I saw in a few places that Implicit flow clients use an iframe to get a new token silently, without user interaction. Why is that? Why can't the client just send a GET request to the authorization server and retrieve the token from the returned HTTP 301 response?
I saw iframe mentioned in these places:
- https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas
- https://auth0.com/docs/authenticate/login/configure-silent-authentication
I found this post: OAuth2 Implicit Flow - IFrame Refresh Identity. It says that the request sent from the iframe carries a cookie with it. Is it not possible to attach such a cookie from a JS request?