I have an SPA application and a requirement is that there is no redirection to the hosted login page. This means that our custom login page hits the
/oauth/token endpoint with username and password and receives back an
access_token. Since this method is not using SSO, it’s not possible to refresh the token. A solution to this would be to use refresh token, but that’s not considered best practice.
In other words: is it possible to refresh an
access_token taken from
/oauth/token API? If this is not possible, that would be a show stopper for anyone not using the hosted login page