IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

silent renew calls have incomplete scope and response_type #1284

Closed mellis481 closed 3 years ago

mellis481 commented 3 years ago

I've defined the following settings for my UserManager:

{
    "authority": "https://my-auth-server.com/identity",
    "automaticSilentRenew": true,
    "client_id": "my-client-id",
    "post_logout_redirect_uri": "https://localhost:9000/ui/loggedout",
    "redirect_uri": "https://localhost:9000/ui/authorize",
    "response_type": "id_token token",
    "scope": "openid profile",
    "silent_redirect_uri": "https://localhost:9000/ui/silent-renew"
}

These settings are used successfully for the initial login handshake and I'm able to see them in the URLs. Login is working properly.

I'm now trying to test silent renew. Before the expires_at time is reached, I'm seeing some network traffic in my browser starting with this GET request:

https://my-auth-server.com/identity/connect/authorize
?client_id=my-client-id
&redirect_uri=https%3A%2F%2Flocalhost%3A9000%2Fui%2Fsilent-renew
&response_type=id_token
&scope=openid
&state=3556df28ba274881b3e3890e6261ebef
&nonce=df30f4f4aa9b40148a9662ebb65239c6
&prompt=none

I get a 302 response for this request with the following location header:

https://localhost:9000/ui/silent-renew#error=login_required&state=3556df28ba274881b3e3890e6261ebef

I'm trying to understand why the silent renew callback URL has the error=login_required hash. The one thing that caught my eye is that the silent renew request does not contain the full list of response_type and scope values. Why is that?

brockallen commented 3 years ago

I'm trying to understand why the silent renew callback URL has the error=login_required hash

I'm going to guess due to same-site cookie setting on the auth cookie at the STS.