9. Set a unique state parameter & store it in the current session to use it later in the onSuccess() callback method of the TcOAuthCallback to match if the state received from the authorization server is the same as set here to prevent request forgery attacks.

stateRequested = BigInteger(130, SecureRandom()).toString(32)
TcSdk.getInstance().setOAuthState(stateRequested)

One good choice for a state token is a string of around 32 characters constructed using a high-quality random-number generator as we did above. Another approach could be a hash generated by signing some of your session state variables with a key that is kept secret on your back-end.

10. Set the list of scopes to be requested.

TcSdk.getInstance().setOAuthScopes(arrayOf("profile", "phone", ...))

// Currently available list of scopes :
- profile
- phone
- openid
- offline_access
- email
- address

Note : 
Please include the relevant scopes for your project. 
Make sure the scopes you’re requesting above are selected on the portal for your project

11. Generate a unique code verifier & store it in the current session since it would be required later to generate the access token. It can be generated using the utility class CodeVerifierUtil provided in the SDK.

codeVerifier = CodeVerifierUtil.generateRandomCodeVerifier()

This utility method generates a random code verifier string using SecureRandom as the source of entropy with 64 as the default entropy quantity.

12. Set the corresponding code challenge using the code verifier generated in the previous step. This can be generated using the utility class CodeVerifierUtil provided in the SDK.

val codeChallenge = CodeVerifierUtil.getCodeChallenge(codeVerifier)
codeChallenge?.let {
                TcSdk.getInstance().setCodeChallenge(it)
} ?: print(“Code challenge is Null. Can’t proceed further”)

This utility method produces a code challenge from the supplied code verifier using SHA-256 as the challenge method and Base64 as encoding if the system supports it (all Android devices should ideally support SHA-256 and Base64), but in rare case if the device doesn’t, then this method would return null meaning that you can’t proceed further. Please ensure to have a null safe check for such cases.