getAccessTokenSilently Timeout Delay During Error 403 Response

Overview

This article explains why a delay occurs when the getAccessTokenSilently function encounters a 403 error during silent authentication. When a misconfiguration leads to a 403 response, the application waits for the full timeoutInSeconds duration before the call rejects, resulting in a degraded user experience.

Applies To
  • Single Page Application (SPA)
  • React
  • Silent Authentication

Cause

The issue occurs because the Software Development Kit (SDK) utilizes the runIframe function to perform silent authentication. This function generates a hidden iframe and points it at the /authorize endpoint. The parent window waits for a postMessage from the iframe for the duration specified in timeoutInSeconds.

If a 403 error occurs, the system returns a standard error page that lacks the script required to send a postMessage back to the parent window. Due to the Same-Origin Policy, the parent window cannot inspect the contents of the iframe. Consequently, the application continues to listen for a response until the timeout period expires.

Solution

To ensure fast error responses and avoid long timeouts, use refresh tokens for authentication.

  1. Set useRefreshTokens: true in the client configuration to avoid iframe-based authentication after the initial sign-in.
  2. (Optional) Set useRefreshTokensFallback: false to prevent the SDK from falling back to the hidden iframe method if the refresh token fails.

NOTE: When using refresh tokens, the SDK makes a POST request to /oauth/token. Unlike the iframe method, the SDK has full access to the response. If a 403 error occurs, the fetch call completes with the returned status, allowing the SDK to catch the error and reject the getAccessTokenSilently call immediately.
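The two code paths described above (the hidden-iframe wait under Cause and the refresh-token request under Solution), modelled as an added example that is not code from the Auth0 SDK or from this article. It runs in Node without a browser: the iframe path only settles when a postMessage arrives or the timer fires, while the refresh-token path rejects as soon as the fetch resolves with a 403. The function names, the fake window and fetch stubs, the constructed token values and the domain example.invalid are assumptions for illustration; useRefreshTokens and useRefreshTokensFallback are the option names the article cites.

```javascript
// Added example, not Auth0 SDK code. Names below are illustrative assumptions.

// --- Cause: the hidden-iframe path -------------------------------------------
// The parent window cannot read the iframe document (Same-Origin Policy), so it
// can only learn the outcome from a postMessage event, raced against a timer.
function waitForIframeMessage(parentWindow, timeoutInSeconds) {
  return new Promise((resolve, reject) => {
    const timer = setTimeout(() => {
      parentWindow.removeEventListener('message', onMessage);
      reject(new Error('Timeout')); // surfaced only after timeoutInSeconds
    }, timeoutInSeconds * 1000);

    function onMessage(event) {
      clearTimeout(timer);
      parentWindow.removeEventListener('message', onMessage);
      if (event.data.error) reject(new Error(event.data.error));
      else resolve(event.data.response);
    }
    parentWindow.addEventListener('message', onMessage);
  });
}

// Minimal stand-in for window's message events so the model runs outside a browser.
function fakeWindow() {
  const listeners = new Set();
  return {
    addEventListener: (_type, fn) => listeners.add(fn),
    removeEventListener: (_type, fn) => listeners.delete(fn),
    postMessage: (data) => [...listeners].forEach((fn) => fn({ data })),
  };
}

// Scenario A: /authorize returns the normal callback page, which posts a message.
function iframeHappyPath(timeoutInSeconds) {
  const win = fakeWindow();
  setTimeout(() => win.postMessage({ response: { access_token: 'constructed-token' } }), 5);
  return waitForIframeMessage(win, timeoutInSeconds);
}

// Scenario B: a misconfiguration yields a 403 error page. It carries no script,
// so nothing is ever posted and the promise settles only when the timer fires.
function iframe403Path(timeoutInSeconds) {
  const win = fakeWindow(); // no postMessage will ever happen
  return waitForIframeMessage(win, timeoutInSeconds);
}

// --- Solution: the refresh-token path ----------------------------------------
// With useRefreshTokens: true the SDK POSTs to /oauth/token. The HTTP response is
// fully visible, so a 403 is rejected immediately instead of after a timeout.
async function requestTokenWithRefreshToken(fetchImpl, domain, refreshToken) {
  const res = await fetchImpl(`https://${domain}/oauth/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ grant_type: 'refresh_token', refresh_token: refreshToken }),
  });
  const body = await res.json();
  if (!res.ok) {
    throw new Error(`${body.error}: ${body.error_description} (HTTP ${res.status})`);
  }
  return body;
}

// Constructed fetch stub that answers 403 the way a misconfigured tenant would.
function fakeFetch403() {
  return Promise.resolve({
    ok: false,
    status: 403,
    json: async () => ({ error: 'access_denied', error_description: 'constructed 403 body' }),
  });
}

// Client options matching the article's two steps (domain/clientId are placeholders).
function recommendedAuth0Config() {
  return {
    domain: 'example.invalid',
    clientId: 'CLIENT_ID_PLACEHOLDER',
    useRefreshTokens: true,          // step 1: skip the hidden iframe after sign-in
    useRefreshTokensFallback: false, // step 2 (optional): never fall back to the iframe
  };
}

// Wall-clock wrapper so the difference between the two paths is observable.
async function timed(run) {
  const start = Date.now();
  try {
    return { ok: true, value: await run(), elapsedMs: Date.now() - start };
  } catch (err) {
    return { ok: false, error: err.message, elapsedMs: Date.now() - start };
  }
}

// Runs the three scenarios and prints how long each took to settle.
async function demo() {
  console.log('iframe, callback posts message:', await timed(() => iframeHappyPath(2)));
  console.log('iframe, 403 error page (0.3 s timeout):', await timed(() => iframe403Path(0.3)));
  console.log('refresh token, 403 from /oauth/token:',
    await timed(() => requestTokenWithRefreshToken(fakeFetch403, 'example.invalid', 'constructed-rt')));
}
```

Call `demo()` to see the three outcomes: the first iframe scenario settles within milliseconds, the 403 iframe scenario waits the whole timeout (shortened here to 0.3 s; a production timeoutInSeconds is far longer), and the refresh-token scenario rejects immediately with the 403 body. Spread `recommendedAuth0Config()` into your Auth0Provider props to apply the article's two steps.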
