Some SPAs and mobile apps will use the oidc-implicit-profile for login. This is a different type of flow. The refresh token flow will be used for apps that can store a refresh token securely (native, regular web, not SPAs).
If you are using auth0-spa-js, this should work fine. If you use auth0.js, then you may need to add context.protocol !== 'oidc-implicit-profile'.
Also, I think you should be returning the cb if context.request.query.prompt === 'none'. Basically saying 'if this is a silent auth, then start the callback (instead of creating a user request to your DB)'.
You may be best off with this conditional:
if (context.stats.loginsCount > 1 ||                 // repeat login
    context.protocol === 'oauth2-refresh-token' ||   // token refresh
    context.request.query.prompt === 'none') {       // silent auth
  // Not a first login: hand off to the app without touching the DB.
  return cb(null, user, context);
}
Which says the following:
- if the user has logged in more than once
OR - if this is a token refresh
OR - if this is a silent auth
THEN - callback to your application
OTHERWISE - assume this is a first login and create the user in your DB
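As an added example (not code from the post above or from Auth0), here is the three-way conditional wrapped in a Rule-shaped function and exercised against constructed login contexts, so you can see offline which flows hit the "create user" path and which go straight to the callback. The in-memory `db`, `createUserInDb`, `isFirstLogin` and `makeContext` are names invented for this example; `context.protocol`, `context.stats.loginsCount` and `context.request.query.prompt` are the Rule context fields the post refers to.

```javascript
// Added example: gate a DB "create user" step in an Auth0-style Rule so it
// only runs on a genuine first login, never on a refresh or a silent auth.

// Constructed stand-in for the application's user table (assumption).
const db = new Map();

// Hypothetical DB write; idempotent so a retry cannot create a duplicate row.
function createUserInDb(user) {
  if (!db.has(user.user_id)) {
    db.set(user.user_id, { email: user.email, createdAt: Date.now() });
  }
  return db.get(user.user_id);
}

// The post's conditional, inverted: true only when none of the three
// "skip" conditions hold. Missing fields are treated as "not set" so a
// context without a query string cannot throw inside the Rule.
function isFirstLogin(context) {
  const stats = context.stats || {};
  const query = (context.request && context.request.query) || {};
  if ((stats.loginsCount || 0) > 1) return false;               // repeat login
  if (context.protocol === 'oauth2-refresh-token') return false; // token refresh
  if (query.prompt === 'none') return false;                     // silent auth
  return true;
}

// Rule-shaped function: same (user, context, cb) signature as the post.
function rule(user, context, cb) {
  if (!isFirstLogin(context)) {
    // Repeat login, refresh, or silent auth: nothing to provision.
    return cb(null, user, context);
  }
  // First login: provision the user, then continue the login.
  createUserInDb(user);
  return cb(null, user, context);
}

// Builds a constructed Rule context; defaults model a plain browser login.
function makeContext(overrides) {
  return Object.assign(
    { protocol: 'oidc-basic-profile', stats: { loginsCount: 1 }, request: { query: {} } },
    overrides || {}
  );
}

// Runs the rule and reports whether the DB path executed for this call.
function runRule(user, context) {
  const before = db.has(user.user_id);
  let out = null;
  rule(user, context, (err, u, c) => { out = { err, user: u, context: c }; });
  return { err: out.err, createdNow: !before && db.has(user.user_id) };
}
```

Running `runRule` with a first-login context for a new user populates `db`; the same user's second login (`loginsCount: 2`), a refresh-token grant, or a `prompt=none` silent auth all return through `cb` without writing. Keeping the DB write idempotent matters because Rules can be retried and `loginsCount` alone does not guarantee exactly-once provisioning.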