When users try to access a Single-Page Application (SPA) after authenticating with Okta, they might see the following error:

AuthSdkError: The issuer [DOMAIN] does not match [CUSTOM DOMAIN]

This happens when the application expects a specific issuer URL, but Okta provides a different one during the authentication process.

• OpenID Connect(OIDC) application
• Single Page Application

This error occurs due to a mismatch between the issuer URL that the application expects and the issuer URL provided by Okta during the authentication flow.

The solution depends on the authorization server used.

Org Authorization Server

1. Log in to the Okta Admin Console.

2. Go to Applications > Applications tab and select the configured application.

3. Navigate to the Sign on tab.

4. Find the Issuer setting.

5. Change the Issuer setting from the static Okta URL to Dynamic (based on request domain).

6. Save the changes.

Custom Authorization Server

1. Log in to the Okta Admin Console.

2. Go to Security > API > Authorization Servers tab and select the authorization server that the application uses.

3. Navigate to the Settings tab.

4. Find the Issuer setting.

5. Change the Issuer setting from the static Okta URL to Dynamic (based on request domain).

6. Save the changes.

Related References

• Authorization Servers
• Auth JS 
• Issuer URL