This repository has been archived by the owner on Mar 12, 2024. It is now read-only.

failed to decode JWT: missing 'jwks_uri' from metadata #87

Open
whod81 opened this issue Dec 18, 2021 · 0 comments

whod81 commented Dec 18, 2021

Hello -- I am using an Okta Enterprise account and trying to get the okta-hosted-login sample to work.

I have tried with an ISSUER of https://acmecorp.okta.com/oauth2/default and https://acmecorp.okta.com/oauth2/ -- they behave differently.

Without the /default in ISSUER:
The Okta login screen comes up. But then the sample app seems to not know when a login occurs and you are redirected to the same screen. The sample app instance has an error:

```
2021/12/17 19:11:35 server starting at localhost:8080 ...
failed to decode JWT: missing 'jwks_uri' from metadata
```

With /default in ISSUER:
The Okta login screen does not come up. Instead I am sent to a 400 BAD REQUEST --- "Your request resulted in an error. The requested feature is not enabled in this environment." "Technical details ▾ Identity Provider: Unknown, Error Code: server_error". "Error: The requested feature is not enabled in this environment."

This is my .ENV file:

```
CLIENT_ID=qwerqwerqwerqwer
CLIENT_SECRET=qwerqwerqwerqwerqwer
ISSUER=https://acmecorp.okta.com/oauth2/
```

Here is my OPENID configuration:
```
mac:~ $ curl -s https://acmecorp.okta.com/.well-known/openid-configuration | jq
{
  "issuer": "https://acmecorp.okta.com",
  "authorization_endpoint": "https://acmecorp.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://acmecorp.okta.com/oauth2/v1/token",
  "userinfo_endpoint": "https://acmecorp.okta.com/oauth2/v1/userinfo",
  "registration_endpoint": "https://acmecorp.okta.com/oauth2/v1/clients",
  "jwks_uri": "https://acmecorp.okta.com/oauth2/v1/keys",
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "code token",
    "id_token token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post",
    "okta_post_message"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile",
    "address",
    "phone",
    "offline_access",
    "groups"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "claims_supported": [
    "iss",
    "ver",
    "sub",
    "aud",
    "iat",
    "exp",
    "jti",
    "auth_time",
    "amr",
    "idp",
    "nonce",
    "name",
    "nickname",
    "preferred_username",
    "given_name",
    "middle_name",
    "family_name",
    "email",
    "email_verified",
    "profile",
    "zoneinfo",
    "locale",
    "address",
    "phone_number",
    "picture",
    "website",
    "gender",
    "birthdate",
    "updated_at",
    "at_hash",
    "c_hash"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "introspection_endpoint": "https://acmecorp.okta.com/oauth2/v1/introspect",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "revocation_endpoint": "https://acmecorp.okta.com/oauth2/v1/revoke",
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "end_session_endpoint": "https://acmecorp.okta.com/oauth2/v1/logout",
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
  ],
  "device_authorization_endpoint": "https://acmecorp.okta.com/oauth2/v1/device/authorize"
}
```
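
An added example, not part of the original issue or the sample app's code: a Go check that compares a configured ISSUER with a fetched discovery document, flagging a missing `jwks_uri` and an `issuer` value that does not exactly match the configured one (OpenID Connect Discovery requires an exact match). The names `Metadata`, `DiscoveryURL` and `CheckMetadata` are hypothetical, and the JSON inputs are constructed from the values shown in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Metadata holds only the discovery fields this check inspects.
type Metadata struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

// DiscoveryURL builds the discovery URL a client derives from its configured issuer.
func DiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// CheckMetadata returns the problems found when validating a discovery
// document against the configured issuer; an empty result means it passed.
func CheckMetadata(configured string, doc []byte) []string {
	var md Metadata
	if err := json.Unmarshal(doc, &md); err != nil {
		return []string{"discovery response is not JSON: " + err.Error()}
	}
	var problems []string
	if md.JWKSURI == "" {
		problems = append(problems, "missing 'jwks_uri': no keys to verify token signatures")
	} else if !strings.HasPrefix(md.JWKSURI, "https://") {
		problems = append(problems, "jwks_uri is not https: "+md.JWKSURI)
	}
	// The issuer must match byte for byte, including any trailing slash.
	if md.Issuer != configured {
		problems = append(problems, fmt.Sprintf("issuer mismatch: configured %q, metadata %q", configured, md.Issuer))
	}
	return problems
}

func main() {
	// Constructed sample: two fields trimmed from the document in the issue.
	doc := []byte(`{"issuer":"https://acmecorp.okta.com","jwks_uri":"https://acmecorp.okta.com/oauth2/v1/keys"}`)
	for _, iss := range []string{"https://acmecorp.okta.com/oauth2/", "https://acmecorp.okta.com"} {
		fmt.Println(iss, "->", DiscoveryURL(iss), CheckMetadata(iss, doc))
	}
	// Constructed sample: a JSON body that is not a discovery document.
	fmt.Println(CheckMetadata("https://acmecorp.okta.com/oauth2/", []byte(`{"error":"not_found"}`)))
}
```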
