Invalid signature in Access and Id Token

Thanks for this information, I still need to draw a couple lines here, but I think I see what has happened. If I’m incorrect let me know.

I think your org is an IT Product SKU or you are on an IT Product Trial that was created before 2017-07. Okta did some heavy surgery and some product modifications so we could have a better onboarding experience for API Access Management (The part of the product that provides OAuth 2.0). Unfortunately, there wasn’t a good way for Okta to move existing customers over to the new model (with the default authorization server) without breaking backward compatibility. This is probably way too much information, but I just wanted to let you know what is going on.

For you, in particular, you need to get the issuer for your API Access Management authorization server, which can be found in Security -> API -> Authorization Servers:

That is the issuer you should use on both your client and server.

The current issuer for your ID Token and Access Token is using the Okta Org Authorization Server, which will generate an Access Token that can’t be validated by your server (it is meant for the Okta API endpoints).

Let me know if this is correct and if this resolves this for you.

Thanks,
Tom

3 Likes
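As an added illustration of the issuer mismatch described in the answer above (example code, not part of the original post or of Okta's SDKs), the check below inspects a token's `iss` claim and reports whether it came from the expected custom authorization server or from the Okta Org Authorization Server. The org URL and issuer values are constructed placeholders.

```python
import base64
import json

# Constructed placeholder values (not from the original post): an Okta org URL
# and the issuer of a custom (API Access Management) authorization server.
ORG_URL = "https://example.okta.com"
CUSTOM_AS_ISSUER = "https://example.okta.com/oauth2/default"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_test_jwt(claims: dict) -> str:
    """Build a constructed JWT with a dummy signature, only to exercise the check."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "test"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def check_issuer(token: str, expected_issuer: str, org_url: str) -> str:
    """Classify a token by its 'iss' claim before any signature verification.

    This inspects claims only; real validation must still verify the signature
    against the issuer's JWKS and check 'aud', 'exp' and the other claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    claims = json.loads(_b64url_decode(parts[1]))
    iss = claims.get("iss")
    if iss == expected_issuer:
        return "ok"
    if iss == org_url:
        # Issued by the Org Authorization Server: meant for Okta's own API
        # endpoints, so the resource server cannot validate it. The fix is to
        # point both client and server at the custom authorization server issuer.
        return "org-authorization-server"
    return "unexpected-issuer"
```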