Proof Key for Code Exchange (PKCE, RFC 7636) is an extension to the OAuth 2.0 authorization code flow. It was designed for public clients such as mobile and native apps, which cannot keep a client secret, but it is equally useful for web flows because the added protection is transparent to the user: the client sends a one-way hash (the challenge) of a fresh random secret (the verifier) with the authorization request and reveals the verifier only when redeeming the authorization code. Specifically, PKCE mitigates the following attacks:
Authorization code interception (an attacker who captures the redirect cannot exchange the code without the verifier).
Authorization code injection (a code obtained in one session cannot be redeemed in another, because the stored challenge will not match that session's verifier).
This gem implements the RFC 7636 specification so you can leverage PKCE in your own code. Features:
Implements the RFC 7636 specification.
Provides a simple object API for obtaining a code challenge and code verifier pair.
Uses the maximum verifier length by default (RFC 7636 allows 43 to 128 characters; the default verifier is 128 characters long).
Answers a monad result (a Dry::Monads Success or Failure), so failures are values rather than exceptions.
To set up the project, run:
The object API is simple to work with as you only need to interact with the PKCE constant. Example:

```ruby
code = PKCE.call.success
code.challenge # e2tGChTfGON-C55i0yu13-urIgDFuMCmo73F7TZmoiw
code.verify    # hYnx2WTJo7Bgu1-GqPUIYtRkb2W7pRBawkmdDi3omPdramb27Fp4rps_w6ozns-gbVCKFC2-Kno4P_b1H3FuxnlYIOd9Bo5yoTXq_xEHDJaB_fOfn2NaiCtcWQ8Bs91I
```
You can also pass in a custom length (default is maximum):

```ruby
code = PKCE.call(length: 35).success
code.challenge # R1b1Ka3jmrLKvQ7xW5QmP5MsCSEWtdoA2lo3r-SZDfg
code.verify    # ucKkqwoMzc9cyPcSGMbuVf3ivr4sep2mq15hGN9sVzl4X7g
```
In case of a failure, you get a proper error message:

```ruby
PKCE.call(length: 100).failure
# Invalid PKCE verifier length: 100. Must be between 32..96.
```

The length is the number of random bytes drawn before base64url encoding, so the 32..96 range yields the 43 to 128 character verifier that RFC 7636 requires (compare the 47 character verifier produced by length: 35 above). Because the answer is a Dry::Monads result, you can also pattern match on it:

```ruby
include Dry::Monads[:result]

case PKCE.call
  in Success(code) then puts code.inspect
  in Failure(message) then puts message
end
```
Finally, since the answered code is a Struct, you have a frozen value object that is easy to test and interact with:

```ruby
PKCE.call.success
# #<struct PKCE::Code challenge="dTiwjdltI-SBR1wHTEWa8zQs2kegLoIxJb2fb8emno0", verify="p4uH9lxdDMLmYLaLtYV0QJMi-o0FTQT29CJWYcdRsK0xJVsaFiQ981W5nSWDsWJgA-LS5hwKHEPcOAmVgOELNpolPhi3tcelBX9Y-z_hHUOq24DAAZOe0DU6VBb6zHCZ">
```
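To show what the challenge and verifier above are for, here is the full RFC 7636 exchange written against Ruby's standard library only. This is an added example, not the gem's code: the PkceExample module, its constants, the VERIFIER_PATTERN check and the secure_equal? helper are mine, and it assumes (consistent with the 32..96 bound and the 47 character verifier shown for length: 35) that length: counts random bytes before encoding. It raises ArgumentError where the gem answers a Failure, and the endpoint, client id and redirect URI are constructed placeholders.

```ruby
require "securerandom"
require "digest"
require "uri"

# Added example, not the gem's code: a stdlib-only walk-through of RFC 7636 that
# mirrors the README's API shape. Assumption: `length:` is the number of random
# bytes, bounded at 32..96 so the base64url verifier is 43..128 characters
# (RFC 7636 section 4.1); the README's length: 35 -> 47 characters fits that.
module PkceExample
  MIN_BYTES = 32
  MAX_BYTES = 96
  VERIFIER_PATTERN = /\A[A-Za-z0-9\-._~]{43,128}\z/ # RFC 7636 unreserved chars

  Code = Struct.new(:challenge, :verify, keyword_init: true)

  module_function

  # base64url without padding (RFC 7636 appendix A), built from pack so the
  # example does not depend on the base64 gem.
  def base64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def verifier(length: MAX_BYTES)
    unless (MIN_BYTES..MAX_BYTES).cover?(length)
      raise ArgumentError,
            "Invalid PKCE verifier length: #{length}. Must be between #{MIN_BYTES}..#{MAX_BYTES}."
    end

    base64url(SecureRandom.random_bytes(length))
  end

  # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
  def challenge(verifier)
    base64url(Digest::SHA256.digest(verifier))
  end

  # Builds a frozen challenge/verifier pair. The gem answers a monad here; this
  # example raises on a bad length instead to stay dependency free.
  def call(length: MAX_BYTES)
    verify = verifier(length: length)
    Code.new(challenge: challenge(verify), verify: verify).freeze
  end

  # Client, step 1: only the challenge travels in the authorization request, so
  # an intercepted authorization code is useless without the verifier.
  def authorize_uri(endpoint, client_id:, redirect_uri:, code:)
    uri = URI(endpoint)
    uri.query = URI.encode_www_form(
      response_type: "code",
      client_id: client_id,
      redirect_uri: redirect_uri,
      code_challenge: code.challenge,
      code_challenge_method: "S256"
    )
    uri.to_s
  end

  # Client, step 2: the verifier is revealed only in the token request (over TLS).
  def token_params(authorization_code, client_id:, redirect_uri:, code:)
    {
      grant_type: "authorization_code",
      code: authorization_code,
      client_id: client_id,
      redirect_uri: redirect_uri,
      code_verifier: code.verify
    }
  end

  # Server: recompute the challenge from the presented verifier and compare it in
  # constant time with the challenge stored alongside the authorization code. A
  # code injected from another session fails here because its stored challenge
  # came from a verifier the injecting client never had.
  def verifier_valid?(stored_challenge, presented_verifier)
    return false unless presented_verifier.is_a?(String)
    return false unless VERIFIER_PATTERN.match?(presented_verifier)

    secure_equal?(challenge(presented_verifier), stored_challenge.to_s)
  end

  # Length-guarded, constant-time string comparison.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  code = PkceExample.call
  puts PkceExample.authorize_uri("https://as.example/authorize", client_id: "demo",
                                 redirect_uri: "https://app.example/cb", code: code)
  puts PkceExample.verifier_valid?(code.challenge, code.verify)
end
```

The server-side check is the part people most often get wrong: it must recompute the challenge from the verifier presented in the token request and compare against the challenge that was stored with the authorization code at issue time, never trust a challenge re-sent by the client, and never accept a token request that omits code_verifier when the authorization request carried a code_challenge.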
The following documents the workflow used to build a code (the PKCE::Code challenge and verifier pair).
You can also use the IRB console for direct access to all objects:
To test, run:

```sh
bundle exec rake
```