🪪 fix: Pass Scope in OpenID Refresh Token Grant for Azure Custom API (#11770)

* fix(auth): pass scope parameter in OpenID refresh token grant

   When using Azure Entra ID with a custom API scope (e.g., api://app-id/access_user)
   and OPENID_REUSE_TOKENS=true, the refresh token exchange fails with AADSTS90009
   because the scope parameter is not included in the refresh request.

   Azure AD v2.0 requires the scope parameter when refreshing tokens issued for
   custom API audiences. Without it, Azure interprets the request as the app
   requesting a token for itself and rejects it.

   This fix passes OPENID_SCOPE as the scope parameter to refreshTokenGrant(),
   maintaining backward compatibility (no scope sent if OPENID_SCOPE is not set).

   Fixes: refresh token 400 error with Azure custom API scopes
   Tested: Azure Entra ID + Token Reuse + SharePoint integration

* style(auth): fix ESLint multiline arguments formatting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

api/server/controllers/AuthController.js

@@ -79,7 +79,12 @@ const refreshController = async (req, res) => {
 
     try {
       const openIdConfig = getOpenIdConfig();
-      const tokenset = await openIdClient.refreshTokenGrant(openIdConfig, refreshToken);
+      const refreshParams = process.env.OPENID_SCOPE ? { scope: process.env.OPENID_SCOPE } : {};
+      const tokenset = await openIdClient.refreshTokenGrant(
+        openIdConfig,
+        refreshToken,
+        refreshParams,
+      );
       const claims = tokenset.claims();
       const { user, error, migration } = await findOpenIDUser({
         findUser,