How to use an SPA with Passwordless login, Silent Auth and Lock together

We are trying to achieve what feels like a basic use-case: use an SPA with Passwordless login, very short lived JWTs that are refreshed using Silent Auth, and leverage the platform as much as possible (i.e. use Lock).

We had this working nicely, but when we wanted to move from using the /delegate endpoint & refresh tokens to get new id tokens, it's all got a bit complicated and confusing. Silent Auth appears to want OIDC compliance (and SSO (why?)), which means our legacy grant types can't be used, but we can't simply switch to the oauth/token endpoints from what I can see because we need Passwordless, and that means we have to use Hosted Login Pages!

Please can someone point us to something that outlines the approach we need to take. It feels a very basic use-case so I can't see why it is so complicated to understand.

The recommended approach (without any use of legacy endpoints or grants) for a scenario where you need a SPA using passwordless authentication to obtain an access token for an associated API and then be able to refresh that token through the use of silent authentication could be accomplished by:

  • configuring the client application to use centralized login by redirecting the end-user to the /authorize endpoint; use the authorize method of Auth0.js to accomplish this.
  • configuring the hosted login page to use Lock Passwordless; you can do so by picking the existing passwordless template available when you enable hosted login page customization.
  • performing a silent authentication request to obtain refreshed access tokens when the initial one expires; you can use the checkSession method of Auth0.js to accomplish this.
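An added example (not code from the thread or from Auth0) showing how the three steps above fit together in a browser app built on Auth0.js: the WebAuth client is passed in as a parameter so the renewal scheduling can be exercised without a network. It assumes the auth0-js v9 WebAuth methods authorize(), parseHash() and checkSession(options, callback), the OIDC 'login_required' error code that checkSession reports when there is no session to renew from, and a hypothetical onLoginRequired callback of its own.

```javascript
const RENEW_MARGIN_SEC = 30; // start silent renewal this many seconds before expiry

// Delay (ms) before the next checkSession() call for a token that lives
// expiresIn seconds; clamped at 0 so a token shorter than the margin renews at once.
function renewalDelayMs(expiresIn, marginSec = RENEW_MARGIN_SEC) {
  return Math.max(0, (expiresIn - marginSec) * 1000);
}

// Step 1: hand off to the centralized login page (configured to show Lock
// Passwordless) by calling Auth0.js authorize(); no legacy grant is involved.
function beginLogin(webAuth) {
  webAuth.authorize();
}

// Steps 2-3: the authResult that parseHash() yields after the redirect back
// seeds the session; from then on checkSession() (a prompt=none /authorize
// request in a hidden iframe) obtains a fresh access token shortly before each
// one expires. onLoginRequired is a hypothetical app callback for the case
// where silent auth cannot succeed and the user must log in again.
class SilentRenewSession {
  constructor(webAuth, { onToken, onLoginRequired, setTimer = setTimeout }) {
    this.webAuth = webAuth;
    this.onToken = onToken;
    this.onLoginRequired = onLoginRequired;
    this.setTimer = setTimer; // injectable so the scheduling is testable offline
    this.renewals = 0;
  }

  // Store the current token and schedule the next silent renewal.
  accept(authResult) {
    this.accessToken = authResult.accessToken;
    this.onToken(authResult);
    this.setTimer(() => this.renew(), renewalDelayMs(authResult.expiresIn));
  }

  renew() {
    this.webAuth.checkSession({}, (err, authResult) => {
      if (err) {
        // 'login_required' means there is no SSO session to renew from (e.g.
        // it expired or third-party cookies are blocked); silent auth cannot
        // recover, so the user has to go through the hosted login page again.
        // Any other error is treated the same way: never keep a stale token.
        this.onLoginRequired(err);
        return;
      }
      this.renewals += 1;
      this.accept(authResult);
    });
  }
}
```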