Module: WorkOS::PKCE

Defined in:: lib/workos/pkce.rb

Overview

PKCE (Proof Key for Code Exchange) utilities for OAuth public-client flows.

WorkOS::PKCE.generate_code_verifier      # => "abc..."
WorkOS::PKCE.generate_code_challenge(v)  # => "xyz..."
WorkOS::PKCE.generate_pair               # => { code_verifier:, code_challenge: }

Constant Summary collapse

DEFAULT_VERIFIER_BYTES = Default verifier length in bytes BEFORE base64url encoding. 32 bytes → 43 characters of base64url, which is the RFC 7636 minimum.

Class Method Summary collapse

.generate_code_challenge(code_verifier) ⇒ Object

Compute the S256 code_challenge for a given verifier.
.generate_code_verifier(byte_length = DEFAULT_VERIFIER_BYTES) ⇒ Object

Generate a cryptographically random PKCE code verifier.
.generate_pair ⇒ Hash

Generate a fresh (verifier, challenge) pair.

Class Method Details

.generate_code_challenge(code_verifier) ⇒ `Object`

Compute the S256 code_challenge for a given verifier.



31
32
33

# File 'lib/workos/pkce.rb', line 31

def generate_code_challenge(code_verifier)
  Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
end

.generate_code_verifier(byte_length = DEFAULT_VERIFIER_BYTES) ⇒ `Object`

Generate a cryptographically random PKCE code verifier.



26
27
28

# File 'lib/workos/pkce.rb', line 26

def generate_code_verifier(byte_length = DEFAULT_VERIFIER_BYTES)
  Base64.urlsafe_encode64(SecureRandom.random_bytes(byte_length), padding: false)
end

.generate_pair ⇒ `Hash`

Generate a fresh (verifier, challenge) pair.

Returns:

(Hash) —

{ code_verifier:, code_challenge: }

# File 'lib/workos/pkce.rb', line 37

def generate_pair
  verifier = generate_code_verifier
  {code_verifier: verifier, code_challenge: generate_code_challenge(verifier)}
end