Authorization Code Flow with PKCE

I’m using this resource to get my auth flow working:

When I send the Auth request, the user is redirected to the login page. Is there a recommended way to store the code_verifier while the redirect happens? Local storage? Cookie?

Per the possible storage types you mentioned, I’m assuming this is a SPA, so one possibility could be to use a higher-level SDK and leave that detail for the SDK. I think the Auth0 SPA SDK (https://auth0.com/docs/libraries/auth0-single-page-app-sdk) uses cookies as the default storage mechanism for such data.

One advantage of cookies is that you can get automatic cleanup done by the browser for cases where a login request may be abandoned by the user.

2 Likes
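The cookie approach from the answer above, as an added example (not code from this thread or from the Auth0 SPA SDK): the verifier is written to a short-lived cookie keyed by the OAuth `state` value before the redirect, then read once and deleted on the callback. The function names, cookie prefix, 10-minute lifetime and `/callback` path are assumptions.

```javascript
// Added example; every name below is hypothetical, not part of any SDK.
// Node fallback so the block also runs outside a browser.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const PREFIX = 'pkce.';           // cookie name is PREFIX + state: one cookie per login attempt
const TTL_SECONDS = 600;          // assumed lifetime; the browser drops abandoned attempts after this
const CALLBACK_PATH = '/callback'; // assumed redirect_uri path; scopes the cookie to that page
const ATTRS = `Path=${CALLBACK_PATH}; Secure; SameSite=Lax`;

// 32 random bytes, base64url-encoded: 43 characters (RFC 7636 allows 43 to 128).
function newToken() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Before redirecting to the authorization endpoint: create state and verifier, write the cookie.
// `doc` is `document` in the browser; any object with a `cookie` property works.
function stashVerifier(doc) {
  const state = newToken();
  const verifier = newToken();
  doc.cookie = `${PREFIX}${state}=${verifier}; Max-Age=${TTL_SECONDS}; ${ATTRS}`;
  return { state, verifier };
}

// On the callback page: find the verifier for the returned `state`, then delete the cookie
// so it is used only once. Returns null for an unknown, malformed or expired state; the
// caller must then abort instead of calling the token endpoint.
function takeVerifier(doc, state) {
  if (!/^[A-Za-z0-9_-]{43}$/.test(state ?? '')) return null;
  const wanted = PREFIX + state;
  for (const pair of doc.cookie.split('; ')) {
    const eq = pair.indexOf('=');
    if (pair.slice(0, eq) === wanted) {
      doc.cookie = `${wanted}=; Max-Age=0; ${ATTRS}`; // same Path, or the delete is ignored
      return pair.slice(eq + 1);
    }
  }
  return null;
}
```

Keying the cookie by `state` lets two login attempts in different tabs coexist, and a callback whose `state` has no matching cookie is rejected.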

Thanks! I’ll go for the cookie for now.
