Azure AD B2C missing access_token in refreshTokenGrant

[Anton-Plagemann]

Edit by @panva: See #719 (comment) for resolution.

---

What happened?

I got a an error Error refreshing token invalid response encountered when trying to use oidc-client v6 with Azure AD B2C and the refreshTokenGrant function.

The error comes from here:

openid-client/src/index.ts

Lines 2772 to 2783 in c7fb6e4

	try {
	result = await p
	} catch (err) {
	if (retryable(err, options)) {
	return refreshTokenGrant(config, refreshToken, parameters, {
	...options,
	flag: retry,
	})
	}
	errorHandler(err)
	}

but originates here:
https://github.com/panva/oauth4webapi/blob/aded09a90059e1d0b0b4cdf25834a0abafd52716/src/index.ts#L3323-L3325

The debugger showed, that the variable json (response from Azure AD B2C) has this value:

{
  id_token: "redacted",
  token_type: "Bearer",
  not_before: 1729706541,
  id_token_expires_in: 3600,
  profile_info: "redacted",
  scope: "offline_access openid",
  refresh_token: "redacted",
  refresh_token_expires_in: 7776000,
}

It seems like Azure AD B2C (my OIDC provider) responds only with an id token in a refresh request but the library always expects an access token to be present.

Version

v6.1.1

Runtime

Node.js

Runtime Details

Node v22.8.0

Code to reproduce

const discoveryUrl = `https://${config.B2C_TENANT_NAME}.b2clogin.com/${config.B2C_TENANT_NAME}.onmicrosoft.com/${config.B2C_SIGN_IN_POLICY_NAME}/v2.0/.well-known/openid-configuration`;

const clientConfig = await discovery(
  new URL(discoveryUrl),
  config.B2C_CLIENT_ID,
  {
    [clockTolerance]: 5,
    client_secret: config.B2C_CLIENT_SECRET,
  },
);

const refreshToken = "my-refresh-token";
const tokens = await refreshTokenGrant(clientConfig, refreshToken);

Required

• I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
• I agree to follow this project's Code of Conduct

[panva]

The point of the refresh grant is to get a new fresh access token. As per the docs you've linked yourself there should always be one. I'd say the error is warranted.

[Anton-Plagemann]

Thanks for your prompt response!
Is there another (utility) function to get an id token using the refresh token or do I need to do this request manually?

[Anton-Plagemann]

Thanks, I found another solution/workaround: When I add the Client ID as the first scope I also get an access token and everything works:

Scopes before:

const b2cOidcScopes = "openid offline_access profile email";

Scopes after:

const B2C_CLIENT_ID = "90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6";  // Example value
const b2cOidcScopes = `${B2C_CLIENT_ID} openid offline_access profile email`;

Thanks for your help! Really appreciate it!