Set a unique state parameter & store it in the current session to use it later in the onSuccess() callback method of the TcOAuthCallback to match if the state received from the authorization server is the same as set here to prevent request forgery attacks.
One good choice for a state token is a string of around 32 characters constructed using a high-quality random-number generator as we did above. Another approach could be a hash generated by signing some of your session state variables with a key that is kept secret on your back-end.
Truecaller OAuth SDK already verifies the request-response correlation before forwarding it to the your app.
Set the list of scopes to be requested.
Generate a unique code verifier & store it in the current session since it would be required later to generate the access token. It can be generated using the utility class CodeVerifierUtil provided in the SDK.
This utility method generates a random code verifier string using SecureRandom as the source of entropy with 64 as the default entropy quantity.
Set the corresponding code challenge using the code verifier generated in the previous step. This can be generated using the utility class CodeVerifierUtil provided in the SDK.
This utility method produces a code challenge from the supplied code verifier using SHA-256 as the challenge method and Base64 as encoding if the system supports it (all Android devices should ideally support SHA-256 and Base64), but in rare case if the device doesn’t, then this method would return null meaning that you can’t proceed further. Please ensure to have a null safe check for such cases.