// Store the PKCE code after the `getAuthorizationUrl()` call.
$_SESSION['oauth2pkceCode'] = $provider->getPkceCode();
// ...
// Restore the PKCE code before the `getAccessToken()` call.
$provider->setPkceCode($_SESSION['oauth2pkceCode']);
What about unsettling the $_SESSION['oauth2pkceCode'] after setPkceCode() is done?
There's this example in dev release for PKCE
What about unsettling the $_SESSION['oauth2pkceCode'] after setPkceCode() is done?
unset($_SESSION['oauth2pkceCode']);
There's no reason to keep it around, is there?