Private_key_jwt: The audience claim for client_assertion must be the endpoint invoked for the request

The documentation for the aud field of the JWT used in the private_key_jwt authentication mode lists https://${yourOktaDomain}/oauth2/default/v1/token. Any value other than a precise issuer URI + endpoint seems to result in the error included in the title. Are there other valid possibilities here? I would prefer to specify my authorization server’s audience as the audience to be provided on the JWT, rather than the token endpoint on the issuer URI. I’d prefer to not have to distribute the knowledge of the precise AZ issuer URI to all consumers.

@casba Did you try to create a custom server?
Under Security -> API, do you see the authorization server tab?

Hi, quite old thread, but yes I can see that. We’re using a custom authorization server. To recap my question, it seems that the jwt-assertion requires the aud claim on the jwt to be the issuer of the authorization server. I was hoping that other values of aud would be supported, for example the audience that we configure for that authorization server (visible on the authorization server tab you mention).
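
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Okta's code: it signs a `private_key_jwt` client assertion with the RFC 7523 claims and runs a simplified audience check that rejects any `aud` other than the endpoint invoked. The domain, client ID, the `api://default` audience and all function names are constructed assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed values (assumptions, not taken from the thread).
const ISSUER = 'https://example.okta.com/oauth2/default';
const TOKEN_ENDPOINT = `${ISSUER}/v1/token`; // issuer URI + endpoint
const CLIENT_ID = '0oaEXAMPLECLIENTID';
const AUD_ERROR =
  'The audience claim for client_assertion must be the endpoint invoked for the request';

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Client side: build and sign (RS256) the client_assertion.
function buildClientAssertion(privateKey, aud, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: CLIENT_ID, sub: CLIENT_ID, aud,
    iat: now, exp: now + 300, jti: crypto.randomUUID(),
  };
  const signingInput = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Server side (simplified model): verify the signature, then require that
// aud is exactly the endpoint the request was sent to.
function checkClientAssertion(jwt, publicKey, invokedEndpoint) {
  const [h, c, s] = jwt.split('.');
  const sigOk = crypto.verify('sha256', Buffer.from(`${h}.${c}`), publicKey,
    Buffer.from(s, 'base64url'));
  if (!sigOk) return { valid: false, error: 'invalid signature' };
  const claims = JSON.parse(Buffer.from(c, 'base64url').toString('utf8'));
  if (claims.aud !== invokedEndpoint) return { valid: false, error: AUD_ERROR };
  if (claims.exp <= Math.floor(Date.now() / 1000)) return { valid: false, error: 'expired' };
  return { valid: true, claims };
}

// Same key, two assertions: aud = token endpoint vs. aud = the API audience.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const withEndpoint = buildClientAssertion(privateKey, TOKEN_ENDPOINT);
  const withApiAudience = buildClientAssertion(privateKey, 'api://default');
  return {
    endpointAud: checkClientAssertion(withEndpoint, publicKey, TOKEN_ENDPOINT),
    apiAud: checkClientAssertion(withApiAudience, publicKey, TOKEN_ENDPOINT),
  };
}
```

Binding `aud` to the invoked endpoint means an assertion captured in transit to one endpoint cannot be presented at a different one.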