Hi, you can not make a /token request with the “offline_access” scope in the frontend since it could be a security concern.
Please see the post below from http://disq.us/p/22kc559:
Yes, most authorization servers will not issue refresh tokens to JavaScript apps, because they are more risky. With public clients, the refresh token is extremely powerful, since it can be used without a secret, so many providers eliminate this risk by just not issuing refresh tokens to any kind of public client.
You can get a refresh token with the PKCE flow but the /token request would have to be from the backend. You can test this by pasting the /authorize url in the browser to retrieve a code. Then make a /token request with Postman or curl with the “offline_access” scope and it should return a refresh token.