Hello,
I was going through the documentation about monitorSession and I am not 100% sure how it works. By reviewing the code, I realized that SessionMonitor uses an iframe to communicate with the IDP, but I think there are at least two scenarios in which monitorSession won't trigger events. I wanted to confirm with you (and maybe improve the documentation if my hypothesis is correct):
Monitor session won't trigger events if:
- We use refresh_token: Since we don't use an iframe to get a new token, we won't have events triggered. This is a very popular scenario in situations where the identity service is hosted on a different domain. Since Safari blocks third-party cookies, we cannot use silentRefresh and have to use a refresh token.
- We use the Resource Owner Password Credentials (ROPC) flow: in this scenario we do not navigate to the IDP page, so there is no cookie on the IDP that can be used to refresh the session silently. If I understand this flow right, there is no other possibility to get a new token besides "refresh token", and we circle back to point 1.
Does that mean that, in those scenarios, the session won't be synchronized between browser tabs and developers will have to do some manual work to keep the session synchronized?