Okta Classic Engine · Integrations · Answered · Posted 2023-10-04, last updated 2025-09-13
Access token key not returned by /oauth2/v1/keys

Hello!

I was developing a login for our internal SPA using Okta. To do that, I created a dev account to start with while our IT team was configuring the Okta application.

I used `https://dev-{blabla}.okta.com/oauth2/default` as the issuer and set up the frontend using `@okta/okta-auth-js:7.4.2` and the backend in Go with `github.com/okta/okta-jwt-verifier-golang v1.3.1`. Everything was working well: the login starts with `authClient.getWithRedirect(...)`, I was receiving the `access_token` and the `id_token`, then taking the access token and sending it to the backend as a Bearer token, and the backend, properly configured with the same issuer and client ID, was using the `oktaVerifier.VerifyAccessToken` method, which was succeeding. So, in summary, everything was working well...

Then the IT team finally created the Okta application, so I set the issuer to our `https://{company}.okta.com/oauth2/default` and set the proper client ID. I soon realised that the issuer should be set to `https://{company}.okta.com`, as the frontend redirect was not working; after I changed it, the redirect was working, but I was receiving an authorization error in my backend. I checked the internals of the library and realised that the access token is compared against two keys retrieved from `/oauth2/v1/keys`, and neither of those has the same key ID as the access token's `kid`. Meanwhile, the ID token returned by the same redirect has a `kid` matching one of the key IDs, but I read that the ID token should not be used in the backend in any case.

I can assure you that the client ID and the issuer are set correctly and match in both applications, but I cannot explain why the access token can no longer be validated in the backend. Any help on this 🙏?


This question is closed.
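The check the poster describes doing by hand, decoding the token header to read its `kid` and comparing it against the key IDs published at the issuer's `/v1/keys` endpoint, is the first thing worth automating when a verifier rejects a token. The Go program below is an added example, not code from the original post or from `okta-jwt-verifier-golang`. It embeds a constructed JWKS document and constructed token headers (the `kid` values, payload and signature are placeholders, no network access is made) and reports whether a given token's signing key is present in the set. It also treats a token that is not a three-segment compact JWS, or has no `kid`, as unverifiable by JWKS at all. One Okta behaviour worth knowing when reading the result: access tokens minted by the org authorization server (issuer `https://{org}.okta.com`) are meant for Okta's own APIs and are not verifiable by a third-party resource server, whereas tokens from a custom authorization server (`/oauth2/default`) are.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jwks mirrors the shape of the document served at {issuer}/v1/keys.
// Only the fields needed for a kid lookup are modelled.
type jwks struct {
	Keys []struct {
		Kid string `json:"kid"`
		Kty string `json:"kty"`
		Alg string `json:"alg"`
		Use string `json:"use"`
	} `json:"keys"`
}

// TokenKid returns the "kid" from a compact JWS header. It does not
// verify the signature; it only tells you which key the issuer claims
// to have used, so that a mismatch can be diagnosed before verification.
func TokenKid(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		// Opaque tokens (random strings) fail here: there is no header to read.
		return "", errors.New("not a compact JWS: expected 3 dot-separated segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("decode header: %w", err)
	}
	var hdr struct {
		Kid string `json:"kid"`
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("parse header: %w", err)
	}
	if hdr.Kid == "" {
		return "", errors.New("header carries no kid; JWKS lookup cannot succeed")
	}
	return hdr.Kid, nil
}

// KidInJWKS reports whether kid appears among the keys of a JWKS document.
func KidInJWKS(kid string, jwksJSON []byte) (bool, error) {
	var set jwks
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return false, fmt.Errorf("parse jwks: %w", err)
	}
	for _, k := range set.Keys {
		if k.Kid == kid {
			return true, nil
		}
	}
	return false, nil
}

// compactJWT builds a header.payload.signature string from a header JSON
// document. Payload and signature are constructed placeholders: the point is
// the header, not a valid signature.
func compactJWT(headerJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(headerJSON)) + "." + enc([]byte(`{"sub":"constructed"}`)) + "." + enc([]byte("sig"))
}

// Constructed sample data. The key IDs are placeholders, not real Okta values.
const SampleJWKS = `{"keys":[
  {"kid":"constructed-key-1","kty":"RSA","alg":"RS256","use":"sig"},
  {"kid":"constructed-key-2","kty":"RSA","alg":"RS256","use":"sig"}]}`

var (
	// Signed with a key the JWKS does not publish: the situation in the post.
	SampleAccessToken = compactJWT(`{"kid":"constructed-key-3","alg":"RS256"}`)
	// Signed with a published key, like the ID token in the post.
	SampleIDToken = compactJWT(`{"kid":"constructed-key-1","alg":"RS256"}`)
)

func report(name, token string) {
	kid, err := TokenKid(token)
	if err != nil {
		fmt.Printf("%s: %v\n", name, err)
		return
	}
	found, err := KidInJWKS(kid, []byte(SampleJWKS))
	if err != nil {
		fmt.Printf("%s: %v\n", name, err)
		return
	}
	fmt.Printf("%s: kid=%s present in JWKS=%t\n", name, kid, found)
}

func main() {
	report("access_token", SampleAccessToken)
	report("id_token", SampleIDToken)
	report("opaque", "not-a-jwt")
}
```

When the access token's `kid` is absent from the issuer's JWKS while the ID token's is present, no amount of client ID or audience configuration in the verifier will help; the fix is on the issuer side (which authorization server minted the token), not in the backend's verification settings.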