In SPAs that do not have a back end, storing refresh tokens safely is difficult, so silent authentication is an alternative to using refresh tokens. In OIDC, if the user has already logged on to the auth server and the auth server cookie is set in the browser, the user can get new tokens by initiating the auth flow with the parameter prompt=none, which ensures that the auth server does not prompt the user for credentials again, since he is already logged on to the auth server. This is called silent authentication. The auth server will either return the requested response to the app or return an error if the user is not already authenticated.

To initiate a silent authentication request, add the prompt=none parameter when you redirect a user to the authorization endpoint of the auth server. If the user has already authenticated (and the auth server cookie is set in the browser), the auth server will respond exactly as if the user had manually authenticated by providing a user ID and password. Hence silent authentication can be used to get a new access token.
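The request and its two possible outcomes, as an added example that is not part of the original text. It assumes the authorization code flow; the endpoint, client ID, redirect URI and function names are constructed placeholders, and the caller supplies random state and nonce values.

```javascript
// Added example. All URLs, ids and function names here are placeholders.

// Build the authorization request for a silent check. It is an ordinary
// authorization code request with prompt=none added. (A public client would
// normally also send PKCE parameters; they are left out to keep the focus.)
function buildSilentAuthUrl({ authorizeEndpoint, clientId, redirectUri, scope, state, nonce }) {
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,
    nonce,
    prompt: "none", // auth server must not show any login or consent UI
  }).toString();
  return url.toString();
}

// Error codes OIDC Core defines for a prompt=none request that cannot be
// completed without showing UI to the user.
const NEEDS_INTERACTION = new Set([
  "login_required",
  "consent_required",
  "interaction_required",
  "account_selection_required",
]);

// Interpret the URL the auth server redirected back to.
function handleSilentAuthResponse(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // Drop any response that is not bound to the request this app sent.
  if (params.get("state") !== expectedState) {
    return { outcome: "rejected", reason: "state_mismatch" };
  }
  const error = params.get("error");
  if (error) {
    return NEEDS_INTERACTION.has(error)
      ? { outcome: "interactive_login_required", reason: error }
      : { outcome: "failed", reason: error };
  }
  const code = params.get("code");
  return code
    ? { outcome: "authenticated", code }
    : { outcome: "failed", reason: "missing_code" };
}
```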

However, silent authentication in an SPA is a problem because of third-party cookies. The JavaScript request to the authorization server is a cross-origin request, as the origin of the SPA (the domain from which the SPA is loaded) is not the same as the domain of the authorization server. Hence any cookies set by the authorization server response will be third-party cookies. On successful authentication, the authorization server sets a third-party cookie indicating that the user has authenticated.

If the browser supports third-party cookies, silent authentication will work, as the auth server cookie will be set and will be sent to the auth server along with the silent authorization request. If the browser does not support third-party cookies, or if third-party cookies are disabled in the browser settings, the auth server cookie will not be present in the browser and a full-page navigation is required for silent authentication to work (the cookies set by a full-page navigation will be first-party cookies).

For this reason, a better option is to use refresh token rotation in the SPA and store refresh tokens in local storage. Refresh token rotation helps a public client to securely rotate refresh tokens after each use. When refresh token rotation is enabled, a new refresh token is returned each time the client makes a request to exchange a refresh token for a new access token.

Note that in the implicit flow, refresh tokens are not issued, hence silent authentication must be used for getting new tokens.