Problem statement
Recently, our authentication began failing, and we were no longer receiving an id_token
in the response from /oauth/token
.
Cause
There was a server update on 4/17/23 that fixed a bug. The bug was allowing for a scenario where, if the scope of the initial /authorize
request did not include openid
, a new ID token would be issued in the response of a subsequent refresh token exchange.
If you have been relying on this behavior to obtain an ID token, you may have experienced the server update that caused you to no longer receive an id_token
in the response.
Solution
We recommend including the openid
scope in the /authorize
request. By doing so, a new ID token will be issued in the response of later refresh token exchanges.