diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
index cc0f26322..395e1b0f7 100644
--- a/NEXT_CHANGELOG.md
+++ b/NEXT_CHANGELOG.md
@@ -6,6 +6,8 @@
 ### Bug Fixes
+ * Ensure that refresh tokens are returned when using the `external-browser` credentials strategy.
+
 ### Documentation
 ### Internal Changes
diff --git a/databricks/sdk/oauth.py b/databricks/sdk/oauth.py
index 48b218f08..e099dbf07 100644
--- a/databricks/sdk/oauth.py
+++ b/databricks/sdk/oauth.py
@@ -629,7 +629,11 @@ def __init__(
 ):
 if not scopes:
- scopes = ["all-apis"]
+ # all-apis ensures that the returned OAuth token can be used with all APIs, aside
+ # from direct-to-dataplane APIs.
+ # offline_access ensures that the response from the Authorization server includes
+ # a refresh token.
+ scopes = ["all-apis", "offline_access"]
 self.redirect_url = redirect_url
 self._client_id = client_id
@@ -654,8 +658,6 @@ def noop_credentials(_: any):
 return lambda: {}
 config = Config(host=host, credentials_strategy=noop_credentials)
- if not scopes:
- scopes = ["all-apis"]
 oidc = config.oidc_endpoints
 if not oidc:
 raise ValueError(f"{host} does not support OAuth")
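Review bot: The `offline_access` default under `if not scopes:` in `__init__` applies only when the caller passes no scopes, so a caller that passes an explicit list such as `["all-apis"]` still gets no refresh token. Every caller relying on the default now receives a long-lived refresh token without asking for one. The added comment should say both things, for example `# NOTE: callers that pass their own scopes must include offline_access themselves to get a refresh token.` and `# The refresh token is a long-lived credential; anything that persists it must restrict access to it.` How the token is stored is not visible here, since the rest of `__init__` lies outside the hunk. The deletion in the second hunk presumably relies on the scopes reaching `__init__` unchanged, which is worth confirming.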