What are code_challenge and code_challenge_method?

What should I put into these fields?

Especially, what is code_challenge_method=plain? What should I put into code_challenge in this case?

What exact endpoints are you calling and with what library / implementation?

It seems he was only asking about code_challenge and code_challenge_method in OAuth 2.0. I’ve asked myself this before, but haven’t had time to find out.
After seeing this post, I tried to find out and found the document here:

Once the app has generated the code verifier, it uses that to derive the code challenge. For devices that can perform a SHA256 hash, the code challenge is a Base64-URL-encoded string of the SHA256 hash of the code verifier. Clients that do not have the ability to perform a SHA256 hash are permitted to use the plain code verifier string as the challenge, although that provides fewer security benefits, so it should really only be used if absolutely necessary.

@victorporton
From the quote, I think code_challenge_method=plain means the code challenge is the code verifier itself, not encoded, so its security is reduced; use it only when it is really needed.

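To make the quoted derivation concrete, here is an added example (not code from this thread or from any library) that generates a PKCE code_verifier, derives the code_challenge for both code_challenge_method=S256 and code_challenge_method=plain, and shows the check an authorization server performs at the token endpoint; the alphabet and 43..128 length limits follow RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Unreserved characters permitted in a code_verifier (RFC 7636, section 4.1).
_VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Client side: random code_verifier of `length` unreserved chars (43..128)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def _b64url_nopad(data: bytes) -> str:
    """Base64-URL encode without trailing '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def derive_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Client side: the code_challenge value sent in the authorization request."""
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return _b64url_nopad(digest)
    if method == "plain":
        # The challenge is literally the verifier, so anyone who observes the
        # authorization request already holds the secret needed at the token endpoint.
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and
    compare it in constant time against the one stored with the auth code."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if any(c not in _VERIFIER_ALPHABET for c in presented_verifier):
        return False
    try:
        expected = derive_code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_challenge.encode("ascii"))
```

With the RFC 7636 Appendix B verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, the S256 challenge is `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`, while the plain challenge is the verifier string unchanged.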