I am able to retrieve a rotating refresh token using the Auth0 SPA SDK; however, using a non-rotating refresh token, I am unable to retrieve it on the SPA (using the PKCE authorization flow).
I understand the security risk of making a non-rotating refresh token available to a public client (a web browser here, for example).
Questions:
- If I still want to access a non-rotating refresh token in my SPA, how can I get it?
- If the SPA is really out of the question for this situation, can I retrieve a non-rotating refresh token using an access token and client secret from the backend?
I have the user authenticated and authorized to perform API calls in the SPA. I want to make a non-rotating refresh token available to them.