I’m experiencing the same sort of challenge with implementing silent authentication as I think the poster of this thread, “CORS issue on silent authentication” (@darthf1), was having back in '19.
Another poster @dynosapp (not the O/P) said they fixed it by setting ‘no-cors’ on the Fetch request, without going into detail. That doesn’t make sense to me, as that prevents script from accessing the response.
To recap, the goal of silent reauthentication is for JavaScript to access the authorize endpoint and (in the happy path) discover that the SSO session is still active and commence the process for a new access token - receiving the same redirection but processing it directly in script. In the not-so-happy path, it will find out directly (because it set “prompt=none”) that the session is gone and it will then need to direct the user’s browser to the authorize endpoint to commence the interactive SSO journey to log back in again.
Does anyone have a better explanation/walk-through of how to actually make silent re-authentication work, CORS headers, JavaScript Fetch settings, and all?
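The two outcomes in the recap above, as an added example that is not part of the original post: it builds the authorize request with `prompt=none` and classifies the redirect that comes back, using the error codes OpenID Connect defines for a failed silent request. It assumes the authorization code flow and covers only the request parameters and the handling of the result, not how the browser delivers the redirect to script; the endpoint, client ID and redirect URI are constructed placeholders.

```javascript
// Added example. All URLs and client values are constructed placeholders.
const SAMPLE_CFG = {
  authorizeEndpoint: "https://idp.example/authorize",
  clientId: "example-client-id",
  redirectUri: "https://app.example/callback",
  scope: "openid profile",
};

// OpenID Connect error codes meaning "cannot complete without user interaction".
const SILENT_FAILURES = new Set([
  "login_required",
  "interaction_required",
  "consent_required",
  "account_selection_required",
]);

// Build the authorize URL; silent=true adds prompt=none so the IdP must not show UI.
function buildAuthorizeUrl(cfg, state, silent) {
  const url = new URL(cfg.authorizeEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", cfg.clientId);
  url.searchParams.set("redirect_uri", cfg.redirectUri);
  url.searchParams.set("scope", cfg.scope);
  url.searchParams.set("state", state);
  if (silent) url.searchParams.set("prompt", "none");
  return url.toString();
}

// Decide what to do with the redirect the IdP sent back to redirect_uri.
function classifyRedirect(redirectUrl, expectedState) {
  const params = new URL(redirectUrl).searchParams;
  // Check state first: a response that does not match our request is never trusted.
  if (params.get("state") !== expectedState) {
    return { action: "reject", reason: "state_mismatch" };
  }
  const error = params.get("error");
  if (error) {
    // Session gone (or consent needed): fall back to the interactive journey.
    return SILENT_FAILURES.has(error)
      ? { action: "interactive_login", reason: error }
      : { action: "reject", reason: error };
  }
  const code = params.get("code");
  return code
    ? { action: "exchange_code", code }
    : { action: "reject", reason: "missing_code" };
}
```

On `interactive_login`, the same `buildAuthorizeUrl` call with `silent` set to `false` gives the URL for the top-level navigation.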