Do I need to have a unique app state and code verifier for each OIDC Auth Code Flow request/sign-in?
The samples that were provided by Okta for Python did not seem to use a unique value for each request, but:
- those were only sample applications to help get one started
- I did not extensively test this with many simultaneous users
What I have does seem to work, during my very limited testing, but it may not be correct.
What would be the problem with setting these values at application startup?
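
An added example, not part of the original post and not Okta's sample code: RFC 7636 has the client create a code verifier for each authorization request, and `state` only protects against CSRF when it is unguessable and tied to the session of the user who started the sign-in. The sketch below generates both per request and consumes them once at the callback. It assumes `session` is a per-user server-side session mapping (a plain dict stands in for it here), and the function and key names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(verifier)) with the '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_auth_request(session: dict) -> dict:
    """Create fresh state and PKCE values for ONE sign-in, bound to this session."""
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)  # 86 chars; RFC 7636 allows 43-128
    session["oidc_state"] = state
    session["oidc_code_verifier"] = code_verifier
    # Only the state and the challenge go to the authorization endpoint;
    # the verifier stays server-side until the token request.
    return {
        "response_type": "code",
        "state": state,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }


def handle_callback(session: dict, returned_state: str) -> str:
    """Check the callback's state against this session and return the verifier.

    Both values are popped, so a replayed callback finds nothing to match.
    """
    expected = session.pop("oidc_state", None)
    verifier = session.pop("oidc_code_verifier", None)
    if expected is None or verifier is None:
        raise ValueError("no sign-in in progress for this session")
    if not hmac.compare_digest(expected.encode(), returned_state.encode()):
        raise ValueError("state does not match this session")
    return verifier


if __name__ == "__main__":
    alice, bob = {}, {}  # constructed stand-ins for two users' sessions
    params = new_auth_request(alice)
    new_auth_request(bob)
    print("alice callback ok:", bool(handle_callback(alice, params["state"])))
    try:
        handle_callback(bob, params["state"])  # alice's state in bob's session
    except ValueError as exc:
        print("bob callback rejected:", exc)
```

With values fixed at application startup, every session would carry the same `state`, so the cross-session check above could never fail, and one code verifier would be reused across all users' token requests.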