My implementation of PKCE is pretty standard:
- Generate "code_challenge", "code_verifier" and "state"
- Open a ChromeCustomTab with a login/register UI, passing the "state" and "code_challenge"
- The user logs in and the native app receives a callback, containing the "state"
- The app is verifying the "state" and triggering a request to get the JWT with the "code_verifier"
The issue is that the "code_verifier" and "state" are stored in the app's memory, and sometimes the Android system is killing the app's process while the user is in the ChromeCustomTab. The callback is received by a new app process that doesn't have the "code_verifier" and "state" and they can't be verified.
What are the best practices to store them? Is it safe to do it in device memory?
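One way to survive process death is to persist the verifier in app-private, encrypted storage keyed by the "state", and consume it exactly once on the callback. This is an added example, not code from the question; it assumes the androidx `security-crypto` library (EncryptedSharedPreferences / MasterKey) and a hypothetical `PkceStore` class name.

```kotlin
import android.content.Context
import android.util.Base64
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.security.MessageDigest
import java.security.SecureRandom

// Per-authorization PKCE parameters handed to the login UI (hypothetical holder type).
data class PkceSession(val state: String, val codeVerifier: String, val codeChallenge: String)

class PkceStore(context: Context) {
    // App-private storage that outlives the process; values are encrypted with a Keystore-backed key.
    private val prefs = EncryptedSharedPreferences.create(
        context,
        "pkce_sessions",
        MasterKey.Builder(context).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build(),
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
    private val random = SecureRandom()
    private val b64Flags = Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP

    private fun randomUrlSafe(bytes: Int): String =
        Base64.encodeToString(ByteArray(bytes).also { random.nextBytes(it) }, b64Flags)

    // Step 1: generate state, verifier and S256 challenge; persist the verifier keyed by state.
    fun begin(): PkceSession {
        val state = randomUrlSafe(32)
        val verifier = randomUrlSafe(32)   // 43 URL-safe chars, the RFC 7636 minimum length
        val digest = MessageDigest.getInstance("SHA-256").digest(verifier.toByteArray(Charsets.US_ASCII))
        val challenge = Base64.encodeToString(digest, b64Flags)
        prefs.edit()
            .putString(state, verifier)
            .putLong("$state.issued_at", System.currentTimeMillis())
            .apply()
        return PkceSession(state, verifier, challenge)
    }

    // Step 4: on the callback (possibly in a fresh process), look the verifier up by the returned
    // state, delete it so it can be used only once, and reject unknown or stale entries.
    fun consume(returnedState: String, maxAgeMs: Long = 10 * 60 * 1000L): String? {
        val verifier = prefs.getString(returnedState, null) ?: return null
        val issuedAt = prefs.getLong("$returnedState.issued_at", 0L)
        prefs.edit().remove(returnedState).remove("$returnedState.issued_at").apply()
        return if (System.currentTimeMillis() - issuedAt <= maxAgeMs) verifier else null
    }
}
```

A `null` from `consume` means the callback's "state" was never issued by this app, was already used, or expired, so the token request should not be made.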