We have two clients registered in our realm; frontend and backend. Frontend is defined openid-connect/public (HTML/Javascript app) and backend is openid-connect/bearer-only.

How can we generate an offline token for a given user that can be used towards our backend (which is bearer only)?

We have a lot of customers that is integrated to our API (which is our backend client).