PKCE
The Proof Key for Code Exchange (PKCE, pronounced "pixie") extension describes a technique for public clients to mitigate the threat of having the authorization_code intercepted, known as an Authorization Code Interception Attack. The technique involves the client first creating a secret, and then presenting that secret again when exchanging the authorization_code for an access_token. This way, if the code is intercepted, it is useless on its own, because the token request also requires the original secret.
code_verifier
- A cryptographically random string using only the characters A-Z, a-z, 0-9 and the punctuation characters -._~ (hyphen, period, underscore and tilde), between 43 and 128 characters long
- It must have enough entropy to make guessing the value impractical
- It is recommended that the output of a suitable random number generator be used to create a 32-octet sequence. The octet sequence is then Base64-URL-encoded to produce a 43-octet URL-safe string
```
BASE64URL-ENCODE(RANDOM_BYTES(LENGTH))
```
LENGTH can range from 32 to 96 octets.

```javascript
// Generate LENGTH random octets and Base64-URL-encode them:
// standard base64, then swap "+" and "/" for "-" and "_" and drop "=" padding.
const code_verifier = PrimitiveSecurity.getRandomUnsignedCharacters(32)
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=/g, "");
```
Example output:
```
cEVmlhtvCpKNhjfbhz-u0XIYsdMWLRU-_I5ZtNtGu_Q
```
code_challenge
- A Base64-URL-encoded string of the SHA256 hash of the code_verifier

```
BASE64URL-ENCODE(SHA256(code_verifier))
```

```javascript
// Hash the code_verifier with SHA-256 and Base64-URL-encode the digest
// using the same substitutions as for the verifier.
const code_challenge = PrimitiveSecurity.hashSha256(code_verifier)
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=/g, "");
```
Example output:
```
fwrCXzpMQ3kRWK4sX0QFDixozm3Gz8KdQQFJvxvHzEg
```
Client includes code_challenge and code_challenge_method=S256 parameters on the Authorization Request.
Using the authorization_code produced in the digi.me application together with the code_verifier above, the client can request an access token for the user's digi.me library.