ezralazuardy / heimdall

Painless OAuth 2.0 Server for CodeIgniter 4 🔥
https://heimdall.lazuardy.tech
MIT License
39 stars, 11 forks

Suggestion on improvement for PKCE Documentation. #17

Closed Dhavalc2012 closed 3 years ago

Dhavalc2012 commented 3 years ago

There seems to be a readability issue or a mistake on the PKCE page (https://heimdall.ezralazuardy.com/documentation/pkce).

The section labeled Creating code_verifier seems to be talking about code_challenge, and the later section labeled Creating code_challenge seems to be talking about code_verifier. So the titles should be updated to reflect their respective sections.

Another thing to note here from my testing: code_verifier seems to be a plain string rather than encrypted with SHA-256 by default. So a note should be included for those trying out the PKCE method.

Also, it would be worth noting at the top of the PKCE documentation that the is_confidential flag has to be set to false for PKCE to take effect.

Dhavalc2012 commented 3 years ago

Update: To set SHA-256 for code_verifier, you have to pass an additional parameter, code_challenge_method=S256, along with the code_challenge parameter.

Dhavalc2012 commented 3 years ago

I made a mistake here. The documentation is correct, but the flow is confusing. My perception was that the code verifier is built using the code challenge. However, it is the other way around.
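The confusion in this thread (which value is derived from which, and why the verifier looked like "a plain string" until code_challenge_method=S256 was sent) is the core of RFC 7636. The following is an added example, not code from Heimdall or from this issue's author: it walks both sides of the PKCE flow in plain Python. The client_id and redirect_uri values are placeholders, the RFC 7636 Appendix B test vector is quoted as a published constant, and Heimdall's own parameter handling and its is_confidential flag are not modeled.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional
from urllib.parse import urlencode

# Test vector from RFC 7636, Appendix B (a published constant, not constructed here).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_S256_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# RFC 7636 section 4.1: 43..128 characters from [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Step 1 (client): a high-entropy random secret. 32 bytes -> 43 characters."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Step 2 (client): derive the challenge FROM the verifier, never the reverse."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43..128 unreserved characters")
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # no transformation at all: challenge == verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def authorize_query(client_id: str, redirect_uri: str, verifier: str,
                    method: str = "S256") -> str:
    """Step 3 (client): query string for the /authorize request.

    Only the challenge and the method travel here; the verifier stays on the
    client. If code_challenge_method is omitted, a conforming server assumes
    'plain' (RFC 7636 section 4.3), which is why the verifier appeared to be
    compared as a plain string in the comments above.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,            # placeholder value
        "redirect_uri": redirect_uri,      # placeholder value
        "code_challenge": make_code_challenge(verifier, method),
        "code_challenge_method": method,
    }
    return urlencode(params)


def verify_code_verifier(stored_challenge: str, stored_method: Optional[str],
                         presented_verifier: str) -> bool:
    """Step 4 (server, at /token): recompute the challenge from the verifier the
    client now presents and compare it, in constant time, with the challenge
    stored alongside the authorization code at /authorize."""
    method = stored_method or "plain"  # RFC 7636 default when the parameter was absent
    try:
        expected = make_code_challenge(presented_verifier, method)
    except ValueError:
        return False  # malformed verifier: reject rather than raise
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_challenge.encode("ascii"))


if __name__ == "__main__":
    v = make_code_verifier()
    c = make_code_challenge(v)
    print("verifier  :", v)
    print("challenge :", c)
    print("authorize?:", authorize_query("my-client", "https://app.example/cb", v))
    print("token ok  :", verify_code_verifier(c, "S256", v))
```

The direction of derivation is the point the last comment settles: the client generates code_verifier first, hashes it to get code_challenge, sends only the challenge and code_challenge_method=S256 to /authorize, and reveals the verifier at /token. The server never needs to (and cannot) rebuild the verifier from the challenge; it only recomputes the challenge and compares. Without the method parameter the comparison silently degrades to the plain string equality the first comment observed, so a client should always send S256 explicitly.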