Hi, I’m using the PKCE flow and I also have a custom rule that adds some custom scopes to the access_token. The problem is that in the /oauth/token request the id_token and refresh_token are missing. If I disable the rule everything works fine.
I’ve noticed that altering the value of context.accessToken.scope inside the rule removes the id_token and refresh_token from the response.
Code example:
context.accessToken.scope = user.user_metadata.scopes.join(' ') + " account-onboard";
Note that this issue is present only when using the PKCE flow. In the standard flow the rule works fine.
Check the difference of the responses in the screenshots.
Rule enabled - https://user-images.githubusercontent.com/7419780/64268173-48569080-cf40-11e9-87bb-30469210c8c6.png
Rule is disabled - https://user-images.githubusercontent.com/7419780/64268174-48ef2700-cf40-11e9-8863-3f9542bffca4.png