
Missing refresh_token when using authorization code with PKCE


After authorizing the management API using the OAuth2 code flow with PKCE, the response from POST https://login.tapkey.com/connect/token does not return a refresh token. Am I missing something?

The redirect for the user goes to https://login.tapkey.com/connect/authorize?client_id=[...]&redirect_uri=[...]&scope=write%3Agrants&response_type=code&state=[...]&code_challenge=[...]&code_challenge_method=S256

After the callback I'm requesting POST https://login.tapkey.com/connect/token with the following form data:

[
  "grant_type" => "authorization_code"
  "client_id" => "[...]"
  "client_secret" => null
  "code" => "[...]"
  "redirect_uri" => "[...]"
  "code_verifier" => "[...]"
]

The response I get is

[
  "access_token" => "[...]"
  "expires_in" => 3600
  "token_type" => "Bearer"
  "scope" => "write:grants"
]

Solution

  • As described here https://developers.tapkey.io/api/authentication/pkce/#refreshing-an-access-token, to get a refresh_token you also need to request the scope "offline_access".
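As an added example (not code from the Tapkey docs or from the question), the pieces of the flow above in Python: an S256 PKCE pair, the authorize URL with offline_access in the scope, the token request body for a public client, and a check that tells you why a token response lacks a refresh_token. The authorize endpoint is the one from the question; client_id, redirect_uri, state and the sample responses are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Endpoint from the question; client_id, redirect_uri and state are placeholders.
AUTHORIZE_URL = "https://login.tapkey.com/connect/authorize"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636:
    the challenge is the unpadded base64url SHA-256 of the verifier."""
    if verifier is None:  # 32 random bytes -> 43 unreserved characters
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(client_id, redirect_uri, state, code_challenge, want_refresh=True):
    """Build the redirect URL; "offline_access" is what makes a refresh_token appear."""
    scopes = ["write:grants"] + (["offline_access"] if want_refresh else [])
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "response_type": "code",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_token_request(client_id, code, redirect_uri, code_verifier):
    """Form body for POST /connect/token; a public PKCE client sends no client_secret."""
    return {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}


def check_token_response(resp):
    """Return the problems found in a token response (an empty list means it is usable)."""
    problems = []
    if "access_token" not in resp:
        problems.append("missing access_token")
    if "offline_access" not in resp.get("scope", "").split():
        problems.append("offline_access not granted; add it to the requested scope")
    if "refresh_token" not in resp:
        problems.append("no refresh_token in the response")
    return problems
```

Run check_token_response on the exact dictionary you get back from the token endpoint; the response shown in the question yields two problems, both pointing at the missing offline_access scope.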