Issue when requesting a refresh token through a javascript web application

I am attempting to implement an Auth Code Flow with PKCE with a refresh token in my react app. The docs imply that refresh tokens are supported, yet when I attempt to make a request for a token given the offline_access scope (to get a refresh token), I'm getting a 400 error and the system logs are showing "failure: unsupported_scope_browser_request". I don't see anywhere in the docs that offline_access is not allowed for a browser based (SPA or MPA) app. Is this what this error is implying? Here's my flow:

Auth Request: (ClientId, RedirectUri, scope “openid offline_access”, responseType “code”)
→ returning a valid auth code

Token Request (ClientId, RedirectUri, grantType “authorization_code”, code codeVerifier )
→ 400 error for “failure unsupported_scope_browser_request”

If I omit "offline_access" from the scope in the auth request, the flow works and an access_token is returned but no refresh token.

Are refresh tokens not valid in a browser context? I’d rather not have to instantiate a full auth flow with page refreshes every hour when the access token expires.

Oh, and I meant to say that this app is fully client side (no server side components outside of the server service APIs I'm using the access_token to access). I'd rather not have to build backend services just to handle token refreshes.

Any help would be appreciated.

Okta Support, is there anyone that can help me with this?

Hi @joepruitt

Due to security concerns, refresh tokens cannot be requested at the moment through front-end channels. If you would like to extend the user's session, then the best solution is to retrieve another set of access token and/or ID token before the session expires.
