auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.
MIT License

attemptSilentLogin doesn't take into account Auth0 session #630

Open vafada opened 4 weeks ago

vafada commented 4 weeks ago


Describe the problem you'd like to have solved

attemptSilentLogin will not do a silent login if req.oidc.isAuthenticated() returns true.

req.oidc.isAuthenticated() will return true if the appSession (client-side cookie) is still valid (cookie not yet expired).

The problem is that if the underlying Auth0 session (server side) has already expired, the user isn't really authenticated anymore, even though req.oidc.isAuthenticated() returns true.

Describe the ideal solution

Maybe the attemptSilentLogin function should also check whether the Auth0 session (server side) is still valid.

Alternatives and current workarounds

The workaround right now is to make the session cookie's expiry duration shorter than the Auth0 session's (server side),

so calls to the attemptSilentLogin middleware will actually trigger a silent login instead of just calling next().

Additional context

No response

vafada commented 3 weeks ago

Maybe this block:

https://github.com/auth0/express-openid-connect/blob/e9993181114d3b1e6f6e3311f48eae3458ca41c5/middleware/attemptSilentLogin.js#L52-L56

should be:

```js
if (
  !silentLoginAttempted &&
  (!req.oidc.isAuthenticated() || req.oidc.accessToken.isExpired()) &&
  req.accepts('html')
) {
```
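The decision the proposed condition makes, as an added stand-alone illustration that is not part of this issue or of express-openid-connect itself. It mirrors the proposed check against constructed request objects and assumes only what the library documents: req.oidc.isAuthenticated() reflects the appSession cookie, and req.oidc.accessToken (when an access token was retained) exposes isExpired(). The guard for a missing accessToken is an added edge case the one-line proposal does not cover.

```javascript
// Decide whether attemptSilentLogin should redirect rather than call next().
// A session whose cookie is still valid but whose access token has expired is
// treated as stale, which is the gap described in the issue.
function shouldAttemptSilentLogin(req, silentLoginAttempted) {
  if (silentLoginAttempted) return false;        // skipSilentLogin cookie already set
  if (!req.accepts('html')) return false;        // only for browser navigations
  if (!req.oidc.isAuthenticated()) return true;  // no valid appSession cookie
  // Cookie still valid: inspect the token the IdP issued. If no access token
  // was retained (for example no audience was requested), staleness cannot be
  // detected here, so fall through to next() as the library does today.
  const token = req.oidc.accessToken;
  return Boolean(token && token.isExpired());
}

// Constructed request fixtures (not real sessions or tokens).
function makeReq({ authenticated, accessTokenExpiresAt, acceptsHtml = true }) {
  return {
    accepts: (type) => acceptsHtml && type === 'html',
    oidc: {
      isAuthenticated: () => authenticated,
      accessToken:
        accessTokenExpiresAt === undefined
          ? undefined
          : { isExpired: () => Date.now() / 1000 >= accessTokenExpiresAt },
    },
  };
}

const nowSec = Math.floor(Date.now() / 1000);
// Case from the issue: cookie valid, token expired an hour ago -> silent login.
const staleSession = makeReq({ authenticated: true, accessTokenExpiresAt: nowSec - 3600 });
// Healthy session: cookie valid, token good for another hour -> next().
const freshSession = makeReq({ authenticated: true, accessTokenExpiresAt: nowSec + 3600 });
// No cookie at all -> silent login (current behaviour, unchanged).
const anonymous = makeReq({ authenticated: false });
// Cookie valid but no access token retained -> cannot decide here, next().
const noToken = makeReq({ authenticated: true });
// Non-browser client (e.g. JSON API call) -> never redirect.
const apiCall = makeReq({ authenticated: true, accessTokenExpiresAt: nowSec - 3600, acceptsHtml: false });
```

Note that an expired access token does not by itself prove the Auth0 session is gone; the silent login (prompt=none) is what actually consults the server-side session.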