The issuer [DOMAIN] does not match [CUSTOM_DOMAIN]

Hi there,

I’m trying to set up an application to work with Okta and I bumped into an issue with respect to Custom Domains. This is what I’ve done so far:

  • set up a custom domain for my organization
  • set the authorization server’s issuer URI to point to the custom domain
  • set the frontend Okta config to use the custom domain for the URI

When I go to my frontend, I correctly get redirected to the custom domain to log in. Once I complete the login, I get redirected back to the frontend, but I get an exception stating something along the lines of “The issuer [DOMAIN] does not match [CUSTOM_DOMAIN]”, where DOMAIN is the original organization URL and CUSTOM_DOMAIN is the custom domain I set up.

Please let me know what I should do here. This feels like it’s a bug. If it’s not, I apologize; please move the topic accordingly.

Thank you in advance!

Andrei

Hi @andrei,

Could you please provide me more details? What stack are you using?

Hi @andrei, did this ever resolve for you?

I just added a custom domain to my organization and frontend Okta config and am getting the same error. I am using a React SPA with the okta-react npm package and the Okta Sign-In Widget.

The error is occurring when I am redirected back to implicit callback. The auth flow was working perfectly well before I enabled a custom domain and I’ve made sure that I am using the same custom domain throughout my frontend configuration. Any ideas @laura.rodriguez or others?

OK, I figured this out. I had just assumed we could replace the old issuer: {dev-xxx}/oauth2/default with something like: {mycustomurl}/oauth2/default

I didn’t realize that I had to create a new authorization server for my custom domain and use that as the issuer in my frontend. Once I did that and set my settings, all worked fine.

Sorry for the post, hope this helps someone 🙂


By new authorization server, do you mean a whole new ‘application’ in Okta?
Edit: sorry, should have done my due diligence before posting.
API –> Authorization Servers
Can just update settings there.
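
The issuer check that fails in this thread, as an added diagnostic example that is not part of any post and is not okta-react or Okta code: it decodes an ID token's `iss` claim and compares it with the issuer the frontend is configured with. The domains and the token are constructed placeholders, and `decodeClaims`, `diagnoseIssuer` and `makeSampleToken` are hypothetical helper names.

```javascript
// Added diagnostic sketch: not okta-react / okta-auth-js code.
// Decodes claims WITHOUT verifying the signature, so use it only to debug
// configuration, never to decide whether a token is trustworthy.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// OIDC clients require the iss claim to equal the expected issuer exactly.
function diagnoseIssuer(idToken, configuredIssuer) {
  const { iss } = decodeClaims(idToken);
  if (typeof iss !== "string") return { ok: false, reason: "token has no iss claim" };
  if (iss === configuredIssuer) return { ok: true, iss };

  const tokenUrl = new URL(iss);
  const configUrl = new URL(configuredIssuer);
  let reason;
  if (tokenUrl.host !== configUrl.host && tokenUrl.pathname === configUrl.pathname) {
    // The situation in this thread: frontend uses the custom domain,
    // but the authorization server still stamps tokens with the org URL.
    reason = "same authorization server path, different host: check the issuer set on the authorization server";
  } else if (tokenUrl.host === configUrl.host) {
    reason = "same host, different path: the frontend points at a different authorization server";
  } else {
    reason = "host and path both differ";
  }
  return { ok: false, iss, expected: configuredIssuer, reason };
}

// Constructed sample token: placeholder domains, dummy signature segment.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.c2lnbmF0dXJl`;
}

const sample = makeSampleToken({
  iss: "https://org.example.com/oauth2/default", // constructed "original org URL"
  aud: "api://default",
});
// Frontend configured with the constructed custom domain:
console.log(diagnoseIssuer(sample, "https://login.example.com/oauth2/default"));
```

The comparison is an exact string match, so a trailing slash or a different authorization server ID in the path is reported as a mismatch as well.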
