When calling //o/token?grant_type=authorization_code,
you get access_token in the returned JSON, but also refresh_token.
It seems to me that it must be possible to refresh the token instead of going through the entire login sequence again (with all the CSRF protections in it).
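
The refresh step this question points at, as defined in RFC 6749 section 6, shown as an added example that is not part of the original post. The host `auth.example.invalid`, the client id and secret, the token values and both helper names are assumptions made for illustration; the request is built but never sent.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder host: the page only shows the path /o/token.
TOKEN_URL = "https://auth.example.invalid/o/token"


def build_refresh_request(token_url, refresh_token, client_id, client_secret=None):
    """Build the RFC 6749 section 6 refresh request without sending it."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        # Confidential client: HTTP Basic authentication (section 2.3.1).
        pair = f"{urllib.parse.quote_plus(client_id)}:{urllib.parse.quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        # Public client: identifies itself in the body, no secret involved.
        form["client_id"] = client_id
    # Parameters go in the POST body, not the URL query string, so the
    # refresh token does not land in access logs or browser history.
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def apply_token_response(store, payload, now=None):
    """Update the stored tokens from a token-endpoint JSON response."""
    now = time.time() if now is None else now
    data = json.loads(payload)
    if "error" in data:
        # e.g. invalid_grant: the refresh token expired or was revoked,
        # so the full authorization-code login has to be repeated.
        raise PermissionError(data["error"])
    store["access_token"] = data["access_token"]
    store["expires_at"] = now + int(data.get("expires_in", 0))
    # The server may rotate the refresh token; keep the old one otherwise.
    store["refresh_token"] = data.get("refresh_token", store["refresh_token"])
    return store


# Constructed sample values, not real credentials or server output.
SAMPLE_RESPONSE = '{"access_token": "at-2", "expires_in": 3600, "refresh_token": "rt-2"}'
```

Whether a new refresh_token comes back on each refresh depends on the server's rotation setting, which is why the stored value is only overwritten when the response carries one.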