We are building a single page application which will, of course, talk to secured APIs.
After some serious reading around, we found that the OpenID Connect implicit grant might be the most secure way to go.
One of the characteristics of this flow is that there is no client secret – fine – but also no refresh token. The latter means that a re-authentication is required after the expiration of the JWT token.
Is there a way to make this a silent operation in which the user doesn't have to authenticate again? The use case is simply: if a user remains active beyond the configured lifetime of his session, the session should be extended.
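As an added illustration (not part of the question or of any answer to it), the browser-side pieces of an OpenID Connect "silent renew" under the implicit grant. The mechanism is the standard `prompt=none` parameter: the client repeats the authorization request in a hidden iframe, and the provider either issues fresh tokens from its own session cookie with no UI, or returns `login_required` / `interaction_required`, at which point the app has to fall back to an interactive login. The authorize endpoint, client id, redirect page and the `postMessage` handshake from that page are assumptions made for the example; the sample ID token is constructed and unsigned, and signature verification against the provider's JWKS (which any real client must do before trusting the claims) is left out.

```javascript
// Added example: silent renew for the OIDC implicit grant using prompt=none.
// The endpoint, client_id and redirect URI are placeholders, not real values.
const AUTHORIZE_ENDPOINT = "https://idp.example.test/authorize";             // assumed
const CLIENT_ID = "spa-client-id";                                            // assumed
const SILENT_REDIRECT_URI = "https://app.example.test/silent-renew.html";   // assumed

// Unguessable state/nonce; Web Crypto is required (browsers and modern Node).
function randomHex(bytes = 16) {
  const c = globalThis.crypto;
  if (!c || !c.getRandomValues) throw new Error("Web Crypto is required for state/nonce");
  const buf = new Uint8Array(bytes);
  c.getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Same request as a normal implicit-flow login, plus prompt=none so the provider
// never shows UI: it answers from its session cookie or returns an error.
function buildSilentRenewUrl({ state, nonce, scope = "openid profile api.read" }) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  const params = {
    response_type: "id_token token",
    client_id: CLIENT_ID,
    redirect_uri: SILENT_REDIRECT_URI,
    scope, state, nonce,
    prompt: "none",
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Decode a JWT payload WITHOUT verifying the signature. Claims must not be
// trusted until the signature is checked against the IdP's JWKS (omitted here).
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)));
}

// Constructed, unsigned sample token for demonstration only.
function sampleIdToken(claims) {
  const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}

// Parse the fragment the IdP redirects back with ("#access_token=...&state=...")
// and check it against the state/nonce this client generated for the request.
function handleSilentRenewResponse(fragment, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const p = new URLSearchParams(fragment.replace(/^#/, ""));
  if (p.get("state") !== expected.state) return { ok: false, reason: "state_mismatch" };
  // login_required / interaction_required: the IdP session is gone, so the
  // app must fall back to an interactive login in the top-level window.
  if (p.has("error")) return { ok: false, reason: p.get("error") };
  const idToken = p.get("id_token");
  const accessToken = p.get("access_token");
  if (!idToken || !accessToken) return { ok: false, reason: "missing_tokens" };
  const claims = decodeJwtPayload(idToken);
  if (claims.nonce !== expected.nonce) return { ok: false, reason: "nonce_mismatch" };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(CLIENT_ID)) return { ok: false, reason: "audience_mismatch" };
  if (typeof claims.exp === "number" && claims.exp <= nowSec) return { ok: false, reason: "id_token_expired" };
  return { ok: true, accessToken, idToken, claims, expiresIn: Number(p.get("expires_in") ?? 0) };
}

// Renew shortly before expiry, but only while the user is still active
// (the caller tracks lastActivityAt from pointer/keyboard events). Times in seconds.
function shouldRenew({ expiresAt, lastActivityAt, now, marginSec = 60, idleLimitSec = 900 }) {
  const nearExpiry = expiresAt - now <= marginSec;
  const userActive = now - lastActivityAt <= idleLimitSec;
  return nearExpiry && userActive;
}

// Browser-only: load the prompt=none request in a hidden iframe. The assumed
// silent-renew.html page posts its location.hash back to the parent window.
function silentRenewInIframe(timeoutMs = 10000) {
  if (typeof document === "undefined") throw new Error("browser only");
  const expected = { state: randomHex(), nonce: randomHex() };
  return new Promise((resolve) => {
    const iframe = document.createElement("iframe");
    iframe.style.display = "none";
    const timer = setTimeout(() => { cleanup(); resolve({ ok: false, reason: "timeout" }); }, timeoutMs);
    function cleanup() { clearTimeout(timer); window.removeEventListener("message", onMsg); iframe.remove(); }
    function onMsg(ev) {
      if (ev.origin !== window.location.origin) return; // only our own redirect page
      cleanup();
      resolve(handleSilentRenewResponse(String(ev.data), expected));
    }
    window.addEventListener("message", onMsg);
    iframe.src = buildSilentRenewUrl(expected);
    document.body.appendChild(iframe);
  });
}
```

Two practical caveats: the renew only works while the provider's own session cookie is still valid, so the session lifetime that matters is the provider's, not the token's; and because the iframe loads the provider's origin, browsers that block third-party cookies will make `prompt=none` fail with `login_required` even for a logged-in user.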