I found what was missing.
Essentially the rule does not behave exactly the same way as an action.
When there is a rule redirect and prompt=none, the rule returns an error indicating “interaction_required”, but the action just silently logs an error in Auth0 but still returns a valid code so it can be exchanged for an access token.
So, the way of getting an access token from the redirect app through silent auth is by having a condition in the redirect rule where it will only redirect if the client id is not the one used from the redirect app. Something like this:
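```js
// Auth0 rule. REDIRECT_APP_CLIENT_ID stands for the client ID of the redirect app.
function (user, context, callback) {
  // Skip the redirect when resuming from one, or when the request comes from the redirect app itself.
  if (context.protocol !== "redirect-callback" && context.clientID !== REDIRECT_APP_CLIENT_ID) {
    context.redirect = { url: "http://localhost:4200" };
  }
  return callback(null, user, context);
}
```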
It would be good if the documentation were updated regarding how an action redirect behaves when prompt=none. The doc seems to indicate it should return an error, like the redirect rule, but it doesn’t. See Redirect with Actions.
I hope someone else finds this useful.
Cheers!
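The rule's condition from the post above, exercised locally against three constructed contexts, as an added example that is not part of the original post. The function name `redirectRule`, the helper `wouldRedirect`, the placeholder client ID and the sample context values are assumptions made for illustration.

```javascript
// Placeholder value (assumption): substitute the redirect app's real client ID.
const REDIRECT_APP_CLIENT_ID = "REDIRECT_APP_CLIENT_ID_PLACEHOLDER";

// Same body as the rule in the post, given a name so it can be called locally.
function redirectRule(user, context, callback) {
  if (context.protocol !== "redirect-callback" && context.clientID !== REDIRECT_APP_CLIENT_ID) {
    context.redirect = { url: "http://localhost:4200" };
  }
  return callback(null, user, context);
}

// Hypothetical helper: runs the rule on a copy of the context and returns
// the redirect URL it requested, or null when it requested none.
function wouldRedirect(context) {
  let result = null;
  redirectRule({ user_id: "constructed|user" }, { ...context }, (err, user, ctx) => {
    if (err) throw err;
    result = ctx.redirect ? ctx.redirect.url : null;
  });
  return result;
}

// Constructed sample contexts, one per flow discussed in the post.
const cases = {
  // Interactive login from any other application: the rule redirects.
  otherAppLogin: { protocol: "oidc-basic-profile", clientID: "constructed-other-client" },
  // Silent auth (prompt=none) issued by the redirect app itself: no redirect,
  // so the rule never produces the interaction_required error for this client.
  redirectAppSilentAuth: { protocol: "oidc-basic-profile", clientID: REDIRECT_APP_CLIENT_ID },
  // Pipeline resuming after the redirect: must not redirect again.
  resumeAfterRedirect: { protocol: "redirect-callback", clientID: "constructed-other-client" },
};

// Returns a map of case name to redirect URL (or null).
function runCases() {
  const out = {};
  for (const [name, ctx] of Object.entries(cases)) out[name] = wouldRedirect(ctx);
  return out;
}

console.log(runCases());
```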