Distinguish between first login and silent auth

@guillempuche,

One of the example rules uses this conditional for distinguishing signup from refresh:

    if (context.stats.loginsCount > 1 || context.protocol === 'oauth2-refresh-token') {
      return callback(null, user, context);
    }

Because this is a SPA and there is no refresh token, you may need to also check if context.request.query.prompt === 'none' (the prompt used for silent auth).

Let me know how it goes.

Thanks,
Dan
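
Added example, not part of the original posts or of Auth0's example rule: a rule in the standard `(user, context, callback)` shape that combines the conditional quoted above with the `prompt === 'none'` check. The helper name `isFirstInteractiveLogin`, the `firstLoginHandled` flag, and the decision to treat a missing `loginsCount` as "not a first login" are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not Auth0's own code.
// Returns true only when this looks like the user's first interactive login.
function isFirstInteractiveLogin(context) {
  const stats = context.stats || {};
  const query = (context.request && context.request.query) || {};

  // Assumption: if the login count is unavailable, do not run first-login logic.
  if (typeof stats.loginsCount !== 'number') return false;

  // Conditions from the example rule: repeat login or refresh-token exchange.
  if (stats.loginsCount > 1) return false;
  if (context.protocol === 'oauth2-refresh-token') return false;

  // A SPA has no refresh token; its silent auth arrives with prompt=none.
  if (query.prompt === 'none') return false;

  return true;
}

// Rule body: skip straight through unless this is the first interactive login.
function firstLoginRule(user, context, callback) {
  if (!isFirstInteractiveLogin(context)) {
    return callback(null, user, context);
  }
  // First-login-only work goes here. The flag is a hypothetical marker so the
  // effect is observable; it is only set on the in-memory user object.
  user.app_metadata = user.app_metadata || {};
  user.app_metadata.firstLoginHandled = true;
  return callback(null, user, context);
}
```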

Also be aware of the limitations of checking for silent auth in the context of MFA.
