Is PKCE flow with facade secure?


Could you please help me assess whether using a facade with the Authorization Code Flow with PKCE breaks the security concept behind the original flow.

We have a requirement to provide a facade for the IDP in order not to send a token to an application; the facade will put the token into a cookie instead. Thus the modified PKCE flow will look like this: [diagram: PKCE flow with facade]

Is the presented PKCE flow with facade safe? What I mean is whether a facade that adds additional requests to the original PKCE flow breaks the whole concept of code challenge and verifier.



Michal Trojanowski

The idea of PKCE is to make sure that the app that initiated the OAuth flow is the same app that eventually exchanges the code for tokens. In your solution, the app keeps the original code_verifier that it needs to finish the flow, so I think you adhere to PKCE here. I don't think that adding the facade changes much in the flow defined by OAuth (apart from translating some JSON responses to cookies).
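To make the point in the answer concrete, here is an added example (not code from the asker or the answerer) that models the flow with a toy authorization server and a toy facade: the app keeps the code_verifier, the facade merely forwards the code and verifier to the token endpoint and stores the token server-side behind a session cookie, and the S256 check still rejects an exchange made with a different verifier. The class and function names are assumptions for illustration.

```python
import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, within the 43..128 range
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy IdP (assumption): binds each issued code to the challenge it was requested with."""

    def __init__(self) -> None:
        self.codes: dict[str, str] = {}

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> Optional[str]:
        challenge = self.codes.pop(code, None)  # codes are single-use
        if challenge is None or not secrets.compare_digest(make_challenge(code_verifier), challenge):
            return None  # PKCE binding broken: no token
        return "access-token-" + secrets.token_urlsafe(8)


class Facade:
    """Toy facade (assumption): proxies the code exchange and hands the browser a cookie, not the token."""

    def __init__(self, idp: AuthorizationServer) -> None:
        self.idp = idp
        self.sessions: dict[str, str] = {}  # session id -> token, kept server-side

    def callback(self, code: str, code_verifier: str) -> Optional[dict]:
        token = self.idp.token(code, code_verifier)
        if token is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = token
        return {"Set-Cookie": f"session={sid}; HttpOnly; Secure; SameSite=Lax"}


def run_flow(idp: AuthorizationServer, facade: Facade, verifier: str, verifier_at_exchange: str) -> Optional[dict]:
    """App sends the challenge at /authorize and later the verifier via the facade; returns the facade's response."""
    code = idp.authorize(make_challenge(verifier))
    return facade.callback(code, verifier_at_exchange)
```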