Recently I have written an identity provider with OpenID Connect. I have exposed endpoints for both the token and OAuth flows.
I know that we cannot provide a refresh token to revoke either of the tokens in the case of an SPA. So what I have done is, when my access token expires, I always call the IDP server and it refreshes my token, but the problem I am facing is that the authentication does not take place silently in the background; sometimes a flash screen appears and my callback URL is called, where I save the token again.
So is there any way I can revoke the access token without the user knowing?
One way is to call the identity provider after my token expires and refresh my token in the background, but if at the same time the user tries to call the API with the old one, he receives a 401.
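
The race described in the last sentence (an API call going out with the old token while a renewal is happening) can be narrowed by renewing ahead of expiry, letting all callers share one in-flight renewal, and retrying once on a 401. This is an added example, not part of the original post; `TokenManager`, `renew`, `skewMs` and `call` are hypothetical names, and `renew` stands in for whatever request obtains a new access token from the IdP.

```javascript
// Added example. All names here are hypothetical.
class TokenManager {
  // renew: () => Promise<{ accessToken, expiresAt }>  (expiresAt in ms since epoch)
  // skewMs: renew this long BEFORE expiry so requests never carry a dying token
  constructor(renew, { skewMs = 60000, now = Date.now } = {}) {
    this.renew = renew;
    this.skewMs = skewMs;
    this.now = now;
    this.token = null;     // last token received from the IdP
    this.inflight = null;  // promise of the renewal in progress, if any
  }

  // A token counts as usable only while it is outside the renewal window.
  isFresh() {
    return this.token !== null && this.now() < this.token.expiresAt - this.skewMs;
  }

  // Returns a promise for a usable access token.
  getToken() {
    return this.isFresh() ? Promise.resolve(this.token.accessToken) : this.refresh();
  }

  // Single-flight: concurrent callers get the same promise, so only one
  // request goes to the IdP and nobody proceeds with the old token.
  refresh() {
    if (!this.inflight) {
      this.inflight = this.renew()
        .then((t) => { this.token = t; return t.accessToken; })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  // send: (accessToken) => Promise<{ status }>. Retries exactly once on 401,
  // covering a token the API rejected although the client thought it valid.
  async call(send) {
    const used = await this.getToken();
    let res = await send(used);
    if (res.status === 401) {
      // Discard the rejected token unless another caller already replaced it.
      if (this.token && this.token.accessToken === used) this.token = null;
      res = await send(await this.getToken());
    }
    return res;
  }
}
```

Keep the token in memory only and bound the retry to one attempt, so a persistent 401 surfaces to the caller instead of looping against the IdP.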