Class PkceChallenge

java.lang.Object
com.codename1.io.oidc.PkceChallenge
public final class PkceChallenge extends Object

One PKCE pair (RFC 7636). The code_verifier is kept by the client; the code_challenge (always S256 here) is sent to the authorization endpoint; the verifier is then presented to the token endpoint to prove possession.

PKCE is mandatory on every authorization-code flow this client initiates, even when a client_secret is configured -- providers like Google and Microsoft both require it for mobile public clients and tolerate it for confidential clients.

Since:
7.0.245

  • Field Details

    • METHOD_S256

      public static final String METHOD_S256
      Always "S256" -- the only value OidcClient emits. RFC 7636 also defines "plain" but it is forbidden by this client.
      See Also:

  • Method Details

    • generate

      public static PkceChallenge generate()
      Generates a fresh PKCE pair with a 64-byte (~86 char) verifier. The verifier characters are drawn from the unreserved set [A-Z][a-z][0-9]-._~ via base64url encoding of secure random bytes, per RFC 7636 section 4.1.

    • getVerifier

      public String getVerifier()
      The verifier that must be supplied to the token endpoint as code_verifier.

    • getChallenge

      public String getChallenge()
      The challenge to include on the authorization URL as code_challenge.

    • getMethod

      public String getMethod()
      Always returns METHOD_S256.