Our idea is to use our own httponly strict cookie with the access and refresh tokens in it for our microservices architecture.
We are primarily using the Authentication API to log users in with our own custom Sign Page.
We were able to get the access_token on the authorize endpoint using response_type=token with sessionToken and redirecting the result as a form_post to our back-end endpoint.
I was unable to retrieve the refresh_token despite adding offline_access to the scope, even though it is checked in my application settings.
I don’t want to use the resource password flow since we prefer using sessionToken, which will work with multi-factor if needed in the future.
I also tried using the code flow and redirecting the result to our back end, but since the code flow needs the client it returns this error: "PKCE code verifier is required when the token endpoint authentication method is ‘NONE’." This error occurs even if we choose a .NET application.
How can we achieve retrieving the refresh_token server-side?