Hi again @matt.kaufman! Good to know it’s working as expected using HTTPS, it’s almost like offline_access is just being ignored here 
What happens if you omit the openid scope and only include offline_access? I believe openid should be added regardless with the password grant. What about if you create a “dummy” API in Auth0 for testing purposes, enable it for offline access, and pass in an audience of the identifier?
Thinking out loud here @lihua.zhang 