Overview#

The Code_challenge_method is specified in the Proof Key for Code Exchange by OAuth Public Clients.

Example for the S256 Code_challenge_method#

The OAuth Client uses the output of a suitable random number generator to create a 32-octet sequence. The octets representing the value in this example (using JSON array notation) are:

[116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173, 187, 186, 22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83, 132, 141, 121]

Encoding this octet sequence with base64url provides the value of the code_verifier:

dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

The ASCII form of the code_verifier is then hashed with the SHA-256 hash function to produce:

[19, 211, 30, 150, 26, 26, 216, 236, 47, 22, 177, 12, 76, 152, 46, 8, 118, 168, 120, 173, 109, 241, 68, 86, 110, 225, 137, 74, 203, 112, 249, 195]

Encoding this octet sequence with base64url provides the value of the code_challenge:

E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM

The Authorization Request includes:

code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
&code_challenge_method=S256

The Authorization Server then records the code_challenge and code_challenge_method along with the Authorization Code that is granted to the OAuth Client.

In the Access Token Request to the token_endpoint the client includes the code received in the authorization response as well as the additional parameter:

code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

The Authorization Server retrieves the information recorded for the code grant. Because the recorded Code_challenge_method is S256, it hashes the presented code_verifier with SHA-256 and base64url-encodes the result:

BASE64URL-ENCODE(SHA256(ASCII("code_verifier" )))

The calculated value is then compared with the value of code_challenge:

BASE64URL-ENCODE(SHA256(ASCII("code_verifier" ))) == code_challenge

If the two values are equal, the Authorization Server can issue the tokens as long as there are no other errors in the request. If the values are not equal, the request must be rejected and an error returned.
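The whole S256 flow above, worked through in code as an added example (not part of the original page): the client side derives the code_verifier and code_challenge from the page's 32 octets, and the server side recomputes the challenge from the presented verifier and compares it. The function names and the 43..128 character length check (the range RFC 7636 requires for a code_verifier) are this example's own choices.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# The 32 octets from the page's worked example, used as a fixed "random"
# input so the results are reproducible; a real client draws fresh octets.
EXAMPLE_OCTETS = bytes([
    116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173, 187, 186,
    22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83, 132, 141, 121,
])


def b64url_nopad(data: bytes) -> str:
    """base64url encoding without trailing '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(octets: Optional[bytes] = None) -> str:
    """Client side: 32 random octets, base64url-encoded (43 characters)."""
    if octets is None:
        octets = secrets.token_bytes(32)
    return b64url_nopad(octets)


def s256_digest(code_verifier: str) -> bytes:
    """SHA-256 over the ASCII form of the code_verifier."""
    return hashlib.sha256(code_verifier.encode("ascii")).digest()


def s256_challenge(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(s256_digest(code_verifier))


def server_verify(recorded_challenge: str, recorded_method: str,
                  presented_verifier: str) -> bool:
    """Server side at the token_endpoint: recompute and compare.

    Only S256 (the method on this page) is accepted; anything else is rejected.
    Length check: RFC 7636 requires 43 to 128 characters for a code_verifier.
    """
    if recorded_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    computed = s256_challenge(presented_verifier)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(computed, recorded_challenge)
```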

More Information#

There might be more information for this subject on one of the following:

This page (revision-2) was last changed on 02-Aug-2015 20:48 by jim