I'm using bell and hapijs and trying to get the office365 provider to work, but it seems like the https://login.microsoftonline.com/common/oauth2/v2.0/token endpoint isn't giving me the access_token required for getting profile information.

This is the OAuth 2.0 flow I'm seeing:

First it redirects to

https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=[client-id]
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A5430%2Fapi%2Fv1%2Flogin%2Fazure-ad
&state=[state]
&scope=openid%20offline_access%20profile

in oauth.js#L197

After a successful sign in from the Microsoft login, it redirects to the server and bell does a POST to https://login.microsoftonline.com/common/oauth2/v2.0/token with payload

{
  payload: 'grant_type=authorization_code&code=[code]&redirect_uri=http%3A%2F%2Flocalhost%3A5430%2Fapi%2Fv1%2Flogin%2Fazure-ad&client_id=[client-id]&client_secret=[client-secret]',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  }
}

in oauth.js#L242

This in turn gives me the following response

{
  "refresh_token": "MCTrMmd...",
  "id_token": "eyJ0eXAiOiJKV..."
}

From the OAuth 2.0 Authorization Code Flow documentation, it seems like I should be getting something more like

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
    "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
}

Specifically, I need an access_token, because the following profile get request (oauth.js#L270) requires it for

Authorization: 'Bearer ' + payload.access_token

Even in Calling /token endpoint does not give me an access_token, it seems like the /token request gets more fields in the response.

Is there something I'm missing in the request?

Looking at your first request, it doesn't have the response_mode=query header, in contrast to the documentation:

In which it also states the expected successful response:

UPDATE: I was able to replicate this when I don't include the scope in the payload when trying to get the token:

Including the scope in the payload returns the access_token:

The scopes openid, email, profile, and offline_access don't seem to return an access_token.

Adding the User.Read scope does provide an access_token.

For bell, you would need something like:

server.auth.strategy('office365', 'bell', {
    provider: 'office365',
    scope: [
        'User.Read'
    ],
    password: 'something',
    clientId: 'clientId',
    clientSecret: 'clientSecret',
});

Although, there are still issues with the endpoint that bell's office365 provider has, documented here: How do I get the logged in users profile for Azure AD OAuth logins?

Figured this out from the investigation in https://stackoverflow.com/a/49424859/111884.