This is the architecture I want to follow
Source: What exactly is redirect_uri in Google OAuth2 request for getting authorization code in Mobile App?
I'm using a backend to exchange tokens with the authorization code, then send the tokens back to the frontend via set-cookie header.
Would PKCE be required for this case? I think it's unnecessary here since the client secrets can be safe in the Django server, just wanted a confirmation as I'm new to this realm.
Also, I'll be encrypting the state parameter in the front-end, and decrypting it in the backend probably using asymmetric keys.
Is there any security vulnerability in all of these approaches?
EDIT:
If PKCE is required, how could we share the code verifier between the client and the server?
Upvotes: 2
Views: 595
PKCE is a must. PKCE prevents CSRF and authorization code injection attacks. You can read more here: https://oauth.net/2/pkce/
Also, I'll be encrypting the state parameter in the front-end, and decrypting it in the backend probably using asymmetric keys. Is there any security vulnerability in these approaches?
Yes, there are always security vulnerabilities. OAuth2 is not the solution to all security problems, and with asymmetric keys it is important to change keys regularly.
Upvotes: 1
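As an added illustration of the flow asked about in the question (example code written for this page, not the answerer's or the asker's code): RFC 7636 requires that the party sending code_verifier to the token endpoint be the one that generated it. When the Django backend performs the code exchange, the backend therefore generates the verifier and state, keeps them in a server-side session keyed by state, and only hands the browser the authorization URL; nothing has to be shared with the frontend. The simulated authorization server, the in-memory session store, the callback URL and all function names are assumptions for the example. The S256 challenge derivation is checked against the test vector in RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Constructed in-memory stores standing in for the Django session store and
# for the authorization server's record of pending requests (assumed names).
SERVER_SESSIONS = {}   # state -> {"code_verifier": ...}
AUTHZ_PENDING = {}     # authorization code -> {"code_challenge": ..., "redirect_uri": ...}

REDIRECT_URI = "https://backend.example/oauth/callback"   # assumed backend callback
AUTHZ_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def make_code_verifier() -> str:
    # RFC 7636 4.1: 43-128 chars from [A-Za-z0-9-._~]; 32 random bytes
    # base64url-encoded without padding gives 43 characters.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    # RFC 7636 4.2: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_login(client_id: str) -> str:
    """Backend builds the authorization URL; verifier and state never leave the server."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(32)
    SERVER_SESSIONS[state] = {"code_verifier": verifier}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(params)


def authz_server_issue_code(auth_url: str) -> tuple:
    """Simulated authorization server: records the challenge, returns (code, state)."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(auth_url).query)
    if q.get("code_challenge_method") != ["S256"]:
        raise ValueError("only S256 is accepted in this simulation")
    code = secrets.token_urlsafe(24)
    AUTHZ_PENDING[code] = {
        "code_challenge": q["code_challenge"][0],
        "redirect_uri": q["redirect_uri"][0],
    }
    return code, q["state"][0]


def authz_server_token_exchange(code: str, code_verifier: str, redirect_uri: str) -> bool:
    """Simulated token endpoint: the code is single-use and the verifier must
    hash to the challenge recorded when the code was issued."""
    pending = AUTHZ_PENDING.pop(code, None)
    if pending is None or pending["redirect_uri"] != redirect_uri:
        return False
    return secrets.compare_digest(code_challenge_s256(code_verifier), pending["code_challenge"])


def backend_callback(code: str, state: str) -> bool:
    """Backend redirect handler: state must match a pending session (CSRF check),
    and that session's verifier is what gets sent with the code."""
    session = SERVER_SESSIONS.pop(state, None)
    if session is None:
        return False   # unknown or already-used state: reject
    return authz_server_token_exchange(code, session["code_verifier"], REDIRECT_URI)


if __name__ == "__main__":
    url = start_login("example-client-id")
    code, state = authz_server_issue_code(url)
    print("exchange ok:", backend_callback(code, state))
    print("replay ok:", backend_callback(code, state))   # False: state and code are single-use
```

Because the verifier is looked up by state, a code injected into a different user's callback fails the exchange: the session found by that user's state holds a different verifier, so the recomputed challenge does not match the one the authorization server recorded for the injected code.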