Open himat opened 4 years ago
You could share it via an encrypted cookie (with `SameSite=Lax` set so that you get it when the auth redirect endpoint is hit back). However, I think that using PKCE, in this case, is not required at all. PKCE is required when the client is public (i.e. it's a mobile app or a single-page website) and there is a risk that the auth code would be intercepted. Basically, your secret key is no more secret. See: https://tools.ietf.org/html/rfc7636 and https://medium.com/identity-beyond-borders/what-the-heck-is-pkce-40662e801a76.
Btw, the example is missing checking of CSRF that is returned in
I ran the example, and on the redirect page, I get
But I want to get the actual access token from this.
In the code, we have
and this `token` variable is the 2nd thing that is printed above. `token` is of type `oauth2::CodeTokenRequest`. So I want to call `.request` on the `CodeTokenRequest`. But I get an error here because to call `.request`, we have to do this:

But the `pkce_verifier` was generated in the login route, whereas we call `.exchange_code` in the redirect route. So how do I set the PKCE verifier in the auth route, which is handled by a different function than the login route?
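The question above (how to get the `pkce_verifier` from the login handler into the redirect handler) and the reply's remark about the missing CSRF `state` check are both answered by the same mechanism: keep the verifier server-side, keyed by the `state` value the provider echoes back, and consume it once. The block below is an added example written for this thread; it is not code from the oauth2 crate or from the issue author. `LoginStore`, `PkceVerifier`, `begin_login`, `finish_login` and the sample state/verifier strings are hypothetical stand-ins; in the real crate the values would come from `CsrfToken::new_random()` and `PkceCodeChallenge::new_random_sha256()`, and the recovered verifier is what you pass to `exchange_code(code).set_pkce_verifier(..)` before `.request(..)`.

```rust
// Added example, not code from the oauth2 crate or from the issue author.
// The PKCE verifier is created in the login handler but needed in the
// redirect handler. Pattern shown here: keep it server-side, keyed by the
// CSRF `state` value that the authorization server echoes back, and consume
// it exactly once. All type and function names are hypothetical.
use std::collections::HashMap;
use std::sync::Mutex;
use std::time::{Duration, Instant};

/// Stand-in for `oauth2::PkceCodeVerifier`: the random secret the login
/// handler generated alongside the code challenge.
#[derive(Debug, Clone, PartialEq)]
pub struct PkceVerifier(pub String);

struct Pending {
    verifier: PkceVerifier,
    created: Instant,
}

/// Pending logins shared between the two handlers. In a real app this sits in
/// application state (e.g. inside an `Arc`) so both routes see the same map.
pub struct LoginStore {
    pending: Mutex<HashMap<String, Pending>>,
    ttl: Duration,
}

#[derive(Debug, PartialEq)]
pub enum RedirectError {
    /// `state` was never issued, was already used, or was tampered with.
    UnknownState,
    /// The login was started too long ago; the verifier is discarded.
    Expired,
}

impl LoginStore {
    pub fn new(ttl: Duration) -> Self {
        LoginStore { pending: Mutex::new(HashMap::new()), ttl }
    }

    /// Login route: after building the authorize URL with `csrf_state` and the
    /// PKCE challenge, remember the matching verifier under that state.
    pub fn begin_login(&self, csrf_state: &str, verifier: PkceVerifier) {
        let mut map = self.pending.lock().unwrap();
        // Drop stale entries so abandoned logins do not accumulate.
        map.retain(|_, p| p.created.elapsed() <= self.ttl);
        map.insert(csrf_state.to_string(), Pending { verifier, created: Instant::now() });
    }

    /// Redirect route: the `state` query parameter selects the pending login.
    /// A lookup miss is the CSRF check failing; removal makes the entry
    /// single-use, so a replayed redirect cannot reuse the verifier.
    pub fn finish_login(&self, returned_state: &str) -> Result<PkceVerifier, RedirectError> {
        self.finish_login_at(returned_state, Instant::now())
    }

    /// Same as `finish_login` with an explicit clock, so expiry is testable.
    pub fn finish_login_at(
        &self,
        returned_state: &str,
        now: Instant,
    ) -> Result<PkceVerifier, RedirectError> {
        let mut map = self.pending.lock().unwrap();
        let entry = map.remove(returned_state).ok_or(RedirectError::UnknownState)?;
        if now.duration_since(entry.created) > self.ttl {
            return Err(RedirectError::Expired);
        }
        Ok(entry.verifier)
    }
}

fn main() {
    let store = LoginStore::new(Duration::from_secs(300));

    // Login handler (constructed values; real code would use
    // CsrfToken::new_random() and PkceCodeChallenge::new_random_sha256()).
    let state = "csrf-state-abc123";
    store.begin_login(state, PkceVerifier("verifier-xyz789".to_string()));
    println!("redirect the browser to the authorize URL carrying state={}", state);

    // Redirect handler: the provider calls back with ?code=...&state=...
    match store.finish_login(state) {
        Ok(verifier) => println!(
            "state ok, verifier recovered: {}; pass it to exchange_code(code).set_pkce_verifier(..)",
            verifier.0
        ),
        Err(e) => println!("rejecting redirect: {:?}", e),
    }

    // A second callback with the same state (replay) and a forged state both fail.
    println!("{:?}", store.finish_login(state));
    println!("{:?}", store.finish_login("forged-state"));
}
```

The encrypted-cookie approach from the reply is the same idea with the map moved into the browser: the cookie carries the `state` and verifier, `SameSite=Lax` lets it travel on the top-level redirect back, and the redirect handler still has to compare the cookie's `state` with the query parameter before using the verifier. Whichever storage you choose, the verifier must be bound to the state and deleted after one use.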