My client has the OIDC Conformant toggle enabled. I have implemented the authorization code flow in my application.
In my initial request to /authorize, I include the following query params:
audience=https://my.audience.com
response_type=code
scope=openid profile offline_access
My understanding is that by providing audience I would like to retrieve an access_token. By providing openid I would like to retrieve an id_token. And by providing offline_access I would like to retrieve a refresh_token.
When I perform the code exchange on my callback endpoint after successful authentication, I do correctly get back a response from /oauth/token with the access_token, id_token and refresh_token that I require.
However, when I make a request to /oauth/token with a grant_type of refresh_token, I only ever get back an access_token, not an id_token.
There has been a similar thread posted last year where the solution was to make your application OIDC conformant by either enabling the toggle, which I’ve done, or by providing ?audience in the initial /authorize request, which I’ve also done.
Any ideas?
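A small diagnostic script for the refresh_token grant described in the post, added here as an example and not part of the original post or Auth0's own code. The tenant domain and client credentials are placeholders, the sample token response is constructed, and the JWT decoding is for inspection only (no signature check), so it should not be used to trust claims.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder values (assumed, not from the post); replace with your own tenant settings.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"


def build_refresh_request(refresh_token):
    """Return the /oauth/token URL and form body for grant_type=refresh_token."""
    url = "https://%s/oauth/token" % AUTH0_DOMAIN
    body = {
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "refresh_token": refresh_token,
        # Optional: re-sending openid makes the request explicit that an id_token is wanted.
        "scope": "openid profile offline_access",
    }
    return url, body


def refresh(refresh_token):
    """Perform the refresh grant over HTTPS and return the parsed JSON response."""
    url, body = build_refresh_request(refresh_token)
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def tokens_present(token_response):
    """Report which token kinds a /oauth/token response actually carries."""
    return {k for k in ("access_token", "id_token", "refresh_token") if token_response.get(k)}


def decode_jwt_payload(token):
    """Decode the claims segment of a JWT for diagnosis; the signature is NOT verified."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def _unsigned_jwt(claims):
    """Build a constructed, unsigned JWT used only for the offline sample below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed sample mirroring the symptom in the post: access_token only, no id_token.
SAMPLE_REFRESH_RESPONSE = {
    "access_token": _unsigned_jwt({"aud": "https://my.audience.com", "scope": "openid profile"}),
    "token_type": "Bearer",
    "expires_in": 86400,
}
```

Calling `tokens_present(refresh(stored_refresh_token))` against a real tenant shows at a glance whether the id_token is missing from the refresh response.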