PKCE Code Verifier and Challenge Generator

1.0.3 · active · verified Sat Apr 11

The `pkce` library is a lightweight Python module designed to simplify the generation of Proof Key for Code Exchange (PKCE) code verifiers and code challenges. It provides essential cryptographic helper functions for implementing the PKCE extension to the OAuth 2.0 Authorization Code Flow, particularly important for public clients (like mobile or single-page applications) that cannot securely store a client secret. The current version is 1.0.3, with an infrequent release cadence reflecting its stable and focused functionality.

Warnings

breaking OAuth 2.1 mandates PKCE for all Authorization Code flows, and the 'plain' code challenge method is considered insecure and a downgrade attack vector. Ensure your Authorization Server is configured to require PKCE (S256 method) and that clients always use S256.
Fix: Always use the SHA256 (S256) method for code challenge generation. The `pkce` library defaults to S256. Configure your OAuth 2.0 Authorization Server to enforce PKCE for all clients, disallowing the 'plain' method.
gotcha While the `pkce` library generates the verifier and challenge, proper implementation of the full OAuth 2.0 Authorization Code Flow with PKCE requires careful handling of redirect URIs, state parameters, and secure token storage.
Fix: Thoroughly review OAuth 2.0 and PKCE best practices (e.g., RFC 7636, OAuth 2.1 security BCPs). Always validate redirect URIs strictly, use a cryptographically strong 'state' parameter to prevent CSRF, and store tokens securely (avoiding local storage for access tokens in browsers).
gotcha The `pkce` library is minimal, focusing solely on code verifier and challenge generation. It does not handle the full OAuth flow (e.g., making HTTP requests to authorization or token endpoints, token storage, or refresh).
Fix: Integrate `pkce` with a comprehensive OAuth client library (e.g., `requests-oauthlib`, `Authlib`) or implement the HTTP requests and token management logic yourself, ensuring adherence to security best practices for each step of the OAuth flow.

Install

pip install pkce Install latest version

Imports

pkce
```
import pkce
```
Main module import for PKCE utility functions.

Quickstart

This quickstart demonstrates how to generate a PKCE code verifier and its corresponding code challenge using the `pkce` library. You can either generate them as a pair or individually, specifying the desired length for the verifier.

import pkce

# Generate a code verifier and code challenge pair
code_verifier, code_challenge = pkce.generate_pkce_pair()
print(f"Code Verifier: {code_verifier}")
print(f"Code Challenge: {code_challenge}")

# Alternatively, generate separately
single_code_verifier = pkce.generate_code_verifier(length=128)
single_code_challenge = pkce.get_code_challenge(single_code_verifier)
print(f"\nSingle Code Verifier: {single_code_verifier}")
print(f"Single Code Challenge: {single_code_challenge}")

view raw JSON →