I have an SPA application and a requirement is that there is no redirection to the hosted login page. This means that our custom login page hits the /oauth/token endpoint with username and password and receives back an access_token. Since this method is not using SSO, it’s not possible to refresh the token. A solution to this would be to use a refresh token, but that’s not considered best practice.
In other words: is it possible to refresh an access_token taken from the /oauth/token API? If this is not possible, that would be a show stopper for anyone not using the hosted login page.