Question about code_verifier

[aaaguirrep]

Hi, I am having the next doubt using authorization code:

Step 1.- I have a /login endpoint where the users are redirected to idp by the openid-client library. I create a code_verifier and code_challegue for this step.

Step2.- After the user authenticates I receive a redirect to my /callback endpoint with code value. So I am invoking callback method from openid-client to retrieve tokens. In this step i need the code, code_verifier from step 1 and params.

My question is: how to associate or identify the code_verifier to use in the step 2? Because i receive different request from different users at my callback endpoint.

I read the documentatio that i need to store it but I don't know how to associate with step 2.

Thanks in advanced.

Regards,
Arsenio

[panva]

Use exactly the same mechanism as you use for e.g. state, or nonce value persistance. This is commonly the session mechanism or a separate httpOnly; attribute tamper-proof cookie.

[aaaguirrep]

Thanks @panva I have read again the documentation and it is clear.

// store the code_verifier in your framework's session mechanism, if it is a cookie based solution
// it should be httpOnly (not readable by javascript) and encrypted.