The OAuth strategy uses universal storage to store the token. Using OAuth authorization_code, it's mandatory to have either cookie or localStorage enabled, because the pkce state needs to be available when you arrive at the callback. This means the access token and refresh token are stored in a cookie and are JS accessible. To us this is unacceptable, because the token should never be stored in a cookie as it is XSS vulnerable.
We don't need to use any form of storage to persist sessions, either for the access or refresh tokens. Our auth server manages the session itself. We have no need for client persistence, so we would like to store in local state.
Is it possible to enable cookie storage for pkce and state params (where it's needed), but not for tokens (where it isn't needed)?
This discussion was converted from issue #1214 on January 21, 2022 08:56.