I can get a token from both endpoints:
/oauth2/v1/authorize
oauth2/default/v1/authorize
How?
I found out that if you take a token from one endpoint and validate it on the other, then it will fail, as it should.
Because my client was taking the token from oauth2/default/v1/authorize
But the API was validating with /oauth2/v1/introspect
I can make both the client and the API point to the same endpoint, but my question is why the other one works (note: I have only one default authorization server)?
You technically have two authorization servers: your Okta Org is an authorization server (/oauth2/v1/authorize), and you have a custom authorization server named “default” (oauth2/default/v1/authorize).
This clears up many doubts, but now I need to figure out how to fix the issue. We have some custom claims needed for API authorization.
We have our setup in prod something like this:
API (using Okta Org - /oauth2/v1/authorize)
Web application using implicit flow (Okta Org - /oauth2/v1/authorize)
So they are working fine as expected, but now comes the issue.
We need to add a Native application and we have to use the Authorization code grant type.
The id_token we are getting here does not have the custom claims.
How do we make it work?
I don’t see any way to get everything working without changing servers for API and Web application.
Do you have any suggestions?
Thanks again
When using the Okta org as the authorization server, if both an ID token and an access token are requested, either individually (e.g. response_type=id_token%20token) or through the authorization code flow (e.g. response_type=code), the ID token is minified and the claims are available through a separate request to the /userinfo endpoint.
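As an added illustration of the two points made in this thread (a token only validates at the introspect endpoint of the server that issued it, and a minified ID token from the org server needs /userinfo for extra claims), here is example code that is not from the original posters or from Okta. It assumes a hypothetical org `example.okta.com`, builds constructed unsigned JWTs offline, and uses only the `iss` claim to choose the endpoint; it does not verify signatures.

```python
import base64
import json

# Constructed Okta-style issuers for a hypothetical org "example.okta.com".
ORG_ISSUER = "https://example.okta.com"                     # Okta org authorization server
DEFAULT_ISSUER = "https://example.okta.com/oauth2/default"  # custom server named "default"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Constructed alg=none JWT for the offline demo only; never accept alg=none in production."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."

def jwt_claims(token: str) -> dict:
    """Read the payload without verifying the signature; used only to pick the
    issuing server. Trust comes from that server's introspection/JWKS response."""
    _header, payload, _signature = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)   # JWTs strip base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def introspection_endpoint(token: str) -> str:
    """Introspect endpoint of the server that minted the token, derived from `iss`:
    org server  iss=https://{org}             -> {iss}/oauth2/v1/introspect
    custom AS   iss=https://{org}/oauth2/{id}  -> {iss}/v1/introspect"""
    iss = jwt_claims(token)["iss"].rstrip("/")
    return f"{iss}/v1/introspect" if "/oauth2/" in iss else f"{iss}/oauth2/v1/introspect"

def endpoint_matches(token: str, configured_introspect_url: str) -> bool:
    """False when the API validates at the other server's endpoint (the mismatch in the thread)."""
    return introspection_endpoint(token) == configured_introspect_url.rstrip("/")

def claim_source(id_token: str, claim: str, userinfo: dict) -> tuple:
    """Where a claim is readable: the ID token itself, or the parsed /userinfo
    response when the org server issued a minified ID token."""
    claims = jwt_claims(id_token)
    if claim in claims:
        return "id_token", claims[claim]
    if claim in userinfo:
        return "userinfo", userinfo[claim]
    raise KeyError(f"claim {claim!r} missing from both ID token and userinfo")

# Constructed sample tokens and a constructed /userinfo response.
ORG_ID_TOKEN = make_unsigned_jwt({"iss": ORG_ISSUER, "sub": "u1", "aud": "web-app"})
DEFAULT_ID_TOKEN = make_unsigned_jwt({"iss": DEFAULT_ISSUER, "sub": "u1", "groups": ["api-users"]})
USERINFO = {"sub": "u1", "groups": ["api-users"]}
```

In a real API the `iss` routing should be combined with an allow-list of expected issuers, so a token from an unexpected server is rejected before any introspection call is made.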