You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
(This issue may also be a problem for other languages, but I'll only speak to JS.)
Issue
The example uses base64URLEncode(crypto.randomBytes(32)) to create a code verifier. However, the characters ~ and . are never part of the verifier strings, as the RFC suggests that they should be.
Hosted Link: https://auth0.com/docs/flows/call-your-api-using-the-authorization-code-flow-with-pkce#create-code-verifier
Src: https://github.com/auth0/docs/blob/master/articles/flows/guides/auth-code-pkce/includes/create-code-verifier.md
(This issue may also be a problem for other languages, but I'll only speak to JS.)
Issue
The example uses
base64URLEncode(crypto.randomBytes(32))to create a code verifier. However, the characters~and.are never part of the verifier strings, as the RFC suggests that they should be.Comparison to
pkce-challengeI compared this to the npm package
pkce-challenge. I asked the maintainer why he wasn't using the simpler solution that your docs proppose.. I also created a codesandbox to verify the comparisons.Am I missing something here, or are the docs needing to be updated (or at least mention that it doesn't follow the RFC)?
The text was updated successfully, but these errors were encountered: