I am using a custom login page to invoke the OIDC handshake. Basically, I am fetching the session token using the authn endpoint and then using the OIDC handshake (via PKCE) with that session token.
If I use default scope, everything works as expected and Okta returns the Authorization Code along with State token. I can then use Code Verifier (PKCE), Client ID along with Authorization code to fetch the ID and Access Tokens.
However, if I request custom scopes through the OIDC handshake, Okta returns an error instead of the Authorization Code. Below is a sample of what I get:
I am failing to understand why Okta would limit custom scopes.
Prework before raising this issue:
Yes, I did double-check that I added a new policy under Access policies (Authorization Servers) to allow that custom scope as part of the response.
After some more trial and error, it seems like even custom claims in default scopes will not show up in the ID or Access Tokens when using this flow. Okta generates those tokens, but the claims are missing. This feels weird.
Note: I am using a generic Okta developer account and not the Enterprise Okta Tenant which was provided.
I appreciate any help I can get.
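For readers following the same flow, here is an added example in Python (not code from the original post or from Okta) of the client side of the exchange described above: the PKCE verifier/challenge pair, the /authorize request carrying the sessionToken from the authn call and a custom scope, and a callback parser that checks the state and distinguishes an Authorization Code from an error response. The issuer, client ID, redirect URI and the scope name custom:read are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
# Placeholders (hypothetical): replace with your Okta org, app and scope values.
ISSUER = "https://example.okta.com/oauth2/default"   # custom authorization server
CLIENT_ID = "0oaEXAMPLECLIENTID"
REDIRECT_URI = "https://app.example.com/login/callback"
SCOPES = ["openid", "profile", "custom:read"]        # custom:read must exist on that server

def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()  # 43 chars
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

def verify_challenge(verifier, challenge):  # the check the server performs at /token
    return hmac.compare_digest(make_pkce_pair(verifier)[1], challenge)

def build_authorize_url(session_token, state, nonce, challenge, scopes=SCOPES):
    """The /authorize request the custom login page redirects to after the authn call."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "sessionToken": session_token,   # single-use token from the authn endpoint
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"

def parse_callback(redirect_url, expected_state):
    """Read the redirect back: verify state first, then return either the code or Okta's error."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "error" in q:
        return {"error": q["error"], "error_description": q.get("error_description", "")}
    return {"code": q["code"]}

def build_token_request(code, verifier):  # form body for POST {ISSUER}/v1/token
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "code": code, "code_verifier": verifier}
```

If the callback carries an error rather than a code, logging error and error_description from parse_callback is the quickest way to see which scope or policy Okta rejected.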