Why use state, or even nonce?

When talking about state, the documentation and the posts in this forum talk about how it is intended to prevent CSRF attacks. How does it do this? If I send a value to Auth0 when a user logs in - as the documentation says to do every time - if the request were being intercepted, the third-party would simply copy the state into their response. So when my SPA compares the response, it’s going to match. So how does this protect against anything?

Actually, I don’t understand how nonce is supposed to protect against replay attack, for the same reason.

I’m obviously misunderstanding something, but, have no idea what. Any help appreciated.

A post was merged into an existing topic: SPA’s don’t do authentication (replay attacks)