/oauth2/default/v1 or /oauth2/v1

I noticed that even though I have only one authorization server, I can get a token from both endpoints.


I found out that if you take a token from one endpoint and validate it on the other, then it will fail, as it should.
Because my client was taking a token from /oauth2/default/v1/authorize

But the API was validating with /oauth2/v1/introspect

I can make both the client and the API point to the same endpoint, but my question is: why is the other one working (note: I have only one default authorization server)?

Hi Viks,

You technically have 2 authorization servers: your Okta Org is an authorization server (/oauth2/v1/authorize), and you have a custom authorization server named “default” (/oauth2/default/v1/authorize).

You should take a look at this article to see what the differences are between the two:

Hi Warren,
Thanks for the information.

This clears up many doubts, but now I need to figure out how to fix the issue. We have some custom claims needed for API authorization.

We have our setup in prod something like this:
API (using Okta Org - /oauth2/v1/authorize)
Web application using implicit flow (Okta Org - /oauth2/v1/authorize)

So they are working fine as expected but now comes the issue.
We need to add a Native application, and we have to use the Authorization Code grant type.
The ID token we are getting here does not have the custom claims.
How do we make it work?

I don’t see any way to get everything working without changing servers for API and Web application.
Do you have any suggestions?
Thanks again

Hi @viks

When using the Okta org as the authorization server, if both an ID token and an access token are requested, either individually (e.g. response_type=id_token%20token) or through the authorization code flow (e.g. response_type=code), the ID token is minified and the claims are available through a separate request to the /userinfo endpoint.
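The following Python is an added example, not code from Viks, Warren or Okta, that models the two points made in this thread: an API that validates tokens against an issuer other than the one that minted them (the introspection failure in the opening post), and reading claims from /v1/userinfo when the org server returns a minimal ID token alongside an access token (the last reply). The org URL dev-123456.okta.com, the client credentials, and the fake HTTP layer used by demo() are assumptions constructed so the block runs offline. One detail it encodes that is easy to get wrong: the org server's issuer is the bare org URL but its endpoints live under /oauth2/v1, whereas the custom server's endpoints sit directly under its issuer URL (/oauth2/default/v1).

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Hypothetical Okta org (assumption, replace with your own). The org server and the
# custom server named "default" are two distinct issuers with their own signing keys.
ORG_ISSUER = "https://dev-123456.okta.com"
DEFAULT_ISSUER = "https://dev-123456.okta.com/oauth2/default"

# Endpoint base per issuer: the org server's endpoints are under /oauth2/v1, the
# custom server's are directly under its issuer URL.
ENDPOINT_BASE = {ORG_ISSUER: f"{ORG_ISSUER}/oauth2", DEFAULT_ISSUER: DEFAULT_ISSUER}

HttpFn = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict]


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unverified_claims(token: str) -> Dict:
    """Decode the JWT payload without checking the signature. Used only to decide
    which server to ask; nothing here is trusted until that server confirms it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def _real_http(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Dict:
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def introspect(token: str, api_issuer: str, client_id: str, client_secret: str,
               http: HttpFn = _real_http) -> Dict:
    """Validate an access token against the issuer this API is configured for.
    A token minted by the other server is rejected locally on its 'iss' claim,
    which is the outcome the introspection endpoint would return anyway (active=false)."""
    iss = unverified_claims(token).get("iss")
    if iss != api_issuer:
        return {"active": False, "reason": f"issued by {iss}, API trusts {api_issuer}"}
    auth = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {auth}", "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    return http("POST", f"{ENDPOINT_BASE[api_issuer]}/v1/introspect", headers, body)


def claims_with_userinfo(id_token: str, access_token: str, issuer: str,
                         http: HttpFn = _real_http) -> Dict:
    """Org-server ID tokens issued together with an access token carry only the
    basic claims; the remaining ones are read from /v1/userinfo with the access token."""
    claims = unverified_claims(id_token)
    if claims.get("iss") != issuer:
        raise ValueError("ID token issuer does not match the expected issuer")
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    extra = http("GET", f"{ENDPOINT_BASE[issuer]}/v1/userinfo", headers, None)
    return {**claims, **extra}


def make_unsigned_token(claims: Dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def demo() -> Dict[str, bool]:
    """Reproduce the thread's symptom offline: the API is pinned to the org server
    (/oauth2/v1/introspect) while one client fetched its token from /oauth2/default."""
    def fake_http(method, url, headers, body):  # constructed stand-in for both servers
        if url.endswith("/v1/userinfo"):
            return {"groups": ["api-users"], "email": "viks@example.com"}
        return {"active": True}  # only reached once the issuer already matched

    from_default = make_unsigned_token({"iss": DEFAULT_ISSUER, "sub": "viks", "scp": ["api"]})
    from_org = make_unsigned_token({"iss": ORG_ISSUER, "sub": "viks", "scp": ["api"]})
    return {
        "default_token_on_org_api": introspect(from_default, ORG_ISSUER, "cid", "secret", fake_http)["active"],
        "org_token_on_org_api": introspect(from_org, ORG_ISSUER, "cid", "secret", fake_http)["active"],
    }


if __name__ == "__main__":
    print(demo())
```

The unverified decode is only for routing and early rejection; an API must still rely on the introspection response or verify the JWT signature against the JWKS of the one issuer it trusts, because the two servers sign with different keys and a token from one is never valid at the other.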