Overview#The Code_verifier is specified in the Proof Key for Code Exchange by OAuth Public Clients
code_verifier = high entropy cryptographic random STRING using the Unreserved Characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" from Sec 2.3 of RFC 3986, with a minimum length of 43 characters and a maximum length of 128 characters.
ABNF for "Code_verifier" is as follows.
code-verifier = 43*128unreserved unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" ALPHA = %x41-5A / %x61-7A DIGIT = %x30-39
NOTE: Code_verifier SHOULD have enough entropy to make it impractical to guess the value. It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-octet sequence. The Octet sequence is then base64url encoded to produce a 43-octet URL safe string to use as the Code_verifier.