I’m trying to understand how to use nonce. According to the documentation ("Mitigate Replay Attacks When Using the Implicit Flow"), nonce is used to prevent replay attacks. But all of the documentation reads as though, and the example shows, that the SPA is what is being protected. SPAs do not service requests, they generate them.
In the example at the bottom of the page, they show retrieving the nonce from localStorage (which by definition is the web browser) and comparing the nonce. It says that if the comparison fails, “authentication should be rejected by the application.” There are two ways to read this. Two others I work with and I read this as “the authentication of the user should be rejected”, but this makes no sense, as the SPA does not do authentication. The second way to read this is “the SPA should reject the authenticity of the response, as it did not come from the service.” The second interpretation makes more sense. But the documentation is very imprecise.
Lastly, in an SPA, the SPA can only generate requests; it cannot service them. So what is being protected?