Authentication Token endpoint not providing a Refresh Token?

We’re trying to call the Authentication Token endpoint with a call like this:

curl -X "POST" "" \
     -H 'Cache-Control: no-cache' \
     -H 'Content-Type: application/json' \
     -d $'{
  "password": "PASSWORD",
  "scope": "openid profile offline_access",
  "grant_type": "",
  "realm": "{OUR_REALM}",
  "username": "{USER}",
  "audience": "{AUDIENCE}",
  "client_id": "{CLIENT_ID}"

From a Native Client, and the API for that audience is set to Allow Offline Access.
However, in response we get:

  "access_token": ...,
  "id_token": ...
  "scope": "openid profile",
  "expires_in": 86400,
  "token_type": "Bearer"

So I’m not sure what we’re doing wrong. Are we using the flow incorrectly? What is the way we should be authenticating our mobile apps with a refresh token?

The token endpoint response includes a scope value that represents the requested scopes minus the offline_access one so one possible explanation is if you have a rule to restrict the issued scopes and that rule restricts the scopes being issued to not include the offline access one. I just updated a sample rule on a previous question to include a note about handling offline access when restricting scopes in rules so if you’re in that situation you may want to look at the linked quesion; have in mind, that the example rule in the linked question makes some assumptions so it should only be used if you consider it applicable also to your scenario.