ExMCP.Internal.Authorization.PKCE (ex_mcp v0.10.0)
This module implements the standard MCP specification.
PKCE (Proof Key for Code Exchange) implementation for OAuth 2.1.
PKCE is required by the MCP authorization specification for all authorization code flows to prevent authorization code interception attacks.
This module implements RFC 7636 with the S256 code challenge method.
Example
# Generate code verifier and challenge
{:ok, verifier, challenge} = ExMCP.Internal.Authorization.PKCE.generate_challenge()
# Use challenge in authorization request
# Use verifier in token exchange request
# Verify a code challenge (server-side)
:ok = ExMCP.Internal.Authorization.PKCE.verify_challenge(verifier, challenge)
Summary
Functions
Generates a code verifier and code challenge for PKCE.
Validates that a code verifier meets RFC 7636 requirements.
Verifies that a code verifier matches the provided code challenge.
Functions
Generates a code verifier and code challenge for PKCE.
Returns a cryptographically random code verifier and its SHA256-based code challenge suitable for OAuth 2.1 authorization code flow.
Example
iex> {:ok, verifier, challenge} = ExMCP.Internal.Authorization.PKCE.generate_challenge()
iex> is_binary(verifier) and is_binary(challenge)
true
iex> String.length(verifier) >= 43 and String.length(verifier) <= 128
true
@spec validate_code_verifier(String.t()) :: :ok | {:error, :invalid_code_verifier}
Validates that a code verifier meets RFC 7636 requirements.
Code verifiers must be between 43 and 128 characters long and contain only unreserved URI characters.
Example
iex> ExMCP.Internal.Authorization.PKCE.validate_code_verifier("invalid!")
{:error, :invalid_code_verifier}
iex> {:ok, verifier, _} = ExMCP.Internal.Authorization.PKCE.generate_challenge()
iex> ExMCP.Internal.Authorization.PKCE.validate_code_verifier(verifier)
:ok
Verifies that a code verifier matches the provided code challenge.
This is used by authorization servers to validate that the client presenting the authorization code is the same client that initiated the authorization request.
Example
iex> {:ok, verifier, challenge} = ExMCP.Internal.Authorization.PKCE.generate_challenge()
iex> ExMCP.Internal.Authorization.PKCE.verify_challenge(verifier, challenge)
:ok
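The S256 derivation, the verifier format check and the server-side comparison described above, written out as an added example that is not ExMCP's own code. `PKCESketch`, its function names and the `:challenge_mismatch` atom are hypothetical; the test vector is the one from RFC 7636 Appendix B.

```elixir
# Added illustration of RFC 7636 S256. PKCESketch is a hypothetical module,
# not ExMCP's implementation.
defmodule PKCESketch do
  # 32 random bytes base64url-encode to exactly 43 characters without padding,
  # the minimum verifier length RFC 7636 allows.
  def new_verifier do
    Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)
  end

  # S256: BASE64URL(SHA256(ASCII(code_verifier))), without padding.
  def challenge_for(verifier) do
    Base.url_encode64(:crypto.hash(:sha256, verifier), padding: false)
  end

  # RFC 7636 section 4.1: 43-128 characters from ALPHA / DIGIT / "-" / "." / "_" / "~".
  def valid_verifier?(verifier) when is_binary(verifier),
    do: Regex.match?(~r/\A[A-Za-z0-9\-._~]{43,128}\z/, verifier)

  def valid_verifier?(_), do: false

  # Server side: reject malformed verifiers before hashing, then compare the
  # recomputed challenge with the one stored at authorization time.
  def verify(verifier, stored_challenge) when is_binary(stored_challenge) do
    cond do
      not valid_verifier?(verifier) -> {:error, :invalid_code_verifier}
      secure_equal?(challenge_for(verifier), stored_challenge) -> :ok
      true -> {:error, :challenge_mismatch}
    end
  end

  # :crypto.hash_equals/2 (OTP 25+) compares in constant time but raises on
  # binaries of different size, so the length is checked first.
  defp secure_equal?(a, b),
    do: byte_size(a) == byte_size(b) and :crypto.hash_equals(a, b)
end

# Test vector from RFC 7636 Appendix B.
verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

^challenge = PKCESketch.challenge_for(verifier)
:ok = PKCESketch.verify(verifier, challenge)
# A different (freshly generated) verifier must not match the stored challenge.
{:error, :challenge_mismatch} = PKCESketch.verify(PKCESketch.new_verifier(), challenge)
# Too short and contains "!", so it is rejected before any hashing.
{:error, :invalid_code_verifier} = PKCESketch.verify("invalid!", challenge)
```

The pattern matches at the bottom raise `MatchError` if any step disagrees with the RFC vector, so the file can be run as a script with `elixir`.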