package main
import (
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"fmt"
)
// PKCEParams bundles the values of a single PKCE exchange (RFC 7636).
type PKCEParams struct {
	// Verifier is the code_verifier. RFC 7636 has the client keep it secret
	// until the token request, so it should not be logged or persisted.
	Verifier string
	// Challenge is the code_challenge derived from Verifier.
	Challenge string
	// Method names the transformation that produced Challenge
	// (the code_challenge_method value).
	Method string
}
// GeneratePKCE builds a fresh PKCE pair following RFC 7636 §4.1 and §4.2:
// a random code_verifier and its S256 code_challenge.
//
// It returns an error, and no parameters, when the random source cannot be
// read; callers should abort the flow in that case rather than fall back to
// a weaker verifier.
func GeneratePKCE() (*PKCEParams, error) {
	// 32 bytes from crypto/rand encode to 43 unpadded base64url characters,
	// the shortest verifier length RFC 7636 §4.1 permits.
	var entropy [32]byte
	if _, err := rand.Read(entropy[:]); err != nil {
		return nil, fmt.Errorf("failed to generate random bytes: %w", err)
	}

	enc := base64.RawURLEncoding
	params := &PKCEParams{Method: "S256"}
	params.Verifier = enc.EncodeToString(entropy[:])

	// S256: challenge = BASE64URL(SHA256(ASCII(verifier))). The hash is taken
	// over the encoded verifier string, not over the raw random bytes.
	digest := sha256.Sum256([]byte(params.Verifier))
	params.Challenge = enc.EncodeToString(digest[:])

	return params, nil
}
// generateState returns a random, URL-safe value intended for use as the
// OAuth "state" parameter for CSRF protection.
//
// Generating the value is only half of the defence: the caller still has to
// bind it to the user's session and reject a callback whose state does not
// match.
func generateState() (string, error) {
	const stateLen = 16 // 128 bits from crypto/rand

	var raw [stateLen]byte
	_, err := rand.Read(raw[:])
	if err != nil {
		return "", fmt.Errorf("failed to generate state: %w", err)
	}

	// Unpadded base64url keeps the value safe to place in a query string.
	encoded := base64.RawURLEncoding.EncodeToString(raw[:])
	return encoded, nil
}