When receiving tokenSet by code flow in access_token there are no scope

[AndTem]

Hello, when receiving tokenSet by code flow in access_token there are no scopes. But when authorizing through for example postman, scopes are present in the access_token. Not sure what the problem is? Maybe need to specify some parameter when configuring openid-client?

Example:

import { Issuer } from 'openid-client';

...
const issuer = await Issuer.discover(identityUrl);

const oidcClient = new issuer.Client({
  client_id: 'local_test',
  client_secret: 'secret',
  redirect_uri: 'http://localhost:3000',
  response_type: 'code',
  post_logout_redirect_uris: ['http://localhost:3000'],
  scope: 'openid offline_access test',
});
...
import { Strategy } from 'openid-client';

... 
new Strategy(
    {
      client: oidcClient,
      sessionKey: oidcSessionKey,
    },
    handleSuccessAuth
  );
...

Issuer.discover response:

{
  authorization_endpoint: 'https://myidentityserver/connect/authorize',
  backchannel_logout_session_supported: true,
  backchannel_logout_supported: true,
  check_session_iframe: 'https://myidentityserver/connect/checksession',
  claim_types_supported: ['normal'],
  claims_parameter_supported: false,
  claims_supported: [
    'sub',
    'updated_at',
    'locale',
    'zoneinfo',
    'birthdate',
    'gender',
    'website',
    'picture',
    'profile',
    'preferred_username',
    'nickname',
    'middle_name',
    'given_name',
    'family_name',
    'name',
    'email_verified',
    'email',
    'phone_number',
    'phone_number_verified',
    'address',
  ],
  code_challenge_methods_supported: ['plain', 'S256'],
  end_session_endpoint: 'https://myidentityserver/connect/endsession',
  frontchannel_logout_session_supported: true,
  frontchannel_logout_supported: true,
  grant_types_supported: [
    'authorization_code',
    'client_credentials',
    'refresh_token',
    'implicit',
    'password',
  ],
  id_token_signing_alg_values_supported: ['RS256'],
  issuer: 'https://myidentityserver',
  jwks_uri: 'https://myidentityserver/.well-known/openid-configuration/jwks',
  request_parameter_supported: true,
  request_uri_parameter_supported: true,
  require_request_uri_registration: false,
  response_modes_supported: ['form_post', 'query', 'fragment'],
  response_types_supported: [
    'code',
    'token',
    'id_token',
    'id_token token',
    'code id_token',
    'code token',
    'code id_token token',
  ],
  revocation_endpoint: 'https://myidentityserver/connect/revocation',
  revocation_endpoint_auth_methods_supported: [
    'client_secret_basic',
    'client_secret_post',
  ],
  scopes_supported: [
    'openid',
    'profile',
    'email',
    'phone',
    'test',
    'offline_access',
  ],
  subject_types_supported: ['public'],
  token_endpoint: 'https://myidentityserver/connect/token',
  token_endpoint_auth_methods_supported: [
    'client_secret_basic',
    'client_secret_post',
  ],
  userinfo_endpoint: 'https://myidentityserver/connect/userinfo',
};

[panva]

The tokenSet just gives you the properties received from the OpenID Provider. FYI the scope return property is also optional.

[AndTem]

Thanks for the answer. The problem was in the logic of the application.