Is it possible to implement this? You could get the new credentials from the responseURL property of the XMLHttpRequest object.
Failing that, is there a way to do this manually and update the UserManager with the new token?
Technically possible, but not part of the spec. Back when they designed the spec, they did not want to take a dependency on CORS as it was not widely supported at the time.
Failing that, is there a way to do this manually and update the UserManager with the new token?
This already happens on silent renew processing. Am I missing your question?
I think you're missing my question - I'd make the AJAX request myself and grab the creds from the redirect URL - I'd then want to update the UserManager with these new creds that I have but didn't get via oidc-client-js.
Does your token service support CORS for the authorize endpoint?
Yep. It checks that the origin header, client ID and redirect URI are all for the same domain. If they are it'll allow it via CORS.
So then the next step is to validate the response... which will be a 302 and the results will be on the hash fragment. Can you read the URL on the ajax redirect? I don't think you can.
You can't read it on the redirect, but you can read the final URL once the AJAX call returns. If all else fails I could make it redirect to a page that just echoes the fragment back as JSON.
Ok. You'd then need to call the callback APIs and you should be able to pass what would normally be in the hash fragment as a param to have the library perform the response processing which would then update the internal user storage.
All set on this issue -- can we close?
Okay, I managed to get the new base64-encoded id_token (the 3 sections separated by dots) from my OIDC provider over AJAX, but it doesn't return a new state. I've been poring through the code to try to figure out where I can insert this to have it update the user storage (and trigger the user load event). Any ideas?
Sorry, not sure.
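
The CORS gate described earlier in the thread (Origin header, client ID and redirect URI all for the same domain), sketched as an added example that is not code from the thread, from oidc-client-js or from any particular token service. It assumes "same domain" means same origin (scheme, host and port), that redirect URIs are matched exactly against the client registration, and that the silent request is sent with cookies; `CLIENTS`, `originOf`, `corsHeadersForAuthorize` and all URLs are hypothetical.

```javascript
// Constructed client registry for the example (hypothetical client and URL).
const CLIENTS = new Map([
  ["spa-client", { redirectUris: ["https://app.example.com/silent-renew.html"] }],
]);

// Serialized origin of an absolute http(s) URL, or null if it cannot be parsed.
function originOf(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin; // scheme + host + non-default port
  } catch {
    return null;
  }
}

// Decide which CORS headers the authorize endpoint sends for this request.
// Returns a header object, or null to send no CORS headers at all.
function corsHeadersForAuthorize(originHeader, clientId, redirectUri) {
  const client = CLIENTS.get(clientId);
  if (!client) return null;

  // Exact match against the registration: no prefix or wildcard matching.
  if (!client.redirectUris.includes(redirectUri)) return null;

  // The Origin header must be a bare origin; this rejects "null",
  // a missing header, and values carrying a path or trailing slash.
  const requestOrigin = originOf(originHeader);
  if (requestOrigin === null || requestOrigin !== originHeader) return null;

  // The page making the AJAX call must be the one the response is sent to.
  if (requestOrigin !== originOf(redirectUri)) return null;

  return {
    // Echo the single validated origin, never "*", because the silent
    // request carries the session cookie (assumption stated above).
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```

Returning no headers on any mismatch leaves the browser's same-origin policy in force, so a page on another origin cannot read the redirected response.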