Id token doesn't include groups when refreshing

Hello,

I have the following problem. Using the authorization code flow I get an id token with a groups claim (there are access and refresh tokens as well), but when I refresh the tokens using the refresh token I get the id token without the groups claim.

From what I’ve read here and here, I understand that in the first case I get a fat id token and in the second one I get a minimal id token. Unfortunately, according to the documentation that shouldn’t be so, because I supply the openid scope, which should give me a minimal token, but I get a fat token, and on refresh I get neither a fat token nor a minimal token, but something in the middle, because I have profile data but am missing the group claims.

What I need is to receive an id token with the groups claim in both cases (token request and token refresh). Could you help me understand what I’m missing from the documentation, as what I understand doesn’t appear to be what I see?

Here’re the response messages for reference (I’ve decoded the access and id tokens):
Authorization:

Token request (id token with groups claim):

Token refresh (id token without groups claim):

@yordan.tsolov I’m able to reproduce this same behavior. Can you open a support case so that this can be investigated as a bug?
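One way to confirm which claims disappear between the two responses, as an added example that is not part of the original thread: it decodes the payload of each id token for inspection only (no signature verification) and lists the claims present after the code exchange but absent after the refresh. The sample tokens, claim values and function names are constructed for illustration.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Decode a compact JWT payload for inspection only; the signature is NOT checked."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with 3 dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def dropped_claims(initial_jwt: str, refreshed_jwt: str) -> list:
    """Claims present in the first id token but absent from the refreshed one."""
    before, after = decode_claims(initial_jwt), decode_claims(refreshed_jwt)
    return sorted(set(before) - set(after))


def groups_or_none(jwt: str):
    """Return the groups list, or None when the claim is absent.

    Keeping 'absent' distinct from 'empty list' stops an application from
    silently treating a refreshed token as 'user is in no groups'.
    """
    return decode_claims(jwt).get("groups")


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token (placeholder signature) for the demo."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims)) + ".sig"


# Constructed sample data mirroring the behaviour described in the thread.
PROFILE = {"sub": "00u-example", "name": "Sample User", "email": "user@example.com"}
INITIAL = make_sample({**PROFILE, "groups": ["Everyone", "Admins"]})
REFRESHED = make_sample(PROFILE)

if __name__ == "__main__":
    print("dropped on refresh:", dropped_claims(INITIAL, REFRESHED))
    print("groups after refresh:", groups_or_none(REFRESHED))
```
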
