Learn about the code verifier and code challenge and how they should be generated!
Purpose
The code verifier and code challenge are used to protect the authorization code from authorization code interception attacks. These values are generated on the client's (your) side and are required for both the authorization request and the token request (Authorization).
Code Verifier
The code verifier is sent in the token request and is checked against the code challenge (provided in the authorization request) to ensure that the authorization code has not been intercepted by a malicious party. Since the code challenge is derived from the code verifier, you need to generate the verifier first.
Format
Property | Value |
---|---|
Type | String |
Minimum Length | 43 Characters |
Maximum Length | 128 Characters |
Allowed Characters | [A-Z] / [a-z] / [0-9] / - / . / _ / ~ |
Code Challenge
The code challenge is sent with the initial authorization request and is later used by the server (i.e. the OrangeHRM Starter application) to verify the authorization code sent in the token request.
The code challenge can be generated using either of two methods:
Method | Generation | Explanation |
---|---|---|
Plain | code_verifier | The code challenge is the same value as the code verifier |
S256 | base64urlencode(sha256(code_verifier)) | The code challenge is the Base64-URL-encoded string of the SHA256 hash of the code verifier |
The plain method of generation should only be used if you cannot support the S256 method. In all other cases it is recommended to use S256.
S256 Method
The S256 method involves two steps.
- Generate the SHA256 hash of the code verifier
- Encode the generated hash with Base64 URL Encoding
Base64 URL encoding is a minor variation of Base64 encoding that uses only URL-safe characters and omits the trailing `=` padding. You can implement it with the following code samples (PHP and JavaScript):
```php
// $str is the raw (binary) SHA256 digest, e.g. hash('sha256', $code_verifier, true)
function base64_urlencode($str) {
    // Standard Base64, then swap '+' and '/' for the URL-safe '-' and '_' and strip '=' padding
    return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');
}
```
```javascript
// str is an ArrayBuffer holding the SHA256 digest, e.g. the result of
// crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier))
function base64_urlencode(str) {
  return btoa(String.fromCharCode.apply(null, new Uint8Array(str)))
    .replace(/\+/g, '-')   // '+' is not URL-safe
    .replace(/\//g, '_')   // '/' is not URL-safe
    .replace(/=+$/, '');   // drop trailing '=' padding
}
```
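Putting the two steps together, here is an added end-to-end example in Python (not code from the OrangeHRM documentation): it generates a verifier from the allowed character set and length range above, derives the S256 (or plain) challenge, and shows the recomputation a server performs at the token endpoint. The function names are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Characters the page allows in a code verifier: [A-Z] / [a-z] / [0-9] / - / . / _ / ~
VERIFIER_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def base64_urlencode(data: bytes) -> str:
    """Base64 URL encoding without padding, matching the PHP/JS helpers above."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(length: int = 64) -> str:
    """Random verifier of 43..128 allowed characters drawn from a CSPRNG (secrets)."""
    if not 43 <= length <= 128:
        raise ValueError("code verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Derive the code challenge that goes into the authorization request."""
    if not VERIFIER_RE.fullmatch(code_verifier):
        raise ValueError("code verifier has an invalid length or characters")
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64_urlencode(digest)
    if method == "plain":
        return code_verifier
    raise ValueError("unsupported code_challenge_method")


def verify_code_verifier(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Server-side check at the token endpoint: recompute the challenge from the
    verifier presented with the authorization code and compare in constant time."""
    try:
        expected = code_challenge(code_verifier, method)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))
```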
Once you have generated these two values and completed Registering a Client, you can use them to obtain an access token!