How to generate a PKCE code challenge with PHP?
If you do not use the right functions, PKCE (Proof Key for Code Exchange) can be a real pain: the OAuth 2.0 token request fails with an error such as "invalid code verifier", because the code_challenge the authorization server stored does not match what it recomputes from the code_verifier you send.
Why is it a pain? Because PHP has no built-in base64url encoder. base64_encode() produces the standard alphabet with +, / and = padding, whereas PKCE requires the URL-safe alphabet without padding defined in RFC 4648, section 5.
To generate a code challenge using PHP, follow these steps:
1. First, generate a code verifier: an ASCII string of 43 to 128 characters drawn from the unreserved set of RFC 7636, i.e. matching the regular expression
[A-Za-z0-9-._~]{43,128}
It must come from a cryptographically secure source (random_bytes() in PHP, never rand() or mt_rand()), and it has to be saved (typically in the session) because it is sent with the token request at the end of the flow, where the server compares it against the challenge.
For example, let's use this 46-character verifier:
$code_verifier = '--6t5HeyDNhPx8C9MYOEFWAgj9q9Ijhg7at-WtGGmrgIVB';
2. Then start the code challenge generation. The first step is hashing (not encoding) the ASCII code verifier with SHA-256:
$hash = hash('sha256', $code_verifier);
Without its third argument, hash() returns the digest as a lowercase hex string, so this should return
c006061843c7a4685a1b58194e6c89f0cd4bcbb2651aea14556041549e0ec535
(Passing true as the third argument, hash('sha256', $code_verifier, true), returns the 32 raw bytes directly and lets you skip the pack() call in the next step.)
3. The last step is where PHP's built-in base64_encode() falls short: it produces standard Base64 with +, / and = padding, but PKCE wants base64url without padding. Work around it by converting the hex digest back to raw bytes with pack('H*', ...) (base64-encoding the hex string itself, instead of the 32 raw bytes, is a classic cause of "invalid code verifier"), then translating the alphabet and stripping the padding:
$code_challenge = rtrim(strtr(base64_encode(pack('H*', $hash)), '+/', '-_'), '=');
4. You now have a correct 43-character code challenge. Send it as code_challenge together with code_challenge_method=S256 in the authorization request, and send the saved code_verifier in the token request to obtain the OAuth 2.0 access token:
wAYGGEPHpGhaG1gZTmyJ8M1Ly7JlGuoUVWBBVJ4OxTU
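The whole flow in one runnable script, as an added example that is not code from the original post: it generates a verifier from random_bytes(), derives the S256 challenge, performs the check a token endpoint does on the server side, and shows the mis-encodings that produce the "invalid code verifier" error. The helper names (base64url_encode, pkce_generate_verifier, pkce_challenge, pkce_challenge_from_hex, pkce_verify), the client_id and the example URLs are assumptions for illustration; base64url_encode in particular is not a PHP built-in, which is the whole point of the post.

```php
<?php
// Added example, not from the original post: full PKCE S256 flow in PHP.
// Helper names (base64url_encode, pkce_*), the client_id and the URLs are
// assumptions; PHP itself only provides base64_encode(), random_bytes(),
// hash(), hash_equals() and pack().
declare(strict_types=1);

// RFC 4648 section 5 base64url without padding, which PHP lacks natively.
function base64url_encode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// RFC 7636 section 4.1: 32 octets from a CSPRNG -> 43 unreserved characters.
function pkce_generate_verifier(): string
{
    return base64url_encode(random_bytes(32));
}

// RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
// hash(..., true) returns the raw 32-byte digest, so no pack() is needed here.
function pkce_challenge(string $verifier): string
{
    return base64url_encode(hash('sha256', $verifier, true));
}

// The same derivation starting from the hex digest shown in the post's step 2.
function pkce_challenge_from_hex(string $hexDigest): string
{
    return base64url_encode(pack('H*', $hexDigest));
}

// Server side, at the token endpoint: validate the verifier's shape, recompute
// the challenge and compare it in constant time with the one stored at /authorize.
function pkce_verify(string $verifier, string $storedChallenge, string $method = 'S256'): bool
{
    // \z (not $) so a trailing newline from a pasted value is rejected outright.
    if (!preg_match('/^[A-Za-z0-9\-._~]{43,128}\z/', $verifier)) {
        return false;
    }
    $expected = ($method === 'plain') ? $verifier : pkce_challenge($verifier);
    return hash_equals($storedChallenge, $expected);
}

// 1. Client: create the verifier, keep it (e.g. in the session) and send only
//    the challenge in the authorization request.
$verifier  = pkce_generate_verifier();
$challenge = pkce_challenge($verifier);
$authorizeUrl = 'https://authorization-server.example/authorize?' . http_build_query([
    'response_type'         => 'code',
    'client_id'             => 'example-client',
    'redirect_uri'          => 'https://client.example/callback',
    'code_challenge'        => $challenge,
    'code_challenge_method' => 'S256',
]);
echo "authorize: $authorizeUrl\n";

// 2. Server: at /token the client sends code_verifier and the check succeeds.
echo 'correct verifier accepted: ', var_export(pkce_verify($verifier, $challenge), true), "\n";

// 3. The encodings behind "invalid code verifier": each looks plausible but
//    yields a different challenge from the one the server recomputes.
$wrongChallenges = [
    'standard base64 with padding' => base64_encode(hash('sha256', $verifier, true)),
    'base64url of the hex digest'  => base64url_encode(hash('sha256', $verifier)),
    'hex digest sent as-is'        => hash('sha256', $verifier),
];
foreach ($wrongChallenges as $label => $bad) {
    echo "$label accepted: ", var_export(pkce_verify($verifier, $bad), true), "\n";
}

// 4. The post's own verifier, derived through both helper paths.
$postVerifier = '--6t5HeyDNhPx8C9MYOEFWAgj9q9Ijhg7at-WtGGmrgIVB';
echo pkce_challenge($postVerifier), "\n";
echo pkce_challenge_from_hex(hash('sha256', $postVerifier)), "\n";
```

Run it with php pkce.php. The last two lines feed the post's verifier through the raw-digest path and through the hex-digest path from step 2, so both should print the challenge from step 4. pkce_verify() uses hash_equals() rather than === so the comparison does not leak timing information, and it validates the verifier's character set and length before hashing, as the server is required to do.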
Yippee!
More resources:
You can generate or test your code challenges here: https://tonyxu-io.github.io/pkce-generator/
Explanations and documentation of PKCE are collected here: https://oauth.net/2/pkce/