Refresh token is null in AuthenticationCallback

I can’t reproduce it. I cloned this repo, replaced the credentials in the String.xml file with my own. Then added those 3 lines above to the builder configuration and run the sample. When I attempt to log in using a database connection user in classic Lock I get this log output:

Request:
D/OkHttp: {"device":"Custom Phone - 5.0.0 - API 21 - 768x1280","password":"******","scope":"offline_access openid profile email","client_id":"***************************","username":"*******","realm":"Username-Password-Authentication","audience":"https://jwks.lbalmaceda.auth0.com","grant_type":"http://auth0.com/oauth/grant-type/password-realm"}

Response:
D/OkHttp: {"access_token":"zzzz.xxxx.yyyy,"refresh_token":"********************","id_token":"zzzz.xxxx.yyyy","scope":"openid profile email delete:photos create:photos update:photos read:photos offline_access","expires_in":86400,"token_type":"Bearer"}

Check in your “https://my.audience” API settings (Auth0 Dashboard) that it allows users to obtain a Refresh Token. The next toggle must be turned ON:

On the Client configuration there’s an advanced settings section that allows you to enable or disable Grant Types for that client. This should be enabled already, but check it anyway:

Please do not include nor use the client_secret as part of a public client such as mobile app. Secrets are meant to be secrets, and there are specific flows designed to be used on these applications that don’t need such disclosure. The refresh token will be present on the response as long as the scope parameter on the log in request included the openid offline_access values, and as long as the application is of type “native” with “allow offline access” turned on.

As a reminder, while refresh tokens can be revoked, they do not expire and can be used to get a new pair of tokens, so treat them with the same level of secrecy as passwords.