This might be related to #1068, getting the same error as those users. I did some digging around, and if I understand @aeneasr's post on this issue here correctly, this is basically caused by the silent renew requiring additional user consent, unless the callback URL has an HTTPS scheme.
This is clearly fine for normal deployment, but it breaks in local development. Would it be possible to whitelist "localhost" return URLs for that case, possibly as a server config variable? Browsers actually follow the same pattern, e.g. with service workers, which normally require https, except when the host is "localhost".
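
The loopback exemption requested above, sketched as an added example that is not part of the original post and is not the project's own code. The function name `isSecureRedirect` and the `allowLoopback` switch are hypothetical; the point is that the host must match exactly, so look-alike hosts do not inherit the exemption.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isSecureRedirect (hypothetical helper) reports whether a callback URL may be
// treated as secure. HTTPS always qualifies. Plain HTTP qualifies only when
// allowLoopback is set (assumed to come from a server config variable) and the
// host is exactly "localhost" or a loopback IP literal.
func isSecureRedirect(raw string, allowLoopback bool) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return false
	}
	switch u.Scheme {
	case "https":
		return true
	case "http":
		if !allowLoopback {
			return false
		}
		// Hostname() strips the port and IPv6 brackets and ignores userinfo,
		// so "localhost@evil.example" resolves to host "evil.example".
		host := strings.ToLower(u.Hostname())
		if host == "localhost" {
			return true
		}
		ip := net.ParseIP(host)
		return ip != nil && ip.IsLoopback()
	}
	return false
}

func main() {
	// Constructed sample callback URLs, not taken from any real deployment.
	samples := []string{
		"https://app.example.com/callback",
		"http://localhost:3000/callback",
		"http://[::1]:8080/cb",
		"http://localhost.evil.example/cb",
		"http://localhost@evil.example/cb",
	}
	for _, s := range samples {
		fmt.Printf("%-40s dev=%v prod=%v\n", s, isSecureRedirect(s, true), isSecureRedirect(s, false))
	}
}
```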