I see an article on Auth0’s site that states SPAs should use Refresh Token Rotation:
Auth0 recommends using Refresh Token Rotation which provides a secure method for using Refresh Tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP.
Just below that excerpt it says:
Auth0’s former guidance was to use the Authorization Code Flow with Proof Key for Code Exchange (PKCE) in conjunction with Silent Authentication in SPAs. This is a more secure solution than the Implicit Flow but not as secure as Refresh Token Rotation.
But the Auth0 Single Page App SDK also uses Authorization Code Flow with Proof Key for Code Exchange (PKCE), which is “former guidance”, per above.
The Auth0 SPA SDK handles grant and protocol details, token expiration and renewal, as well as token storage and caching. Under the hood, it implements Universal Login and the Authorization Code Grant Flow with PKCE.
Can someone help clarify this discrepancy? (or what I’m misunderstanding)