My client has the OIDC Conformant toggle enabled. I have implemented the authorization code flow in my application.
In my initial request to /authorize, I include the following query params:
audience=https://my.audience.com response_type=code scope=openid profile offline_access
My understanding is by providing audience I would like to retrieve an access_token. By providing openid I would like to retrieve an id_token. And by providing offline_access I would like to retrieve a
When I perform the code exchange on my callback endpoint after successful authentication, I do correctly get back a response from /oauth/token with the refresh_tokens that I require.
However, when I make a request to /oauth/token with a refresh_token, I only ever get back an access_token, not an
There was a similar thread posted last year where the solution was to make your application OIDC conformant by either enabling the toggle, which I’ve done, or by providing ?audience in the initial /authorize request, which I’ve also done.