---
name: pkce-reviewer
description: Review test cases for PKCE (Proof Key for Code Exchange) implementation. Covers code_challenge/code_verifier validation, S256 transformation, and all PKCE requirements per OAuth 2.1 Sections 4.1.1, 4.1.3, 7.5.1, 7.5.2. PKCE is MANDATORY in OAuth 2.1.
---
# PKCE Test Case Reviewer

Review test cases for the PKCE implementation in an OAuth 2.1 / OpenID Connect Basic OP.
## Scope

- Feature: PKCE (Proof Key for Code Exchange)
- Specifications: OAuth 2.1 Sections 4.1.1, 4.1.3, 7.5.1, 7.5.2
- Status: MANDATORY for all Authorization Code flow clients
## Review Process

- Identify which PKCE requirement the test targets
- Check it against the checklists below
- Verify that both success and error scenarios are covered
- Ensure the S256 transformation is tested (mandatory)
- Report gaps with specific spec section references
## Code Verifier Requirements

| Property | Requirement | Spec Reference |
|---|---|---|
| Characters | [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" | OAuth 2.1 4.1.1 |
| Min Length | 43 characters | OAuth 2.1 4.1.1 |
| Max Length | 128 characters | OAuth 2.1 4.1.1 |
| Entropy | High entropy, cryptographically random | OAuth 2.1 4.1.1 |
## Code Challenge Transformation Methods

| Method | Calculation | Status |
|---|---|---|
| S256 | BASE64URL(SHA256(ASCII(code_verifier))) | MANDATORY |
| plain | code_challenge = code_verifier | OPTIONAL |
## Server Requirements Checklist

| Check | Requirement | Spec Reference |
|---|---|---|
| [ ] | Support code_challenge parameter | OAuth 2.1 4.1.1 |
| [ ] | Support code_challenge_method parameter | OAuth 2.1 4.1.1 |
| [ ] | Support S256 transformation (MANDATORY) | OAuth 2.1 4.1.1 |
| [ ] | MAY support plain transformation | OAuth 2.1 4.1.1 |
| [ ] | Verify code_verifier at token endpoint | OAuth 2.1 4.1.3 |
| [ ] | Reject if code_challenge present but code_verifier missing | OAuth 2.1 4.1.3 |
| [ ] | Reject if code_verifier present but no code_challenge was sent | OAuth 2.1 4.1.3 |
## Authorization Request Tests

| Test | Expected Result |
|---|---|
| [ ] Valid S256 code_challenge | Accept |
| [ ] Valid plain code_challenge | Accept (if supported) |
| [ ] Missing code_challenge | Reject (OAuth 2.1) |
| [ ] Invalid code_challenge format | Reject |
| [ ] Unknown code_challenge_method | Reject |
## Token Request Tests

| Test | Expected Result |
|---|---|
| [ ] Valid code_verifier matching S256 challenge | Accept |
| [ ] Valid code_verifier matching plain challenge | Accept (if supported) |
| [ ] Missing code_verifier when challenge was sent | Reject (invalid_grant) |
| [ ] Wrong code_verifier (hash mismatch) | Reject (invalid_grant) |
| [ ] code_verifier present but no challenge was sent | Reject |
| [ ] code_verifier too short (<43 chars) | Reject |
| [ ] code_verifier too long (>128 chars) | Reject |
| [ ] code_verifier with invalid characters | Reject |
## S256 Test Vector

This is the S256 test vector from RFC 7636 Appendix B:

```text
code_verifier: dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
SHA256(ASCII(code_verifier)): [byte array]
BASE64URL(SHA256 result): E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
```
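The following is an added reference implementation (not code from the OP under review) of the two checks the tables above describe: the authorization-endpoint validation of code_challenge/code_challenge_method and the token-endpoint verification of code_verifier, including the S256 transformation, length/character rules, the "one side present, other missing" cases and a constant-time comparison. Function names, the `allow_plain` switch and the `(ok, error_code)` return shape are assumptions of this example; the test vector is the RFC 7636 one above.

```python
import base64
import hashlib
import hmac
import re

# code_verifier: unreserved characters, 43..128 long (OAuth 2.1 4.1.1).
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")
# S256 code_challenge: base64url of a 32-byte digest, always 43 chars, no padding.
_S256_CHALLENGE_RE = re.compile(r"[A-Za-z0-9_-]{43}")


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_authorization_challenge(code_challenge, method, allow_plain=False):
    """Authorization endpoint check; returns (ok, error_code)."""
    if code_challenge is None:
        return False, "invalid_request"          # PKCE is mandatory in OAuth 2.1
    method = method or "plain"                   # absent method defaults to plain
    if method == "S256":
        ok = _S256_CHALLENGE_RE.fullmatch(code_challenge) is not None
    elif method == "plain" and allow_plain:
        ok = _VERIFIER_RE.fullmatch(code_challenge) is not None
    else:
        return False, "invalid_request"          # unknown or unsupported method
    return (True, None) if ok else (False, "invalid_request")


def verify_pkce(stored_challenge, stored_method, code_verifier, allow_plain=False):
    """Token endpoint check against the challenge bound to the authorization code.
    stored_* are None if /authorize carried no code_challenge; code_verifier is
    None if the token request omits it. Every failure maps to invalid_grant."""
    if stored_challenge is None or code_verifier is None:
        return False, "invalid_grant"            # one side present, other missing
    if _VERIFIER_RE.fullmatch(code_verifier) is None:
        return False, "invalid_grant"            # bad length or characters
    if stored_method == "S256":
        expected = s256_challenge(code_verifier)
    elif stored_method == "plain" and allow_plain:
        expected = code_verifier
    else:
        return False, "invalid_grant"
    # Constant-time comparison: never leak how many leading bytes matched.
    if not hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii")):
        return False, "invalid_grant"
    return True, None
```

A reviewer can reuse `s256_challenge` to compute the expected challenge for any verifier a test case supplies, and `verify_pkce` enumerates exactly the reject cases in the Token Request Tests table.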
## Example Authorization Request

```http
GET /authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
&code_challenge_method=S256
```
## Example Token Request

```http
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
```
## Security Considerations

### Why PKCE is Mandatory in OAuth 2.1

| Attack | PKCE Protection |
|---|---|
| Code interception | Attacker lacks code_verifier |
| Code injection | code_verifier bound to original request |
| Replay attack | code_verifier is single-use |
## Review Output Format

```markdown
## Test Case: [Name]
### Target Feature: PKCE - [specific aspect]
### Test ID: OP-PKCE-[xxx]
### Spec Compliance:
- [x] Covers required behavior per [spec section]
- [ ] Missing: [specific requirement]
### OAuth 2.1 Compliance:
- [x/blank] S256 validation included
### Verdict: PASS / FAIL / PARTIAL
### Recommendations: [if any]
```