everything works, except that when I don’t use refresh tokens, my claim contains org_id and permissions, but when I do, the claim does not contain any of those:
Without refresh-token rotation I get:
I understand that you have issues with your claims when using a refresh token to get your access tokens.
I have just tested this myself and did not find the same observations. Instead, I was able to get the organization ID and permissions both in my initial request and the request when I used the refresh token to get my new tokens.
Given that, could you please share your /authorize request with me?
Thank you @rueben.tiow for your quick response. I am not sure if I understand correctly, but here is my /authorize request. If it is not what you wanted, kindly elaborate and I will get it done:
It forwards me to my callback page, with my access token set to a JWT token when logged in. The payload of that JWT token is the same as I mentioned in my original post. It does not have permissions and orgId in it.