Expand description
Target-agnostic PKCE (RFC 7636) crypto helper (verifier/challenge/state).
Ungated on purpose — compiles on host AND wasm32 via getrandom::fill
(contrast the #[cfg(not(target_arch = "wasm32"))] peer/stdio entries).
Target-agnostic PKCE (RFC 7636) crypto helper for OAuth 2.0 Authorization
Code flows.
This module provides the pure cryptographic primitives needed to drive an
OAuth Authorization Code + PKCE flow — a code verifier, its S256 code
challenge, and a CSRF state value. Unlike the native CLI flow in
crate::client::oauth (which uses the optional rand dependency and is
therefore not available on wasm32), this module is ungated and uses
getrandom::fill for randomness so it compiles and runs identically on
the host and on wasm32-unknown-unknown (Web Crypto via the wasm_js
backend).
§Why a shared helper
Browser PKCE and the existing native loopback flow both need RFC 7636
verifier/challenge/state primitives. The native primitives are private and
pull in rand, which will not build on wasm. This helper extracts the exact
same logic (SHA-256 via the audited sha2 crate, base64url no-pad via
base64) with the RNG swapped to getrandom::fill, so it is reusable and
target-agnostic.
§Examples
use pmcp::shared::pkce::{generate_code_verifier, code_challenge_s256, generate_state};
// Generate a fresh PKCE pair for an authorization request.
let verifier = generate_code_verifier()?;
let challenge = code_challenge_s256(&verifier);
let state = generate_state()?;
// The verifier is a 43-char base64url (no-pad) string of 32 random bytes.
assert_eq!(verifier.len(), 43);
// The challenge is deterministic for a given verifier.
assert_eq!(challenge, code_challenge_s256(&verifier));§RFC 7636 Appendix B vector
use pmcp::shared::pkce::code_challenge_s256;
// The verifier/challenge pair published in RFC 7636 Appendix B.
let verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
let challenge = code_challenge_s256(verifier);
assert_eq!(challenge, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM");Functions§
- code_
challenge_ s256 - Compute the S256 PKCE code challenge for a verifier (RFC 7636 §4.2).
- generate_
code_ verifier - Generate a PKCE code verifier (RFC 7636 §4.1).
- generate_
state - Generate an opaque CSRF
statevalue for an authorization request.