Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)

John Bradley <> Tue, 19 January 2016 12:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C93AB1B2D77 for <>; Tue, 19 Jan 2016 04:33:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GQ6bc7XNcanQ for <>; Tue, 19 Jan 2016 04:33:04 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c04::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 74C061B2D76 for <>; Tue, 19 Jan 2016 04:33:04 -0800 (PST)
Received: by with SMTP id b35so447519691qge.0 for <>; Tue, 19 Jan 2016 04:33:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=ZLFQIqwl8TT+JBrWyuhfInWCnPEdofW2O89zQ2eNFVo=; b=FVjuvUgv3Xm8BxVLj+PlG/PrDZHjY1i6XRmRzF5xqSWkrCP7RzSqSv2t2lhtD9Jp86 rRwCIK+laXcCtC1c5ElFQM1uXtCmT/vIY/tt/AYyFbA865Aso0/vFWddXtXp4CKKpLS3 nTUlIZCTpw2GiZDSiw679MsRykMmLGaIg5M8LrEfdfrTHb1SRBzyAb+wB4s5i4iUO7sI GTZugqq6rN0oi54j6a/2S4fayVYomqSxj2cCHjkHBQWdJnPRwQsrghPMTORoafSnGrhO npE2fQ2Fvz4QGeu/qm/453RIyx+3tuAG3iCQdXef+/fl3n3pDlZrZjFtzFM+DDkOLDyh y7mg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=ZLFQIqwl8TT+JBrWyuhfInWCnPEdofW2O89zQ2eNFVo=; b=S566YogeIFSSlEgLtWR6OewpuwXdLjr1H50NFVmzzviIFKRJtDjZbZyNNH8wwcxHWF EInfIdMlzIlOIptMSOfd4VnFz3/rQgGDJBDYW7fhoRKM1Z/0MJdvaOGpKMW6Ho2FNyl+ Mn7THhOKzs6jeaM7ZrRxHsY3XiUECZu4WRihRPNjYTFNG4CQNSf4s19MNw3OHpzgi8EG GpTV/dr/U+vW7StokfvsY/rpkX0jt5EQAQUH2PMIElaDFsKjkzdWpLHiVgQ3Hw7x8B6X pMZhCKvUmA9UnYqVY9IN7tVbec8S4tsc0c8scgar4GnrWE2VyywqDtGttV67CFUbeNaU 1QwQ==
X-Gm-Message-State: ALoCoQlHy9gjcRxXx1eVBVQJ2U+++HF62I95KbgyYDVtkoASA1kG/Xnlb8/Jy+mcy+m1nUz4TTFw0GWnfNJKQsZB18D8rYGWtw==
X-Received: by with SMTP id e4mr39669437qhe.81.1453206783377; Tue, 19 Jan 2016 04:33:03 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id 138sm11970647qho.48.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 19 Jan 2016 04:33:02 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_25B7AEDF-82C7-453A-AE42-596570A2C579"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <>
In-Reply-To: <>
Date: Tue, 19 Jan 2016 09:32:41 -0300
Message-Id: <>
References: <>
To: William Denniss <>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Jan 2016 12:33:07 -0000

Great news.

If you have sent a PKCE challenge and no verifier that should be a authentication failure as if the value were wrong.

I don’t know if it needs a special error.

Thanks for bringing it up.

John B.

> On Jan 19, 2016, at 2:46 AM, William Denniss <> wrote:
> This month we rolled out full PKCE (RFC7636) support on our OAuth endpoints.
> We'd previously implemented an earlier draft but were not conformant to the final spec when it was published – now we are. Both "plain" and "S256" transforms are supported. As always, get the latest endpoints from our discovery document: <>
> If you give it a spin, let me know how you go! The team monitors the Stack Overflow google-oauth <> tag too, for any implementation questions.
> I'm keen to know what we should be putting in our discovery doc to declare PKCE support (see the thread "Advertise PKCE support in OAuth 2.0 Discovery"), hope we can agree on that soon.
> One implementation detail not covered in the spec: we error if you send code_verifier to the token endpoint when exchanging a code that was issued without a code_challenge being present. The assumption being that if you are sending code_verifier on the token exchange, you are using PKCE and should have sent code_challenge on the authorization request, so something is amiss.
> William
> _______________________________________________
> OAuth mailing list