auth0-react VS auth0-spa-js

This post goes through how to build a PKCE client for browser using TypeScript based applications with no dependencies. If you want to know more about what PKCE (Proof Key Code Exchange) is you can read my previous post, What Is PKCE. Before I start on how do to this, as a general rule I would use a client side library provided by a reputable authentication vendor, like the React SDK provided by Auth0 for any production application I was building. If you're interested in what is going on under the hood in libraries like that, or you have a specific use case, or you're just interested in a hands on example of how PKCE works then I'll go through how I implemented this only using what is available in the browser.

This article aims to teach developers how to utilize user authentication to secure a React application with the help of Auth0’s React SDK which offers a high-level API for dealing with a variety of authentication related concerns while writing less code.

To integrate Auth0 into our React app, we’ll use auth0-react to connect the app with Auth0 and a hook called useAuth0 to get authentication state and methods. However, it is challenging to reach authentication states and methods outside the components.

https://github.com/auth0/auth0-react Look for a method called getAccessTokenSilently

Your message feels disingenuous and not in good-faith.

Auth0 clearly advises against the localStorage option which is most similar to Stytch's:

> _Important:_ This feature will allow the caching of data _such as ID and access tokens_ to be stored in local storage. Exercising this option changes the security characteristics of your application and _should not be used lightly._ Extra care should be taken to mitigate against XSS attacks and minimize the risk of tokens being stolen from local storage.

This is from the readme of the github you linked:

https://github.com/auth0/auth0-spa-js/tree/0de9c6bf61d37fc21...

And since their other client-only solutions have major UX challenges (as you highlight), I expect most Auth0 users have landed on the secure option.

This is very different from Stytch - which as far as I can tell - doesn't disclose or acknowledge the risk, and instead willingly puts developers at increased risk. Throughout this thread, you've been dismissive of the risk despite security organizations clearly indicating that HttpOnly is best-practice.

You've found a legitimate comparison in Firebase, but for me, you've taken several steps too far trying to compare to Auth0.

Auth0 provides the auth0-spa-js package which offers two ways to authenticate users:

Therefore, I have transformed the library [@auth0/auth0-spa-js](https://github.com/auth0/auth0-spa-js), which is another official Auth0 client library, to have an authentication hook and methods that can be accessible outside the components.

auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/master/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information. 32 | it("renders a login button", () => { 33 | > 34 | const { getByText } = render( | ^ 35 | 36 | 37 |