Overview

The Code_challenge is specified in the Proof Key for Code Exchange by OAuth Public Clients and is derived from the code_verifier by one of two transformations:
- plain Code_challenge = code_verifier
- S256 Code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
If the OAuth Client is capable of using "S256", it MUST use "S256", as "S256" is Mandatory To Implement (MTI) on the server. OAuth Clients are permitted to use "plain" only if they cannot support "S256" for some technical reason and know via out-of-band configuration that the server supports "plain".
The plain transformation is for compatibility with existing deployments and for constrained environments that can't use the S256 transformation.
ABNF for "code_challenge" is as follows.
code-challenge = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39