PKCE (Proof Key for Code Exchange) implementation for OAuth 2.0 security.
This module implements the PKCE security extension defined in RFC 7636, which protects OAuth 2.0 authorization code flows from interception attacks. PKCE is particularly important for public clients such as mobile applications and single-page applications that cannot securely store client secrets.
§PKCE Flow
- Generate: Create a cryptographically random code verifier and its SHA256 challenge
- Authorize: Send the code challenge with the authorization request
- Exchange: Send the original code verifier when exchanging the authorization code for tokens
§Example
```rust
use atproto_oauth::pkce;

// Generate PKCE parameters: a random code verifier and its S256 challenge
let (code_verifier, code_challenge) = pkce::generate();

// Use code_challenge in the authorization URL. The code_challenge_method
// parameter must be sent too: RFC 7636 defaults to "plain" when it is absent,
// and the server would then compare the verifier against the challenge literally.
println!(
    "Authorization URL: https://auth.example.com/oauth/authorize?code_challenge={}&code_challenge_method=S256",
    code_challenge
);

// Later, send the original code_verifier when exchanging the authorization code for tokens
println!("Token exchange: code_verifier={}", code_verifier);
```

§Security
- Code verifiers are generated using cryptographically secure random number generation
- Challenges use SHA256 hashing with base64url encoding (without padding)
- Implements the S256 code challenge method as specified in RFC 7636
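The flow and security properties listed above, worked through end to end as an added example (not the atproto_oauth crate's code): a client-side generator that produces a verifier from CSPRNG bytes and its S256 challenge, and the token-endpoint check that recomputes the challenge from the presented verifier and compares it in constant time. It uses only the Python standard library; the function names are this example's own, and the expected value in the test is the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import hmac
import secrets

# Characters RFC 7636 section 4.1 allows in a code_verifier: [A-Za-z0-9-._~], 43..128 chars
_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def _b64url_no_pad(data: bytes) -> str:
    """base64url encoding with the '=' padding stripped, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_verifier(n_bytes: int = 32) -> str:
    """Client side: build a code_verifier from n_bytes of CSPRNG output.

    32 random bytes encode to 43 characters (the RFC minimum); 96 bytes to 128 (the maximum).
    """
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be between 32 and 96 to stay within 43..128 chars")
    return _b64url_no_pad(secrets.token_bytes(n_bytes))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) (S256 method)."""
    if not 43 <= len(code_verifier) <= 128 or set(code_verifier) - _UNRESERVED:
        raise ValueError("code_verifier violates RFC 7636 section 4.1")
    return _b64url_no_pad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify(code_verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Token endpoint: recompute the challenge stored with the authorization code
    and compare it in constant time. Only S256 is accepted; the 'plain' method is
    rejected because it offers no protection against an intercepted authorization code.
    """
    if method != "S256":
        return False
    try:
        expected = s256_challenge(code_verifier)
    except ValueError:
        # Malformed verifier (wrong length or characters): treat as a failed check
        return False
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))
```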