It seems to me like the Auth0 app (https://manage.auth0.com) doesn’t use their own promoted authentication workflows for themselves (please tell me if this is wrong). The app seems to be a React SPA but I can’t find any JWT tokens. It looks like they just use sessions.
Also, I can’t find any of the bigger companies like Airbnb, Netflix, Twitch, … using this approach.
My own use case would be securing a SPA which calls APIs, but it doesn’t feel very secure that none of the battle-tested companies use the approach promoted by Auth0.
Thanks for your question. I’m happy to chat about this and do my best to explain it!
JSON Web Token is an encoding mechanism. The JWT format itself is not the key factor. Rather, the choice of strategy depends on your application topology.
In Auth0 documentation and tutorials, we default to guidance that allows for maximum flexibility; this includes the ability to call APIs that may be anywhere (your own domain, or elsewhere). The Auth0 dashboard (https://manage.auth0.com) only calls Auth0 APIs on an Auth0 backend and does not request anything off-domain. This is why the dashboard uses cookies.
If you’re calling your own APIs on the same domain as your SPA, then you could choose to use cookies as well. However, this approach can be less flexible if the scope of your application’s future is unknown. If a developer were to architect their SPA to call their own APIs and opted to use cookies, and they later needed to call an external API, cookies would not work for the cross-domain API.
You can read more about Single Page Applications in this article on OAuth 2.0 implicit grant and SPA. There’s currently activity in the standards world to describe the approach in the article and its implementation more thoroughly, and Auth0 will give additional guidance on it as well as the situation develops.
I hope this answers your question — or if you have additional questions, please let us know!
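To make the topology argument from the answer concrete, here is an added example (not Auth0's code and not from either poster) of the per-request decision a SPA's API client has to make: a same-domain API can rely on the browser-attached session cookie, while a cross-domain API only ever sees what the SPA puts in the `Authorization` header. The SPA host, cookie domain and allowed token hosts are constructed values.

```javascript
// Added example: choose between cookie sessions and bearer tokens per request,
// following the reasoning in the reply above. Runs in Node (URL is a global).

// Constructed deployment values, not taken from the thread.
const COOKIE_DOMAIN = "example.com"; // the session cookie is set with Domain=example.com

// Returns fetch() options plus the strategy chosen for the given API URL.
// allowedTokenHosts: hosts the access token was issued for; the token is never
// sent anywhere else, so a misconfigured URL cannot leak it.
function buildRequestOptions(apiUrl, accessToken, allowedTokenHosts) {
  const host = new URL(apiUrl).hostname;
  const cookieScoped =
    host === COOKIE_DOMAIN || host.endsWith("." + COOKIE_DOMAIN);

  if (cookieScoped) {
    // Same-domain API: the browser attaches the session cookie by itself.
    // A cookie-authenticated API still needs CSRF defences (SameSite cookies
    // and/or a CSRF token); the custom header below is one common signal.
    return {
      strategy: "cookie",
      credentials: "include",
      headers: { "X-Requested-With": "XMLHttpRequest" },
    };
  }

  // Cross-domain API: cookies scoped to our domain are not sent here, so the
  // only way to authenticate the call is a bearer token the SPA holds itself.
  if (!allowedTokenHosts.includes(host)) {
    throw new Error(`refusing to send the access token to unexpected host ${host}`);
  }
  return {
    strategy: "bearer",
    credentials: "omit", // no cookies at all on the cross-domain request
    headers: { Authorization: `Bearer ${accessToken}` },
  };
}

module.exports = { buildRequestOptions, COOKIE_DOMAIN };
```

Running the same function against a same-domain URL, an allowed external API and an unexpected host shows the three outcomes the answer describes: cookie, bearer token, and refusal.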