I have some questions related to renewing tokens in a single-page application that I hope someone can clarify for me.
1. Don’t use refresh tokens?
I’ve read that we shouldn’t use refresh tokens in SPAs, as it doesn’t fit with the authentication flow and because the tokens are more sensitive than what can usually be handled in a SPA (see restrictions section in https://auth0.com/docs/tokens/preview/refresh-token). It would be nice to get it confirmed that this is correctly read and that we should under no circumstances use refresh tokens in our SPA.
2. Use silent authentication?
3. Use renewAuth in auth0.js?
The referenced documentation of silent authentication ends up saying that for single-page applications we can use the renewAuth method from auth0.js to do the request in a hidden IFRAME. In the GitHub README (https://github.com/auth0/auth0.js#api) it says about renewAuth that “the user must have an active SSO session at Auth0 by having logged in through the hosted login page of your Auth0 domain.” And from the site (https://auth0.com/docs/libraries/auth0js/v8) it also mentions that “[t]he renewAuth method allows you to acquire a new token from Auth0 for a user who is already authenticated against the hosted login page for your domain”. Is it actually required to use the hosted login pages for this? I ask because we need to embed it in our app and need more customizations than Lock provided the last time I checked. Also, we tried it out with our own login page and the renewal still seemed to work, but we may be fooled by something.
4. Redirect and hash on URL rather than just a response?
This turned out rather long, but I hope that someone can help clarify the renewal of tokens in a SPA for us.
Thanks in advance,