fix(core): make access_token optional for Azure SSO (#7457)

simeng-li · web-flow · commit 47b25473fe7a · 2025-06-16T13:52:15.000+08:00
make access_token optional in Azure OIDC SSO connector token response
diff --git a/.changeset/lemon-walls-fry.md b/.changeset/lemon-walls-fry.md
@@ -0,0 +1,15 @@
+---
+"@logto/core": patch
+---
+
+fix: make `access_token` optional for Azure OIDC SSO connector
+
+Previously, the Azure OIDC connector strictly required an access token in the token response, which caused issues with Azure B2C applications that only return ID tokens.
+
+This change makes the connector more flexible by:
+
+- Making access token optional in token response
+- Conditionally fetching user claims from userinfo endpoint only when:
+  - Access token is present in the response
+  - Userinfo endpoint is supported by the provider
+- Falling back to ID token claims when access token is not available
diff --git a/packages/core/src/sso/AzureOidcSsoConnector/index.ts b/packages/core/src/sso/AzureOidcSsoConnector/index.ts
@@ -4,8 +4,6 @@ import camelcaseKeys from 'camelcase-keys';
 import { decodeJwt } from 'jose';
 import { z } from 'zod';
 
-import assertThat from '#src/utils/assert-that.js';
-
 import OidcConnector from '../OidcConnector/index.js';
 import { fetchToken, getIdTokenClaims, getUserInfo } from '../OidcConnector/utils.js';
 import { type SingleSignOnFactory } from '../index.js';
@@ -76,13 +74,6 @@ export class AzureOidcSsoConnector extends OidcConnector implements SingleSignOn
     // Fetch token from the OIDC provider using authorization code
     const { idToken, accessToken } = await fetchToken(oidcConfig, data, redirectUri);
 
-    assertThat(
-      accessToken,
-      new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, {
-        message: 'The access token is missing from the response.',
-      })
-    );
-
     // Need to decode the id token to get the tenant id
     const decodeToken = decodeJwt(idToken);
 
@@ -97,9 +88,10 @@ export class AzureOidcSsoConnector extends OidcConnector implements SingleSignOn
     // Verify the id token and get the claims
     const idTokenClaims = await getIdTokenClaims(idToken, oidcConfig, nonce, jwtVerifyOptions);
     // Fetch user info from the userinfo endpoint
-    const userInfoClaims = oidcConfig.userinfoEndpoint
-      ? await getUserInfo(accessToken, oidcConfig.userinfoEndpoint)
-      : undefined;
+    const userInfoClaims =
+      oidcConfig.userinfoEndpoint && accessToken
+        ? await getUserInfo(accessToken, oidcConfig.userinfoEndpoint)
+        : undefined;
 
     // Merge the claims from id token and userinfo endpoint as in Azure AD, some claims are only available in the userinfo endpoint
     const mergedClaims = {
