Open
Labels
feature request: A feature has been asked for or suggested by the community
Description
Checklist
- I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- I have looked into the documentation and API documentation, and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Describe the problem you'd like to have solved
Silent authentication with web_message response mode fails because the /authorize endpoint returns X-Frame-Options: SAMEORIGIN, preventing the hidden iframe from loading. As a result, the SDK cannot receive the authorization response via postMessage.
One of our other applications uses query response mode, and this works because the browser does not need to render any content in the iframe since the response is a 302 redirect with Location header.
Describe the ideal solution
Add a configuration setting to use query response mode for silent authentication requests.
silentAuthResponseMode: "query" | "web_message" // default to "web_message"
The SDK would then use this response mode in the /authorize request, and poll the iframe to get the response.
Alternatives and current workarounds
No response
Additional context
No response
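The polling step the request proposes for `query` response mode could look like the sketch below. This is an added example, not code from the issue or from the SDK. The function names, the `readHref` callback and the `expected` object (`redirectUri`, `state`) are assumptions, and the `state` check is standard OAuth practice rather than something the issue spells out.

```javascript
// Added example; SilentAuthError, checkIframeOnce, pollSilentAuth are hypothetical names.
class SilentAuthError extends Error {
  constructor(code, description) {
    super(description || code);
    this.code = code;
  }
}

// One polling tick. readHref returns the iframe's current URL; in a browser it
// would be () => iframe.contentWindow.location.href, which throws while the
// frame is still on the cross-origin authorization server.
function checkIframeOnce(readHref, expected) {
  let url;
  try {
    url = new URL(readHref());
  } catch (e) {
    return null; // cross-origin or unparsable: not redirected back yet
  }
  const redirect = new URL(expected.redirectUri);
  if (url.origin !== redirect.origin || url.pathname !== redirect.pathname) {
    return null; // e.g. about:blank before the first navigation
  }
  const params = url.searchParams;
  // Bind the response to this request before trusting any other field.
  if (params.get("state") !== expected.state) {
    throw new SilentAuthError("state_mismatch", "state does not match the request");
  }
  if (params.has("error")) {
    throw new SilentAuthError(params.get("error"), params.get("error_description"));
  }
  const code = params.get("code");
  if (!code) throw new SilentAuthError("invalid_response", "callback carries no code");
  return { code };
}

// Repeat the tick until it yields a result, throws, or the timeout passes.
function pollSilentAuth(readHref, expected, { intervalMs = 50, timeoutMs = 10000 } = {}) {
  return new Promise((resolve, reject) => {
    const deadline = Date.now() + timeoutMs;
    const timer = setInterval(() => {
      let result;
      try { result = checkIframeOnce(readHref, expected); }
      catch (err) { clearInterval(timer); return reject(err); }
      if (result) { clearInterval(timer); resolve(result); }
      else if (Date.now() > deadline) { clearInterval(timer); reject(new SilentAuthError("timeout")); }
    }, intervalMs);
  });
}
```

The caller should remove the iframe once the promise settles, so the callback URL with its `code` does not stay loaded in the page.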