Module: MCP::Client::OAuth::PKCE
- Defined in:
- lib/mcp/client/oauth/pkce.rb
Overview
Generates the Proof Key for Code Exchange (PKCE) pair (RFC 7636) used to
bind an OAuth 2.1 authorization request to the same client that later
redeems the resulting authorization code. Without PKCE, an attacker
who steals an authorization code in transit (e.g. through a logged redirect URI)
can exchange it for an access token; with PKCE, the attacker would also need
the per-request code_verifier, which is never sent to the browser or any intermediary.
MCP authorization mandates the S256 method, so this module always returns
that method and refuses to expose plain as an option.
The module is stateless: callers ask for a fresh pair with generate for
every authorization request and discard the result once the token endpoint has accepted it.
Class Method Summary collapse
-
.generate ⇒ Object
Generates a PKCE pair (code_verifier and S256 code_challenge).
Class Method Details
.generate ⇒ Object
Generates a PKCE pair (code_verifier and S256 code_challenge).
28 29 30 31 32 33 |
# File 'lib/mcp/client/oauth/pkce.rb', line 28 def generate verifier = SecureRandom.urlsafe_base64(64) challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false) { code_verifier: verifier, code_challenge: challenge, code_challenge_method: "S256" } end |