Code verifier and code challenge

I would like to know where exactly in the code we are using the code_verifier and code_challenge. I thought the PKCE flow works like this:

  1. Hit the /authorize endpoint with code_challenge as a parameter to get the authorization_code.
  2. Hit the /token endpoint with authorization_code and code_verifier as parameters to get the id_token and access_token.
  3. Validate the id_token by sending it to the /introspect endpoint.

How are the redirects done in the code? Does loginOkta() take care of all of these?

Not 100% sure what your concern is about, but loginOkta, based on the repo you attached, will do the redirect. The code_verifier/code_challenge is taken care of by okta-auth-js automatically, behind the scenes, so you don't need to explicitly do anything except set a config parameter for okta-auth-js to use the PKCE flow.


Thank you very much!