From various documents, it seems storing the refresh token is not recommended
for browser-based web applications that cannot safely keep the refresh token.
So, I am wondering whether I can configure Keycloak to achieve the following
(authorization code grant):
1. Respond with the access token only (token endpoint).
2. When the access token has expired, rely on the SSO cookie to invoke a
method/endpoint in Keycloak to obtain a new access token via AJAX.
Can you please share your way to cater for the refresh token? And comment on my
idea?
Thanks