passport-oauth2
Does PKCE (i.e. option state: true) prevent use as a serverless server?
I am using this passport strategy on a serverless platform with the authorization code flow, and to improve security I was considering using the PKCE flow extension. As several issues and the project itself suggest, these options are not documented.
However, by reading the code I can see that I seem to be able to add pkce: true in the options object, but then the strategy constructor complains that "OAuth2Strategy requires state: true option when PKCE is enabled". So naturally I am inclined to also add the undocumented ( #28 ) state option, but as far as I can tell, i.e. as its name suggests, or as the unmerged PR !93 suggests, this would need to store a state on the server between authorization start and callback.
Since I cannot make sure which server, each holding different states, gets the callback by design in a serverless environment, does this imply PKCE is not supported in serverless environments?
"this implies PKCE is not supported in serverless environments" - this is my understanding. And the workaround is to use an ElastiCache/Redis session store or DynamoDB session store together with the Lambda if you are using AWS.