POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=123&client_id=123&client_secret=123&scope=openid+profile&audience=https%3A%2F%2Fapi.example.com
audience and client_secret parameters are optional.
client_secret is not needed when requesting a refresh_token for a public application.
Refresh Tokens must be kept confidential in transit and storage, and they should be shared only among the authorization server and the client to whom the refresh tokens were issued.
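As an added example (not code from the original page), the sketch below builds the request shown above, leaves out the optional parameters when they are absent, refuses a non-HTTPS endpoint, and masks the secrets before logging. The host auth.example.com and the function names build_refresh_request and redact are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request


def build_refresh_request(token_url, refresh_token, client_id,
                          client_secret=None, scope=None, audience=None):
    """Build (but do not send) the refresh_token grant request."""
    # Refresh tokens must stay confidential in transit: refuse cleartext HTTP.
    if urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must use https")
    if not refresh_token or not client_id:
        raise ValueError("refresh_token and client_id are required")

    form = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }
    # Optional parameters are omitted entirely rather than sent empty.
    # A public application has no client_secret to send.
    if client_secret is not None:
        form["client_secret"] = client_secret
    if scope:
        form["scope"] = " ".join(scope)  # urlencode turns the space into '+'
    if audience:
        form["audience"] = audience

    body = urlencode(form).encode("ascii")
    return Request(token_url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def redact(request):
    """Return the form body with secrets masked, safe to write to a log."""
    fields = parse_qs(request.data.decode("ascii"))
    for secret in ("refresh_token", "client_secret"):
        if secret in fields:
            fields[secret] = ["[REDACTED]"]
    return urlencode(fields, doseq=True)


if __name__ == "__main__":
    # Constructed sample values, matching the placeholder request on this page.
    req = build_refresh_request("https://auth.example.com/oauth/token", "123", "123",
                                client_secret="123", scope=["openid", "profile"],
                                audience="https://api.example.com")
    print(req.get_method(), req.full_url)
    print(redact(req))
```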