Problem Statement
When a SPA JS SDK is used with Refresh Token support (useRefreshTokens: true), the SDK will still fall back to iframe-based silent authentication using the Auth0 session if the Refresh Token exchange fails. We want to avoid that and rely on Refresh Token exchange only.
Cause
This behavior happens by design in the SDK.
Solution
To avoid this fallback, you can set the useRefreshTokensFallback option to false in the SDK constructor. Eg:
auth0 = new Auth0Client({
// ... other configuration
useRefreshTokensFallback: false
});
This feature is available only in SPA JS SDK versions 1.22.0 upwards.