For my Native app I’m calling authorize() with a scope of openid profile offline_access which results in a request to /oauth/token with this payload:
Auth0 gives me this response:
When I refresh the access_token the docs seem to indicate I should get back a new id_token because I had an original scope including
/oauth/token post payload:
But the Auth0 response doesn’t include a new
Can someone tell me what I’m doing wrong?
This is a situation that we are already tracking; at this time, if you need the refresh token exchange to also return an ID token then you need to do one of the following actions:
- in the Dashboard go to client application advanced settings, select the OAuth section and enable the OIDC Conformant toggle.
- in the original request to the authorize endpoint include an audience parameter; for example, you can make the request with an audience set to
Have in mind that both of the above options will imply that requests from your client application will strictly follow the OpenID Connect specification. This may mean some breaking changes so do check the reference documentation.
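The second option above, sketched as an added example that is not part of the original thread and is not Auth0 SDK code: it builds the authorize request with an audience parameter, builds the refresh_token grant body, and merges the refresh response whether or not an id_token comes back. The domain, client ID, audience value and all function names are constructed placeholders; the issuer and subject comparison goes beyond the thread and follows OpenID Connect Core section 12.2.

```javascript
// Constructed placeholders: none of these values come from the thread.
const CONFIG = {
  domain: "tenant.example.com",
  clientId: "CLIENT_ID_PLACEHOLDER",
  audience: "https://api.example.com", // hypothetical API identifier
};

// Authorization request carrying the audience parameter (second option above).
function buildAuthorizeUrl(cfg, redirectUri, state) {
  const q = new URLSearchParams({
    response_type: "code",
    client_id: cfg.clientId,
    redirect_uri: redirectUri,
    scope: "openid profile offline_access",
    audience: cfg.audience,
    state,
  });
  return `https://${cfg.domain}/authorize?${q}`;
}

// Form body for the refresh_token grant sent to /oauth/token.
function buildRefreshBody(cfg, refreshToken) {
  return new URLSearchParams({
    grant_type: "refresh_token",
    client_id: cfg.clientId,
    refresh_token: refreshToken,
  }).toString();
}

// Read JWT claims without verifying the signature; verification with the
// tenant's keys is assumed to happen elsewhere before the claims are trusted.
function decodeClaims(jwt) {
  const part = jwt.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(part, "base64").toString("utf8"));
}

// Merge a refresh response into the session. A missing id_token keeps the old
// one; a new one must name the same issuer and subject as the original.
function applyRefresh(session, resp) {
  const next = { ...session, accessToken: resp.access_token, idTokenRefreshed: false };
  if (!resp.id_token) return next;
  const before = decodeClaims(session.idToken);
  const after = decodeClaims(resp.id_token);
  if (after.iss !== before.iss || after.sub !== before.sub) {
    throw new Error("refreshed id_token iss/sub differs from original");
  }
  return { ...next, idToken: resp.id_token, idTokenRefreshed: true };
}
```

Checking `idTokenRefreshed` after each refresh shows whether the tenant is returning an ID token for this client, which is the symptom described in the question.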
Thanks @jmangelo! I chose the latter option for my upcoming release; changing to OIDC Conformant would have messed up my existing customers. The only other change I made was to add some additional scopes to the authorize request to get the information I needed in the