The Code_challenge is specified in the Proof Key for Code Exchange by OAuth Public Clients

The OAuth Client then creates a Code_challenge derived from the code_verifier by using one of the following transformations on the code_verifier:

If the OAuth Client is capable of using "S256", it MUST use "S256", as "S256" is Mandatory To Implement (MTI) on the server. OAuth Clients are permitted to use "plain" only if they cannot support "S256" for some technical reason and know via out of band configuration that the server supports "plain".

The plain transformation is for compatibility with existing deployments and for constrained environments that can't use the S256 transformation.

ABNF for "code_challenge" is as follows.

code-challenge = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39

More Information#

There might be more information for this subject on one of the following: