Authorization Code Flow
Mitigate replay attacks when using the Implicit Flow
To mitigate replay attacks when using the Implicit Flow, a Refresh Tokennonce must be sent on authentication requests as required by the OpenID Connect (OIDC) specification.
The nonce is generated by the application, sent as a
nonce query string parameter in the authentication request, and included in the ID Token response from Auth0. This allows applications to correlate the ID Token response from Auth0 with the initial authentication request.
For more information on where to include the nonce, see Call API Using the Implicit Flow.
How it works
Generate a cryptographically random nonce
How to implement it
Persist nonces across requests
The generated nonce must be persisted in your web application using any of the following methods:
- HTML5 local storage value
Validate the ID Token
Once Auth0 responds with an ID Token, this token must be validated and decoded as usual.
nonce claim must contain the exact same value that was sent in the request.
If not, authentication should be rejected by the application.