[SalesForce] Canvas Signed Request not sending refresh_token

See Signed Request Authentication.

Has:

• a change been made to the Permitted Users field from "Admin approved users are pre-authorized" to "All users may self-authorize", or
• when using "All users may self-authorize" and the access token was revoked by the administrator or a time limit was set on the token.

From the docs under Permitted User Value "All users may self-authorize":

If the user has previously approved the app and the access hasn’t been revoked or expired, Salesforce performs a POST to the canvas app with a signed request payload.

If the user hasn’t approved the app, or if the access has been revoked or expired, Salesforce performs a GET to the canvas app URL. The canvas app must handle the GET by accepting the call and looking for the URL parameter _sfdc_canvas_authvalue. If the canvas app receives this parameter value, the canvas app should initiate the approve or deny OAuth flow.
_sfdc_canvas_authvalue = user_approval_required
After the OAuth flow is initiated and the user approves the app, the canvas app should call the repost() method with a parameter of true to retrieve the signed request.

I had the same problem and just solved it.

You need to initialize a Web Server OAuth Authentication Flow using

response_type : 'code'

and complete fetching the tokens on the server. After you complete the oauth flow you can call the repost() function on the canvas page and you will get the signed request.

A User-Agent OAuth Authentication Flow is not good enough it seems.