Id_token and refresh_token are missing in the /oauth/token response

Hi, I’m using the PKCE flow and I also have a custom rule that adds some custom scopes to the access_token. The problem is that in the /oauth/token request the id_token and refresh_token are missing. If I disable the rule everything works fine.
I’ve noticed that altering the value of context.accessToken.scope inside the rule removes the id_token and refresh_token from the response.

Code example:
context.accessToken.scope = user.user_metadata.scopes.join(' ') + " account-onboard";

Note that this issue is present only when using the PKCE flow. In the standard flow the rule works fine.

Check the difference of the responses in the screenshots.
Rule enabled - https://user-images.githubusercontent.com/7419780/64268173-48569080-cf40-11e9-87bb-30469210c8c6.png

Rule is disabled - https://user-images.githubusercontent.com/7419780/64268174-48ef2700-cf40-11e9-8863-3f9542bffca4.png

Hi @johnnytmd5,

Welcome to the Auth0 Community Forum!

Are you using a SPA? If so, you should not be receiving a refresh token. Instead you should use silent authentication.

As for the id token, can you please provide some more context (framework, your code, the quickstart or tutorial you used)?

Thanks,
Dan
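
One possible reading of the behaviour in the question is that the assignment replaces the scopes the client requested, openid and offline_access included, instead of extending them. The following is an added example, not code from the thread or from Auth0, that merges the two lists; mergeScopes, addCustomScopes and the sample input are hypothetical, and whether this restores the tokens is an assumption the thread does not confirm.

```javascript
// Added example. Assumption: the tokens vanish because the rule overwrites the
// requested scopes (openid, offline_access) rather than adding to them.

// Merge requested and custom scopes, accepting arrays or space-delimited
// strings, and drop duplicates while keeping the requested order first.
function mergeScopes(requested, custom) {
  const toList = (v) =>
    Array.isArray(v) ? v : String(v || '').split(/\s+/).filter(Boolean);
  return Array.from(new Set([...toList(requested), ...toList(custom)]));
}

// Rule in the (user, context, callback) shape that Auth0 rules use.
function addCustomScopes(user, context, callback) {
  const req = context.request || {};
  // Scope string sent by the client, in the query string or in a POST body.
  const requested =
    (req.query && req.query.scope) || (req.body && req.body.scope) || '';
  // Tolerate users that have no user_metadata.scopes at all.
  const custom = ((user.user_metadata || {}).scopes || []).concat('account-onboard');

  context.accessToken = context.accessToken || {};
  // Same space-delimited string form as the rule in the question.
  context.accessToken.scope = mergeScopes(requested, custom).join(' ');
  return callback(null, user, context);
}

// Constructed sample input, not taken from the thread.
function demo() {
  const user = { user_metadata: { scopes: ['read:accounts', 'openid'] } };
  const context = {
    request: { query: { scope: 'openid profile offline_access' } },
  };
  let result;
  addCustomScopes(user, context, (err, u, ctx) => {
    result = ctx.accessToken.scope;
  });
  return result;
}

console.log(demo());
```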