Requesting Authorization Code (PKCE) using Custom Scope : via Authorize endpoint

All,

I am using a custom login page to invoke the OIDC handshake. Basically, I am fetching the session token using authn endpoint and then use OIDC handshake (via PKCE) using that session token.

If I use default scope, everything works as expected and Okta returns the Authorization Code along with State token. I can then use Code Verifier (PKCE), Client ID along with Authorization code to fetch the ID and Access Tokens.

However, if I request custom scopes through OIDC handshake Okta returns error instead of Authorization code. Below is a sample of what I get:

https://mycallbackurl.comcallback.html?state=Af0ifjslDkj&error=invalid_scope&error_description=Custom+scopes+are+not+allowed+for+this+request.

I am failing to understand why Okta would limit custom scopes.

Prework before raising this issue:
Yes, I did double-check that I added a new policy under Access policies (Authorization Servers) to allow that custom scope as part of the response.

After some more hit and try, it seems like even custom claims in default scopes will not show up in the ID or Access Tokens when using this flow. Okta generates those tokens but the claims are missing. This feels weird.

Note: I am using a generic Okta developer account and not the Enterprise Okta Tenant which was provided.

I appreciate any help I can get.

Regards,
Sandeep

Okay, I think I found the problem. Really weird.

I was using “https://mydomain.oktapreview.com/oauth2/v1/authorize?xxxxx” to request the tokens. Interestingly, no matter what I do, Okta does not share those custom claims in the token generated via this endpoint.

As I continued to troubleshoot, I do not know what triggered me to check the default authorization server’s Issuer URI. Seems like there was “default” missing.

The moment I made the change to “https://mydomain.oktapreview.com/oauth2/default/v1/authorize?xxxxx”, custom claims started working.

Hope this helps to anyone who is in same boat as me.


Hi @sr5301

Thank you for providing the solution. When using /oauth2/v1/authorize, the call is sent to the Okta authorization server. If you are using something like /oauth2/{auth_server}/v1/authorize then the request is sent to the custom authorization server.

You can check the value of {auth_server} in Admin under Security >> API >> Authorization Servers >> Issuer column for your authorization server (or API >> Authorization Servers >> Issuer if using the developer interface for the admin panel).

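To make the distinction in this thread concrete, here is an added Python example (not code from the thread, from Okta, or from any Okta SDK). It generates a PKCE verifier and S256 challenge per RFC 7636, builds the authorize URL for either the org authorization server (/oauth2/v1/authorize) or a custom authorization server (/oauth2/{auth_server}/v1/authorize), warns when a non-standard scope is requested from the org server (the situation that produced the invalid_scope redirect above), and parses the callback with a state check. The client ID and redirect URI are placeholders, the scope list it treats as "built-in" is an assumption limited to the standard OIDC scopes plus offline_access, and the sample callback URL is constructed for the example.

```python
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders constructed for this example (not real tenant values).
ORG_URL = "https://mydomain.oktapreview.com"
CLIENT_ID = "0oaPLACEHOLDERCLIENTID"
REDIRECT_URI = "https://mycallbackurl.com/callback.html"

# Assumption: treat only standard OIDC scopes (plus offline_access) as built-in;
# anything else is a custom scope that only a custom authorization server serves.
STANDARD_OIDC_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 chars from the unreserved set.
    32 random bytes, base64url-encoded without padding, yields 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_endpoint(org_url: str, auth_server_id: Optional[str]) -> str:
    """None selects the org authorization server (/oauth2/v1/authorize), which only
    issues Okta's built-in scopes and claims; an id such as 'default' selects a
    custom authorization server (/oauth2/default/v1/authorize), where custom
    scopes and claims are configured."""
    base = org_url.rstrip("/")
    if auth_server_id is None:
        return f"{base}/oauth2/v1/authorize"
    return f"{base}/oauth2/{auth_server_id}/v1/authorize"


def build_authorize_request(org_url: str, auth_server_id: Optional[str], scopes: List[str],
                            state: str, verifier: str,
                            session_token: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (authorize_url, warnings). A warning is raised when custom scopes are
    sent to the org authorization server, which is what the thread's
    error=invalid_scope redirect reports."""
    warnings = []
    custom = sorted(set(scopes) - STANDARD_OIDC_SCOPES)
    if auth_server_id is None and custom:
        warnings.append(
            f"custom scopes {custom} requested from the org authorization server; "
            "expect error=invalid_scope - use /oauth2/<auth_server>/v1/authorize instead"
        )
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge_s256(verifier),
    }
    if session_token:
        # Bridges a session token obtained from the authn endpoint, as in the thread.
        params["sessionToken"] = session_token
    return f"{authorize_endpoint(org_url, auth_server_id)}?{urlencode(params)}", warnings


def parse_callback(redirect_url: str, expected_state: str) -> dict:
    """Parse the redirect back to redirect_uri. The state is checked before the
    code or error is trusted, so a response not bound to this request is discarded."""
    flat = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    if flat.get("state") != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "error" in flat:
        return {"ok": False, "error": flat["error"],
                "error_description": flat.get("error_description", "")}
    return {"ok": True, "code": flat["code"]}


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    # Org authorization server with a custom scope: warns, mirroring the thread.
    url, warns = build_authorize_request(ORG_URL, None, ["openid", "my_custom_scope"], state, verifier)
    print(url, warns)
    # Custom authorization server 'default': no warning.
    url, warns = build_authorize_request(ORG_URL, "default", ["openid", "my_custom_scope"], state, verifier)
    print(url, warns)
```

The verifier is kept client-side and is only sent later to the token endpoint alongside the returned code; the authorize URL carries just the S256 challenge, so an intercepted code cannot be redeemed without it.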

Hi @dragos

Appreciate your explanation. “default” is the default authorization server that comes when we spin up the Okta tenant, and that is what I was using. Nevertheless, here is the interesting part:

https://mydomain.oktapreview.com/oauth2/v1/authorize?xxxxx

The above Authorize endpoint works; it does get me the ID and Access Token. If the above is working for default Scopes and Claims, there was no reason for me to look for the specific Issuer for the default Authorization server.

I think the above behavior should be called out or added in the Okta documentation section, where these endpoints are explained.

With that said, once again I appreciate your response and help.

Thanks
Sandeep

Hi @sr5301

No worries. For developer tenants, the custom authorization server feature (called API Access Management) is enabled by default. In production tenants, this requires a license purchase.

You can find out more details about the difference between the Okta authorization server and custom authorization servers here.