I’m creating a REST API which is secured by a token issued by an Okta Authorization server.
When I retrieve the token from the “default” Authorization server, everything works.
I’ve created a second Authorization server (named “authServer2”). I’m able to use Postman to retrieve the token, and able to call the /introspect endpoint to verify the token is active.
However, when I attempt to pass this token in the header to my REST call, I get a 401 each time.
I’ve tried setting the AuthorizationServerId in the UseOktaWebApi call to both the name (authServer2) and the auth server ID I retrieved from the api/v1/authorizationServers endpoint (ausj69cno3wN4DWH20h7), but my API refuses to authorize using this Authorization server.
I have also set up a pretty wide open Access Policy and Rule which I believe are the same as what is set up in my default Authorization Server.
I’m a relative newbie to Okta in general, so I may have missed something, but I’m surprised I cannot seem to find a way to direct my API to verify the token against the Authorization Server that I choose.