I’m implementing the Authorization code flow with PKCE and planning to have my redirect_uri
as the backend.
In this case, while making the code to token exchange call (in the backend), I won’t be having information like the clientId
and code verifier
.
In the Auth code request, we’re passing the state
parameter, which gets returned back as a response in the backend via a redirect.
So, I’m planning to have my state
parameter as
{
"clientId":"test-client",
"targetUrl: "profile",
"codeVerifier":"xHchbhBDFJFhhDgbujFFfgVfGBffdfTKS"
}
and probably encrypt it and pass it in the authorization code request in the front-end.
Then when I receive the code
and state
in the backend, I can decrypt this in the backend and make the code to token request calls.
If this is an acceptable practice, what would be a good encryption method?
I tried RSA encryption, but I guess the data shouldn’t be more than 117 bytes, so I was thinking of AES encryption.
Or is there any better solution to get this information in the backend?