I'm currently working on an OAuth 2.0 authorization code grant with PKCE in an SSR page (working with React in the front and Express in the back).
Where should I store the code_verifier when the client requests a code from the authorization server (when the authorization server creates the code_challenge and code_verifier to verify later)? I have the authorization server running in an independent stack/infrastructure.
Should I store the code_verifier in req.headers?
(see Draft Campbell OAuth TBPKCE-00)
We are following RFC6749
I would suggest you think about storing it in cookies; it is an easy way, and it is not really a big deal if someone sees it. You can use the cookie-parser library for Node.js, which I personally really like and use almost daily, as it provides developer-friendly tools.
FYI: I am working mainly on GraphQL APIs, and I find it a good solution also to store the code_verifier in the context of the GraphQL server, e.g. Apollo Server.