package main
import (
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"fmt"
"github.com/go-authgate/oauth-cli/tui"
)
// GeneratePKCE builds a fresh PKCE verifier/challenge pair using the S256
// transform from RFC 7636 (§4.1 code_verifier, §4.2 code_challenge).
//
// The code_verifier is 32 bytes drawn from crypto/rand and base64url-encoded
// without padding, giving a 43-character string (the RFC 7636 minimum
// length). The code_challenge is base64url(SHA-256(verifier)) using the same
// unpadded alphabet, and Method is always "S256". The verifier is the secret
// half of the pair and belongs only in the token request; the challenge is
// what is sent in the authorization request. An error is returned only when
// the system CSPRNG fails.
func GeneratePKCE() (*tui.PKCEParams, error) {
	const verifierBytes = 32

	raw := make([]byte, verifierBytes)
	if _, err := rand.Read(raw); err != nil {
		return nil, fmt.Errorf("failed to generate random bytes: %w", err)
	}

	enc := base64.RawURLEncoding
	verifier := enc.EncodeToString(raw)

	// S256 hashes the ASCII verifier string, not the underlying random bytes.
	digest := sha256.Sum256([]byte(verifier))

	params := &tui.PKCEParams{
		Verifier:  verifier,
		Challenge: enc.EncodeToString(digest[:]),
		Method:    "S256",
	}
	return params, nil
}
// generateState returns a fresh, unguessable OAuth state value used to bind
// the authorization callback to the request that started it (CSRF protection).
//
// The value is 16 random bytes (128 bits) from crypto/rand, base64url-encoded
// without padding, so the returned string is 22 characters long. Callers are
// expected to keep it alongside the pending authorization and reject a
// callback whose state parameter does not match. An error is returned only
// when the system CSPRNG fails.
func generateState() (string, error) {
	const stateBytes = 16

	var raw [stateBytes]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", fmt.Errorf("failed to generate state: %w", err)
	}

	state := base64.RawURLEncoding.EncodeToString(raw[:])
	return state, nil
}