Services ICodeChallengeService
The Code Challenge Service creates PKCE (Proof Key for Code Exchange) values used in an OAuth 2.0 authorization code flow. It produces a code verifier, and derives a corresponding code challenge that can be sent to an authorization endpoint.
- Create a random code verifier string suitable for use in PKCE.
- Derive a code challenge from a code verifier using the S256 transformation method.
- Enforce minimum code verifier length requirements to ensure compatibility with PKCE.
- CreateCodeVerifier: Creates a code verifier.
- CreateCodeChallenge: Creates a code challenge from the given code verifier.
A typical PKCE-based authorization code flow uses the service in two steps.
First, generate a code verifier and derive a code challenge. The application sends the code challenge and the challenge method to the authorization endpoint when requesting an authorization code.
Second, when the authorization code is received and exchanged for tokens, the application sends the original code verifier to the token endpoint.
In Blazorade Id, this service is typically used together with the Authorization Code Provider and the Authorization Code Processor.
The default implementation is CodeChallengeService.
It generates a verifier using lower-case letters and digits, with a random length between 43 and 59 characters. It derives the challenge using SHA-256, encodes it using Base64 URL-safe encoding rules, and sets the challenge method to S256.
CreateCodeChallenge throws an ArgumentException if the provided code verifier is null or shorter than 43 characters.
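The verifier generation, S256 derivation and length check described above, as an added stand-alone example that is not Blazorade Id's own code. The class and method names (PkceSketch, CreateVerifier, CreateChallenge, Verify) are hypothetical and assume .NET 5 or later; Verify shows the comparison a token endpoint performs, and Main checks the derivation against the RFC 7636 Appendix B test vector.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; names are hypothetical and are not Blazorade Id's API.
public static class PkceSketch
{
    private const string Alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";
    private const int MinLength = 43; // minimum verifier length in RFC 7636

    // Verifier shaped like the default described on this page: lower-case letters
    // and digits, random length 43..59. GetInt32 draws from the OS CSPRNG without
    // modulo bias; 36 symbols give about 5.17 bits of entropy per character.
    public static string CreateVerifier()
    {
        int length = RandomNumberGenerator.GetInt32(MinLength, 60);
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
        return new string(chars);
    }

    // S256: BASE64URL(SHA256(ASCII(verifier))) with the '=' padding removed.
    public static string CreateChallenge(string verifier)
    {
        if (verifier is null || verifier.Length < MinLength)
            throw new ArgumentException("Code verifier must be at least 43 characters.", nameof(verifier));
        byte[] hash = SHA256.HashData(Encoding.ASCII.GetBytes(verifier));
        return Convert.ToBase64String(hash).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Token-endpoint side: recompute the challenge from the presented verifier
    // and compare it with the stored challenge in fixed time.
    public static bool Verify(string verifier, string storedChallenge) =>
        CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(CreateChallenge(verifier)),
            Encoding.ASCII.GetBytes(storedChallenge));

    public static void Main()
    {
        // Test vector from RFC 7636, Appendix B.
        const string rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        const string rfcChallenge = "E9Melhoa2OwvFrEaQ6aUqo-xaT-oMIoE4aX8bBG8gHs";
        Console.WriteLine(CreateChallenge(rfcVerifier) == rfcChallenge);

        string fresh = CreateVerifier();
        Console.WriteLine(Verify(fresh, CreateChallenge(fresh)));            // matching pair
        Console.WriteLine(Verify(CreateVerifier(), CreateChallenge(fresh))); // different verifier
    }
}
```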