Thanks for sharing the HAR file, @dave6 - It looks like this isn’t a CORS failure–the OPTIONS method is not supported on the /authorize endpoint as it is expected the browser will request the page directly and not via an xhr request.
Some alternatives here would be:
- A redirect flow to /authorize with prompt=none
- getTokenSilently() method if using the auth0-spa-js SDK
- a refresh token flow (this can do an xhr request to /oauth/token)
You could look into refresh token rotation:
- Refresh Token Rotation
- With that setup you could likely extend the useful life of refresh tokens safely.
- You could also consider increasing the length of the browser session and use checkSession in auth0.js or getTokenSilently in auth0-spa-js:
Both of these will use the auth0 session cookie to request a new token in the background. Depending on your architecture this can cause unexpected behavior with Safari Intelligent Tracking Prevention and Chrome incognito mode. In that case refresh token rotation can sidestep those issues.