This function is an iframe-based implementation for the refresh token callback.

import { IFrameRefresh } from '@vulos/identity-browser-sdk'

await auth.setRefreshTokenCallback(IFrameRefresh)

Before using this feature make sure your application fulfills the requirements and validate that the limitations won't cause issues for your application's user experience and flow.

If you are using a server-side rendered application you should use The Backend Auth Package with a code id_token response type instead.


  • That BaseAuth.processCallback() is always the first thing that gets called when an OpenID fragment/hash is a part of the URL (in the route that is the default redirect URL);

  • That the application doesn't execute/render anything that might initiate a token refresh while a token is already being refreshed;

  • If a token is being refreshed in a specific frame, that frame shouldn't do anything else;

  • If your application handles the window message event, it MUST NOT stop event propagation/bubbling (using Event.stopPropagation() or return false in an event handler), you can notice that an event is sent by BaseAuth.processCallback() if it has the Event.data.accessToken or Event.data.fail properties;

  • That your application runs in a browser window that supports <iframe> and is able to redirect;


This method doesn't actually refresh the tokens using the refreshToken, it creates an iframe that navigates to the authentication URL, and takes advantage of the persistent grant system.

If the user isn't logged in, removes their grant, or didn't make their grant persistent, this will result in a redirect to the consent screen / login screen.

If your application doesn't persist state automatically, this might cause problems because this callback might get called on any function call, make sure to check that the token isn't expired before calling any SDK method in this case.

Last updated