@Martheen thank you first. but this answer does not answer me. In Oauth 2.0, there are 4 roles, the resource server, the authorize server, the client, and the user of the client. I mean that refreshing the access token directly by the client id and secret, not by the user's credentials.

as why can refresh the access token by the client id and secret, becouse of the user has authorised, and while the client lossing users' refresh token, not representing the authorization is end and the authorization data is still stored in the authorization server. so the client can refresh access token just by there client id and secret and the authorization data stored in the authorization server.