Nonce inside a0.spajs.txs cookie is blocked by Azure Front Door due to SQL injection threat

Cross-posting as advised from

We are having an issue whereby our Azure Front Door web application firewall is blocking requests to our /callback page after successful authentication on Auth0. It seems Auth0 sets a cookie for the SPA SDK which contains a nonce that gets flagged by the WAF as being a threat due to a sequence of characters resembling a SQL injection.

We have added an exception in the WAF since it is no risk to us, but this may trip up others who are hosting their apps behind AFD’s WAF.