RFC Errata
RFC 7636, "Proof Key for Code Exchange by OAuth Public Clients", September 2015

Source of RFC: oauth (sec)

Errata ID: 6471
Status: Reported
Type: Technical
Publication Format(s): TEXT

Reported By: Tom Crossland
Date Reported: 2021-03-10

Section 7.1 says:

The client SHOULD create a "code_verifier" with a minimum of 256 bits
of entropy.  This can be done by having a suitable random number
generator create a 32-octet sequence.  The octet sequence can then be
base64url-encoded to produce a 43-octet URL safe string to use as a
"code_challenge" that has the required entropy.

It should say:

The client SHOULD create a "code_verifier" with a minimum of 256 bits
of entropy.  This can be done by having a suitable random number
generator create a 32-octet sequence.  The octet sequence can then be
base64url-encoded to produce a 43-octet URL safe string to use as a
"code_verifier" that has the required entropy.

Notes:

The "32-octet sequence" referenced in the original text seems to be inconsistent with Section 4.1, which states that the minimum length of the code_verifier is 43 characters. It would be consistent by changing "code_challenge" to "code_verifier".
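As an added example (not part of the erratum or of the RFC text), the following Python code carries out the Section 7.1 procedure and the S256 transform of Section 4.2, showing that 32 random octets base64url-encode (unpadded) to exactly the 43-character minimum of Section 4.1; the function names are assumptions, not from the RFC.

```python
import base64
import hashlib
import secrets

_B64URL_NOPAD = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

# Section 4.1: code_verifier = 43*128 unreserved characters
_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def make_code_verifier(num_octets: int = 32) -> str:
    """Client side (Section 7.1): draw num_octets from a CSPRNG and
    base64url-encode them without padding. 32 octets give 256 bits of
    entropy and a 43-character string, the shortest Section 4.1 allows."""
    if num_octets < 32:
        raise ValueError("fewer than 32 octets falls below the 256-bit minimum")
    return _B64URL_NOPAD(secrets.token_bytes(num_octets))


def is_valid_verifier_syntax(code_verifier: str) -> bool:
    """Section 4.1 grammar check: length 43..128, unreserved characters only."""
    return 43 <= len(code_verifier) <= 128 and all(
        c in _UNRESERVED for c in code_verifier
    )


def make_code_challenge(code_verifier: str) -> str:
    """S256 transform (Section 4.2): BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return _B64URL_NOPAD(digest)


def verify_code_challenge(code_verifier: str, code_challenge: str) -> bool:
    """Server side at the token endpoint (Section 4.6): recompute the
    challenge from the presented verifier and compare in constant time."""
    if not is_valid_verifier_syntax(code_verifier):
        return False
    expected = make_code_challenge(code_verifier)
    return secrets.compare_digest(expected, code_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(len(verifier), verifier)      # 43 <verifier>
    print(len(challenge), challenge)    # 43 <challenge>
    print(verify_code_challenge(verifier, challenge))  # True
```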
