I’m new to Okta. I’m demoing the Java Servlet example and am getting the following error when my Servlet Filter calls out to Okta. This is using a token generated by the oidcdebugger.com app.
Expected iss claim to be: https://dev-999999999.okta.com/oauth2/default, but was: https://dev-99999999.okta.com.
I noticed in the admin panel that the App I created has the https://dev-99999999.okta.com listed under issuer. This is showing up in the iss field of the JWT.
If you navigate to API > Security, do you see a default authorization server in there? If so, that’s a custom authorization server. You can read more about the difference between them at Authorization Servers | Okta Developer.
Your Java Servlet sounds like it is configured correctly, but the token you are sending to it was not issued by the same authorization server, which in this case is the custom authorization server called “Default.”
If you’re using the OIDC Debugger tool, can you ensure that the authorize URL you are providing starts with https://dev-999999999.okta.com/oauth2/default instead of https://dev-999999999.okta.com?
You need to use one of the Custom Authorization Servers found under Security → API → Authorization Servers, otherwise your Java Servlet will not be able to validate the tokens. This means both the front end/client requesting the token and the Java Servlet must be referencing the same custom Authorization Server.
If you use a Web app (with Implicit → Access Token enabled in your Allowed Grant Types) to request an access token, as in my screenshot below, does OIDC Debugger work?
With a token issued with those settings, and with your Java Servlet configured with the issuer as https://dev-999999999.okta.com/oauth2/default, I expect this to work. If you’re still having issues with the OIDC Debugger tool, you may prefer trying to walk through the flow yourself by following our guides.
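The mismatch described in this thread (a token whose `iss` is the bare org domain, while the servlet expects the `/oauth2/default` custom authorization server) is easy to diagnose by reading the token's unverified claims before worrying about signatures or keys. The following is an added example, not code from the thread or from Okta's Java Servlet sample; it is written in Python as a stand-alone diagnostic, the org domain `dev-00000000.okta.com` is a constructed placeholder, and the token it builds carries a dummy signature so that it can run offline. It only reports which authorization server minted the token and why the resource server rejects it; it is not a substitute for full JWT validation (signature, `aud`, `exp`), which the servlet's verifier still has to do.

```python
import base64
import json

# Constructed sample values (not from the forum thread): an Okta-style org
# domain and the issuer of its "default" custom authorization server.
ORG_ISSUER = "https://dev-00000000.okta.com"
CUSTOM_AS_ISSUER = ORG_ISSUER + "/oauth2/default"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unverified_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT checking its signature.

    Diagnostic helper only: it answers "which server minted this token?" and
    must never be used in place of signature, audience and expiry validation.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_issuer(token: str, expected_issuer: str) -> dict:
    """Compare the token's iss claim with the issuer the resource server expects.

    Returns the two values plus a verdict naming the most likely cause of a
    mismatch in an Okta deployment: the org authorization server issues tokens
    with iss = https://<org>.okta.com, a custom authorization server with
    iss = https://<org>.okta.com/oauth2/<server-id>.
    """
    iss = unverified_claims(token).get("iss")
    exp = expected_issuer.rstrip("/")
    result = {"token_iss": iss, "expected_iss": exp}
    if iss is None:
        result["verdict"] = "token has no iss claim"
        return result
    iss = iss.rstrip("/")
    if iss == exp:
        result["verdict"] = ("issuer matches; if validation still fails, check "
                             "the signing keys, audience and expiry")
    elif "/oauth2/" in exp and iss == exp.split("/oauth2/")[0]:
        result["verdict"] = ("token was minted by the org authorization server; "
                             "request it from the custom authorization server "
                             "(authorize URL under " + exp + ")")
    elif "/oauth2/" in iss and iss.split("/oauth2/")[0] == exp:
        result["verdict"] = ("token was minted by a custom authorization server "
                             "but the resource server is configured with the org "
                             "issuer; point both sides at the same custom server")
    else:
        result["verdict"] = ("issuer mismatch: client and resource server are "
                             "using different authorization servers")
    return result


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT for demonstration. The signature segment is a
    dummy value, so this token is only good for reading claims, never for
    authenticating anything."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _b64url_encode(b"not-a-real-signature")
    return f"{header}.{payload}.{signature}"


if __name__ == "__main__":
    # Reproduce the thread's situation: OIDC Debugger pointed at the org
    # authorize endpoint, servlet expecting the /oauth2/default issuer.
    token = make_sample_token({"iss": ORG_ISSUER, "sub": "demo-user", "aud": "api://default"})
    print(json.dumps(diagnose_issuer(token, CUSTOM_AS_ISSUER), indent=2))
```

Running the block against a real token from OIDC Debugger is a matter of pasting it in place of the constructed one; the verdict tells you which side of the flow (the authorize URL given to the client, or the issuer configured in the servlet) needs to change so both reference the same custom authorization server.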