Oauth/token not returning refresh token

I have a 3rd Party application (web application) set up and am currently unable to get the refresh token in my /token call after completing an Authorization Code Flow.

I’m kicking it off correctly I believe (indicating offline_access in scopes):

https://my-tenet/authorize?response_type=code&client_id=my-client-id&redirect_uri=http://localhost:4200/dashboard&audience=my-audience&scope=offline_access read:app create:app&state=STATE&prompt=login

Then when requesting oauth/token on return:


I still only get access_token:

{"access_token":"eyJhbGci…","scope":"create:app read:app offline_access","expires_in":2592000,"token_type":"Bearer"}

My 3rd Party application has the Refresh Token grant and OIDC Conformant turned on. The API it is accessing as the audience does have Allow Offline Access turned on as well. I also have a rule set up, but all it’s doing is adding custom claims on the access_token so I think I’m safe there.

Anyone have any other leads I could look into?

If you do not get back a new refresh token, then it means your existing refresh token will continue to work when the new access token expires.

I’ve never received a refresh token in the first place, nor have I ever seen a “refresh_token” property in my /oauth/token response…

Just pinging for visibility in case anyone else has any ideas? Otherwise I’ll have to continue playing with settings…
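
A triage helper for the situation in this thread, added as an example (not code from any poster or from the identity provider): it compares the scopes in the /authorize request with the /oauth/token response and classifies where the refresh token was lost. The function names, verdict labels and dummy token are assumptions; the URL and response fields are modelled on those quoted above.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed samples modelled on the request and response quoted in the thread.
# Host, client id and audience are the thread's placeholders; the token is a dummy.
AUTHORIZE_URL = (
    "https://my-tenet/authorize?response_type=code&client_id=my-client-id"
    "&redirect_uri=http://localhost:4200/dashboard&audience=my-audience"
    "&scope=offline_access read:app create:app&state=STATE&prompt=login"
)
TOKEN_RESPONSE = json.dumps({
    "access_token": "dummy-token",
    "scope": "create:app read:app offline_access",
    "expires_in": 2592000,
    "token_type": "Bearer",
})


def triage(authorize_url: str, token_response: str) -> dict:
    """Compare what /authorize asked for with what /oauth/token returned."""
    query = parse_qs(urlsplit(authorize_url).query)
    requested = set(query.get("scope", [""])[0].split())
    body = json.loads(token_response)
    granted = set(body.get("scope", "").split())
    return {
        "code_flow": query.get("response_type") == ["code"],
        "offline_access_requested": "offline_access" in requested,
        "offline_access_granted": "offline_access" in granted,
        "refresh_token_present": bool(body.get("refresh_token")),
        "scopes_dropped": sorted(requested - granted),
        "access_token_lifetime_days": body.get("expires_in", 0) / 86400,
    }


def verdict(report: dict) -> str:
    """Hypothetical labels naming the side on which to keep looking."""
    if report["refresh_token_present"]:
        return "ok"
    if not report["code_flow"] or not report["offline_access_requested"]:
        return "client-request"     # the request could not yield a refresh token
    if not report["offline_access_granted"]:
        return "scope-not-granted"  # the server dropped offline_access
    return "server-policy"          # scope granted, yet the server issued no token


if __name__ == "__main__":
    report = triage(AUTHORIZE_URL, TOKEN_RESPONSE)
    print(json.dumps(report, indent=2), verdict(report))
```

For the thread's values the verdict is `server-policy`: the request and the granted scope are both in order, so the remaining variables are the authorization server's application and API settings rather than the client's request.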