
User17117278321161340999 (Customer) asked a question.
We're looking at implementing a solution to token sidejacking for our SPA as described here:
To do this I have created a POC using the https://github.com/okta/samples-js-react/ where we
- Firstly redirect the user to Okta to login using await oktaAuth.signInWithRedirect();
- Then we use a custom callback component to grab the auth code and hit our own api with the auth code etc. in order to make the token request
- In order to hit the token endpoint we need the code_verifier as a parameter as described here: https://developer.okta.com/docs/guides/implement-grant-type/authcodepkce/main/*exchange-the-code-for-tokens
- To get this from the redirect I am using a little bit of a hacky solution (see below), and I was wondering if there was an alternative (other than hitting the authorize endpoint in my own api as I would rather use the SDK to handle most things)
// Pull the PKCE code_verifier out of the SDK's shared transaction storage
const storage = oktaAuth.storageManager.getSharedTansactionStorage().getStorage();
// Storage is keyed by transaction; assume the last entry is the current one
const values = Object.values(storage);
const mostRecentTransaction = values[values.length - 1].transaction;
const codeVerifier = mostRecentTransaction.codeVerifier;
My question is, how else could I use the SDK to retrieve the codeVerifier used in the authorize call?
Or, is there a better way to do this?

I figured out that I don't need to do this, I can simply provide the tokenUrl as an auth option as described here:
https://github.com/okta/okta-auth-js/blob/4dc55e9e8591af45fdd0134d00f5b9e40b7ec521/README.md#authorize-options
It was a little hard to figure out that this was possible but it works great!