
Proof Key for Code Exchange (PKCE) #171

Closed
2 tasks done
ilijaNL opened this issue Aug 5, 2022 · 3 comments · Fixed by #240

Comments

@ilijaNL

ilijaNL commented Aug 5, 2022

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

Hello, I wonder how this library is dealing with Proof Key for Code Exchange (https://oauth.net/2/pkce/).
If I understand correctly, and from checking out the code, there is a generateStateFunction and a checkStateFunction which are used to compare the state object (generated once on startup). To apply PKCE, do I need to implement my own generateStateFunction & checkStateFunction, or is PKCE already covered?

@mcollina
Member

mcollina commented Aug 5, 2022

Thanks for asking. The simple answer is that you likely know more about oauth2 than the maintainers of this library.
We use https://www.npmjs.com/package/simple-oauth2 internally.

@ilijaNL
Author

ilijaNL commented Aug 5, 2022

I noticed, I will raise an issue there. Thanks.

Edit: lelylan/simple-oauth2#399

@big-kahuna-burger
Contributor

big-kahuna-burger commented Nov 21, 2023

@ilijaNL PKCE and having state in the Authorization Code Grant are two different things.

The state parameter is already described, and its use suggested, in OAuth 2.0 RFC 6749
for the Implicit and Authorization Code Grants.

PKCE is a separate extension described in RFC 7636 that applies only to the Authorization Code Grant for public clients; when properly implemented by the Auth Server and the Client, it prevents some attacks based on interception of authorization codes.
