Recently I've been working a bit at Australia's most recognized Airline and had to interact with Salesforce. The problem with their implementation of OAuth2.0 is that no refresh token