Auth Code with PKCE - Refresh Token

Per okta documentation for Auth Code with PKCE, scope=offline_access for response_type=code (/authorize endpoint) should return refresh token in addition to access token. Instead, I see an error that indicates, offline_access is an invalid scope.
Exact response: {"error":"invalid_scope","error_description":"Browser requests to the token endpoint may not include the offline_access scope."}
Could you please let me know if I am missing something, or refresh_token is not supported with auth code flow with PKCE.
Please confirm.

Hi, you cannot make a /token request with the "offline_access" scope from the frontend, since it could be a security concern.

Please see the post below from http://disq.us/p/22kc559:
Yes, most authorization servers will not issue refresh tokens to JavaScript apps, because they are more risky. With public clients, the refresh token is extremely powerful, since it can be used without a secret, so many providers eliminate this risk by just not issuing refresh tokens to any kind of public client.

You can get a refresh token with the PKCE flow but the /token request would have to be from the backend. You can test this by pasting the /authorize url in the browser to retrieve a code. Then make a /token request with Postman or curl with the “offline_access” scope and it should return a refresh token.

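The two-step procedure described in the answer above (build the /authorize URL with PKCE and paste it in a browser, then exchange the returned code at /token from a backend, not from browser JavaScript), worked through as an added example. This is illustration code written for this thread, not Okta's SDK or any code from the original posts. The issuer, client id and redirect URI are placeholder values, and the `/v1/authorize` and `/v1/token` paths under the issuer are assumed from Okta's usual authorization-server layout. It uses only the Python standard library.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Placeholder values constructed for this example (not taken from the thread).
ISSUER = "https://example.okta.com/oauth2/default"  # assumed authorization server
CLIENT_ID = "0oa_example_client_id"                 # assumed public client id
REDIRECT_URI = "https://app.example.com/callback"   # assumed registered redirect URI


def make_code_verifier(nbytes: int = 32) -> str:
    """Random, high-entropy verifier of 43..128 unreserved chars (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge = BASE64URL(SHA256(ASCII(verifier))) with no padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(verifier: str, state: str, issuer: str = ISSUER,
                        client_id: str = CLIENT_ID, redirect_uri: str = REDIRECT_URI) -> str:
    """Step 1: the /authorize URL to paste into the browser.

    offline_access is requested here together with openid. The browser only ever
    receives the short-lived authorization code on the redirect; the refresh token
    itself is never exposed to frontend code.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid offline_access",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str, issuer: str = ISSUER,
                        client_id: str = CLIENT_ID, redirect_uri: str = REDIRECT_URI):
    """Step 2: URL and form body for the backend /token call (curl or Postman).

    PKCE stands in for a client secret: the server hashes code_verifier and compares
    it with the code_challenge it stored at step 1. The code is single-use, so a
    second exchange of the same code, or a mismatched verifier or redirect_uri,
    comes back as invalid_grant.
    """
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    return f"{issuer}/v1/token", body


def classify_token_response(raw: str) -> str:
    """Reduce the token endpoint's JSON to one outcome label for the caller."""
    data = json.loads(raw)
    if "error" in data:
        return data["error"]  # e.g. invalid_scope, invalid_grant
    if "refresh_token" in data:
        return "ok_with_refresh_token"
    return "ok_without_refresh_token"


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print("Open in browser:", build_authorize_url(verifier, state))
    # After the redirect, take ?code=... from the callback and exchange it server-side:
    url, body = build_token_request("CODE_FROM_REDIRECT", verifier)
    print("curl -X POST", url, "-d", "'" + urlencode(body) + "'")
```

The verifier must be kept by whichever side sends the /token request; if the browser built the /authorize URL, hand the verifier to the backend along with the code, otherwise the exchange fails with invalid_grant.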

Thank you very much! I will try the request from Postman.

Hi, I am able to get an authorization code by executing /authorize in the browser. However, this works only if the scope is "openid" (which does not help with regard to the refresh token). /token from Postman with scope=offline_access does not seem to work (invalid grant).

Hi, just wanted to let you know that /token from Postman worked fine. I am now able to get a "refresh_token".
Thanks!