I am trying to implement OAuth 2.0 Authorization Code Flow in a multi-tenant application.
I first requested authorization for the "openid profile email" scope at login.microsoftonline.com/organizations/oauth2/v2.0/authorize and then used the code I obtained along with grant_type=authorization_code, client_id, client_secret, redirect_uri for an access token at login.microsoftonline.com/organizations/oauth2/v2.0/token.
The response I got contained only id_token and token_type=Bearer. Why wasn't I given the access_token and expired_at fields?
I tried to provide the scope again at the token call but the response came back the same. The spec says it should contain the access token. I also tried /common endpoints but things are the same.
You are using the Azure AD v2.0 endpoint. You can tell this by the fact that your url has v2.0 in it.
In the v2.0 endpoint, if you only ask for scopes that are contained in the id_token (i.e. openid profile email) and don't ask for any other scopes (i.e. https://outlook.office.com/contacts.read) you will only get back an id_token. This is due to the fact that you're basically telling Azure AD that you only want profile info and aren't talking to any APIs, therefore won't need an access token.
On the other hand, if you include a scope for an api (i.e. https://outlook.office.com/contacts.read) you'll get back an access_code.
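To make the scope rule above concrete, here is an added example (not code from the question or the answer) that builds the v2.0 authorize and token requests and checks, from the requested scopes alone, whether an access_token should be expected in the token response. The tenant, client id, redirect URI and state values are placeholders, and the OIDC scope set is the one named in the answer.

```python
# Added example: Azure AD v2.0 authorization-code flow helpers plus a response check.
# Tenant, client_id, redirect_uri, state and code values below are placeholders.
from urllib.parse import urlencode

# Scopes whose claims are delivered inside the id_token; asking for only these
# on the v2.0 endpoint yields an id_token and no access_token (see answer above).
OIDC_SCOPES = {"openid", "profile", "email"}


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Build the v2.0 /authorize URL; 'state' ties the callback to this attempt."""
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{base}?{urlencode(params)}"


def build_token_request(tenant, client_id, client_secret, redirect_uri, code, scopes):
    """Return (url, form body) for redeeming the code at the v2.0 /token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # confidential client only; never ship to browsers
        "redirect_uri": redirect_uri,
        "code": code,
        "scope": " ".join(scopes),
    }
    return url, body


def expects_access_token(scopes):
    """True when at least one requested scope belongs to an API, not the id_token."""
    return any(s not in OIDC_SCOPES for s in scopes)


def check_token_response(scopes, response):
    """Classify a token response against the scopes that were requested."""
    has_access = "access_token" in response
    if expects_access_token(scopes) and not has_access:
        return "unexpected: API scope requested but no access_token returned"
    if not expects_access_token(scopes) and not has_access:
        return "expected: only OIDC scopes requested, id_token only"
    return "ok: access_token present"
```

Requesting an API scope such as https://outlook.office.com/contacts.read alongside openid is what turns the id_token-only response into one carrying an access_token.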