redux-oidc | managing OpenID Connect authentication in ReactJS / Redux | Authentication library

At a loss here, trying to do authorization code flow with oidc-client and redux-oidc, in my React app against an ADFS instance as the authorization server. My issue is that I am failing to post to .../adfs/oauth2/token with the authorization code during my SignInCallback, visually Part D) in the Diagram here. Every attempt results in a CORS error appearing in my browser, tried on Chrome and Firefox, there is no preflight check and I can see the id_token, access_token, and refresh_token in the response.

I can post from postman to that endpoint with no CORS error. The only workaround I've found was using a browser extension to allow CORS but this isn't suited for production. Why is my browser doing this?

My Config:

First, I know (or I think I've read) that you're never supposed to fire actions from reducers. In my situation, I'm using redux-oidc to handle authentication against my app. Once the user is logged in, redux-oidc fires a redux-oidc/USER_FOUND action and sets the user's profile in the state.oidc.user slice.

After login, I need to look up additional info about the user from my DB that isn't in the OIDC response. At the moment, I'm firing the fetchUserPrefs thunk from the redux-oidc.CallbackComponent.successCallback which works as expected.

My problem is when the user has an active session and opens a new browser, or manually refreshes the page and init's the app again, the callback isn't hit, so the additional user hydration doesn't happen. It seems like what I want to do is add an extraReducer that listens for the redux-oidc/USER_FOUND action and triggers the thunk, but this would be firing an action from a reducer.

Is there a better way to do this?

We have 3 apps: Client (React/SPA), API (ASP.NET CORE 3.1), and Auth (ASP.NET CORE 3.1 with IdentityServer 4).

Fairly recently, the app is starting to constantly do what appears to be a silent renew. As soon as the client app loads, I can see in the network tab that it immediately hits the authorize endpoint on the identity server, then I see the silent renew page load in an iframe on the app, then it hits the token endpoint on the identity server, then userinfo, and it just keeps cycling through this sequence - just never stops. Over an over. We use redux-oidc, which runs over oidc-client, and I can see within the console that this isn't being done or handled by redux-oidc. I can also see when handling events on the usermnanager that my token isn't expiring, so it doesn't appear to be kicking this off either. We have on our identity server samesite=none with the secure attribute too for cookies that come out of there as well, as I thought that might be the problem, but this is still occurring.

Is there something else we should be looking at? And why would this have all of a sudden recently started happening - we even backed our code out to a version from over a month ago, and the problem still occurs, so we're not aware of any code changes we did that could cause this as this just started happening within the last week I believe.