Okta Widget with Refresh Token

Good day all,

We are debating on using the Okta Widget with Auth Code Flow and PKCE on our site for the simplicity and time to delivery. One of the requirements though is to use a Refresh Token. My concern is in regards to the Okta Widget being a JavaScript library. Is it safe to use a Refresh Token with the Okta Widget? Everything I have read indicates that it is best practice to use a Backend channel when working with Auth Code Flow and Refresh tokens. If the Okta Widget is safe, then would it be possible to explain why for my better understanding?

Thanks in advance for any comments.

Refresh tokens are typically not supported by SPA applications. I don’t believe the Sign-In Widget supports using one either.

Thanks Mraible for your response.

I appreciate it.