Socket
Socket
Sign inDemoInstall

oauth-pkce

Package Overview
Dependencies
0
Maintainers
1
Versions
5
Alerts
File Explorer

Advanced tools

Install Socket

Protect your apps from supply chain attacks

Install

oauth-pkce

OAUTH PKCE code_verifier and code_challenge generator

    0.0.6latest
    GitHub
    npm

Version published
Maintainers
1
Weekly downloads
12,018
increased by1.55%

Weekly downloads

Readme

Source

OAUTH PKCE code_verifier and code_challenge Generator for IE 11 and Modern Browsers

Proof Key for Code Exchange Spec

A small (409-Byte gzipped) zero-dependency helper function for generating a high-entropy cryptographic random "code_verifier" (using Web Crypto API) and its "code_challenge" based on RFC 7636. (i.e. BASE64URL-ENCODE(SHA256(ASCII(code_verifier))))

This package does NOT use Math.random() which does not provide cryptographically secure random numbers, and should not use them for anything related to security.

Browser ONLY

This package is for browsers only (including IE 11), it uses Web Crypto API for generating random strings and SHA-256 hashing.

CDN

https://cdn.jsdelivr.net/npm/oauth-pkce@latest/dist/oauth-pkce.min.js

or with version

https://cdn.jsdelivr.net/npm/oauth-pkce@0.0.2/dist/oauth-pkce.min.js

Usage

npm i oauth-pkce

Typescript Ready

import getPkce from 'oauth-pkce';

// create a verifier of 43 characters long
getPkce(43, (error, { verifier, challenge }) => {
  if (!error) {
    console.log({ verifier, challenge });
  }
});

// { verifier: "uxr7S_52pCoOPFpPPYWNvdw76k3ZnSN-J0PvD0iPL9B", challenge: "8L_tpjLD-Vcc3-G6ea2ifym8AQrushivXHMib5zPp1A" }

Use directly from CDN

<script src="https://cdn.jsdelivr.net/npm/oauth-pkce@0.0.2/dist/oauth-pkce.min.js" async defer></script>;

getPkce(43, (error, { verifier, challenge }) => {
  if (!error) {
    console.log({ verifier, challenge });
  }
});

React

import React, { useEffect, useState } from 'react';
import getPkce from 'oauth-pkce';

function Pkce() {
  const { pkce, setPkce } = useState({});

  useEffect(() => {
    // getPkce relies on the window object for its crypto api
    // put in in useEffect
    getPkce(50, (error, { verifier, challenge }) => {
      setPkce({ verifier, challenge });
    });
  }, []);

  return (
    <div>
      {pkce.verifier} | {pkce.challenge}
    </div>
  );
}

This package uses callback style for minimising code size and compatibility with IE 11. Wrapp it in a Promise if you prefer async await style.

const { verifier, challenge } = await new Promise((resolve) => {
  getPkce(43, (error, { verifier, challenge }) => {
    if (error) throw error;
    resolve({ verifier, challenge });
  });
});

Server Side code_verifier Verification

For node environment, use crypto module natively from node.

import crypto from 'crypto';

const base64 = crypto.createHash('sha256').update(code_verifier).digest('base64');
const base64UriEncoded = base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

const isValid = base64UriEncoded === code_challenge;

code_challenge is a Base64URL encoded string (RFC 4648). To verify the code_verifier you need to convert the base64 value of crypto.createHash('sha256').update(code_verifier).digest('base64') to a base64url encoded string.

In getPkce(), base64url removes the pad characters "=" from code_challenge

API

getPkce(
  codeVerifierLength: number = 43,
  callback: (error: Error | null, value: { verifier: string; challenge: string })
)

Keywords

FAQs

Last updated on 27 Mar 2021

Did you know?

Socket installs a GitHub app to automatically flag issues on every pull request and report the health of your dependencies. Find out what is inside your node modules and prevent malicious activity before you update the dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc