Rp1, an OAuth2 refresh token is used to trade in for a new short-lived access token (which I'm sure you knew already), but there's no need for that for how NodeBB uses SSO. It calls the authorization endpoint a single time to log the user in, and essentially disposes of the access token after calling the user info endpoint.
Additional logins just restart the same login process. There's no need to maintain API access, which is why there's no need for a refresh token. Does that help?
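The login-only flow described in the post above, as an added sketch that is not part of the original post and is not NodeBB source code. The in-memory provider, `ssoLogin`, the session map and all sample values are hypothetical and constructed for illustration.

```javascript
// Added illustration, not NodeBB source. All names here are hypothetical.
// In-memory stand-in for an OAuth2 provider (constructed for the example).
function makeProvider() {
  const codes = new Map(), tokens = new Map();
  let n = 0;
  return {
    // Authorization endpoint: the user authenticates and gets a one-time code.
    authorize(user) { const code = `code-${++n}`; codes.set(code, user); return code; },
    // Token endpoint: the code is single use; a refresh token is issued too.
    token(code) {
      const user = codes.get(code);
      if (!user) throw new Error('invalid_grant');
      codes.delete(code);
      const access_token = `at-${++n}`;
      tokens.set(access_token, user);
      return { access_token, refresh_token: `rt-${++n}`, expires_in: 300 };
    },
    // User info endpoint: requires a valid access token.
    userinfo(accessToken) {
      const user = tokens.get(accessToken);
      if (!user) throw new Error('invalid_token');
      return { sub: user.id, email: user.email };
    },
  };
}

// Login-only client: the access token exists only inside this function.
function ssoLogin(provider, code, sessions) {
  const { access_token } = provider.token(code);   // refresh_token is ignored
  const profile = provider.userinfo(access_token); // the single API call
  const sid = `sid-${sessions.size + 1}`;
  sessions.set(sid, { uid: profile.sub, email: profile.email }); // no tokens kept
  return sid;
}

function demo() {
  const provider = makeProvider();
  const sessions = new Map();
  const user = { id: 'u42', email: 'alice@example.test' }; // constructed sample user
  const first = ssoLogin(provider, provider.authorize(user), sessions);
  // A later login restarts the whole flow instead of refreshing anything.
  const second = ssoLogin(provider, provider.authorize(user), sessions);
  let replay = 'accepted';
  try { provider.token('code-1'); } catch (e) { replay = e.message; }
  return { first: sessions.get(first), second: sessions.get(second),
           count: sessions.size, replay };
}
```

Because the session record holds only the local user mapping, the session store contains no provider credential that would need rotation or refresh.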