Trouble getting refresh in Entra to work
Hey, I’m trying to get automatic token refreshing to work in Entra ID, but I’m not having much luck.
Here is my current provider configuration:
entra: {
  validateIdToken: true,
  validateAccessToken: true,
  scope: ['openid', 'profile', 'email', 'api://REDACTED/Access', 'MailboxSettings.ReadWrite', 'Calendars.ReadWrite', 'Presence.ReadWrite', 'offline_access'],
  responseType: 'code id_token',
  nonce: true,
  additionalAuthParameters: {
    prompt: 'select_account'
  },
  authorizationUrl: '',
  tokenUrl: '',
  redirectUri: '',
  clientId: '',
  clientSecret: '',
  exposeIdToken: true,
  exposeAccessToken: true,
  optionalClaims: ['oid'],
}
The five empty fields are being set using environment variables.
Logging in works without any issues. However, when it tries to refresh, I get this error:
Application 'REDACTED'(REDACTED) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID-based App Identifier.
I read online that setting the audience to api://REDACTED would fix this, and it seemed like it did—however, it broke the login flow. It then tried to open:
https://login.microsoftonline.com/TENANT/.well-known/openid-configuration?appid=api://REDACTED
As far as I can tell, it should have been:
https://login.microsoftonline.com/TENANT/.well-known/openid-configuration?appid=REDACTED
I then tried setting the audience to just REDACTED, but that resulted in a login loop with the error:
[nuxt-oidc-auth]: [entra] Token validation failed: JWTClaimValidationFailed: unexpected "aud" claim value - Code: 500
I’d really appreciate any further guidance on this :)
All the best!
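Added illustration for the two errors quoted in the post above; this is not the poster's code and not nuxt-oidc-auth's implementation. It assumes a placeholder client ID, constructed unsigned sample tokens (real code must verify the signature against the tenant's JWKS), and two facts about Entra that the error text points at: the token endpoint refuses a refresh whose scope names the app's own API in the `api://<guid>/...` form and wants the bare `<guid>/...` form instead, and an ID token carries the client ID as `aud` while an access token for the app's own API carries `api://<guid>` (v1 tokens) or the bare GUID (v2 tokens), so a single configured audience cannot satisfy both when both tokens are validated.

```javascript
// Added example: refresh-token request shaping and aud-claim checking for an
// Entra app that calls its own API. Not nuxt-oidc-auth code. Node >= 16.
const CLIENT_ID = '11111111-2222-3333-4444-555555555555'; // placeholder, not a real app
const TENANT = 'common';                                  // placeholder tenant segment

// Entra rejects a refresh_token grant whose scope refers to the requesting
// app's own API as `api://<clientId>/...` ("requesting a token for itself ...
// GUID-based App Identifier"). The same permission written as
// `<clientId>/<scope>` is accepted. Scopes for other resources are untouched.
function normalizeOwnApiScopes(scopes, clientId) {
  const ownUriPrefix = `api://${clientId}/`;
  return scopes.map((s) =>
    s.startsWith(ownUriPrefix) ? `${clientId}/${s.slice(ownUriPrefix.length)}` : s,
  );
}

// Lists the scopes that would trigger the "token for itself" error as-is.
function findOwnUriScopes(scopes, clientId) {
  return scopes.filter((s) => s.startsWith(`api://${clientId}/`));
}

// Body for POST https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
function buildRefreshBody(refreshToken, scopes, clientId, clientSecret) {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    scope: normalizeOwnApiScopes(scopes, clientId).join(' '),
  });
}

// Decodes the payload segment only. Illustration: a real validator verifies
// the signature, `iss`, `exp` and `nonce` before trusting any claim.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length < 2) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Accepted audiences differ by token kind (assumption about Entra behaviour,
// see lead-in): id_token -> clientId; access token for the app's own API ->
// `api://<clientId>` for v1 tokens or `<clientId>` for v2 tokens.
function acceptedAudiences(kind, clientId) {
  return kind === 'id_token' ? [clientId] : [clientId, `api://${clientId}`];
}

function checkAudience(jwt, kind, clientId) {
  const { aud } = decodeJwtPayload(jwt);
  const auds = Array.isArray(aud) ? aud : [aud];
  const accepted = acceptedAudiences(kind, clientId);
  return auds.some((a) => accepted.includes(a));
}

// Constructed, unsigned sample tokens (alg "none", empty signature). They
// exist only so the checks above can run offline; never accept such tokens.
function unsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
const SAMPLE_ID_TOKEN = unsignedJwt({
  iss: `https://login.microsoftonline.com/${TENANT}/v2.0`,
  aud: CLIENT_ID,
  sub: 'constructed-user',
});
const SAMPLE_ACCESS_TOKEN_V1 = unsignedJwt({ aud: `api://${CLIENT_ID}`, scp: 'Access' });
const SAMPLE_ACCESS_TOKEN_V2 = unsignedJwt({ aud: CLIENT_ID, scp: 'Access' });

// Stand-alone run: show the offending scope and the rewritten refresh body.
const SCOPES = ['openid', 'profile', 'email', `api://${CLIENT_ID}/Access`, 'offline_access'];
console.log('scopes Entra will reject on refresh:', findOwnUriScopes(SCOPES, CLIENT_ID));
console.log('refresh scope sent:', buildRefreshBody('rt', SCOPES, CLIENT_ID, 'secret').get('scope'));
console.log('id_token aud ok:', checkAudience(SAMPLE_ID_TOKEN, 'id_token', CLIENT_ID));
console.log('v1 access aud ok:', checkAudience(SAMPLE_ACCESS_TOKEN_V1, 'access_token', CLIENT_ID));
```

The point of splitting `acceptedAudiences` by token kind is the second error in the post: once one `audience` value has to validate both the ID token and the access token, one of them will fail with an unexpected `aud`, whichever value is chosen.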