Hi AndrWeis,
I’m not sure about the refresh token issue and can’t help you there. But my use case is similar to yours and I noticed something you may have overlooked.
Having the access_token returned in the url might not be safe. Other community members have posted about it.
My solution ended up being using checkSession() to get an access token after my initial authorization.
Sorry for adding to your problems rather than solving them but I thought I should say something.
As for refresh tokens, I know the responseType field decides what you get back. token === access_token and id_token is obvious. Perhaps there is a value you can enter to get the refresh_token?
Edit: Nevermind, I just saw the docs mention offline_access in scope should give you the refresh token.