Skip to main content

Module pkce

Module pkce 

Source
Expand description

Target-agnostic PKCE (RFC 7636) crypto helper (verifier/challenge/state).

Ungated on purpose — compiles on host AND wasm32 via getrandom::fill (contrast the #[cfg(not(target_arch = "wasm32"))] peer/stdio entries). Target-agnostic PKCE (RFC 7636) crypto helper for OAuth 2.0 Authorization Code flows.

This module provides the pure cryptographic primitives needed to drive an OAuth Authorization Code + PKCE flow — a code verifier, its S256 code challenge, and a CSRF state value. Unlike the native CLI flow in crate::client::oauth (which uses the optional rand dependency and is therefore not available on wasm32), this module is ungated and uses getrandom::fill for randomness so it compiles and runs identically on the host and on wasm32-unknown-unknown (Web Crypto via the wasm_js backend).

§Why a shared helper

Browser PKCE and the existing native loopback flow both need RFC 7636 verifier/challenge/state primitives. The native primitives are private and pull in rand, which will not build on wasm. This helper extracts the exact same logic (SHA-256 via the audited sha2 crate, base64url no-pad via base64) with the RNG swapped to getrandom::fill, so it is reusable and target-agnostic.

§Examples

use pmcp::shared::pkce::{generate_code_verifier, code_challenge_s256, generate_state};

// Generate a fresh PKCE pair for an authorization request.
let verifier = generate_code_verifier()?;
let challenge = code_challenge_s256(&verifier);
let state = generate_state()?;

// The verifier is a 43-char base64url (no-pad) string of 32 random bytes.
assert_eq!(verifier.len(), 43);
// The challenge is deterministic for a given verifier.
assert_eq!(challenge, code_challenge_s256(&verifier));

§RFC 7636 Appendix B vector

use pmcp::shared::pkce::code_challenge_s256;

// The verifier/challenge pair published in RFC 7636 Appendix B.
let verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
let challenge = code_challenge_s256(verifier);
assert_eq!(challenge, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM");

Functions§

code_challenge_s256
Compute the S256 PKCE code challenge for a verifier (RFC 7636 §4.2).
generate_code_verifier
Generate a PKCE code verifier (RFC 7636 §4.1).
generate_state
Generate an opaque CSRF state value for an authorization request.