Given an app using OAuth 2.0 Authorization Code Flow via Microsoft's msal.js, I login by providing my credentials. Then I fully clear my browser's state, cache, local/session storage, and refresh the page so that the single page application doesn't know I'm logged in, but I'm still logged in with the Microsoft backend.
When I initiate another login, it is able to do so silently, without re-asking me for my credentials.
Apparently, via a request to https://login.microsoftonline.com/redacted/oauth2/v2.0/token, the Microsoft backend can authenticate me as the same user even though I cleared the JS memory and all cache/session/local storage.
How does this request get a valid code / code_verifier to send to the Authorization Server in order to get an Access Token back for a user without re-entering credentials?
More details:
The following does require me to re-enter my credentials (as I would expect it to):
The following does not require me to re-enter my credentials and can log on silently:
I would expect the 3 "not" scenarios to require credentials, but they do not. How can I be authenticated without the browser keeping any local state?
The Microsoft library was storing a cookie owned by AAD, not my app. (Answer on GitHub.)