We are using the Auth0 Single Page App SDK on my project and we’re trying to cover all session-related edge cases. For example: updating the quantity of a product in your cart after your ID token has expired. Note that we are sending over the ID token to our Magento instance and NOT the access token.
We are calling getTokenSilently before our call to make sure a new token is fetched when our current one has expired. We know there is still an ITP browser-related issue we need to take into account, but let's ignore that for now.
My latest test:
- Wait 24 hours in order for my access token to expire; in the meantime the ID token also expired, as it only has a lifetime of 1 hour.
- Increase the quantity while still on the same page (no page refresh happened in those 24 hours)
- getTokenSilently triggered and returned a new access token.
I did not expect this token call to still be successful. I’ve found the following block in the docs:
> Get a new Access Token silently using either a hidden iframe and prompt=none, or by using a rotating Refresh Token. Refresh Tokens are used when useRefreshTokens is set to true when configuring the SDK.
> - Auth0 Single Page App SDK
- Does this mean that I can keep on calling getTokenSilently until the end of time and I will keep on getting a new access token and ID token? In other words, is getTokenSilently using an iframe the same as using refresh tokens?
- Will the login_required ever be thrown?
Thanks in advance!