Silent Refresh

When using the implicit authentication flow, refresh tokens cannot be requested or used since the client application cannot be explicitly or securely authenticated, and therefore cannot be trusted with such a sensitive token. Silent refresh uses the assumption that the user is still logged into the OpenID Provider to automatically make another OpenID Connect authorization request and receive new tokens. This is done behind the scenes without interrupting the user experience.

The idea with silent refresh method is to have an iframe, too small for the user to see, with the request looking very similar to the authorization request the client application makes, to initially authenticate the user. There are client libraries for popular JavaScript frameworks that can track the lifetime of the access token and automatically refresh it before it expires.


App storePlay store