By default new clients that get created as native or non-interactive do not receive the password or password realm grants. However, if they are first-party client application that you trust to directly handle user credentials you can still patch them through the Management API to include those grants and they will then be able to perform them. For your second question given there are many things that can cause a refresh token to not be issued I would suggest you to create a separate question if you haven’t done so already.