Authorize Endpoint does not return Refresh Token or Code

I am trying to refresh an access token before it expires for a Single Page Application using PKCE.

My understanding is that to refresh an access token I need to do the following:

  1. Select 'Authorization Code' and 'Refresh Token' in our Okta Application 'General Settings'

  2. Call the Authorize endpoint to get a refresh token and a code

  3. Pass the refresh token and code from step 2 to the Token endpoint to generate a new access token and new refresh token.

I have done steps 1 through 3 above and configured the Okta Sign-In Widget in our SPA following the documentation, with the configuration referenced below. However, the authorize request shown below doesn't seem to contain the Auth Params I set (namely 'code' and 'prompt'), and as a result only an accessToken and idToken parameter are returned and placed into the browser local storage okta-token-storage key. A refresh token and code are not placed into local storage. I have tried with Okta Sign-In Widget v3.9.1 and the latest v4.2.2.

Have I missed something in the configuration?

Authorize Request:

https://tw.oktapreview.com/oauth2/v1/authorize?client_id=XXXXXXXX&nonce=YYYYYYY&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fimplicit%2Fcallback&response_mode=fragment&response_type=id_token%20token&sessionToken=ZZZZZZZ&state=AAAAA&scope=openid%20offline_access%20profile%20email

oktaConfig: {
    clientId: 'XXXXXXXX',
    issuer: 'https://tw.oktapreview.com',
    redirectUri: 'http://localhost:8080/implicit/callback',
    scope: 'openid offline_access profile email',
    authorizeUrl: 'https://tw.oktapreview.com/oauth2/v1/authorize',
    userinfoUrl: 'https://tw.oktapreview.com/oauth2/v1/userinfo',
    prompt: 'none',
    onAuthRequired: onAuthRequired,
    onSessionTimeout: onSessionTimeout
}

widget = new OktaSignIn({
    baseUrl: this.oktaConfig.issuer,
    logo: '',
    language: 'en',
    i18n: {
        en: {
            'primaryauth.title': 'Please enter your credentials to login.'
        },
    },
    features: {
        rememberMe: false, // Setting to false will remove the checkbox to save username
    },
    authParams: {
        pkce: true,
        responseMode: 'fragment',
        responseType: ['code', 'token', 'id_token'],
    }
});

Hi @lorinw00,

According to this documentation: https://developer.okta.com/docs/guides/refresh-tokens/get-refresh-token/#get-a-refresh-token-with-the-code-flow

Authorization code with PKCE requests don't return refresh tokens if they are sent from SPAs or other browser-based apps. Instead, you can silently refresh tokens by making a call to the /authorize endpoint.

Follow this: https://developer.okta.com/docs/guides/refresh-tokens/get-refresh-token/#get-a-new-access-token-id-token-silently-for-your-spa

Also, the authorization code is an intermediate token that will be exchanged for an access/ID token. It is not saved in the browser local storage AFAIK.

These prior discussions might also help:
https://support.okta.com/help/s/question/0D51Y00005xyT6j/spa-oauth-flow-recommendation-and-token-refresh?language=en_US