{"id":3739,"library":"pkce","title":"PKCE Code Verifier and Challenge Generator","description":"The `pkce` library is a lightweight Python module designed to simplify the generation of Proof Key for Code Exchange (PKCE) code verifiers and code challenges. It provides essential cryptographic helper functions for implementing the PKCE extension to the OAuth 2.0 Authorization Code Flow, particularly important for public clients (like mobile or single-page applications) that cannot securely store a client secret. The current version is 1.0.3, with an infrequent release cadence reflecting its stable and focused functionality.","status":"active","version":"1.0.3","language":"en","source_language":"en","source_url":"https://github.com/RomeoDespres/pkce","tags":["python","pkce","oauth","security","authentication","cryptography"],"install":[{"cmd":"pip install pkce","lang":"bash","label":"Install latest version"}],"dependencies":[],"imports":[{"note":"Main module import for PKCE utility functions.","symbol":"pkce","correct":"import pkce"}],"quickstart":{"code":"import pkce\n\n# Generate a code verifier and code challenge pair\ncode_verifier, code_challenge = pkce.generate_pkce_pair()\nprint(f\"Code Verifier: {code_verifier}\")\nprint(f\"Code Challenge: {code_challenge}\")\n\n# Alternatively, generate separately\nsingle_code_verifier = pkce.generate_code_verifier(length=128)\nsingle_code_challenge = pkce.get_code_challenge(single_code_verifier)\nprint(f\"\\nSingle Code Verifier: {single_code_verifier}\")\nprint(f\"Single Code Challenge: {single_code_challenge}\")","lang":"python","description":"This quickstart demonstrates how to generate a PKCE code verifier and its corresponding code challenge using the `pkce` library. You can either generate them as a pair or individually, specifying the desired length for the verifier."},"warnings":[{"fix":"Always use the SHA256 (S256) method for code challenge generation. The `pkce` library defaults to S256. Configure your OAuth 2.0 Authorization Server to enforce PKCE for all clients, disallowing the 'plain' method.","message":"OAuth 2.1 mandates PKCE for all Authorization Code flows, and the 'plain' code challenge method is considered insecure and a downgrade attack vector. Ensure your Authorization Server is configured to require PKCE (S256 method) and that clients always use S256.","severity":"breaking","affected_versions":"All versions (OAuth 2.1 standard as of January 2026)"},{"fix":"Thoroughly review OAuth 2.0 and PKCE best practices (e.g., RFC 7636, OAuth 2.1 security BCPs). Always validate redirect URIs strictly, use a cryptographically strong 'state' parameter to prevent CSRF, and store tokens securely (avoiding local storage for access tokens in browsers).","message":"While the `pkce` library generates the verifier and challenge, proper implementation of the full OAuth 2.0 Authorization Code Flow with PKCE requires careful handling of redirect URIs, state parameters, and secure token storage.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Integrate `pkce` with a comprehensive OAuth client library (e.g., `requests-oauthlib`, `Authlib`) or implement the HTTP requests and token management logic yourself, ensuring adherence to security best practices for each step of the OAuth flow.","message":"The `pkce` library is minimal, focusing solely on code verifier and challenge generation. It does not handle the full OAuth flow (e.g., making HTTP requests to authorization or token endpoints, token storage, or refresh).","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}