Setting up authentication in React Native usually leads you straight to expo-auth-session. It’s the standard for a reason—it handles the heavy lifting of browser redirects and session management so you don't have to.
But as anyone who has integrated Okta with PKCE knows, the "standard" flow usually has a few undocumented sharp edges.
While building out a recent auth flow, I hit a wall with the exchangeCodeAsync method. If you’re using PKCE (Proof Key for Code Exchange), the /authorization endpoint generates a code challenge that expects a matching code_verifier when you finally exchange your temporary code for an access token.
Here’s the catch: if you look at the Expo exchangeCodeAsync documentation (https://docs.expo.dev/versions/latest/sdk/auth-session/#authsessionexchangecodeasyncconfig-discovery), you'll notice that the TokenRequestConfig and AccessTokenRequestConfig types don't actually include a codeVerifier key. If you try to pass it as a top-level property, the method ignores it; if you omit it, Okta (rightfully) rejects the exchange because it can't verify the original challenge.












