Okta built-in scopes not available for custom authorization servers?

I noticed in my testing that when I request the scope okta.users.read.self using the same OIDC app in Okta, reading the profile works fine with the default Okta API server.

When switching to a custom authorization server, leaving everything else unchanged, the request fails, saying that the requested scope is not configured for the (custom) authorization server.
Now, normally there is freedom to configure scopes on the custom auth server, but it is not allowed to define a scope that contains the restricted word Okta, so there is no way for me to expose an Okta scope in the custom auth server.

Is it the case that a custom authorization server does not support Okta built-in scopes?

127.0.0.1 - - [09/Nov/2020 12:17:13] "GET /login HTTP/1.1" 302 -
{"state": "wr1c5sMw0gzQxRpt", "error": "invalid_scope", "error_description": "One or more scopes are not configured for the authorization server resource."}
127.0.0.1 - - [09/Nov/2020 12:17:14] "GET /redirect_uri?state=wr1c5sMw0gzQxRpt&error=invalid_scope&error_description=One+or+more+scopes+are+not+configured+for+the+authorization+server+resource. HTTP/1.1" 200 -

Yes, those are for the default authZ server only.

Like @phi1ipp said, Custom AS does not support the OAuth for Okta API scopes, as noted in our documentation:

Only the Org Authorization Server can mint access tokens that contain Okta API scopes.
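
A pre-flight check for the situation in this thread, added here as an example that is not part of the original posts or Okta's own code: it flags `okta.*` scopes requested from a custom authorization server before the redirect, and parses the `invalid_scope` callback shown in the question's log. The issuer URL layout and the `example.okta.com` domain are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption (Okta's URL convention, not stated in the thread): a custom
# authorization server's issuer ends in /oauth2/<serverId> (including
# /oauth2/default); the Org Authorization Server's issuer is the bare domain.
def is_custom_authorization_server(issuer):
    parts = [p for p in urlsplit(issuer).path.split("/") if p]
    # /oauth2/v1 is the Org server's endpoint prefix, not a server id.
    return len(parts) == 2 and parts[0] == "oauth2" and parts[1] != "v1"

def unsupported_scopes(issuer, scopes):
    """Return requested Okta API scopes that this issuer cannot mint."""
    if not is_custom_authorization_server(issuer):
        return []
    return [s for s in scopes if s.startswith("okta.")]

def check_scopes(issuer, scopes):
    """Fail before the redirect instead of after an invalid_scope round trip."""
    bad = unsupported_scopes(issuer, scopes)
    if bad:
        raise ValueError(
            f"{issuer} is a custom authorization server; it cannot issue "
            f"{', '.join(bad)}. Use the Org Authorization Server for these."
        )

def parse_callback_error(callback_url):
    """Extract the OAuth error parameters from a redirect_uri callback."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" not in query:
        return None
    return {k: query.get(k, [""])[0]
            for k in ("state", "error", "error_description")}

# Callback path copied from the log in the question.
LOGGED_CALLBACK = (
    "/redirect_uri?state=wr1c5sMw0gzQxRpt&error=invalid_scope"
    "&error_description=One+or+more+scopes+are+not+configured"
    "+for+the+authorization+server+resource."
)
# Constructed issuers; example.okta.com is a placeholder domain.
ORG_ISSUER = "https://example.okta.com"
CUSTOM_ISSUER = "https://example.okta.com/oauth2/default"

if __name__ == "__main__":
    requested = ["openid", "profile", "okta.users.read.self"]
    print(unsupported_scopes(ORG_ISSUER, requested))
    print(unsupported_scopes(CUSTOM_ISSUER, requested))
    print(parse_callback_error(LOGGED_CALLBACK))
```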
