I don't believe you should explicitly include the offline_access scope when using Cognito. Based on my testing, refresh tokens are still enabled in Cognito even without the offline_access. The Cognito UI currently states that refresh tokens are always enabled:

Refresh token authentication is always enabled.