failing to receive onedrive oauth refresh_token when authenticating through SSO

I have an app that supports saml based sso and oauth based access to cloud storage providers such as google drive, dropbox, and microsoft onedrive. I have an account setup that uses OneLogin as an identity provider, and my app and onedrive acting as service providers. the app requires users to authenticate with their cloud storage provider, so I redirect the user from the app to onedrive during this auth step. since they are using onelogin sso, they are redirected from onedrive to onelogin, they login to onelogin, and are redirected back to onedrive. Here they resume the oauth flow and agree to grant the app certain permissions and send back a code. I use this code to ping onedrive's /token route to exchange it for an access_token and a refresh_token. however we are not receiving the refresh_token, thus requiring the user to frequently have to reauthenticate with onedrive.

does anyone have any insight as to why we are not receiving a refresh_token? I have reached out to onelogin and microsoft as well (no progress/response yet). I have toyed around with settings in MS azure and onelogin but haven't solved the issue yet.

other details:

to be clear, the flow is:

  1. from app, attempt to oauth auth with onedrive
  2. get redirected to onelogin
  3. login to onelogin
  4. get redirected to onedrive
  5. grant permission for 3rd party app access
  6. get redirected back to app with access code
  7. exchange code for oauth tokens
  8. fail to receive refresh_token

thanks!