Current Recommendation for SPA

What is the most current Auth0 recommendation for a Javascript based Single Page Application (SPA)?

I see an article on Auth0’s site that states SPA’s should use Refresh Token Rotation:

Auth0 recommends using Refresh Token Rotation which provides a secure method for using Refresh Tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP.

Just below that excript it says:

Auth0’s former guidance was to use the Authorization Code Flow with Proof Key for Code Exchange (PKCE) in conjuntion with Silent Authentication in SPAs. This is more secure solution than the Implicit Flow but not as secure as Refresh Token Rotation.

The Auth0 Single Page App SDK, seems to be the most recent SDK and has a switch to use rotating Refresh Tokens.

But the Auth0 Single Page App SDK also uses Authorization Code Flow with Proof Key for Code Exchange (PKCE), which is “former guidance”, per above.

The Auth0 SPA SDK handles grant and protocol details, token expiration and renewal, as well as token storage and cacheing. Under the hood, it implements Universal Login and the Authorization Code Grant Flow with PKCE.

Can someone help clarify this discrepancy? (or what I’m misunderstanding)

Hi @dedicatedmanagers,

Sorry for the confusion here. I agree there is some wording there that is ambiguous.

Let’s clear this up:

Former guidance was to use the Authorization Code Flow with Proof Key for Code Exchange (PKCE) in conjunction with Silent Authentication in SPAs

The former/current guidance has to do with Silent Authentication VS Refresh Token Rotation (RTR). The Auth Code + PKCE flow is used to request tokens in either instance, so that should not be the focus of that sentence.

RTR is the current guidace.

I added a PR that should clarify that doc.

Thanks for the info!

No problem! Glad to help.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.