It looks like the "Unexpected issuer claim" error is caused by the "issuer" property of the discovery response body not matching the "Issuer endpoint" value of the server description. So my question then would be, when you submit a discovery request from your REST client of choice, does the response "issuer" value match the issuer endpoint? If not, could it be an issue with the way the OAuth server is configured? Or are you accessing the OAuth server through a proxy so that the endpoint you're hitting is not the actual URL of the OAuth server?
The URL that the discovery request gets sent to is:
[issuer-endpoint]/.well-known/openid-configuration
So you might try hitting that endpoint in Postman to see what comes back.
You might also try turning on ISCLOG to log what's happening. I'm not seeing anything in the doc specifically on ISCLOG, though it is mentioned in the context of other topics, for example:
https://docs.intersystems.com/iris20221/csp/docbook/Doc.View.cls?KEY=GRE...
The value of ^%ISCLOG corresponds to the verbosity of the logs, where higher is more verbose. I'm not sure how high the scale goes, but I'm pretty sure it's less than 10, so I always just set it to 10.
You can skip setting the "Category" subscript to log all categories.
And don't forget to turn off ISCLOG when you're done!
kill ^%ISCLOG
or
set ^%ISCLOG=0
No worries, OAuth is a complicated subject. If the OAuth server you're trying to define in IRIS doesn't support the "well-known" endpoint, then I think you'll have to enter the server description manually, as opposed to having IRIS fetch it by discovery. You can read about how to do that here:
https://docs.intersystems.com/iris20221/csp/docbook/DocBook.UI.Page.cls?...
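Added example, not part of the original replies and not InterSystems code: a small Python check for the issuer mismatch discussed above, run against a discovery response body you have already fetched (for instance from Postman). It assumes the client compares the two values as exact strings, as OpenID Connect Discovery specifies; the function names and the example.com URLs are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

def discovery_url(issuer_endpoint: str) -> str:
    # The discovery document lives at [issuer-endpoint]/.well-known/openid-configuration
    return issuer_endpoint.rstrip("/") + "/.well-known/openid-configuration"

def check_issuer(issuer_endpoint: str, discovery_body: str) -> list:
    """Return a list of findings; an empty list means the issuer value matches."""
    doc = json.loads(discovery_body)
    issuer = doc.get("issuer")
    if not isinstance(issuer, str):
        return ["discovery response has no string 'issuer' property"]
    if issuer == issuer_endpoint:
        return []
    findings = [f"issuer {issuer!r} != configured endpoint {issuer_endpoint!r}"]
    if issuer.rstrip("/") == issuer_endpoint.rstrip("/"):
        findings.append("differs only by trailing slash")
        return findings
    got, want = urlsplit(issuer), urlsplit(issuer_endpoint)
    if got.scheme != want.scheme:
        findings.append(f"scheme differs: {got.scheme} vs {want.scheme}")
    if (got.hostname, got.port) != (want.hostname, want.port):
        findings.append("host or port differs (proxy or alternate hostname in front?)")
    if got.path.rstrip("/") != want.path.rstrip("/"):
        findings.append(f"path differs: {got.path!r} vs {want.path!r}")
    return findings

# Constructed sample: the server is reached through a proxy hostname, but the
# discovery document advertises the server's own internal hostname.
CONFIGURED = "https://proxy.example.com/oauth2"
SAMPLE_BODY = json.dumps({
    "issuer": "https://auth.internal.example.com/oauth2",
    "authorization_endpoint": "https://auth.internal.example.com/oauth2/authorize",
})

if __name__ == "__main__":
    print("GET", discovery_url(CONFIGURED))
    for line in check_issuer(CONFIGURED, SAMPLE_BODY) or ["issuer matches"]:
        print(" -", line)
```
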