Description of the PKCE protocol in "OAuth 2.0 for Mobile or Desktop Applications" is misleading
Closed this issue · 1 comments
christianrickert commented
Basically, the usage of `<URL safe Base64(SHA256(URL safe Base64(random 32 byte string)))>` and `<URL safe Base64(32 byte string) generated in step 3>` in the OAuth 2.0 for Mobile or Desktop Applications article is somewhat cumbersome and potentially misleading.
The Python example is significantly clearer:
- The basis for the PKCE protocol is a particularly encoded secret string `random`:

  ```python
  import base64
  import secrets

  # 32 random bytes, URL-safe Base64 encoded (bytes object)
  random = base64.urlsafe_b64encode(secrets.token_bytes(32))
  ```

- From this string, the challenge string `code_challenge` is created in several steps:

  ```python
  import hashlib

  # SHA-256 over the encoded secret string, then URL-safe Base64 without '=' padding
  m = hashlib.sha256()
  m.update(random)
  d = m.digest()
  code_challenge = base64.urlsafe_b64encode(d).decode().replace("=", "")
  ```

- While the challenge string is used at the initial authorization step to receive an authorization code, the secret string is later used in combination with the authorization code at the token request step: the basic idea is to not give away your secret string for identification before you've made sure that you are in fact communicating with an authorized server.
My suggestion would be to define both the secret string and the challenge string once in the text and then use the synonyms for the code examples:

- `random_string`: `<URL safe Base64(32 byte string)>`
- `challenge_string`: `<URL safe Base64(SHA256(random_string))>`
Hope this helps! 🙂
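A worked end-to-end version of the two steps described above, as an added example that is not code from this issue or from the article it discusses. The `AuthServer` class and `pkce_flow` helper are constructed stand-ins for the authorization server's side of the exchange; verifier and challenge follow the RFC 7636 S256 method (Base64 padding stripped, the verifier's ASCII bytes hashed).

```python
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(raw: bytes) -> str:
    """URL-safe Base64 without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 characters, the RFC 7636 minimum length.
    return b64url_nopad(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str) -> str:
    # S256: hash the verifier's ASCII characters, not the raw random bytes.
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthServer:
    """Constructed stand-in for the authorization server's PKCE bookkeeping."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Authorization step: the client reveals only the challenge.
        if method != "S256":
            raise ValueError("only S256 is supported in this example")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        # Token step: the code is redeemable once, and only with the verifier
        # whose S256 hash matches the stored challenge (constant-time compare).
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return "access-token-" + secrets.token_hex(8)


def pkce_flow(server: AuthServer, wrong_verifier: bool = False):
    """Run both steps; wrong_verifier shows a code alone is not enough."""
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    if wrong_verifier:
        return server.token(code, make_code_verifier())  # rejected
    return server.token(code, verifier)
```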
CarbonAlabel commented
Thanks for the suggestion!