We are trying to achieve what feels like a basic use-case: use an SPA with Passwordless login, very short-lived JWTs that are refreshed using Silent Auth, and leverage the platform as much as possible (i.e. use Lock).
We had this working nicely, but when we wanted to move from using the /delegate endpoint & refresh tokens to get new id tokens, it's all got a bit complicated and confusing. Silent Auth appears to want OIDC compliance (and SSO (why?)), which means our legacy grant types can’t be used, but we can’t simply switch to the oauth/token endpoints from what I can see because we need Passwordless, and that means we have to use Hosted Login Pages!
Please can someone point us to something that outlines the approach we need to take. It feels a very basic use-case so I can’t see why it is so complicated to understand.