I am using the Authorization Code Flow for my application with Auth0 Organizations, where the login flow is set for Business Users > Prompt for Credentials.
I am hitting the /authorize endpoint correctly with scope=openid offline_access. When I test with a user who is only part of one organization, the organization picker does not show up, which is expected. When I hit the oauth/token endpoint with the resulting authorization code, I correctly get a refresh_token and id_token in the response.
However, when I test with a user who is part of multiple organizations, and I pick one via the organization picker, I suddenly lose refresh_token and id_token in the response. The access_token I get does indicate org_id is set correctly though, so I know that the user has been authenticated successfully through the selected organization.
Why am I not getting a refresh_token or id_token with a user who is part of multiple organizations? Is there some additional configuration that I am missing? Any help appreciated, thanks.