As a teacher I’d be worried about it.
A fully client-side application should use implicit code flow. Refreshing in that flow is simply doing the auth again. It amounts to either a refresh loop or a quick popup window, as the user will already have authorized it (unless force_verify is used)