I cannot seem to figure out where I went wrong in setting up an Azure Easy Auth for an app service:
I have a single app service that uses Azure Easy Auth (with Azure AD as the provider) & a token store turned on. When I visit my application, I am prompted to log in. Once logged in, I can visit /.auth/me and I can see both an access_token and a refresh_token. After 60 minutes or so, the access_token expires. The Microsoft docs explain all I have to do is call /.auth/refresh to generate a new access_token. This does not work for me - I am getting a 403 Access Denied back.
My scope does include offline_access and I am retrieving a refresh_token in /.auth/me, but the refresh will just not work. It has also not been revoked since logging in. Annoyingly, I can't find any application logs to tell me why this is failing (I have turned everything on, but I am running a Node.js app which uses PM2 in the background and doesn't seem to log anything from the Easy Auth module?).
To make things stranger, I can manually retrieve a new token by using the OAuth endpoint (POSTing to https://login.microsoftonline.com/) so I don't believe there is any issue with any of the tokens in the token store.
What could be causing this? How can I debug it?
Edit: From doing some testing, it looks like this is caused by an extra scope in my login params. My application requires this scope, but removing it seems to fix the issue. I assume it is failing to refresh the token because the other scope does not support it? What updates do I need to do to allow token refreshing on this custom scope?
"loginParameters": ["scope=openid profile email offline_access api://xxx-xxx-xxx/user_impersonation"]
To fix this issue, I had to add the API scope of the app registration to the "Authorized client applications" for the app registration:
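As an added example, not code from the question or the answer above, here is a small JavaScript helper for a page served by an App Service behind Easy Auth (AAD provider, token store on). It reads /.auth/me, decides whether the access token is close to expiry, issues the GET to /.auth/refresh that the docs describe, and treats the 403 from the question as "send the user back through /.auth/login/aad" rather than retrying. It also checks that the loginParameters scope string actually requests offline_access, since without it no refresh_token lands in the token store. Assumptions: the fetch function is injected so the logic can be exercised offline against a constructed /.auth/me payload (field names follow the Easy Auth token store; the token values and timestamps are placeholders), the five-minute refresh skew is a choice made here, and the fake fetch at the bottom is constructed to return exactly the 403 the question reports. In a real page you would pass window.fetch; the AppServiceAuthSession cookie travels with credentials: 'include'.

```javascript
// Added example (not from the original question/answer): Easy Auth token-refresh helper.
// The fetch implementation is injected so the decision logic runs offline in this demo.

const REFRESH_SKEW_SECONDS = 300; // assumption: refresh when fewer than five minutes remain

// Constructed sample of an /.auth/me response (one entry per provider). Field names follow the
// Easy Auth token store; the token values are placeholders, not real tokens.
const SAMPLE_AUTH_ME = [
  {
    provider_name: 'aad',
    access_token: 'eyJ...access',
    refresh_token: '0.AX...refresh',
    expires_on: '2024-01-01T12:00:00Z',
    user_id: 'user@example.com',
  },
];

// The loginParameters from the question's authsettings. offline_access is what makes AAD
// issue a refresh token that Easy Auth stores alongside the access token.
const LOGIN_PARAMETERS = ['scope=openid profile email offline_access api://xxx-xxx-xxx/user_impersonation'];

// Check that the configured scope string requests offline_access.
function scopeHasOfflineAccess(loginParameters) {
  const scopeParam = loginParameters.find((p) => p.startsWith('scope='));
  if (!scopeParam) return false;
  return scopeParam.slice('scope='.length).split(/\s+/).includes('offline_access');
}

// Pick the entry for one provider out of the /.auth/me array and normalise the fields we need.
function parseAuthMe(payload, providerName = 'aad') {
  const entry = payload.find((p) => p.provider_name === providerName);
  if (!entry) return null;
  return {
    accessToken: entry.access_token,
    hasRefreshToken: typeof entry.refresh_token === 'string' && entry.refresh_token.length > 0,
    expiresOn: new Date(entry.expires_on),
  };
}

// True when the access token is already expired or within the skew window of expiring.
function needsRefresh(tokenInfo, now = new Date()) {
  const secondsLeft = (tokenInfo.expiresOn.getTime() - now.getTime()) / 1000;
  return secondsLeft < REFRESH_SKEW_SECONDS;
}

// /.auth/refresh answers 200 on success and 403 when it cannot refresh (expired or revoked
// refresh token, no refresh token in the store, or the consent problem from this thread);
// anything else is treated as a transient error worth retrying later.
function classifyRefreshStatus(status) {
  if (status === 200) return 'refreshed';
  if (status === 403 || status === 401) return 'login';
  return 'error';
}

async function ensureFreshToken(fetchImpl, base = '') {
  const meResp = await fetchImpl(`${base}/.auth/me`, { credentials: 'include' });
  if (meResp.status === 401) return { action: 'login', reason: 'no Easy Auth session' };
  const info = parseAuthMe(await meResp.json());
  if (!info) return { action: 'login', reason: 'no aad entry in /.auth/me' };
  if (!needsRefresh(info)) return { action: 'none', accessToken: info.accessToken };
  if (!info.hasRefreshToken) {
    return { action: 'login', reason: 'no refresh_token in token store (offline_access missing?)' };
  }

  const refreshResp = await fetchImpl(`${base}/.auth/refresh`, { credentials: 'include' });
  const outcome = classifyRefreshStatus(refreshResp.status);
  if (outcome !== 'refreshed') {
    return { action: outcome, reason: `/.auth/refresh returned ${refreshResp.status}` };
  }

  // The refreshed access token is only visible by reading /.auth/me again.
  const againResp = await fetchImpl(`${base}/.auth/me`, { credentials: 'include' });
  const again = parseAuthMe(await againResp.json());
  return { action: 'refreshed', accessToken: again ? again.accessToken : null };
}

// Offline demo: a constructed fetch that serves the sample /.auth/me (already expired relative
// to the current clock) and rejects the refresh with 403, the exact failure from the question.
function fakeFetch(url) {
  if (url.endsWith('/.auth/me')) {
    return Promise.resolve({ status: 200, ok: true, json: async () => SAMPLE_AUTH_ME });
  }
  if (url.endsWith('/.auth/refresh')) {
    return Promise.resolve({ status: 403, ok: false, json: async () => ({}) });
  }
  return Promise.resolve({ status: 404, ok: false, json: async () => ({}) });
}

console.log('offline_access requested:', scopeHasOfflineAccess(LOGIN_PARAMETERS));
ensureFreshToken(fakeFetch).then((result) => console.log(result));
```

When the result is `{ action: 'login', ... }`, redirect the browser to `/.auth/login/aad` (with `post_login_redirect_uri` set to the current page) instead of looping on /.auth/refresh; the 403 in this thread only went away once the portal change in the answer above was made, so no amount of client-side retrying would have fixed it.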
