!!! Overview
The [{$pagename}] is specified in the [Proof Key for Code Exchange by OAuth Public Clients]

!! [Example] for the S256 [{$pagename}]
The [OAuth Client] uses the output of a suitable random number generator to create a 32-octet sequence. The octets representing the value in this example (using JSON array notation) are:
%%prettify
{{{
[116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173, 187, 186, 22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83, 132, 141, 121]
}}}
/%
Encoding this octet sequence as base64url provides the value of the [code_verifier]:
%%prettify
{{{
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
}}}
/%
The [code_verifier] is then [hashed|Hash] via the [SHA256] [hash Function] to produce:
%%prettify
{{{
[19, 211, 30, 150, 26, 26, 216, 236, 47, 22, 177, 12, 76, 152, 46, 8, 118, 168, 120, 173, 109, 241, 68, 86, 110, 225, 137, 74, 203, 112, 249, 195]
}}}
/%
Encoding this octet sequence as base64url provides the value of the [code_challenge]:
%%prettify
{{{
E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
}}}
/%
The [Authorization Request] includes:
%%prettify
{{{
code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
&code_challenge_method=S256
}}}
/%
The [Authorization Server] then records the [code_challenge] and [code_challenge_method] along with the [Authorization Code] that is granted to the [OAuth Client].

In the [Access Token Request] to the [token_endpoint] the client includes the code received in the authorization response as well as the additional parameter:
%%prettify
{{{
code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
}}}
/%
The [Authorization Server] retrieves the information for the code grant. Based on the recorded [{$pagename}] being S256, it then hashes and base64url encodes the value of the [code_verifier].
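The client-side derivation and the server-side recomputation walked through above, as an added Python example that is not part of the original page. It reuses the 32 octets from the example, also accepts the plain method and applies the 43..128-character verifier rule from RFC 7636 section 4.1, which goes beyond the S256 walkthrough; all function names are assumptions.

```python
import base64
import hashlib
import hmac
import re
import secrets

# The 32-octet sequence from the worked example above (RFC 7636 Appendix B).
EXAMPLE_OCTETS = bytes([116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125,
                        216, 173, 187, 186, 22, 212, 37, 77, 105, 214, 191, 240,
                        91, 88, 5, 88, 83, 132, 141, 121])

# A code_verifier is 43..128 unreserved characters (RFC 7636 section 4.1).
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url_nopad(data: bytes) -> str:
    """base64url encoding with the trailing '=' padding removed, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(octets=None) -> str:
    """Client side: base64url-encode 32 random octets (or the octets given) into a code_verifier."""
    return b64url_nopad(octets if octets is not None else secrets.token_bytes(32))


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Client side: derive the code_challenge sent in the authorization request."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(code_verifier: str, recorded_challenge: str, recorded_method: str) -> bool:
    """Authorization server side: recompute the challenge from the code_verifier presented
    at the token endpoint and compare it with the one recorded alongside the code grant."""
    if not VERIFIER_RE.fullmatch(code_verifier):
        return False  # malformed or wrong-length verifier: reject without hashing
    try:
        expected = make_code_challenge(code_verifier, recorded_method)
    except ValueError:
        return False  # unknown recorded method: never fall back to accepting
    # Constant-time comparison so a mismatch does not leak how many characters agreed.
    return hmac.compare_digest(expected.encode("utf-8"), recorded_challenge.encode("utf-8"))


if __name__ == "__main__":
    verifier = make_code_verifier(EXAMPLE_OCTETS)
    challenge = make_code_challenge(verifier)
    print(verifier, challenge, verify_code_verifier(verifier, challenge, "S256"))
```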
%%prettify
{{{
BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
}}}
/%
The calculated value is then compared with the recorded value of the [code_challenge]:
%%prettify
{{{
BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge
}}}
/%
If the two values are equal then the [Authorization Server] can provide the tokens as long as there are no other errors in the request. If the values are not equal then the request must be rejected and an [error|OAuth Error] returned.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]