Self-contained access tokens carry their expiry information inside them. The resource server can verify the token with the authorization server's public key and decode it without sending the token to the authorization server; hence the authorization server does not have the capability to invalidate a self-contained access token. Self-contained JWT access tokens must therefore have a short lifetime. When the access token is short-lived, new access tokens can be obtained (without the user logging in again) using silent authentication or refresh tokens. Refresh tokens provide a better end-user experience than silent authentication, as recent developments in browser privacy technology make access to the session cookie harder.

Note that opaque access tokens, which the resource server sends to the authorization server for introspection, create scalability issues for the authorization server.

To use the refresh token, make a POST request to the service’s token endpoint with grant_type=refresh_token, and include the refresh token as well as the client credentials. Note that the client credentials must be posted as parameters in addition to the refresh token only for confidential applications.

If you are requesting a refresh token for a mobile app using the corresponding Native Client (which is public), then you don't need to send the client_secret in the request, since it's only required for confidential applications. Public clients cannot store a client secret securely.

The response will be a new access token, and optionally a new refresh token (if refresh token rotation is enabled), just like the one you received when exchanging the authorization code for an access token.

REFRESH TOKEN ROTATION

While a web application (an OAuth confidential client) can store a refresh token securely, OAuth public clients (e.g. an SPA) cannot. With refresh token rotation implemented, OAuth public clients can store refresh tokens, because the threat of illegitimate access is reduced when refresh tokens are continually exchanged and invalidated. Refresh token rotation guarantees that every time an application exchanges a refresh token to get a new access token, a new refresh token is also returned. In the case of an SPA, the refresh token will typically be stored in local storage.
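
The refresh request and the rotation described above, seen from the authorization server's side, as an added example that is not taken from any particular product. The client registry, the TokenEndpoint class and the in-memory token store are hypothetical, and the access token is a random stand-in for a signed JWT.

```python
import secrets

# Constructed client registry (hypothetical names): a confidential web app and a public SPA.
CLIENTS = {
    "web-app": {"confidential": True, "secret": "constructed-secret"},
    "spa": {"confidential": False, "secret": None},
}
ACCESS_TOKEN_TTL = 300  # seconds; kept short because a self-contained token cannot be revoked


class TokenEndpoint:
    def __init__(self):
        # refresh token -> client_id; a refresh token is valid only while it is in this map
        self._refresh = {}

    def issue(self, client_id):
        """Mint a short-lived access token together with a fresh refresh token."""
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = client_id
        return {
            "access_token": secrets.token_urlsafe(32),  # stand-in for a signed JWT
            "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_TTL,
            "refresh_token": refresh_token,
        }

    def handle(self, form):
        """Process the POST parameters of a grant_type=refresh_token request."""
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        client = CLIENTS.get(form.get("client_id"))
        if client is None:
            return {"error": "invalid_client"}
        # Only confidential clients authenticate with a secret; public clients hold none.
        if client["confidential"] and not secrets.compare_digest(
            form.get("client_secret", "").encode(), client["secret"].encode()
        ):
            return {"error": "invalid_client"}
        token = form.get("refresh_token")
        if self._refresh.get(token) != form["client_id"]:
            return {"error": "invalid_grant"}  # unknown, already exchanged, or not this client's
        del self._refresh[token]  # rotation: the presented token can be exchanged only once
        return self.issue(form["client_id"])
```

Replaying a refresh token that has already been exchanged returns invalid_grant, which is the property that makes a copied token from a public client's storage short-lived in practice.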

OTHER POINTS

Refresh tokens are not issued in the implicit flow, as the implicit flow is too insecure for that.