/oauth/token not returning id_token

When I try the POST method on http://server.com/oauth/token I expect a response like this one

{
  "access_token":"eyJz93a...k4laUWw",
  "refresh_token":"GEbRxBN...edjnXbL",
  "id_token":"eyJ0XAi...4faeEoQ",
  "token_type":"Bearer",
  "expires_in":86400
}

but I get a response like this

{
  "access_token":"eyJz93a...k4laUWw",
  "token_type":"Bearer",
  "expires_in":86400
}

My request:

{
  "grant_type": "authorization_code",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "code": "AUTHORIZATION_CODE",
  "redirect_uri": "https://YOUR_APP/callback"
}

What am I doing wrong? I need to get the id_token from this call in order to use it in the application.

The authorization code grant is performed in two steps; the first at the authorization endpoint /authorize and the second at the token endpoint /oauth/token.

The response contents received from the token endpoint are mostly influenced by the parameters sent in the first interaction with the authorization endpoint. In particular, you should take into consideration the following:

  • if you want to receive an ID token in this grant then the initial request to authorize must include the openid value as one of the scopes provided.
  • if you want to receive a refresh token in this grant then the initial request to authorize must include the offline_access value as one of the scopes provided.

You did not include the parameters you use at the authorization endpoint, so a definitive answer about the root cause of the issue cannot be provided; however, it may be due to failing to provide the expected configuration to the authorization endpoint.

In addition, bear in mind that refresh tokens during an API authorization request will only be granted if the associated API allows the issuing of a refresh token. Again, the provided information does not allow me to ascertain if this is an API authorization request or just a user authentication request, so this may or may not apply to your situation.

If the above does not lead you to find the root cause of the issue, then you need to include not just the parameters you send to the token endpoint but also the parameters you send to the authorization endpoint. In addition, information about the configuration of the client application in question might also be useful.

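The dependency the answer describes, as an added example that is not code from the original thread or from the identity provider: the scope is fixed at step 1 (the redirect to /authorize) and the /oauth/token POST at step 2 carries no scope at all, so a missing id_token or refresh_token has to be diagnosed against the /authorize parameters. The token endpoint below is a constructed stand-in that mirrors the rules in the answer (id_token only with openid, refresh_token only with offline_access, and for an API request only if that API allows refresh tokens); the domain, client id, audience and token strings are placeholders, not real values.

```python
"""Added example: why /oauth/token omits id_token or refresh_token.

Everything below is illustrative. simulated_token_endpoint() is a
constructed stand-in for a real token endpoint, not a provider's code.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def build_authorize_url(domain, client_id, redirect_uri, scopes,
                        audience=None, state=None, nonce=None):
    """Step 1: the browser redirect to /authorize.

    'openid' in scopes is what asks for an ID token; 'offline_access' is
    what asks for a refresh token. 'audience' turns this into an API
    authorization request (hypothetical parameter name for this example).
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        # state binds the callback to this browser session (CSRF check)
        "state": state or secrets.token_urlsafe(16),
    }
    if "openid" in scopes:
        # nonce is echoed inside the ID token; verify it on receipt
        params["nonce"] = nonce or secrets.token_urlsafe(16)
    if audience:
        params["audience"] = audience
    return f"https://{domain}/authorize?{urlencode(params)}"


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 2: the back-channel POST body for /oauth/token.

    Note there is no 'scope' here: it was decided at step 1.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }


def _scopes_of(authorize_url):
    query = parse_qs(urlparse(authorize_url).query)
    return query.get("scope", [""])[0].split(), query


def simulated_token_endpoint(authorize_url, token_request, api_allows_refresh=True):
    """Constructed stand-in for /oauth/token (not a real server).

    Issues tokens purely from the scopes that were sent to /authorize,
    which is the behaviour the answer above describes.
    """
    scopes, query = _scopes_of(authorize_url)
    if token_request.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    response = {"access_token": "eyJ...access", "token_type": "Bearer",
                "expires_in": 86400}
    if "openid" in scopes:
        response["id_token"] = "eyJ...id"
    if "offline_access" in scopes:
        # plain login: offline_access is enough; API request: the API must allow it
        if "audience" not in query or api_allows_refresh:
            response["refresh_token"] = "GEb...refresh"
    return response


def diagnose(authorize_url, token_response):
    """Explain a thin token response in terms of the /authorize request."""
    scopes, query = _scopes_of(authorize_url)
    problems = []
    if "id_token" not in token_response and "openid" not in scopes:
        problems.append("no id_token: add 'openid' to the scope sent to /authorize")
    if "refresh_token" not in token_response:
        if "offline_access" not in scopes:
            problems.append("no refresh_token: add 'offline_access' to the scope sent to /authorize")
        elif "audience" in query:
            problems.append("no refresh_token despite offline_access: check that the API "
                            "(audience) allows refresh tokens")
    return problems


if __name__ == "__main__":
    cb = "https://YOUR_APP/callback"
    req = build_token_request("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "AUTHORIZATION_CODE", cb)
    # The situation in the question: scope without openid -> no id_token.
    bad = build_authorize_url("server.com", "YOUR_CLIENT_ID", cb, ["profile"])
    print(diagnose(bad, simulated_token_endpoint(bad, req)))
    # The fix from the thread: add openid (and offline_access for a refresh token).
    good = build_authorize_url("server.com", "YOUR_CLIENT_ID", cb,
                               ["openid", "profile", "offline_access"])
    print(simulated_token_endpoint(good, req))
```

Running the script prints the two diagnostics for the failing request and the full token set for the corrected one; in a real integration replace simulated_token_endpoint with the actual POST and keep diagnose as the first thing you run when a token response is thinner than expected.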

Thank you for your answer. I added openid as a scope for the /authorize request and now I have an id_token.