Hi Auth0 community,
I am working on a mobile app for iOS and Android which displays a JavaScript web app in a WebView.
The Auth0 part takes place in the JavaScript web layer.
I use the Auth0-SPA-JS-SDK version 1.20.1 for this.
The login and logout process works well up to a certain point.
When I log into the app, close it, and then re-open it after a few days, I sometimes get this error message:
I get a “Timeout” error that seems to come from the SDK and an HTTP 403 message from /authorize:
This is what my Auth0Client creation looks like:
createAuth0Client({
  domain: data.auth0Domain,
  client_id: data.mobileAppClientId,
  cacheLocation: 'localstorage',
  useRefreshTokens: true,
  audience: 'production',
})
On top of that I could also detect an iframe from Auth0 which then also shows up in the DOM:
The app uses refresh tokens with rotation to bypass the ITP technology from WKWebView (Safari).
Actually, no Auth0 iframes should be used with activated refresh tokens; do I see that correctly? If so, is it possible that the SDK does a fallback under certain circumstances?
And my main question is what the 403 error means and how I can solve it.
Thanks a lot in advance!
Lawrence