Redirecting Users with State Parameters

Hi,

auth0-spa-js validates the response automatically so you needn’t concern yourself with this. The library takes care of all of these low-level details.

Regardless, I will explain how this works internally:

When the /authorize URL is constructed, a new transaction is created and associated with a newly generated state value that will be passed in the URL: auth0-spa-js/Auth0Client.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub

When the user is redirected back to your app you should be calling handleRedirectCallback. This function retrieves the transaction using the state value from the query parameters: auth0-spa-js/Auth0Client.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub

It then passes the transaction’s nonce to _verifyIdToken (which is just a wrapper around the verify function): auth0-spa-js/Auth0Client.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub

In verify you can then see the nonce value from the transaction is compared with that of the ID token. If they don’t match then validation fails: auth0-spa-js/jwt.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub
