Missing id_token when refreshing tokens?

My client has the OIDC Conformant toggle enabled. I have implemented the authorization code flow in my application.

In my initial request to /authorize, I include the following query params:

audience=https://my.audience.com
response_type=code
scope=openid profile offline_access

My understanding is by providing audience I would like to retrieve an access_token. By providing openid I would like to retrieve an id_token. And by providing offline_access I would like to retrieve a refresh_token.

When I perform the code exchange on my callback endpoint after successful authentication, I do correctly get back a response from /oauth/token with the access_token, id_token and refresh_tokens that I require.

However, when I make a request to /oauth/token with a grant_type of refresh_token, I only ever get back an access_token, not an id_token.

There has been a similar thread posted last year where the solution was to make your application OIDC conformant by either enabling the toggle which I’ve done, or by providing ?audience in the initial /authorize request which I’ve also done.

Any ideas?

Hi there, an educated guess is that you have to add id_token to response_type as well. Like this:

audience=https://my.audience.com
response_type=code id_token
scope=openid profile offline_access

If this does not solve your issue, let me know and I will help you investigate.

Unfortunately that doesn’t solve the problem.

Adding id_token alongside code for the response_type did give me an id_token JWT response with my authorization code (which was a bit unexpected) and I do get a refresh token when I perform the code exchange. However, performing a refresh token request just yields an access_token rather than a new id_token like before.

Here’s the refresh token docs that I’ve been referring to which shows an id_token in the response.

Anything else you think I could try?

Hey there!

Sorry for such delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes the number of incoming questions is just too big for our bandwidth. Sorry for such inconvenience!

Do you still require further assistance from us?