Hi, is there a way to allow the PKCE code to be used a second time after it has already been exchanged?
I’m using auth0 with directus login. The problem is, I also need the auth0 ID token to use in auth0-vue in my app, but directus doesn’t give it back to me after consuming the code. There’s no way to pass an ID token to directus. I’m trying to use the same code after redirect to obtain the ID token again after passing the code to the directus callback, but it doesn’t work and I’m told the code / state is invalid.
Is there any way to allow the PKCE code and state to be used to retrieve the same ID token a 2nd time?
The behavior you’re encountering is due to the security design of the OAuth 2.0 protocol, specifically how the Proof Key for Code Exchange (PKCE) flow is implemented. In PKCE, the authorization code (along with the PKCE code verifier) is designed to be a one-time use token. Once the authorization code is exchanged for tokens (ID token, access token, and refresh token), it cannot be used again.
I’m not entirely sure of your environment, but it might be worth looking into getting and using a refresh token to perform silent auth in order to get another set of tokens in your app.