Hello,
When creating a new custom authorization server by default it will not contain any policies/rules, therefore no applications in Okta will be able to make use of it.
The preconfigured scopes for a new Okta Authorization Server assume there is a user context associated with the flow which will not be the case with Client Credentials (machie-to-machine). In most cases API services that accept tokens minted with a Client Credentials flow would be expecting custom scope(s) of some type that dictate the access that token has for the service.
- OAuth for Okta is using OAuth (Client Credentials or Authorization flow) in order to call Okta API endpoints with a bearer token instead of using an API Token.
- The Client Credentials flow (using a custom authorization server) is intended to mint tokens that can be consumed by your own API Services.
Thank You,