
Missing id_token when refreshing tokens?

id_token
refresh_token

#1

My client has the OIDC Conformant toggle enabled. I have implemented the authorization code flow in my application.

In my initial request to /authorize, I include the following query params:

audience=https://my.audience.com
response_type=code
scope=openid profile offline_access

My understanding is that by providing audience I would like to retrieve an access_token, by providing openid I would like to retrieve an id_token, and by providing offline_access I would like to retrieve a refresh_token.

When I perform the code exchange on my callback endpoint after successful authentication, I do correctly get back a response from /oauth/token with the access_token, id_token and refresh_token that I require.

However, when I make a request to /oauth/token with a grant_type of refresh_token, I only ever get back an access_token, not an id_token.

There was a similar thread posted last year where the solution was to make your application OIDC conformant, either by enabling the toggle, which I’ve done, or by providing ?audience in the initial /authorize request, which I’ve also done.

Any ideas?
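The flow the post describes, as an added example that is not code from the original poster or from Auth0: it builds the /authorize URL with the same audience, response_type and scope as the post, builds the grant_type=refresh_token body for /oauth/token, and checks a token response for the id_token the poster expects. The tenant domain, client_id, redirect_uri and the two sample responses are constructed for the example; the refresh response deliberately carries only an access_token, as reported in the post. The JWT decoder only reads the payload and does not verify the signature, so it is for inspection, not for trusting claims.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed values for the example (not from the thread), except AUDIENCE.
DOMAIN = "example.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://app.example.com/callback"
AUDIENCE = "https://my.audience.com"  # as in the original /authorize request
REQUESTED_SCOPE = "openid profile offline_access"


def build_authorize_url(domain, client_id, redirect_uri, audience, state, nonce,
                        response_type="code", scope=REQUESTED_SCOPE):
    """Authorization-code /authorize URL. state protects the callback against
    CSRF; nonce is echoed in the id_token and must be checked on return."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": scope,
        "audience": audience,
        "state": state,
        "nonce": nonce,
    }
    return f"https://{domain}/authorize?{urlencode(params)}"


def build_refresh_request(domain, client_id, refresh_token, client_secret=None):
    """URL and form body for POST /oauth/token with grant_type=refresh_token.
    A confidential client adds client_secret; a public client omits it."""
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }
    if client_secret:
        form["client_secret"] = client_secret
    return f"https://{domain}/oauth/token", form


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload_unverified(token):
    """Decode the payload segment of a JWT WITHOUT verifying its signature.
    Use only to inspect what the server returned; validate with a JWKS-backed
    library before trusting any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def inspect_token_response(body, requested_scope=REQUESTED_SCOPE, expected_nonce=None):
    """Report which tokens a /oauth/token response carries and what is missing
    relative to the requested scope: openid -> id_token, offline_access ->
    refresh_token (a refresh response need not rotate the refresh_token)."""
    scopes = set(requested_scope.split())
    present = {k for k in ("access_token", "id_token", "refresh_token") if body.get(k)}
    missing = {"access_token"} - present
    if "openid" in scopes and "id_token" not in present:
        missing.add("id_token")
    nonce_ok = None
    if "id_token" in present and expected_nonce is not None:
        claims = decode_jwt_payload_unverified(body["id_token"])
        nonce_ok = claims.get("nonce") == expected_nonce
    return {"present": present, "missing": missing, "nonce_ok": nonce_ok}


def _constructed_unsigned_jwt(payload):
    """Build a constructed id_token for the sample below (no real signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.constructed-signature"


# Constructed sample responses. The code-exchange response has all three tokens;
# the refresh response has only an access_token, matching the post.
EXCHANGE_RESPONSE = {
    "access_token": "constructed-access-token",
    "id_token": _constructed_unsigned_jwt({
        "iss": f"https://{DOMAIN}/", "aud": CLIENT_ID, "sub": "auth0|constructed",
        "nonce": "n-1",
    }),
    "refresh_token": "constructed-refresh-token",
    "token_type": "Bearer",
    "expires_in": 86400,
}
REFRESH_RESPONSE = {
    "access_token": "constructed-access-token-2",
    "token_type": "Bearer",
    "expires_in": 86400,
}

if __name__ == "__main__":
    print(build_authorize_url(DOMAIN, CLIENT_ID, REDIRECT_URI, AUDIENCE, "s-1", "n-1"))
    print(build_refresh_request(DOMAIN, CLIENT_ID, EXCHANGE_RESPONSE["refresh_token"]))
    print(inspect_token_response(EXCHANGE_RESPONSE, expected_nonce="n-1"))
    print(inspect_token_response(REFRESH_RESPONSE))
```

Running the script prints the /authorize URL, the refresh request, and the two inspection results; the refresh response reports id_token as missing, which is exactly the symptom in the post. Treat `decode_jwt_payload_unverified` as a debugging aid only.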


#2

Hi there, an educated guess is that you have to add id_token to response_type as well. Like this:

audience=https://my.audience.com
response_type=code id_token
scope=openid profile offline_access

If this does not solve your issue, let me know and I will help you investigate.


#3

Unfortunately that doesn’t solve the problem.

Adding id_token alongside code for the response_type did give me an id_token JWT response with my authorization code (which was a bit unexpected) and I do get a refresh token when I perform the code exchange. However, performing a refresh token request just yields an access_token rather than a new id_token like before.

Here are the refresh token docs I’ve been referring to, which show an id_token in the response.

Anything else you think I could try?