2
votes

I'm writing a client app that will integrate with some OAuth2 provider. I will have a native Android app as the front-end and Spring Boot as the backend. I would like to use the authorization_code flow with PKCE. My question is: who should generate the code verifier and code challenge? My backend or my native app?

I can see two options:

1) Frontend calls the authorization endpoint. Backend generates code_verifier and code_challenge, returns the code_challenge to the frontend, and redirects it to the authorization server. User logs in, gives permissions, and then the authorization code is received and forwarded to the backend. Then the backend calls the authorization server with code_verifier, client id and client secret and receives the access token.

2) FE generates code_verifier and code_challenge. It calls the authorization provider with code_challenge, user logs in, gives permissions, and then the authorization code is received. Frontend forwards the authorization code together with code_verifier, and then the backend calls the authorization provider with authorization code, code_verifier, client id and client secret.

Which approach is better and more secure?


1 Answer

3
votes

We chose approach 2).

An adversary might intercept traffic between frontend and backend and use the code to get tokens from your backend endpoint. With option 1 you only protect the communication between backend and authorization provider, but not between frontend and backend.
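The following is an added example, not code from the question or the answer, simulating option 2 end to end in Python: the app generates the PKCE pair and keeps the verifier, the redirect carries only the authorization code, and the backend (the only party holding the client secret) redeems code plus verifier at the token endpoint. The authorization server, backend and client names (`AuthorizationServer`, `Backend`, `android-app`) are in-process stand-ins constructed for this example, not a real provider or the Spring Boot API; the verifier and S256 challenge construction follows RFC 7636. The second function shows the property PKCE buys: a code captured from the redirect is worthless to a party that does not hold the verifier, and the stand-in server also consumes the code on a failed check so it cannot be retried.

```python
"""Option 2 simulated in-process: app generates PKCE, backend holds the client secret."""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 characters, the RFC minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Stand-in for the OAuth2 provider (hypothetical, constructed for this example)."""

    def __init__(self, client_id: str, client_secret: str):
        self.client_id = client_id
        self.client_secret = client_secret
        self._pending = {}  # authorization code -> code_challenge stored at /authorize time

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        # User login and consent happen here; the server binds the challenge to the code.
        if client_id != self.client_id or method != "S256":
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, client_id: str, client_secret: str, code: str, code_verifier: str) -> dict:
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.client_secret):
            raise PermissionError("invalid_client")
        challenge = self._pending.pop(code, None)  # single use: a failed check also burns the code
        if challenge is None:
            raise PermissionError("invalid_grant")
        if not VERIFIER_RE.fullmatch(code_verifier) or not hmac.compare_digest(
            make_code_challenge(code_verifier), challenge
        ):
            raise PermissionError("invalid_grant")
        return {"access_token": "at-" + secrets.token_urlsafe(16), "token_type": "Bearer"}


class Backend:
    """Stand-in for the Spring Boot backend: the only party that holds client_secret."""

    def __init__(self, auth_server: AuthorizationServer, client_id: str, client_secret: str):
        self.auth_server, self.client_id, self.client_secret = auth_server, client_id, client_secret

    def exchange(self, code: str, code_verifier: str) -> dict:
        # The app posts code + verifier here; the backend redeems them with its own credentials.
        return self.auth_server.token(self.client_id, self.client_secret, code, code_verifier)


def run_option_2(auth_server: AuthorizationServer, backend: Backend, client_id: str) -> dict:
    """Happy path: the app generates the pair, keeps the verifier, the backend does the exchange."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = auth_server.authorize(client_id, challenge, "S256")  # redirect carries only the code
    return backend.exchange(code, verifier)                      # app sends code + verifier


def intercepted_code_is_useless(auth_server: AuthorizationServer, backend: Backend, client_id: str) -> bool:
    """A code captured from the redirect cannot be redeemed without the verifier the app kept,
    and because the stand-in server burns the code on a failed check it cannot be retried."""
    verifier = make_code_verifier()
    code = auth_server.authorize(client_id, make_code_challenge(verifier), "S256")
    try:
        backend.exchange(code, make_code_verifier())  # attacker supplies a verifier of their own
        return False
    except PermissionError:
        pass
    try:
        backend.exchange(code, verifier)  # even the right verifier no longer helps
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    CLIENT_ID, CLIENT_SECRET = "android-app", secrets.token_urlsafe(32)  # constructed values
    authz = AuthorizationServer(CLIENT_ID, CLIENT_SECRET)
    be = Backend(authz, CLIENT_ID, CLIENT_SECRET)
    print(run_option_2(authz, be, CLIENT_ID))
    print("intercepted code rejected:", intercepted_code_is_useless(authz, be, CLIENT_ID))
```

Two details worth keeping when moving this to a real backend: compare the challenge with a constant-time comparison (the stand-in uses `hmac.compare_digest`), and never let the backend store or log the verifier beyond the single exchange, since the whole point of option 2 is that it exists only in the app's memory until the code is redeemed.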