New auth0 spa js

I’m just looking into the new auth0-spa-js library and wanted to confirm that it does in fact allow the implementation of a refresh token so that the SPA effectively behaves like a native app and the user can be logged in indefinitely. The documentation for the new library seems to suggest that this is the case but existing refresh token documentation says that this is not recommended.

A Single-Page Application (normally implementing Implicit Flow) should not ever receive a Refresh Token

Any clarification would be appreciated.

Hi @john_spoak,

Welcome to the Auth0 Community Forum!

Thanks for taking the time to express the need for clarification. To answer your question, auth0-spa-js does not leverage refresh tokens. This is because the token would have to persist in the browser, and cannot be stored securely. From the doc:

"A Refresh Token is essentially a user credential that allows a user to remain authenticated indefinitely. This sensitive information should be stored securely and not exposed client-side in a browser."

Regardless of grant type, SPAs would require the token to be stored client-side. Instead, silent authentication is used to maintain the user's session with the auth server.

I will pass on the need for clarification on the subject to the docs team.

Hope this helps!

Thanks,
Dan

Ok. That’s disappointing but thanks for clarifying. I misunderstood because the new library implements PKCE, which I understood did allow for refresh tokens, but I guess only for native app implementations.

That is correct. You simply cannot store a refresh token securely in the browser the way you can in a native app. You would not want to, as it is easily compromised via an XSS attack.

As an update. I created a pull request for the doc with your suggested clarification.

https://github.com/auth0/docs/pull/8252

Thanks,
Dan
