SPAs don't do authentication (replay attacks)

I’m trying to understand how to use nonce. According to the documentation ("Mitigate Replay Attacks When Using the Implicit Flow"), nonce is used to prevent replay attacks. But all of the documentation talks to, and the example shows, that the SPA is what is being protected. SPAs do not service requests, they generate them.

In the example at the bottom of the page, they show retrieving the nonce from localStorage - which by definition is the web browser - and comparing the nonce. It says if the comparison fails, “authentication should be rejected by the application.” There are two ways to read this. Myself and two others I work with read this as “the authentication of the user should be rejected”, but this makes no sense, as the SPA does not do authentication. The second way to read this is “the SPA should reject the authenticity of the response, as it did not come from the service.” The second interpretation makes more sense. But the documentation is very imprecise.

Lastly, in an SPA, the SPA can only generate requests, it cannot service them. So what is being protected?

When talking about state, the documentation and the posts in this forum talk about how it is intended to prevent CSRF attacks. How does it do this? If I send a value to Auth0 when a user logs in - as the documentation says to do every time - if the request were being intercepted, the third-party would simply copy the state into their response. So when my SPA compares the response, it’s going to match. So how does this protect against anything?

Actually, I don’t understand how nonce is supposed to protect against a replay attack, for the same reason.

I’m obviously misunderstanding something, but have no idea what. Any help appreciated.
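
Added example, not part of the original post and not Auth0's code: a sketch of the client-side `state` and `nonce` checks the post refers to, where the SPA decides whether a callback response answers a login request that this browser started. The `Map` standing in for `localStorage`, the function names and the unsigned sample tokens are assumptions; ID token signature verification is assumed to happen before these checks.

```javascript
// Shim so the sample runs in Node as well as in a browser.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;
const store = new Map(); // stand-in for window.localStorage (assumption)

function randomValue() {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Before redirecting to the authorization server: remember what this browser asked for.
function beginLogin() {
  const state = randomValue(), nonce = randomValue();
  store.set('auth_state', state);
  store.set('auth_nonce', nonce);
  return { state, nonce }; // sent as parameters on the authorization request
}

function decodePayload(idToken) {
  let b64 = idToken.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  b64 = b64.padEnd(Math.ceil(b64.length / 4) * 4, '=');
  return JSON.parse(atob(b64));
}

// On the callback: accept only a response that matches the stored request values.
function handleCallback({ state, id_token }) {
  const expectedState = store.get('auth_state');
  const expectedNonce = store.get('auth_nonce');
  store.delete('auth_state'); // both values are single use
  store.delete('auth_nonce');
  if (!expectedState || state !== expectedState) return 'rejected: state mismatch';
  // The nonce claim is inside the signed ID token, so it cannot be swapped
  // to match a later request without invalidating the signature.
  if (!expectedNonce || decodePayload(id_token).nonce !== expectedNonce) return 'rejected: nonce mismatch';
  return 'accepted';
}

// Constructed, unsigned sample token (hypothetical helper for this example only).
function fakeIdToken(nonce) {
  const enc = o => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ sub: 'user-1', nonce })}.`;
}

// Demo: a normal login, then the same token replayed into a later login.
const first = beginLogin();
const captured = fakeIdToken(first.nonce);
console.log(handleCallback({ state: first.state, id_token: captured }));
const later = beginLogin();
console.log(handleCallback({ state: later.state, id_token: captured }));
```

In this sketch a token captured from one login fails the nonce check when delivered into a later login, and a callback arriving at a browser that never called `beginLogin()` fails the state check because nothing is stored to compare against.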