I'm developing an SPA with Azure AD B2C as the identity provider. I'm using the MSAL JavaScript library and it's mostly working fine. I can create users, log in and get access tokens for my Web API back-end.
The only issue at the moment is that the B2C endpoint is not returning refresh tokens so when the access token expires, the acquireTokenSilent method in the UserAgentApplication class, which is meant to refresh expired access tokens using the refresh token, fails.
My application in B2C is configured with "Include web app / web API" and "Allow implicit flow" set to "Yes" in its Properties. In the API Access section, both the "openid" and "offline_access" scopes are ticked under "Access the user's profile". The application itself has "read", "write" and "user_impersonation" scopes (not sure if that matters).
"offline_access" is included in my scopes and I even tried creating an application one, like the read/write scopes, and including that as well (as "https://mytenant.onmicrosoft.com/testapp/offline_access") but nothing seems to work. The responses never have a refresh token, neither for the id token nor for the access token.
What I have noticed is that when I go to the SignUp-SignIn policy I created and try to run the endpoint from there, the "offline_access" scope isn't even available in the drop-down. Even if I copy the "run endpoint" link at the bottom and add the scope to the URL before running it, the response doesn't include a refresh token.
When I click on the link at the top, it seems to give me some details about the endpoint and only "openid" is under the supported scopes.
Not sure what I'm missing here so any ideas would be appreciated.
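An added example, not part of the question above and not MSAL code: a small JavaScript helper that builds the B2C authorize request the way an implicit-flow client does (scopes including offline_access) and then inspects the fragment the authorize endpoint redirects back with, reporting which token artifacts are present. This is the check to run before blaming the library: the OAuth 2.0 implicit grant response (RFC 6749 §4.2.2) defines access_token, token_type, expires_in, scope and state, plus id_token for OpenID Connect, and no refresh_token field. The tenant, policy, client ID, redirect URI and the fragment values are constructed placeholders; the b2clogin.com endpoint shape is assumed from the Azure AD B2C documentation.

```javascript
// Added example (not from the original post). Values below are constructed
// placeholders, not real tenants, clients or tokens.

// Build the authorize URL for a B2C user flow (policy). Endpoint shape assumed:
// https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize
function buildAuthorizeUrl({ tenant, policy, clientId, redirectUri, scopes, state, nonce }) {
  const base = `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/authorize`;
  const q = new URLSearchParams({
    client_id: clientId,
    response_type: 'id_token token',   // implicit flow: tokens come back in the fragment
    response_mode: 'fragment',
    redirect_uri: redirectUri,
    scope: scopes.join(' '),           // e.g. openid offline_access plus API scopes
    state,
    nonce,
  });
  return `${base}?${q.toString()}`;
}

// Parse "#k=v&k2=v2" (the implicit-flow redirect fragment) into an object.
function parseImplicitFragment(fragment) {
  const raw = fragment.startsWith('#') ? fragment.slice(1) : fragment;
  const params = {};
  for (const pair of raw.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const k = idx === -1 ? pair : pair.slice(0, idx);
    const v = idx === -1 ? '' : pair.slice(idx + 1);
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return params;
}

// Summarise what the authorize endpoint actually returned. For the implicit
// grant, hasRefreshToken is expected to be false regardless of requested scopes.
function summarizeTokenResponse(fragment) {
  const p = parseImplicitFragment(fragment);
  const present = (name) => typeof p[name] === 'string' && p[name].length > 0;
  return {
    hasIdToken: present('id_token'),
    hasAccessToken: present('access_token'),
    hasRefreshToken: present('refresh_token'),
    expiresInSeconds: p.expires_in !== undefined ? Number(p.expires_in) : null,
    grantedScopes: p.scope ? p.scope.split(' ') : [],
    state: p.state || null,
    error: p.error || null,
    errorDescription: p.error_description || null,
  };
}

// Constructed sample: a successful implicit-flow redirect. Token values are dummies.
const SAMPLE_SUCCESS_FRAGMENT =
  '#id_token=eyJhbGciOiJub25lIn0.e30.&access_token=dummy.access.token' +
  '&token_type=Bearer&expires_in=3600&scope=openid%20offline_access&state=xyz123';

// Constructed sample: an error redirect, which carries no tokens at all.
const SAMPLE_ERROR_FRAGMENT =
  '#error=invalid_scope&error_description=unsupported%20scope&state=xyz123';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildAuthorizeUrl({
    tenant: 'mytenant', policy: 'B2C_1_SignUpSignIn', clientId: '00000000-0000-0000-0000-000000000000',
    redirectUri: 'https://localhost:3000/', scopes: ['openid', 'offline_access'],
    state: 'xyz123', nonce: 'n-0S6_WzA2Mj',
  }));
  console.log(summarizeTokenResponse(SAMPLE_SUCCESS_FRAGMENT));
  console.log(summarizeTokenResponse(SAMPLE_ERROR_FRAGMENT));
}
```

Run it against the real fragment your SPA receives (window.location.hash right after the redirect) and compare the summary with what acquireTokenSilent is expecting; if hasRefreshToken is false on a successful response with offline_access granted, the endpoint is behaving as the implicit grant specifies rather than dropping a token it should have sent.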