Authorize Endpoint does not return Refresh Token or Code

I am trying to refresh an access token before it expires for a Single Page Application using PKCE.

My understanding is that to refresh an access token I need to do the following:

  1. Select ‘Authorization Code’ and ‘Refresh Token’ in our Okta Application ‘General Settings’

  2. Call the Authorize endpoint to get a refresh token and a code

  3. Pass the refresh token and code from step 2 to the Token endpoint to generate a new access token and new refresh token.

I have done steps 1 through 3 above and configured the Okta Sign-In Widget in our SPA following the documentation, with the configuration referenced below; however, the authorize request shown below doesn’t seem to contain the Auth Params I set (namely ‘code’ and ‘prompt’), and as a result only an accessToken and idToken parameter are returned and placed into the browser local storage okta-token-storage key. A refresh token and code are not placed into local storage. I have tried with Okta Sign-In Widget v3.9.1 and the latest v4.2.2.

Have I missed something in the configuration?

Authorize Request:

```javascript
oktaConfig: {
  clientId: 'XXXXXXXX',
  issuer: '',
  redirectUri: 'http://localhost:8080/implicit/callback',
  scope: 'openid offline_access profile email',
  authorizeUrl: '',
  userinfoUrl: '',
  prompt: 'none',
  onAuthRequired: onAuthRequired,
  onSessionTimeout: onSessionTimeout
}

widget = new OktaSignIn({
  baseUrl: this.oktaConfig.issuer,
  logo: '',
  language: 'en',
  i18n: {
    en: {
      'primaryauth.title': 'Please enter your credentials to login.'
    }
  },
  features: {
    rememberMe: false // Setting to false will remove the checkbox to save username
  },
  authParams: {
    pkce: true,
    responseMode: 'fragment',
    responseType: ['code', 'token', 'id_token']
  }
});
```

Hi @lorinw00,

According to this documentation -

Authorization code with PKCE requests don't return refresh tokens if they are sent from SPAs or other browser-based apps. Instead, you can silently refresh tokens by making a call to the /authorize endpoint.

Follow this -

Also, the authorization code is an intermediate token that will be exchanged for an access/ID token. It is not saved in the browser local storage AFAIK.

These prior discussions might also help -