I noticed in my testing that when I request the scope okta.users.read.self
using the same OIDC app in Okta, reading the profile works fine with the default Okta API server.
When switching to a custom authorization server, leaving everything else unchanged, the request fails, saying that the requested scope is not configured for the (custom) authorization server.
Now, normally there is freedom to configure scopes on the custom auth server, but it is not allowed to define a scope that contains the restricted word Okta, so there is no way for me to expose an Okta scope in the custom auth server.
Is it the case that a custom authorization server does not support Okta built-in scopes?
127.0.0.1 - - [09/Nov/2020 12:17:13] "GET /login HTTP/1.1" 302 -
{"state": "wr1c5sMw0gzQxRpt", "error": "invalid_scope", "error_description": "One or more scopes are not configured for the authorization server resource."}
127.0.0.1 - - [09/Nov/2020 12:17:14] "GET /redirect_uri?state=wr1c5sMw0gzQxRpt&error=invalid_scope&error_description=One+or+more+scopes+are+not+configured+for+the+authorization+server+resource. HTTP/1.1" 200 -