Issue when requesting a refresh token through a javascript web application

I am attempting to implement an Auth Code Flow with PKCE with a refresh token in my react app. The docs imply that refresh tokens are supported, yet when I attempt to make a request for a token given the offline_access scope (to get a refresh token), I’m getting a 400 error and the system logs are showing “failure: unsupported_scope_browser_request”. I don’t see anywhere in the docs that offline_access is not allowed for a browser based (SPA or MPA) app. Is this what this error is implying. Here’s in my flow

Auth Request: (ClientId, RedirectUri, scope “openid offline_access”, responseType “code”)
-> returning a valid auth code

Token Request (ClientId, RedirectUri, grantType “authorization_code”, code codeVerifier )
-> 400 error for “failure unsupported_scope_browser_request”

If I omit “offline_access” from the scope in the auth request, the flow works and a access_token is returned but no refresh token.

Are refresh tokens not valid in a browser context? I’d rather not have to instantiate a full auth flow with page refreshes every hour when the access token expires.

Oh, and meant to say that this app is fully client side (no server side components out side of server service APIs I’m using the access_token to access). I’d rather not have to build backend services just to handle token refreshes.

Any help would be appreciated.

Okta Support, is there anyone that can help me with this?

Hi @joepruitt

Due to security concerns, refresh tokens can not be requested at the moment through front-end channels. If you would like to extend the user’s session, then the best solution is to retrieve another set of access token and/or ID token before the session expires.