oidc-client-js: silent renew via iframes, CORS on session management endpoints, and third-party cookie phase-out
Silent renew relies on hidden iframes. When third-party cookies are blocked, fall back to redirect flows that your CORS policy still documents.
Metadata
OIDC discovery documents can change endpoints—pin versions in CI and diff CORS allowlists.
JWKS rotation should not invalidate CORS headers on well-known paths.
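One way to run the pin-and-diff check in CI, as an added example that is not code from oidc-client-js or from this post. The function names, hostnames, discovery documents and allowlists are all constructed for illustration; a real job would load the pinned snapshot from the repository and fetch the current document from the provider.

```javascript
// Added example: CI drift check. All hostnames and documents are constructed samples.
const ENDPOINT_KEYS = ["issuer", "authorization_endpoint", "token_endpoint",
  "userinfo_endpoint", "jwks_uri", "end_session_endpoint", "check_session_iframe"];

// Compare the pinned discovery snapshot with a freshly fetched copy.
function diffDiscovery(pinned, current) {
  const findings = [];
  for (const key of ENDPOINT_KEYS) {
    const from = pinned[key], to = current[key];
    if (from === to) continue;
    // An origin move means the SPA calls a host whose CORS policy was never reviewed.
    const originChanged = !from || !to || new URL(from).origin !== new URL(to).origin;
    findings.push({ key, from, to, originChanged });
  }
  return findings;
}

// Diff two CORS allowlists after normalising entries ("https://a/" equals "https://a").
function diffAllowlist(pinned, current) {
  const norm = (list) => new Set(list.map((o) => new URL(o).origin));
  const a = norm(pinned), b = norm(current);
  return {
    added: [...b].filter((o) => !a.has(o)).sort(),
    removed: [...a].filter((o) => !b.has(o)).sort(),
  };
}

// Fail the build on any drift so a human reviews it and re-pins.
function ciCheck(pinnedDoc, currentDoc, pinnedOrigins, currentOrigins) {
  const endpoints = diffDiscovery(pinnedDoc, currentDoc);
  const origins = diffAllowlist(pinnedOrigins, currentOrigins);
  const ok = !endpoints.length && !origins.added.length && !origins.removed.length;
  return { ok, endpoints, origins };
}

const idp = "https://idp.example.test";
const pinnedDoc = { issuer: idp, authorization_endpoint: idp + "/connect/authorize",
  token_endpoint: idp + "/connect/token", jwks_uri: idp + "/.well-known/jwks",
  check_session_iframe: idp + "/connect/checksession" };
const currentDoc = { ...pinnedDoc, token_endpoint: idp + "/oauth2/token",
  check_session_iframe: "https://session.example.test/connect/checksession" };
const pinnedOrigins = ["https://app.example.test", "https://admin.example.test"];
const currentOrigins = ["https://app.example.test/", "https://staging.example.test"];

const report = ciCheck(pinnedDoc, currentDoc, pinnedOrigins, currentOrigins);
console.log(JSON.stringify(report, null, 2));
```

In the sample, the token endpoint only changes path, while `check_session_iframe` moves to a new origin, which is the case that touches both CORS and the silent-renew iframe.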
Mobile
Custom URL schemes in hybrid apps differ from https origins—maintain parallel CORS and OAuth redirect lists.
Deep links may bypass some CORS checks but still need TLS validation for token endpoints.
