At a most basic level, all that’s required is setting useRefreshTokens: true and enabling refresh token rotation for the relevant application in your dashboard settings.
Here’s a working example if you’d like to check it out - If I omit the useRefreshTokens: true flag then the application will resort to using silent auth if I click the “ping” button (getTokenSilently) of the external API page. With useRefreshTokens: true, you can see the offline_access scope included in the initial authorize request constructed on login, and subsequently a refresh token returned from the token endpoint:
@Jerome.Piquet.AD I have most of it working, except when I log out in the application without leaving the application, and then log back in again, the application uses 3rd party cookies. I don’t understand why Auth0 did not use cookies on the first login, but it uses them the second time?
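The check described in the first reply (the `offline_access` scope on the authorize request, then a refresh token in the token response) can be run against requests captured from the browser's network tab. This is an added example, not code from the thread or from Auth0. The function names, URLs and token values are constructed, and it assumes silent-auth requests carry the standard OIDC `prompt=none` parameter.

```javascript
// Added example: classify captured /authorize requests and a token response.
// Every URL and token value below is a constructed sample, not real tenant data.

function classifyAuthorizeRequest(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  const scopes = (params.get('scope') || '').split(/\s+/).filter(Boolean);
  return {
    // offline_access is the scope that asks for a refresh token
    requestsRefreshToken: scopes.includes('offline_access'),
    // prompt=none marks a silent-auth request (assumption stated in the lead-in);
    // such a request relies on the session cookie at the authorization server
    isSilentAuth: params.get('prompt') === 'none',
  };
}

function hasRefreshToken(tokenResponse) {
  return typeof tokenResponse.refresh_token === 'string' &&
    tokenResponse.refresh_token.length > 0;
}

function summarize(capturedAuthorizeUrls, tokenResponse) {
  const requests = capturedAuthorizeUrls.map(classifyAuthorizeRequest);
  const login = requests.find((r) => !r.isSilentAuth);
  return {
    // true only when the login asked for a refresh token and one came back
    refreshTokenFlow:
      Boolean(login && login.requestsRefreshToken) && hasRefreshToken(tokenResponse),
    // number of captured requests that depended on silent auth
    silentAuthRequests: requests.filter((r) => r.isSilentAuth).length,
  };
}

const BASE = 'https://tenant.example/authorize?client_id=CLIENT_ID_PLACEHOLDER&response_type=code';

// Constructed capture with useRefreshTokens: true
const WITH_FLAG_URLS = [BASE + '&scope=openid%20profile%20offline_access'];
const WITH_FLAG_TOKEN = { access_token: 'sample-at', refresh_token: 'sample-rt' };

// Constructed capture without the flag: login, then a silent-auth request
const WITHOUT_FLAG_URLS = [
  BASE + '&scope=openid%20profile',
  BASE + '&scope=openid%20profile&prompt=none&response_mode=web_message',
];
const WITHOUT_FLAG_TOKEN = { access_token: 'sample-at' };

console.log(summarize(WITH_FLAG_URLS, WITH_FLAG_TOKEN));
console.log(summarize(WITHOUT_FLAG_URLS, WITHOUT_FLAG_TOKEN));
```

A non-zero `silentAuthRequests` count in a capture means those requests went through the cookie-dependent path rather than the refresh token exchange.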