The recommended approach would imply that the user would go through the hosted login page where he would perform authentication. By going through this flow a session would be established at the Auth0 side and your application could later use it as means to obtain additional refreshed tokens.
The way you would obtain these additional tokens that would allow for your application to keep the user authenticated would be through the silent authentication procedure.
At this time, this is the available option for a SPA that wants to keep obtaining refreshed tokens without further user interaction. As an additional note, we understand that in very specific circumstances there may be a need for the input of user credentials to happen at the client application itself and not through the hosted login page; we’re working on providing alternatives for this flow, but I can’t provide you with a definitive timeline.