I’m looking at using Auth0 LOCK with a new SPA web application.
I’m not that great with OAuth and all these flows, but I thought that SPA web apps need to use IMPLICIT flow. So, does LOCK do implicit flow? I think I only saw that it does code-flow?
Maybe I’ve got everything confused again…implicit/code/grant/flows/etc…
Currently the best documentation that is available for implicit grant is below:
As the use of Lock in conjunction with API authorization within your own client application is not very well documented yet, a better option to make use of API authorization is to use Auth0.js v8 and go through the hosted login page.
Ok - so if we’re going to use the Auth0.js v8 file and go through the hosted login page then is there code that automatically tries to hit the /authorize endpoint to silently get a new token? Surely there is code for this … because this is a common problem, right?
The suggestion in the comments about using Auth0.js v8+ and going through the hosted login page is indeed the recommendation for this scenario. In addition and to answer your follow-up question you can use the checkSession method to obtain refreshed tokens while the end-user still has an active authentication session. See: Auth0.js v9 Reference
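A sketch of the silent-renewal pattern described in the answer above, added here as an example (it is not code from this thread or from Auth0). It assumes `webAuth` is an auth0.js `WebAuth` instance; the helper names, the one-minute renewal margin and the in-memory `session` object are hypothetical choices.

```javascript
// Added example. `webAuth` is expected to be an auth0.js WebAuth instance, e.g.
//   new auth0.WebAuth({ domain: 'YOUR_TENANT.auth0.com', clientID: 'YOUR_CLIENT_ID' })
// (placeholder values). All helper names below are hypothetical.

// OIDC errors meaning "silent authentication is not possible, show the login page".
const INTERACTIVE_ERRORS = ['login_required', 'consent_required', 'interaction_required'];
const RENEW_MARGIN_MS = 60 * 1000; // renew one minute before the token expires

// Turn a checkSession callback result into a decision the app can act on.
function interpretCheckSession(err, authResult, nowMs) {
  if (err) {
    // No usable session at Auth0: the user must go through the hosted login page.
    if (INTERACTIVE_ERRORS.includes(err.error)) return { action: 'login' };
    // Anything else (timeout, network): keep the current token and try again later.
    return { action: 'retry', reason: err.error || 'unknown' };
  }
  if (!authResult || !authResult.accessToken) return { action: 'retry', reason: 'empty_result' };
  const lifetimeMs = authResult.expiresIn * 1000; // expiresIn is in seconds
  return {
    action: 'store',
    accessToken: authResult.accessToken,
    expiresAt: nowMs + lifetimeMs,
    renewInMs: Math.max(lifetimeMs - RENEW_MARGIN_MS, 0),
  };
}

// Ask Auth0 for fresh tokens (checkSession uses a hidden iframe) and report the decision.
function silentRenew(webAuth, params, onDecision, nowMs = Date.now()) {
  webAuth.checkSession(params, (err, authResult) => {
    onDecision(interpretCheckSession(err, authResult, nowMs));
  });
}

// Keep the token in memory only and re-arm the timer after each attempt.
function startRenewalLoop(webAuth, params, session) {
  silentRenew(webAuth, params, (d) => {
    if (d.action === 'login') return webAuth.authorize(params); // full-page redirect
    if (d.action === 'store') {
      session.accessToken = d.accessToken;
      session.expiresAt = d.expiresAt;
    }
    const delay = d.action === 'store' ? d.renewInMs : RENEW_MARGIN_MS;
    session.timer = setTimeout(() => startRenewalLoop(webAuth, params, session), delay);
  });
}
```

Call `startRenewalLoop(webAuth, { audience, scope }, session)` once after the initial login, and `clearTimeout(session.timer)` on logout.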