Overview#

The Code_verifier is specified in the Proof Key for Code Exchange by OAuth Public Clients

The OAuth Client first creates a code_verifier, "code_verifier", for each OAuth 2.0 RFC 6749 Authorization Request, in the following manner:

code_verifier = high entropy cryptographic random STRING using the Unreserved Characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" from Sec 2.3 of RFC 3986, with a minimum length of 43 characters and a maximum length of 128 characters.

ABNF for "code_verifier" is as follows.

code-verifier = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39

NOTE: Code_verifier SHOULD have enough entropy to make it impractical to guess the value. It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-octet sequence. The Octet sequence is then base64url encoded to produce a 43-octet URL safe string to use as the code verifier.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-2) was last changed on 02-Aug-2015 20:36 by jim