I have a 3rd Party application (web application) set up and am currently unable to get the refresh token in my /token call after completing an Authorization Code Flow.
I’m kicking it off correctly I believe (indicating offline_access in scopes):
My 3rd Party application has the Refresh Token grant and OIDC Conformant turned on. The API it is accessing as the audience does have Allow Offline Access turned on as well. I also have a rule set up, but all it’s doing is adding custom claims on the access_token so I think I’m safe there.
Doesn’t work for me either, even after enabling Refresh Token Rotation. I simply never see a refresh_token alongside the access_token. I have the offline_access scope set and I have the Refresh Token Grant Type enabled.
For future reference: It also depends on the SDK being used to initiate the authorize request. For example, in auth0-react there’s an authorizationParams property of useRefreshTokens which defaults to false:
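An added example, not part of any post in this thread and not Auth0's own code: a small Node.js helper that checks the request-side conditions discussed above (authorization code flow, offline_access in the requested scopes) and then inspects the parsed /token response without printing any token value. The tenant host, client ID, audience and response body are constructed placeholders; dashboard settings such as the Refresh Token grant and Allow Offline Access cannot be seen from the request and still have to be checked in the tenant.

```javascript
// Added example. All URLs, IDs and response bodies below are constructed placeholders.

// Split a space-delimited OAuth parameter into its values.
const splitParam = (v) => (v || '').split(/\s+/).filter(Boolean);

// Inspect the /authorize request for the client-side conditions from the thread.
function checkAuthorizeRequest(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  const problems = [];
  if (!splitParam(params.get('response_type')).includes('code')) {
    problems.push('response_type does not include "code"');
  }
  if (!splitParam(params.get('scope')).includes('offline_access')) {
    problems.push('scope does not include offline_access');
  }
  // The audience names the API whose "Allow Offline Access" setting to verify.
  return { problems, audience: params.get('audience') };
}

// Inspect the parsed /token response without exposing any token value.
function checkTokenResponse(body) {
  const hasRefreshToken =
    typeof body.refresh_token === 'string' && body.refresh_token.length > 0;
  // "scope" is optional in a token response (RFC 6749 section 5.1); null = not reported.
  const offlineAccessGranted =
    typeof body.scope === 'string'
      ? splitParam(body.scope).includes('offline_access')
      : null;
  return { hasRefreshToken, offlineAccessGranted };
}

// Constructed samples: this request omits offline_access, so no refresh token comes back.
const sampleUrl = 'https://tenant.example/authorize?response_type=code' +
  '&client_id=CLIENT_ID_PLACEHOLDER&scope=openid%20profile' +
  '&audience=https%3A%2F%2Fapi.example%2F&redirect_uri=https%3A%2F%2Fapp.example%2Fcb';
const sampleTokenBody = { access_token: 'REDACTED', token_type: 'Bearer', scope: 'openid profile' };

console.log(checkAuthorizeRequest(sampleUrl));
console.log(checkTokenResponse(sampleTokenBody));
```

If the request passes both checks and the response still has no refresh_token, the remaining candidates are the tenant-side settings and SDK options mentioned in the posts above.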