Overview

PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks by binding the authorization code to the client that requested it: the client sends a challenge with the authorization request and must present the matching verifier when exchanging the code. Grantex supports the S256 method only.

Generate Challenge

pkce, err := grantex.GeneratePKCE()
if err != nil {
    log.Fatal(err)
}

fmt.Println(pkce.CodeVerifier)        // Random 43-char string
fmt.Println(pkce.CodeChallenge)       // SHA-256 hash, base64url-encoded
fmt.Println(pkce.CodeChallengeMethod) // Always "S256"

Full Flow

// 1. Generate PKCE pair
pkce, err := grantex.GeneratePKCE()
if err != nil {
    log.Fatal(err)
}

// 2. Include the challenge (never the verifier) in the authorization request
authReq, err := client.Authorize(ctx, grantex.AuthorizeParams{
    AgentID:             "agent-id",
    PrincipalID:         "user-123",
    Scopes:              []string{"read:email"},
    CodeChallenge:       pkce.CodeChallenge,
    CodeChallengeMethod: pkce.CodeChallengeMethod,
})
if err != nil {
    log.Fatal(err)
}

// 3. Store the verifier securely (session, database, etc.) until the callback arrives
// ...

// 4. Include the verifier when exchanging the code; the server recomputes
//    the S256 challenge from it and rejects the exchange on a mismatch
tokenResp, err := client.Tokens.Exchange(ctx, grantex.ExchangeTokenParams{
    Code:         "auth-code-from-callback",
    AgentID:      "agent-id",
    CodeVerifier: pkce.CodeVerifier,
})
if err != nil {
    log.Fatal(err)
}
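As an added example that is not Grantex's own code, the stand-alone Go below re-implements what GeneratePKCE produces (32 random bytes, base64url-encoded to a 43-character verifier, S256 challenge) and adds the token-endpoint check that step 4 depends on; the PKCEPair type and the function names are this example's own, and the RFC 7636 test vector is used only to confirm the derivation.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
)

// PKCEPair mirrors the fields of Grantex's PKCEChallenge type (re-implementation, not SDK code).
type PKCEPair struct {
	CodeVerifier, CodeChallenge, CodeChallengeMethod string
}

// S256Challenge derives code_challenge exactly as RFC 7636 specifies:
// base64url(SHA-256(ASCII(code_verifier))) with no '=' padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// GeneratePKCE draws 32 random bytes; base64url of 32 bytes is the 43-character
// verifier the page describes, and the challenge is its S256 digest.
func GeneratePKCE() (*PKCEPair, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	v := base64.RawURLEncoding.EncodeToString(raw)
	return &PKCEPair{CodeVerifier: v, CodeChallenge: S256Challenge(v), CodeChallengeMethod: "S256"}, nil
}

// VerifyPKCE is the token-endpoint side of step 4: recompute the challenge from the
// presented verifier and compare it in constant time with the challenge bound to the
// code at step 2. Only S256 is accepted, so a downgrade to "plain" cannot succeed.
func VerifyPKCE(storedChallenge, storedMethod, presentedVerifier string) bool {
	if storedMethod != "S256" {
		return false
	}
	if n := len(presentedVerifier); n < 43 || n > 128 { // RFC 7636 length bounds
		return false
	}
	got := S256Challenge(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	p, _ := GeneratePKCE()
	println(len(p.CodeVerifier), VerifyPKCE(p.CodeChallenge, "S256", p.CodeVerifier))
}
```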

PKCEChallenge Type

| Field               | Type   | Description                                   |
|---------------------|--------|-----------------------------------------------|
| CodeVerifier        | string | 43-character random string (base64url)        |
| CodeChallenge       | string | SHA-256 of the verifier (base64url)           |
| CodeChallengeMethod | string | Always "S256"                                 |