I currently have an API proxy for generating and revoking OAuth2 access tokens.
In this proxy, there are flows for each operation (Generation, Revocation and Refresh).
I created a policy for generating an access_token using the client_credentials grant type, a policy for revoking an access_token and a policy for refreshing an access_token, each applied to the request field of each flow.
The problem I'm having is that when I make a request to the endpoint of the flow responsible for generating the access_token (/oauth2/access_token), I only get the access_token. According to the Apigee documentation, client_credentials can't generate a refresh_token alongside the access_token.
The other problem is that the body of my "Refresh Access Token" policy doesn't return anything, even though I enabled the "GenerateResponse" option.
In my organization, we need to authenticate the client application without using a password and be able to extend the lifespan of the access_token without the user re-authenticating.
How should I proceed?