We have 2 database connections set up and are noticing that there are differences in how an access token is obtained via a refresh token when authenticating with the grant type password vs http://auth0.com/oauth/grant-type/password-realm.
With a refresh token from a password grant type, all the claims and scopes are retained in the new access token.
With a refresh token from a http://auth0.com/oauth/grant-type/password-realm grant type, we lose custom claims and all original scopes except for offline_access.
Is there a configuration or way to make the refresh token for http://auth0.com/oauth/grant-type/password-realm behave the same way as the password grant type, in other words retain all the claims and scopes in the new access token?
I was just able to test this on my end, and can’t seem to reproduce the issue you are seeing - I am seeing the expected behavior where while using the http://auth0.com/oauth/grant-type/password-realm grant type, the access token received in the refresh token flow contains the same scopes and claims as the initial access token.
Are you just omitting scopes in the request using the refresh token? Doing so should just return whatever was included in the initial request in which the refresh token was received.
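To check what the thread describes, the following added example (not part of the original posts and not Auth0 code) decodes an initial and a refreshed JWT access token and reports which scopes and claims were lost. The token contents, the tenant and API URLs, and the `https://example.com/roles` claim name are constructed sample values, and the `scope` claim is assumed to be a space-separated string.

```python
import base64
import json

# Claims that legitimately differ between two issuances; left out of the diff.
VOLATILE = {"iat", "exp", "nbf", "jti"}


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; opaque access token?")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def diff_tokens(initial, refreshed):
    """Report scopes and claims that differ between two access tokens."""
    a, b = jwt_payload(initial), jwt_payload(refreshed)
    scopes_a = set(a.get("scope", "").split())
    scopes_b = set(b.get("scope", "").split())
    keys_a = set(a) - VOLATILE - {"scope"}
    keys_b = set(b) - VOLATILE - {"scope"}
    return {
        "scopes_lost": sorted(scopes_a - scopes_b),
        "scopes_gained": sorted(scopes_b - scopes_a),
        "claims_lost": sorted(keys_a - keys_b),
        "claims_changed": sorted(k for k in keys_a & keys_b if a[k] != b[k]),
    }


def make_sample(payload):
    """Build a constructed, unsigned sample token (dummy signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "sig"])


# Constructed payloads mirroring the symptom described in the question.
BASE = {"iss": "https://tenant.example/", "sub": "auth0|123", "aud": "https://api.example"}
INITIAL = make_sample({**BASE, "iat": 1700000000, "exp": 1700086400,
                       "scope": "openid profile read:orders offline_access",
                       "https://example.com/roles": ["admin"]})
REFRESHED = make_sample({**BASE, "iat": 1700003600, "exp": 1700090000,
                         "scope": "offline_access"})

if __name__ == "__main__":
    print(json.dumps(diff_tokens(INITIAL, REFRESHED), indent=2))
```

The decoder skips signature verification, so its output is only for comparing tokens during troubleshooting and must not feed an authorization decision.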