization error”).

After a quick look in the lib source, I noticed this sample of code

  const { origin } = new Url(discoveryUri);

  oktaAuthConfig = {
    ...oktaAuthConfig,
    storageManager: {
      token: {
        storageProvider: storageProvider
      }
    },
    issuer: issuer || origin,
    clientId,
    redirectUri,
    scopes
  };

  authClient = new OktaAuth(oktaAuthConfig);

so maybe that’s why, whatever I put in the discoveryUri, it gets overwritten by the “origin” of the URL.
I also tried the value you suggested for the issuer, but I am getting the same result again.

Thanks again for your time

1 Like
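The snippet quoted above only falls back to the discovery URI's origin when no issuer is set, and `URL.origin` is scheme plus host, so the `/oauth2/{authServerId}` path is dropped. The following is an added illustration (not code from the thread or from the Okta SDK) that models that logic, shows the resulting authorize URL in both cases, and adds the OpenID Connect Discovery check a client should make: the `issuer` in the discovery document must match the issuer you configured. The function names, the `dev-000000` domain and the `ausEXAMPLE` id are constructed for the example.

```javascript
// Added example, not from the thread or the Okta SDK. Sample domain and
// authorization server id are constructed placeholders.

// Mirrors the library logic quoted in the post: fall back to the *origin* of
// the discovery URI when no issuer is given. URL.origin is scheme + host
// (+ port) only, so a /oauth2/{authServerId} path segment is discarded.
function effectiveIssuer(issuer, discoveryUri) {
  const { origin } = new URL(discoveryUri);
  return issuer || origin;
}

// Authorization endpoint derived from an issuer (issuer + /v1/authorize),
// with the usual authorization-code parameters.
function buildAuthorizeUrl(issuer, { clientId, redirectUri, scopes, state }) {
  const url = new URL(`${issuer.replace(/\/$/, '')}/v1/authorize`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', scopes.join(' '));
  url.searchParams.set('state', state);
  return url.toString();
}

// OpenID Connect Discovery requires the document's `issuer` to equal the
// issuer the client expects. A mismatch means the client is bound to the
// wrong server (e.g. the org-level one instead of the custom one) or to a
// document it should not trust, so the client should refuse to proceed.
function discoveryIssuerMatches(discoveryDoc, expectedIssuer) {
  const norm = (u) => u.replace(/\/$/, '');
  return norm(discoveryDoc.issuer) === norm(expectedIssuer);
}

// Constructed discovery document for a custom authorization server.
const SAMPLE_DISCOVERY = {
  issuer: 'https://dev-000000.okta.com/oauth2/ausEXAMPLE',
  authorization_endpoint:
    'https://dev-000000.okta.com/oauth2/ausEXAMPLE/v1/authorize',
};
const DISCOVERY_URI =
  'https://dev-000000.okta.com/oauth2/ausEXAMPLE/.well-known/openid-configuration';

// Case 1: issuer omitted, so the origin wins and the auth server id is lost.
const issuerFromOrigin = effectiveIssuer(undefined, DISCOVERY_URI);
// Case 2: issuer set explicitly, so the id survives into the authorize URL.
const issuerExplicit = effectiveIssuer(SAMPLE_DISCOVERY.issuer, DISCOVERY_URI);
```

Prefer the `authorization_endpoint` from a discovery document whose `issuer` passed the check over a URL assembled by string concatenation.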

Perhaps try to set:
issuer: 'https://{yourOktaDomain}/...',

As per GitHub - okta/okta-signin-widget (HTML/CSS/JS widget that provides out-of-the-box authentication UX for your organization's apps)?

You could add some console logging to test your hypothesis of whether it's being overridden or not.

1 Like