Skip to main content
Documentation & User Guides | Fotoware

Proof Key for Code Exchange (PKCE) reference

The OAuth 2.0 PKCE (Proof Key for Code Exchange) extension (RFC 7636) is used by applications to prove possession of the authorization code when redeeming the authorization code to request an access token. This prevents interception of the authorization code by malicious applications or websites listening on the redirection endpoint.

PKCE is currently optional for confidential clients (with a client secret). This behavior is deprecated. To conform with OAuth 2.1 or later versions of the standard, and for enhanced security, all integrations should use PKCE. 

PKCE is used by sending the following parameters in the authorization request:

The code_challenge_method parameter must always be "S256". Plain text PKCE is not supported by FotoWeb.

The code_challenge parameter must be as follows:

code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))

i.e., the SHA256 hash of a code_verifier string, encoded as URL-friendly Base64 (using the character '-' for '+' and '_' for '/'):

static string EncodeBase64URL(byte[] arg)
    string s = Convert.ToBase64String(arg); // Regular base64 encoder
    s = s.Split('=')[0]; // Remove any trailing '='s
    s = s.Replace('+', '-'); // 62nd char of encoding
    s = s.Replace('/', '_'); // 63rd char of encoding
    return s;

// Compute the code_challenge parameter from the code_verifyer
private static string MakeCodeChallenge(string codeVerifier)
    using (var sha256 = new SHA256CryptoServiceProvider())
        return EncodeBase64URL(sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(codeVerifier)));

The code_verifier string MUST be a random string of minimum 43 characters and maximum 128 characters. Each character MUST be one of the following:

  • an uppercase or lowercase character
  • a digit
  • the characters '-', '.', '_', '~'.

The code verifier SHOULD have enough entropy to make it impractical to guess the value. This can usually be achieved using a cryptographically-safe random generator, such as

It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-byte sequence. The octet sequence is then BASE64URL-encoded to produce a 43-byte URL safe string to use as the code verifier:

private static string MakeCodeVerifier(int numBytes = 32)
    using (var rng = new RNGCryptoServiceProvider())
        byte[] bytes = new byte[numBytes];
        return EncodeBase64URL(bytes);
  • Was this article helpful?