Unable to retrieve refresh_token


I’m trying to obtain access_token, id_token and refresh_token to use with Kubernetes kubectl authentication as per their documentation at: https://kubernetes.io/docs/admin/authentication/#openid-connect-tokens

I’ve been down the pure API path via shell scripts and now the Javascript widget and don’t seem to ever be able to get all three token values, only ever id_token and access_token. I’ve tried the three separate app type of Web, Native and SPA but all have the same issue. The current Javascript code I have is as follows. It happily logs in and dumps use access_token and id_token to the JS console. What am I doing incorrectly here?

var oktaSignIn = new OktaSignIn({
	baseUrl: "...",
	clientId: '...',
	redirectUri: '...',
	authParams: {
		responseMode: 'form_post',
        responseType: [ 'token', 'id_token' ],
		scopes: [

  { el: '#okta-login-container' },
  function (res) {
    if (res.status === 'SUCCESS') {
    	console.log('res<%o>', res);

The app is configured in Okta as follows:



Quick look at it, I’m pretty sure it is because you are asking for tokens, and to get the refresh_token you need to use the /tokens endpoint AND the code flow.

Since Okta is OIDC compliant, the Authorization server must ignore offline_access if the response type is not code.