This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Refreshing an access token with Azure AD fails #1264

Open
@slieschke

Description

I'm building a SPA that's using oidc-client to authenticate to Azure AD using the OAuth 2.0 authorization code flow with PKCE to obtain an access token to use a custom (Java) API.

In order to be able to validate the access token I created a custom scope as explained under the Problem 1: Azure AD returns invalid JWT access token section at Making Azure AD OIDC Compliant and passed it as my UserManager scope so it is included when authorizing. I got authorizing and requesting initial access and refresh tokens all working as expected.

However, when refreshing an access token using the /{tenant}/oauth2/v2.0/token resource, I received a 400 Bad Request response containing this error message:

AADSTS90009: Application 'redacted-client-id'(redacted-client-id) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.

Per this discussion, the error message is misleading, and Azure AD actually requires a scope parameter to be passed with the request, per their documentation for refreshing the access token. I confirmed that providing my custom scope in a scope parameter solved this problem by using Fiddler to manually add it to the request made by oidc-client before sending it on to Azure AD, and I successfully had my access token refreshed.

What would you think of adding an optional setting flag like includeScopeInTokenRefresh that could be used to send the scope from the settings with access token refresh requests?
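The exchange described in this issue, as an added example that is not oidc-client's code and not the reporter's own: it builds the refresh_token grant body for the Azure AD v2.0 token endpoint, sends the scope parameter only when the proposed includeScopeInTokenRefresh setting is on, and classifies the endpoint's answer so that an AADSTS90009 response on a scope-less request is logged with its real cause rather than the misleading message. The tenant id, client id, custom scope, refresh token and the token_endpoint field name are constructed placeholders, and fetch is injectable so the exchange can be exercised offline.

```javascript
// Added example (not oidc-client's code): refresh_token grant against the
// Azure AD v2.0 token endpoint, with the scope parameter gated on the setting
// proposed in the issue. All identifiers below are constructed placeholders.

const exampleSettings = {
  // Same URL shape the issue names: /{tenant}/oauth2/v2.0/token
  token_endpoint: "https://login.microsoftonline.com/REDACTED-TENANT-ID/oauth2/v2.0/token",
  client_id: "redacted-client-id",
  // OIDC scopes plus a custom scope exposed on the API's app registration
  scope: "openid profile offline_access api://redacted-client-id/access_as_user",
  // Proposed setting from the issue (hypothetical; not an oidc-client option)
  includeScopeInTokenRefresh: true,
};

// Builds the application/x-www-form-urlencoded body for the refresh request.
// Public SPA client: no client_secret, exactly as in the PKCE code flow.
function buildRefreshTokenBody(settings, refreshToken) {
  if (typeof refreshToken !== "string" || refreshToken.length === 0) {
    throw new Error("refresh_token is required");
  }
  const body = new URLSearchParams();
  body.set("grant_type", "refresh_token");
  body.set("client_id", settings.client_id);
  body.set("refresh_token", refreshToken);
  // Azure AD expects the scope to be repeated on refresh; only add it when the
  // setting is on so other providers keep the current behaviour.
  if (settings.includeScopeInTokenRefresh && settings.scope) {
    body.set("scope", settings.scope);
  }
  return body;
}

// Classifies the token endpoint's answer. Returns { ok: true, tokens } for a
// 2xx JSON response carrying an access token; otherwise { ok: false, code, hint }
// so the caller can log the actual reason instead of the AADSTS text alone.
function interpretTokenResponse(status, json, requestBody) {
  if (status >= 200 && status < 300 && json && json.access_token) {
    return { ok: true, tokens: json };
  }
  const description = (json && json.error_description) || "";
  const code = (description.match(/^AADSTS\d+/) || [null])[0];
  let hint = "token refresh failed";
  if (code === "AADSTS90009" && !requestBody.has("scope")) {
    hint = "refresh request sent without scope; Azure AD requires the scope parameter on refresh";
  }
  return { ok: false, status, code, hint };
}

// Performs the refresh. `fetchImpl` is injectable so the exchange can be run
// against a stub without network access.
async function refreshAccessToken(settings, refreshToken, fetchImpl = fetch) {
  const body = buildRefreshTokenBody(settings, refreshToken);
  const response = await fetchImpl(settings.token_endpoint, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  });
  let json = null;
  try {
    json = await response.json();
  } catch (_) {
    // Non-JSON error page; interpretTokenResponse handles a null body.
  }
  return interpretTokenResponse(response.status, json, body);
}
```

The refresh token is passed in and never stored or logged by these functions; the hint string is what belongs in client-side diagnostics, not the token values.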
