RFC Errata
RFC 7636, "Proof Key for Code Exchange by OAuth Public Clients", September 2015
Source of RFC: oauth (sec)
Errata ID: 6471
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Tom Crossland
Date Reported: 2021-03-10
Section 7.1 says:
The client SHOULD create a "code_verifier" with a minimum of 256 bits of entropy. This can be done by having a suitable random number generator create a 32-octet sequence. The octet sequence can then be base64url-encoded to produce a 43-octet URL safe string to use as a "code_challenge" that has the required entropy.
It should say:
The client SHOULD create a "code_verifier" with a minimum of 256 bits of entropy. This can be done by having a suitable random number generator create a 32-octet sequence. The octet sequence can then be base64url-encoded to produce a 43-octet URL safe string to use as a "code_verifier" that has the required entropy.
Notes:
The "32-octet sequence" referenced in the original text seems to be inconsistent with Section 4.1, which states that the minimum length of the code_verifier is 43 characters. It would be consistent if "code_challenge" were changed to "code_verifier".
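The point of the erratum is the direction of derivation: 32 random octets, base64url-encoded without padding, yield the 43-character code_verifier of Section 4.1, and the code_challenge is then computed from that verifier (Section 4.2), never the other way round. The following is an added example, not text or code from RFC 7636 or from the errata report; it uses only the Python standard library, and the test vector in the comments is the one from RFC 7636 Appendix B. The function names and the hypothetical server_verify routine are the example's own.

```python
import base64
import hashlib
import hmac
import os
import re

# RFC 7636 Section 4.1: code_verifier is 43..128 characters drawn from the
# unreserved set [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """base64url encoding with the '=' padding removed (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_octets: int = 32) -> str:
    """Section 7.1: a suitable RNG produces 32 octets (256 bits); base64url
    encoding of 32 octets is 44 characters with one '=' pad, so stripping the
    pad gives exactly the 43-character minimum of Section 4.1."""
    if n_octets < 32:
        raise ValueError("RFC 7636 recommends at least 256 bits (32 octets) of entropy")
    verifier = b64url_nopad(os.urandom(n_octets))  # os.urandom is a CSPRNG
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("generated verifier violates Section 4.1 constraints")
    return verifier


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Section 4.2: S256 -> BASE64URL(SHA256(ASCII(code_verifier)));
    plain -> the verifier itself. The challenge is derived from the verifier.
    Appendix B vector:
      verifier  dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
      challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"""
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return b64url_nopad(digest)
    if method == "plain":
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def server_verify(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Hypothetical authorization-server check per Section 4.6: reject a
    verifier that violates the Section 4.1 length/charset rules before hashing,
    recompute the challenge, and compare in constant time."""
    if not _VERIFIER_RE.match(code_verifier):
        return False
    expected = make_code_challenge(code_verifier, method)
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


if __name__ == "__main__":
    # Client side: verifier first, then the challenge sent on the authorization request.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, "S256")
    print(f"code_verifier  ({len(verifier)} chars): {verifier}")
    print(f"code_challenge ({len(challenge)} chars): {challenge}")
    # Server side at the token endpoint: the presented verifier must reproduce the stored challenge.
    print("token request accepted:", server_verify(verifier, challenge, "S256"))
    print("tampered verifier accepted:", server_verify(verifier[:-1] + "A", challenge, "S256"))
```

Note that the S256 challenge is also 43 characters, because a SHA-256 digest is 32 octets too; that coincidence is probably why the two names were swapped in Section 7.1. The length check in server_verify matters in practice: a verifier shorter than 43 characters indicates a client that did not follow Section 7.1, and Section 4.6 requires the server to reject requests whose verifier does not match.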