Crate pkce_std

Source
Expand description

Handling Proof Key for Code Exchange.

PKCE specification is defined in RFC 7636.

§Abstract

PKCE (pronounced “pixy”) is a method to secure authorization codes in OAuth 2.0 authorization code flow. It is designed to prevent interception attacks.

§Abbreviations

  • PKCE: Proof Key for Code Exchange;
  • Auth: Authorization.

§Protocol

                                                  +--------------+
                                                  |     Auth     |
+--------+                                        | +----------+ |
|        |--(1)- Auth Request + code_challenge ---->|          | |
|        |         + code_challenge_method        | |   Auth   | |
|        |                                        | | Endpoint | |
|        |<-(2)----------- Auth Code ---------------|          | |
|        |                                        | +----------+ |
| Client |                                        |              |
|        |                                        | +----------+ |
|        |--(3)- Token Request + code_verifier ---->|          | |
|        |                                        | |  Tokens  | |
|        |                                        | | Endpoint | |
|        |<-(4)------------- Token -----------------|          | |
+--------+                                        | +----------+ |
                                                  |    Server    |
                                                  +--------------+

§0. Code creation

The client generates the code_verifier and derives the code_challenge from it using the code_challenge_method.

§1. Auth Request

The client sends the code_challenge and the code_challenge_method along with the regular authorization_code request to the Auth Endpoint.

§2. Auth Code

The server stores the code_challenge and the code_challenge_method for later use, responding with the usual authorization code.

§3. Token Request

The client sends the code_verifier along with the regular request to the Tokens Endpoint.

§4. Token

The server verifies the code_verifier against the stored code_challenge using the code_challenge_method, responding with the token if the verification is successful.

§Examples

Generating code_verifier and deriving code_challenge in one go:

use pkce_std::Code;

let code = Code::generate_default();

Alternatively, generating from random bytes:

use pkce_std::Code;

let code = Code::generate_encode_default();

Decoupling verifier and challenge:

let (verifier, challenge) = code.into_pair();

Verifying code_verifier against code_challenge:

let valid = verifier.verify(&challenge);

Re-exports§

pub use challenge::Challenge;
pub use code::Code;
pub use code::Pair;
pub use count::Count;
pub use length::Length;
pub use method::Method;
pub use verifier::Verifier;

Modules§

challenge
PKCE code challenges.
check
Checking PKCE code verifiers for validity.
code
Coupled PKCE code verifier and challenge pairs.
count
PKCE code verifier bytes count.
encoding
Encoding functionality.
generate
Generating random bytes and strings.
hash
Hashing functionality.
length
PKCE code verifier lengths.
method
PKCE code challenge methods.
verifier
PKCE code verifiers.

Macros§

const_borrowed_verifier
Constructs Verifier from value, panicking if it is invalid.