Product
Introducing License Enforcement in Socket
Ensure open-source compliance with Socket’s License Enforcement Beta. Set up your License Policy and secure your software!
Proof Key for Code Exchange Spec
A small (409-Byte gzipped) zero-dependency helper function for generating a high-entropy cryptographic random "code_verifier" (using Web Crypto API) and its "code_challenge" based on RFC 7636. (i.e. BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
)
This package does NOT use Math.random() which does not provide cryptographically secure random numbers, and should not use them for anything related to security.
This package is for browsers only (including IE 11), it uses Web Crypto API for generating random strings and SHA-256 hashing.
https://cdn.jsdelivr.net/npm/oauth-pkce@latest/dist/oauth-pkce.min.js
or with version
https://cdn.jsdelivr.net/npm/oauth-pkce@0.0.2/dist/oauth-pkce.min.js
npm i oauth-pkce
Typescript Ready
import getPkce from 'oauth-pkce'
// create a verifier of 43 characters long
getPkce(43, (error, { verifier, challenge }) => {
if (!error) {
console.log({ verifier, challenge });
}
});
// { verifier: "uxr7S_52pCoOPFpPPYWNvdw76k3ZnSN-J0PvD0iPL9B", challenge: "8L_tpjLD-Vcc3-G6ea2ifym8AQrushivXHMib5zPp1A" }
Use directly from CDN
<script src="https://cdn.jsdelivr.net/npm/oauth-pkce@0.0.2/dist/oauth-pkce.min.js" async defer></script>
getPkce(43, (error, { verifier, challenge }) => {
if (!error) {
console.log({ verifier, challenge });
}
});
React
import React, { useEffect, useState } from 'react';
import getPkce from 'oauth-pkce';
function Pkce() {
const { pkce, setPkce } = useState({});
useEffect(() => {
// getPkce relies on the window object for its crypto api
// put in in useEffect
getPkce(50, (error, { verifier, challenge }) => {
setPkce({ verifier, challenge });
});
}, []);
return (
<div>{pkce.verifier} | {pkce.challenge}</div>
);
}
This package uses callback style for minimising code size and compatibility with IE 11. Wrapp it in a Promise if you prefer async await style.
const { verifier, challenge } = await new Promise((resolve) => {
getPkce(43, (error, { verifier, challenge }) => {
if (error) throw error;
resolve({ verifier, challenge });
});
});
For node environment, use crypto module natively from node.
import crypto from 'crypto';
const base64 = crypto.createHash('sha256').update(code_verifier).digest('base64');
const base64UriEncoded = base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const isValid = base64UriEncoded === code_challenge;
code_challenge is a Base64URL encoded string (RFC 4648). To verify the code_verifier
you need to convert the base64 value of crypto.createHash('sha256').update(code_verifier).digest('base64')
to a base64url encoded string.
In getPkce()
, base64url removes the pad characters "=" from code_challenge
getPkce(
codeVerifierLength: number = 43,
callback: (error: Error | null, value: { verifier: string; challenge: string })
)
FAQs
OAUTH PKCE code_verifier and code_challenge generator
The npm package oauth-pkce receives a total of 10,659 weekly downloads. As such, oauth-pkce popularity was classified as popular.
We found that oauth-pkce demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Product
Ensure open-source compliance with Socket’s License Enforcement Beta. Set up your License Policy and secure your software!
Product
We're launching a new set of license analysis and compliance features for analyzing, managing, and complying with licenses across a range of supported languages and ecosystems.
Product
We're excited to introduce Socket Optimize, a powerful CLI command to secure open source dependencies with tested, optimized package overrides.