Saving state/nonce/verifier server-side, without cookies #458

Open
lode opened this issue Jan 10, 2025 · 0 comments

Comments


lode commented Jan 10, 2025

I'm having some issues with the state/nonce/code-verifier being saved in session cookies in the client's browser.

Part of the issue is load balancing, but that can be solved by using our own session mechanism, as discussed in #374.

Moreover, we see end-users no longer having the cookie when they come back to us, potentially because of cookie-deleting browser add-ons. Also, in mobile apps using cookies is tricky with all the connections between the app and the website or other apps of OPs.

As far as I understand, the usage of session cookies is not a requirement for a secure OIDC implementation. E.g. it is not mentioned in flow descriptions (https://infosec.mozilla.org/guidelines/iam/openid_connect.html and https://nestenius.se/net/demystifying-openid-connects-state-and-nonce-parameters-in-asp-net-core/). Thus I want to try saving this server-side: saving a document with the state as the identifier of the document, and the nonce & code-verifier inside the document. When an end-user returns we receive the state and can look up the data using the state.

Do you know if there are any specific downsides to this approach?

And if this is okay, I would like to adjust the code to pass the state when setting/getting the nonce/code-verifier, so that extended setters/getters are able to use server-side storage instead of client-side storage.

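The server-side variant described in the issue, as an added example that is not code from the issue, its author, or the library being discussed: the state is the document key, the nonce and PKCE code_verifier live in the document, and the callback resolves the document by state. It is written in Python so it runs stand-alone; the class and function names (`AuthRequestStore`, `handle_callback`) and the in-memory dict standing in for the document store are assumptions for illustration. The PKCE challenge is computed per RFC 7636 (S256).

```python
import base64
import hashlib
import secrets
import time
from typing import Callable, Optional


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthRequestStore:
    """Server-side store of pending authorization requests, keyed by state.

    A dict stands in for the database/document store (an assumption for this
    example); the operations used, insert and get-and-delete, map onto any
    backend. This is not the API of any particular OIDC library.
    """

    def __init__(self, ttl_seconds: int = 300):
        self.ttl_seconds = ttl_seconds
        self._docs: dict = {}

    def begin(self, now: Optional[float] = None) -> dict:
        """Generate state/nonce/code_verifier, persist them under the state, and
        return the parameters that go into the authorization request."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)           # 43 chars of unguessable key material
        nonce = secrets.token_urlsafe(32)
        code_verifier = secrets.token_urlsafe(64)   # 86 chars, inside RFC 7636's 43..128 range
        self._docs[state] = {
            "nonce": nonce,
            "code_verifier": code_verifier,
            "created_at": now,
        }
        return {
            "state": state,
            "nonce": nonce,
            "code_challenge": pkce_challenge(code_verifier),
            "code_challenge_method": "S256",
        }

    def consume(self, state: str, now: Optional[float] = None) -> Optional[dict]:
        """Resolve the pending request by the state echoed back on the callback.

        The document is deleted on first lookup (single use) and rejected when
        older than the TTL, so a replayed or stale callback gets None.
        """
        now = time.time() if now is None else now
        doc = self._docs.pop(state, None)
        if doc is None:
            return None
        if now - doc["created_at"] > self.ttl_seconds:
            return None
        return doc


def handle_callback(store: AuthRequestStore, state: str,
                    exchange_code: Callable[[str], dict],
                    now: Optional[float] = None) -> Optional[dict]:
    """Callback handling without a session cookie.

    `exchange_code` stands in for the token-endpoint call: it receives the stored
    code_verifier and returns the validated ID token claims. Returns the claims,
    or None when the state is unknown/used/expired or the nonce does not match.
    """
    doc = store.consume(state, now)
    if doc is None:
        return None
    claims = exchange_code(doc["code_verifier"])
    presented = str(claims.get("nonce", ""))
    if not secrets.compare_digest(doc["nonce"], presented):
        return None
    return claims


if __name__ == "__main__":
    store = AuthRequestStore(ttl_seconds=300)
    params = store.begin()   # build the /authorize URL from these parameters

    # Constructed stand-in for the token exchange: echoes the nonce we issued.
    def fake_exchange(code_verifier: str) -> dict:
        return {"sub": "user-123", "nonce": params["nonce"]}

    first = handle_callback(store, params["state"], fake_exchange)
    second = handle_callback(store, params["state"], fake_exchange)  # replay of the same state
    print("first callback:", first is not None, "| replay accepted:", second is not None)
```

Two properties are doing the work that the cookie used to do in part: the document is removed on first lookup, so a callback replayed with the same state fails, and it expires, so an abandoned authorization request cannot be completed later. What a lookup-by-state store does not give you is the binding between the client that started the flow and the client that completes it; anyone who obtains a valid, unconsumed state can finish that request, so the unguessable state, the short TTL, single use, and the nonce check on the ID token are the controls to keep.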