'How does a SPA stores PKCE code_verifier?
Considering Authorization Code Flow with PKCE inside an iframe as follows:
+-------------------+
| Authz Server |
+--------+ | +---------------+ |
| |--(A)- Authorization Request ---->| | |
| | + t(code_verifier), t_m | | Authorization | |
| | | | Endpoint | |
| |<-(B)---- Authorization Code -----| | |
| | | +---------------+ |
| Client | | |
| | | +---------------+ |
| |--(C)-- Access Token Request ---->| | |
| | + code_verifier | | Token | |
| | | | Endpoint | |
| |<-(D)------ Access Token ---------| | |
+--------+ | +---------------+ |
+-------------------+
How does a SPA application (React, for instance) can store a code_verifier as when a (B) callback occurs (considering a 302 redirection or window.location.replace) the page reloads and the state (original code_verifier) is lost?
How to implement this flow as same as a native mobile application, without storing code_verifier in a backend and just keep it in memory?
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|