# IFrameRefresh

This function is an `iframe`-based implementation for the [refresh token callback](/reference/identity-javascript-sdk/the-frontend-auth-package/frontendauth.md#async-setrefreshtokencallback-fn).

```javascript
import { IFrameRefresh } from '@vulos/identity-browser-sdk'

await auth.setRefreshTokenCallback(IFrameRefresh)
```

{% hint style="danger" %}
Before using this feature, make sure your application fulfills the requirements, and validate that the limitations won't cause issues for your application's user experience and flow.
{% endhint %}

{% hint style="warning" %}
If you are using a server-side rendered application, you should use [The Backend Auth Package](/reference/identity-javascript-sdk/the-backend-auth-package.md) with a `code id_token` response type instead.
{% endhint %}

### Requirements

* [`BaseAuth.processCallback()`](/reference/identity-javascript-sdk/the-base-package/authentication/baseauth.md#async-processcallback-authverifier-params) must always be the first thing that gets called when an OpenID fragment/hash is a part of the URL (in the route that is the default redirect URL).
* The application must not execute or render anything that might initiate a token refresh while a token is already being refreshed.
* If a token is being refreshed in a specific frame, that frame shouldn't do anything else.
* If your application handles the window `message` event, it **MUST NOT** stop event propagation/bubbling (using `Event.stopPropagation()` or `return false` in an event handler). You can recognize an event sent by [`BaseAuth.processCallback()`](/reference/identity-javascript-sdk/the-base-package/authentication/baseauth.md#async-processcallback-authverifier-params) by its `Event.data.accessToken` or `Event.data.fail` properties.
* Your application must run in a browser window that supports `<iframe>` and is able to redirect.
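
The `message` requirement above can be met with a handler like the following. This is an added example, not code from the SDK: `isAuthRefreshMessage`, `createAppMessageHandler`, `TRUSTED_ORIGINS` and the origin value are hypothetical names chosen for illustration, and the origin allowlist for the application's own messages is an assumption about how the application is built.

```javascript
// Added example: the names below are hypothetical and not part of the SDK.

// Origins the application itself accepts messages from (constructed value).
const TRUSTED_ORIGINS = new Set(['https://app.example.com'])

// True when the payload has the shape this page attributes to
// BaseAuth.processCallback(): an `accessToken` or `fail` property.
function isAuthRefreshMessage(event) {
  const data = event.data
  if (data === null || typeof data !== 'object') return false
  return 'accessToken' in data || 'fail' in data
}

// Wraps the application's own handler so that refresh messages pass through
// untouched and only messages from trusted origins reach application code.
function createAppMessageHandler(onAppMessage, trustedOrigins = TRUSTED_ORIGINS) {
  return function handleMessage(event) {
    // Leave SDK traffic alone: no stopPropagation(), no `return false`.
    if (isAuthRefreshMessage(event)) return undefined
    // Drop messages from origins the application does not expect.
    if (!trustedOrigins.has(event.origin)) return undefined
    onAppMessage(event.data, event.origin)
    return undefined
  }
}

// Register in a browser; skipped when no window exists (e.g. under Node).
if (typeof window !== 'undefined') {
  window.addEventListener('message', createAppMessageHandler((data) => {
    console.log('application message', data)
  }))
}
```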

### Limitations

This method doesn't actually refresh the tokens using the `refreshToken`. Instead, it creates an `iframe` that navigates to the authentication URL and takes advantage of the persistent grant system.

If the user isn't logged in, has removed their grant, or didn't make their grant persistent, this will result in a redirect to the consent screen / login screen.

If your application doesn't persist state automatically, this might cause problems, because this callback might get called on any function call. In this case, make sure to check that the token isn't expired before calling any SDK method.

