Appreciate the help @konrad.sopala and @john.gateley!
Do you mind expanding on "Do not play fast and loose with access tokens"?
From your link:
Using Web Workers to handle the transmission and storage of tokens is the best way to protect the tokens, as Web Workers run in a separate global scope than the rest of the application.
I imagined this may expand to a chrome extension’s service worker / storage API, but now I think maybe not?
I’m glad to hear session cookies are stored on the tenant domain and not on the callback domain; that does make things far easier. When I originally tried to get an access token from the webpages themselves, it didn’t work. After some digging I am seeing a reason why: the request is timing out:
Error: Timeout
at new OAuthError (index.js:33538)
at index.js:33556
at index.js:33718
at step (index.js:33484)
at Object.throw (index.js:33465)
at rejected (index.js:33456)
This is when I call getAccessTokenSilently using the React SDK, but I imagine it would be the same for the SPA SDK too. Oddly, the logs are showing that there was a successful silent auth; it just doesn’t seem to return on the page itself.
My Google searches yielded nothing for timeouts and this specific method. I initially concluded this isn’t the correct way to go about things, but possibly something else is going awry?