Hi @RJJ,
Great, I will mark this as resolved. The issue was an outdated SDK.
As for the consequences of using localstorage as the cache, I will repeat this warning from out docs:
Storing tokens in browser local storage provides persistence across page refreshes and browser tabs. However, if an attacker can achieve running JavaScript in the SPA using a cross-site scripting (XSS) attack, they can retrieve the tokens stored in local storage. A vulnerability leading to a successful XSS attack can be either in the SPA source code or in any third-party JavaScript code (such as bootstrap, jQuery, or Google Analytics) included in the SPA.
https://auth0.com/docs/libraries/auth0-single-page-app-sdk#change-storage-options
You can try just using refresh token rotation without the localstorage cache and see if that solves you problem.