thephpleague / oauth2-client

Easy integration with OAuth 2.0 service providers.
http://oauth2-client.thephpleague.com
MIT License

PKCE: Unset oauth2pkceCode from session after login? #991

Open hkirsman opened 1 year ago

hkirsman commented 1 year ago

There's this example in the dev release for PKCE:

```php
// Store the PKCE code after the `getAuthorizationUrl()` call.
$_SESSION['oauth2pkceCode'] = $provider->getPkceCode();
// ...
// Restore the PKCE code before the `getAccessToken()` call.
$provider->setPkceCode($_SESSION['oauth2pkceCode']);
```

What about unsetting the $_SESSION['oauth2pkceCode'] after setPkceCode() is done?

```php
unset($_SESSION['oauth2pkceCode']);
```

There's no reason to keep it around, is there?
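
One way to make the restore step single-use, as an added example (not code from the oauth2-client project and not part of this issue): the verifier is read and unset in one helper, so it is gone whether or not the token exchange succeeds, and a repeated callback finds nothing to restore. `takePkceCode()`, `s256Challenge()` and the `$session` array standing in for `$_SESSION` are assumptions made for this example, which runs from the CLI without a provider.

```php
<?php
declare(strict_types=1);

/** Read the stored PKCE verifier and remove it in the same step (hypothetical helper). */
function takePkceCode(array &$session, string $key = 'oauth2pkceCode'): string
{
    if (!isset($session[$key]) || !is_string($session[$key])) {
        throw new RuntimeException('no PKCE code in session (flow not started, or callback repeated)');
    }
    $code = $session[$key];
    unset($session[$key]); // removed before the exchange, so a failed exchange leaves nothing behind
    return $code;
}

/** S256 challenge per RFC 7636: BASE64URL(SHA256(verifier)), no padding (hypothetical helper). */
function s256Challenge(string $verifier): string
{
    return rtrim(strtr(base64_encode(hash('sha256', $verifier, true)), '+/', '-_'), '=');
}

// Constructed walk-through; $session stands in for $_SESSION.
$session = [];

// Authorization request: the library would supply this via getPkceCode(); a verifier is constructed here.
$session['oauth2pkceCode'] = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
$challengeSent = s256Challenge($session['oauth2pkceCode']);

// Callback: consume the verifier once. In the real flow the next call would be
// $provider->setPkceCode($verifier), followed by getAccessToken().
$verifier = takePkceCode($session);

// Stand-in for the authorization server's check of the verifier against the challenge it was sent.
var_dump(hash_equals($challengeSent, s256Challenge($verifier)));

// The session no longer holds the verifier.
var_dump(isset($session['oauth2pkceCode']));

// Same callback URL requested again: the restore step fails instead of reusing old state.
try {
    takePkceCode($session);
} catch (RuntimeException $e) {
    echo 'second callback rejected: ', $e->getMessage(), PHP_EOL;
}
```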