When talking about state, the documentation and the posts in this forum talk about how it is intended to prevent CSRF attacks. How does it do this? If I send a value to Auth0 when a user logs in - as the documentation says to do every time - if the request were being intercepted, the third-party would simply copy the state into their response. So when my SPA compares the response, it’s going to match. So how does this protect against anything?
Actually, I don’t understand how nonce is supposed to protect against a replay attack, for the same reason.
I’m obviously misunderstanding something, but have no idea what. Any help appreciated.