Hi,
I am attempting to implement a client credentials flow, using Okta as idp.
In kong, I set config.issuer configuration to:
https://dev-xxxxxx.okta.com/oauth2/xxxxxx/.well-known/oauth-authorization-server
The returned token has an issuer which is a subset of this URL/:
https://dev-xxxxxx.okta.com/oauth2/xxxxxx
Kong then fails because it expects them to be the same:
2019/11/05 13:40:29 [notice] 23118#0: *1430947 [lua] handler.ljbc:0: [openid-connect] invalid issuer (https://dev-xxxxxx.okta.com/oauth2/xxxxxx) was specified for access token, https://dev-xxxxxx.okta.com/oauth2/xxxxxx/.well-known/oauth-authorization-serverwas expected, client: 216.172.64.18, server: kong, request: “GET /posts HTTP/1.1”, host: “ec2-3-228-156-158.compute-1.amazonaws.com:8443”
I think it should just be checking that the issuer returned is a subset of the specified issuer endpoint … ??
Please advise,
Thx
Dave