How to make 'issuer' match between OIDC app and default Authorization server?

Greetings,

Hoping someone can help, trying to set up SSO with an OIDC App, and running into an issue because the ‘issuer’ is not matching. I’m sure there must be a simple way to tweak this but have not found out how yet.

The issue is that the ‘default’ authorization server has an issuer like:

https://dev-9464637.okta.com/oauth2/default

Then the OIDC App I created has an issuer like:

https://dev-9464637.okta.com

When I debug my SSO flow it is eventually rejected due to a mismatching issuer.

I don’t see any way to select or tweak things to make these match. I cannot manually enter the issuer but have to select from a drop-down that has only two options, either the issuer pasted above, or the “dynamic (based on domain)” option.

So how can I tweak the app/authorization server to make the issuer match please?

Make sure your OIDC application is using the “Default” Authorization Server as the issuer (usually via an issuer setting, that’s how Okta’s SDKs work).

Do you have control over how this application is making its /authorize requests?

Thank you for your reply.

How does one select the authorization server the OIDC application is using?

Is there a specific selection somewhere or is this just the uri values one is using? (Do not see on the UI where one would select this…)

I am using /oauth2/default for all my uri configs.

I don’t have control of how the /authorize req is made, but can define the uri of it.

It’s based on the URLs the application is using. There shouldn’t be anything you need to do in the Okta admin UI.

If you want the app to use the default server, make sure to give it the endpoints found here: https://dev-9464637.okta.com/oauth2/default/.well-known/openid-configuration
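
An added example, not part of the thread and not Okta's code: a Python check that compares a relying party's settings against the default authorization server's discovery document and shows why a token it issues is rejected when the issuer is set to the org URL. The discovery values, `CLIENT_CONFIG` and the sample token are constructed for illustration, and all function names are hypothetical.

```python
import base64
import json

# Constructed copy of the default authorization server's discovery document,
# trimmed to the fields checked here (a live check would fetch the discovery URL).
DISCOVERY = {
    "issuer": "https://dev-9464637.okta.com/oauth2/default",
    "authorization_endpoint": "https://dev-9464637.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-9464637.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://dev-9464637.okta.com/oauth2/default/v1/keys",
}
# Hypothetical relying-party settings: default-server endpoints, org-level issuer.
CLIENT_CONFIG = dict(DISCOVERY, issuer="https://dev-9464637.okta.com")

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(iss):
    """Build a constructed token with a placeholder signature (sample data only)."""
    return ".".join([_b64({"alg": "RS256"}), _b64({"iss": iss, "sub": "constructed-user"}), "c2ln"])

def unverified_iss(jwt):
    """Read the iss claim WITHOUT verifying the signature. Diagnostics only."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("iss")

def config_problems(config, discovery):
    """List every setting that differs from the discovery document (exact match)."""
    keys = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    return [f"{k}: configured {config.get(k)!r}, server publishes {discovery[k]!r}"
            for k in keys if config.get(k) != discovery[k]]

def token_accepted(jwt, config):
    """OIDC requires iss to equal the configured issuer exactly, path included."""
    return unverified_iss(jwt) == config["issuer"]

if __name__ == "__main__":
    token = make_sample_token(DISCOVERY["issuer"])
    print(config_problems(CLIENT_CONFIG, DISCOVERY))
    print("accepted with mixed config:", token_accepted(token, CLIENT_CONFIG))
    print("accepted with matching config:", token_accepted(token, DISCOVERY))
```

The issuer comparison here is a diagnostic; a real relying party still has to verify the token signature against the keys published at `jwks_uri`.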