It works well when using rotating refresh tokens but the problem is that the user would potentially have to re-login every 90 days (max expiry for rotating tokens).
Implementing Authorization Code Flow (PKCE) in a Cordova app sets ‘origin’ header in the requests and Auth0 then doesn’t include the refresh token. Omitting the origin header would work and if this was a native app then I think this would work.
Resource Owner Password flow would work too but this approach isn’t recommended.
So my question is can I get a long-lived refresh token for a Cordova/Ionic app using Auth0?