AshAuthentication.Oauth2Server.PKCE (ash_authentication_oauth2_server v0.1.0)


PKCE (RFC 7636) S256 helpers.

We only support S256; plain is rejected at the authorize endpoint per OAuth 2.1.

Summary

Functions

challenge(verifier): Compute the S256 code challenge for a verifier.

verify(verifier, challenge): Constant-time comparison of verifier against a stored challenge.

Functions

challenge(verifier)

@spec challenge(String.t()) :: String.t()

Compute the S256 code challenge for a verifier.

challenge = base64url(sha256(verifier))

verify(verifier, challenge)

@spec verify(String.t() | nil, String.t() | nil) :: :ok | :error

Constant-time comparison of verifier against a stored challenge.

Returns :ok if they match, :error otherwise. Bad input shapes return :error rather than crashing.
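The behaviour documented above, as a stand-alone sketch added here for illustration; it is not this library's source. The module name `PKCEExample` and the helper `secure_equal?/2` are hypothetical, and the verifier/challenge pair is the test vector from RFC 7636 Appendix B.

```elixir
defmodule PKCEExample do
  # Added illustration; hypothetical module, not the library's own code.
  import Bitwise

  @spec challenge(String.t()) :: String.t()
  def challenge(verifier) when is_binary(verifier) do
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(verifier))), without "=" padding.
    :crypto.hash(:sha256, verifier) |> Base.url_encode64(padding: false)
  end

  @spec verify(term(), term()) :: :ok | :error
  def verify(verifier, stored) when is_binary(verifier) and is_binary(stored) do
    if secure_equal?(challenge(verifier), stored), do: :ok, else: :error
  end

  # nil or any other non-binary input is a failed check, not a crash.
  def verify(_verifier, _stored), do: :error

  # XOR every byte pair and OR the results together, so the loop does not
  # exit early at the first mismatching byte. Only the length check can
  # short-circuit, and an S256 challenge always has the same public length.
  defp secure_equal?(a, b) when byte_size(a) == byte_size(b) do
    diff =
      Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
      |> Enum.reduce(0, fn {x, y}, acc -> acc ||| bxor(x, y) end)

    diff == 0
  end

  defp secure_equal?(_a, _b), do: false
end

# RFC 7636 Appendix B test vector.
verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
expected = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSUvGBkM"

# Each line raises MatchError if the result differs.
^expected = PKCEExample.challenge(verifier)
:ok = PKCEExample.verify(verifier, expected)
:error = PKCEExample.verify(verifier <> "x", expected)
:error = PKCEExample.verify(nil, expected)
:error = PKCEExample.verify(verifier, "short")
```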