OAuth Using OPEN_ID - Bug with the tokenset/claims value

[saikiran2197]

I have the following .env configurations

OPENID_SCOPE=openid profile email
OPENID_CALLBACK_URL=/oauth/openid/callback
OPENID_USE_PKCE=true
OPENID_AUTO_REDIRECT=true
OPENID_REUSE_TOKENS=true
OPENID_JWKS_URL_CACHE_ENABLED=true
OPENID_JWKS_URL_CACHE_TIME=600000
OPENID_USE_END_SESSION_ENDPOINT=true

I hit localhost:3080 and the page contonuously gets redirected to /login before erroring out..

Logs:
2025-08-11 14:06:55 info: MCP servers initialized successfully
2025-08-11 14:06:58 error: [refreshController] OpenID token refresh error Cannot read properties of undefined (reading 'email')
2025-08-11 14:07:41 error: [refreshController] OpenID token refresh error Cannot read properties of undefined (reading 'email')
2025-08-11 14:07:42 info: [openidStrategy] user found with openidId: redacted
2025-08-11 14:07:42 info: [openidStrategy] login success openidId: redacted | email: redacted | username: redacted
2025-08-11 14:07:44 error: [refreshController] OpenID token refresh error Cannot read properties of undefined (reading 'email')

Looking at the code on AuthController.js

  const tokenset = await openIdClient.refreshTokenGrant(openIdConfig, refreshToken);
  const claims = tokenset.claims();

The tokenset that is fetched only contains an access_token and no id_token, which results in claims = undefined.

When I set OPENID_REUSE_TOKENS=false, the code block above is not hit and the tokenset explicitly contains the id_token which results in the claims being a valid value.

Is this a bug or something wrong on my end?

[danny-avila]

This is only tested with Entra and Auth0 which required additional configuration, see:

#8837 (comment)

You may have the same audience issue and you can try that configuration.

[saikiran2197]

Hi @danny-avila, Dont think that has helped.
Adding a bit more context here to help determine if this is indeed a bug or not?

AuthController.js

const openIdConfig = getOpenIdConfig(); -> Resulting value = {}
const tokenset = await openIdClient.refreshTokenGrant(openIdConfig, refreshToken); -> refreshToken has a non-null value

However, the resulting tokenset only has an access_token and no refreshToken

{
  "access_token": "ey...",
  "token_type": "bearer",
  "expires_in": 7199
}

Observations:
OpenID is fully set up, so not sure why openIdConfig would result in an empty object?

[saikiran2197]

Workaround I've had to make for now...
Please do let me know if this is a correct workaround solution

Previous:
const claims = tokenset.claims();
Now:
const claims = jwtDecode(tokenset.access_token);

Previous:
const token = setOpenIDAuthTokens(tokenset, res);
Now:

const newTokenSet = { ...tokenset, refresh_token: refreshToken };
const token = setOpenIDAuthTokens(newTokenSet, res);