Using session token to get refresh token (okta authentication api)



We would like to have an ios app with our own login experience (no redirect to okta login page) and with the use of MFA.
As far as we could understand the regular flows of openid connect will not allow to do that (because of the use of MFA).

So we built authentication flow base on okta api. We are able to authenticate, enroll/activate/verify MFA and getting one time session token and replace it with access token using /authorize api (response_type=token id_token).
The only problem we have is that we are not able to obtain refresh token.

In short the flow is
Authenticate->MFA verify->exchange session token with access token.
How do we get refresh token?

The flows on the /authorize require us to do additional authentication without MFA which we don’t want.
The flows on /token require that you already have a refresh token.