# README
PKCE Library for Go
go-pkce provides a PKCE library for Go, implementing the S256 challenge method.
Functions are provided for generating verifiers, deriving challenges from verifiers, and validating that a challenge matches a verifier.
A wrapper around golang.org/x/oauth2.Config is also provided; it adds the additional PKCE parameters to be sent to the server.
Usage
Some usage examples.
Generate a new code verifier, challenge, and send to the server
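```go
// Requires: context, fmt, log, golang.org/x/oauth2, and this pkce package.
func ExampleConfig() {
	ctx := context.Background()
	conf := &pkce.Config{
		oauth2.Config{
			ClientID:     "YOUR_CLIENT_ID",
			ClientSecret: "YOUR_CLIENT_SECRET",
			Scopes:       []string{"SCOPE1", "SCOPE2"},
			Endpoint: oauth2.Endpoint{
				AuthURL:  "https://provider.com/o/oauth2/auth",
				TokenURL: "https://provider.com/o/oauth2/token",
			},
		},
	}

	// Generate a fresh verifier for every authorization request.
	verifier, err := pkce.NewCodeVerifier(32)
	if err != nil {
		log.Fatal(err)
	}
	// Only the challenge goes in the authorization URL; the verifier stays local.
	challenge, err := pkce.CodeChallenge(verifier)
	if err != nil {
		log.Fatal(err)
	}

	// "state" is a placeholder; use an unguessable per-request value and check it on return.
	url := conf.AuthCodeURL("state", challenge, oauth2.AccessTypeOffline)
	fmt.Printf("Visit the URL and log in: %s\n", url)

	fmt.Print("Enter code from return URI: ")
	code := ""
	if _, err := fmt.Scan(&code); err != nil {
		log.Fatal(err)
	}

	// The verifier is sent with the code so the server can check it against the challenge.
	tok, err := conf.Exchange(ctx, code, verifier)
	if err != nil {
		log.Fatal(err)
	}

	client := conf.Client(ctx, tok)
	_ = client // use client for authenticated requests
}
```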
# Functions
CodeChallenge takes a verifier, ensures it is within acceptable length, and generates the challenge to be sent to the server.
NewCodeVerifier returns a Base64 encoded string of random bytes of the given length.
VerifyChallenge is the same as VerifyChallengeErr, but errors are ignored and a single boolean value will be returned.
VerifyChallengeErr takes a given verifier and challenge and returns whether they match.
# Constants
MethodS256 is the value to send with ParamCodeChallengeMethod to indicate we are using the S256 encoding method for our challenge.
ParamCodeChallenge is the key used to send the challenge value to the server.
ParamCodeChallengeMethod is the key used to send the challenge method to the server.
ParamCodeVerifier is the key used to send the code verifier to the server.
# Variables
ErrCodeVerifierByteLengthInvalid is returned when calling NewCodeVerifier with a byte length that is outside the permitted range (32-96 bytes).
ErrCodeVerifierLengthInvalid is returned when calling CodeChallenge with a verifier that is outside the permitted length (43-128 characters).