We have a SPA app composed of two parts that run independently of each other. Both sign in to Auth0. One of the two parts is the side navigation section, and the other part is the main app. The main app loads the side nav via a tag in the main index.html file.
Because these apps run independently, they both must get an access token on page reload, and they both periodically get a new access token. Doing everything twice increases page load time and puts more load on Auth0.
We have an idea to refactor our apps so the main app relies on the sidenav app to manage the access token. So only the sidenav logs in. The main app will communicate via some global function whenever it needs an access token.
What are the security concerns with this approach? Does creating such a global function expose us to a specific type of attack? Are there mitigations? Our system is an enterprise website without forums or ads, so we believe our exposure to XSS is minimal.
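One way to shape the "global function" the question describes so that it exposes as little as possible, as an added example that is not code from the question's project or from Auth0's SDK: the sidenav keeps the token inside a closure rather than on a global variable, exports a single read-only function that hands back only the current access token string, coalesces concurrent requests into one refresh, and installs that function as a non-writable, non-configurable property so a later script cannot quietly replace it. The names `createTokenBroker`, `installGlobal` and the injected `fetchToken` stand-in are assumptions made for this example; the tokens are constructed values, and no network call is made. Note what this does not change: any script running in the same origin can still call the function, so it narrows what a page script can reach (no refresh token, no setter, no token store to read), but it does not lower the XSS exposure of the token itself.

```javascript
// Added example (not from the question or Auth0's SDK): a token broker the
// sidenav could own. The token lives in a closure, never on a global variable,
// and the only thing exported is one read-only function. fetchToken() is an
// injected stand-in (assumption) for whatever actually talks to Auth0.
function createTokenBroker({ fetchToken, now = () => Date.now(), refreshSkewMs = 60_000 }) {
  let current = null;   // { accessToken, expiresAt }, held in closure scope only
  let inFlight = null;  // promise of a refresh that is already in progress

  // Treat the token as stale refreshSkewMs before its real expiry.
  function isFresh() {
    return current !== null && current.expiresAt - refreshSkewMs > now();
  }

  function refresh() {
    if (inFlight) return inFlight;   // coalesce concurrent callers into one round trip
    inFlight = (async () => {
      const { accessToken, expiresIn } = await fetchToken();
      current = { accessToken, expiresAt: now() + expiresIn * 1000 };
      return accessToken;
    })().finally(() => { inFlight = null; });
    return inFlight;
  }

  // The single capability handed to the main app: a string token, nothing else.
  async function getAccessToken() {
    return isFresh() ? current.accessToken : refresh();
  }

  return Object.freeze({ getAccessToken, isFresh });
}

// Install the function as a non-writable, non-configurable property so a later
// script cannot silently swap it for one that also copies tokens elsewhere.
// Returns true when the property is locked as intended.
function installGlobal(target, name, fn) {
  Object.defineProperty(target, name, {
    value: fn, writable: false, configurable: false, enumerable: false,
  });
  const d = Object.getOwnPropertyDescriptor(target, name);
  return !d.writable && !d.configurable;
}

// Stand-alone demo with a constructed fetchToken; no network involved.
(async () => {
  let calls = 0;
  const broker = createTokenBroker({
    fetchToken: async () => ({ accessToken: `constructed-token-${++calls}`, expiresIn: 120 }),
  });
  const scope = {};                               // stands in for window
  installGlobal(scope, 'getAccessToken', broker.getAccessToken);
  const [a, b] = await Promise.all([scope.getAccessToken(), scope.getAccessToken()]);
  console.log(a === b, calls);                    // two callers, one fetch
})();
```

In a real deployment `scope` would be `window` and `fetchToken` would wrap the Auth0 client call; the shape of the broker (closure-held state, one frozen function, coalesced refresh) is what reduces the attack surface the question asks about, not any particular Auth0 API.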