A common situation: SPA + REST. If one were to forgo Auth0 and authenticate the web users with JWTs, one would have to store an XSRF token provided by the server on login in a cookie, and send it in the request headers, along with the JWT.
In the relevant official Auth0 guide, https://auth0.com/docs/architecture-scenarios/spa-api, the XSRF tokens are not mentioned at all. What if someone steals the Access Token from a user? Will they have access to my REST API for that user?
Auth0 has another guide Preventing Cross-site Request Forgery (XSRF or CSRF), but it's strangely brief, and I'm not seeing how it solves the problem I described.
The strategy Auth0 uses to prevent CSRF attacks is the use of a nonce, which they call a state parameter. This state is generated with the authentication request, and then used to correlate the request with the response received from the authentication. (from Auth0 docs on how to mitigate CSRF attacks)
Relevant info from the Auth0 docs on the state parameter:
a unique and non-guessable value associated with each authentication request about to be initiated. It’s that unique and non-guessable value that allows you to prevent the attack by confirming if the value coming from the response matches the one you expect (the one you generated when initiating the request).
If you are using Auth0.js in your SPA, this nonce or state generation and validation is automatically handled for you.