We’ve integrated auth0 and GTM manager in our SPA. After returning from universal login the URL with query parameter code from auth0 is now pushed to GTM. Is this a security issue?
According to the spec, the code passed as a query param in the URL is short-lived (max 10 min.), and it cannot be used more than once to exchange for the Access Token and other tokens. This should not cause a security issue since the code is unusable once it has been passed back to Auth0 in exchange for tokens.