PKCE Explained via *nix CLI
While studying OAuth/OIDC, I came up with a Bash one-liner analog to PKCE. So, if you're:
Then maybe this will make more sense to you:
(export CODE_CHALLENGE_METHOD="sha256sum"; uuidgen | tee CODE_VERIFIER | $CODE_CHALLENGE_METHOD | awk '{print $1}' | tee CODE_CHALLENGE; \
cat CODE_VERIFIER | $CODE_CHALLENGE_METHOD | awk '{print $1}')
9ef9e388f3e1c59f6547e14d799c95c5aa239200d5a29dd49b12c7b3c065e3ed
9ef9e388f3e1c59f6547e14d799c95c5aa239200d5a29dd49b12c7b3c065e3ed
After running that, you'll have:
Software Developer/Consultant
1 year ago
The CODE CHALLENGE is not generated according to https://datatracker.ietf.org/doc/html/rfc7636#section-4.2. The hash value generated by the sha256sum command is a string in hexadecimal (HEX) format and must be converted to a string before base64 is applied to it. The correct script to generate CODE CHALLENGE would be:
```shell
# 32 bytes from the kernel CSPRNG -> 43-character base64url code_verifier
CODE_VERIFIER=$(head -c 32 /dev/urandom | basenc --base64url | tr -d '=')
# SHA-256 hex digest -> raw bytes -> base64url without padding
CODE_CHALLENGE=$(echo -n "$CODE_VERIFIER" | sha256sum --text | awk '{print $1}' | xxd -r -p | basenc --base64url | sed 's/=//g')
echo 'Code Challenge:' "$CODE_CHALLENGE"
echo 'Code Verifier:' "$CODE_VERIFIER"
```
You can check the generation of CODE_VERIFIER and CODE_CHALLENGE using https://example-app.com/pkce
Senior Software Engineer at Solution Street
1 year ago
I should add that I was not polite enough to write a shell script that wouldn't clobber any "CODE_CHALLENGE" or "CODE_VERIFIER" files that might live in your current directory ;-)