Refresh token no longer returns id_token

Problem statement

Recently, our authentication began failing, and we were no longer receiving an id_token in the response from /oauth/token.

Cause

A server update on 4/17/23 fixed a bug. The bug allowed a scenario in which a new ID token was issued in the response of a refresh token exchange even though the scope of the initial /authorize request did not include openid.

If you have been relying on this behavior to obtain an ID token, the server update may be why you no longer receive an id_token in the response.

Solution

We recommend including the openid scope in the /authorize request. By doing so, a new ID token will be issued in the response of later refresh token exchanges.
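The following is an added example, not code from the original article or the vendor: a Python sketch that guarantees openid is in the scope sent to /authorize and classifies a refresh token response that lacks an id_token. The base URL, client ID, redirect URI, function names and sample responses are constructed placeholders; offline_access is the standard OpenID Connect scope for requesting a refresh token.

```python
from urllib.parse import urlencode

def build_authorize_url(base_url, client_id, redirect_uri, scope, state):
    """Return the /authorize URL, adding `openid` to the scope if it is absent."""
    scopes = scope.split()
    if "openid" not in scopes:
        scopes.insert(0, "openid")
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{base_url.rstrip('/')}/authorize?{query}"

def diagnose_refresh_response(body):
    """Classify the parsed JSON body of a refresh token exchange at /oauth/token."""
    if "id_token" in body:
        return "ok"
    if "scope" not in body:
        # A token response may omit `scope`; then the original /authorize
        # request has to be inspected instead.
        return "scope-not-reported"
    if "openid" not in body["scope"].split():
        # The case this article describes: openid was never requested.
        return "missing-openid-scope"
    return "missing-id-token"

if __name__ == "__main__":
    # Constructed placeholder values, not real tenant data.
    print(build_authorize_url("https://tenant.example", "CLIENT_ID_PLACEHOLDER",
                              "https://app.example/callback",
                              "offline_access profile", "constructed-state"))
    # Constructed sample response from a session authorized without openid.
    sample = {"access_token": "constructed", "token_type": "Bearer",
              "expires_in": 86400, "scope": "offline_access profile"}
    print(diagnose_refresh_response(sample))
```

Sessions whose refresh tokens were issued without openid need a new /authorize request with the corrected scope before later exchanges return an id_token.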