README

Implementation of RFC 7636

Usage

use function OAuth\PKCE\generatePair; use function OAuth\PKCE\generateChallenge; use function OAuth\PKCE\verifyChallenge; // Generate a pair $pair = generatePair(128); // Store this in session $codeVerifier = $pair->getVerifier(); // Pass this onto the /authorize endpoint of the OAuth server $codeChallenge = $pair->getChallenge(); $queryString = http_build_query([ 'redirect_uri' => 'https://example.com', 'response_type' => 'code', 'client_id' => 'xxxxx', 'code_challenge_method' => 'S256', 'code_challenge' => $codeChallenge, 'state' => $state, ]); // Use the verifier to exchange the auth code for a token $params = [ 'client_id' => 'xxxxx', 'client_secret' => 'xxxxx', // If you have one 'code' => $code, // Received on your redirect uri 'code_verifier' => $codeVerifier, // Fetched from the session ]; // On the server side: if (! verifyChallenge($codeVerifier, $codeChallenge)) { // Throw exception because the given code, code_verifier and code_challenge are not matching. } // Or if you've saved the code with the code_challenge as a key: // Query for a stored token with the given code and generated code_challenge $codeChallenge = generateChallenge($codeVerifier);

Contributing

Feel free to make a pull request. Give a concise but complete description of what is supposed to be added/changed/removed/fixed.

Testing

To test your code before pushing, run the unit test suite.

vendor/bin/phpunit

License

MIT