7
votes

I'm currently working on an OAuth 2.0 authorization code grant with PKCE in an SSR page (React on the front end and Express on the back end).

Where should I store the code_verifier when the client requests a code from the authorization server (when the authorization server creates the code_challenge and code_verifier to verify later)? I have the authorization server running in an independent stack/infrastructure.

Should I store the code_verifier in req.headers? (see Draft Campbell OAuth TBPKCE-00)

We are following RFC 6749.

1
Hey, is it possible to share code samples you already tried? It will help us debug if you provide running code snippets. Did you already Google your problem? It would be great if you let us know what you have already researched.
user10972884

1 Answer

1
votes

I would suggest thinking about storing it in cookies; it is an easy way, and it is not a really big deal if someone sees it. You can use the cookie-parser library for Node.js, which I personally really like and use almost daily, as it provides developer-friendly tools.

FYI: I am working mainly on GraphQL APIs, and I also find it a good solution to store the code_verifier in the context of the GraphQL server, e.g. Apollo Server.