Proof Key for Code Exchange (PKCE) reference

01. April 2025

Elaine Foley

The OAuth 2.0 PKCE (Proof Key for Code Exchange) extension (RFC 7636) is used by applications to prove possession of the authorization code when redeeming it to request an access token. This prevents malicious applications or websites listening on the redirection endpoint from redeeming an intercepted authorization code.

PKCE is currently optional for confidential clients (with a client secret). This behavior is deprecated. To conform with OAuth 2.1 or later versions of the standard, and for enhanced security, all integrations should use PKCE. 

PKCE is used by sending the following parameters in the authorization request:

The code_challenge_method parameter must always be "S256". Plain text PKCE is not supported by FotoWeb.

The code_challenge parameter must be as follows:

code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))

i.e., the SHA256 hash of a code_verifier string, encoded as URL-friendly Base64 (using the character '-' for '+' and '_' for '/'):

using System;
using System.Security.Cryptography;

static string EncodeBase64URL(byte[] arg)
{
    string s = Convert.ToBase64String(arg); // Regular base64 encoder
    s = s.Split('=')[0]; // Remove any trailing '='s
    s = s.Replace('+', '-'); // 62nd char of encoding
    s = s.Replace('/', '_'); // 63rd char of encoding
    return s;
}

// Compute the code_challenge parameter from the code_verifier
private static string MakeCodeChallenge(string codeVerifier)
{
    using (var sha256 = new SHA256CryptoServiceProvider())
    {
        return EncodeBase64URL(sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(codeVerifier)));
    }
}

The code_verifier string MUST be a random string of minimum 43 characters and maximum 128 characters. Each character MUST be one of the following:

  • an uppercase or lowercase letter
  • a digit
  • one of the characters '-', '.', '_', '~'

The code verifier SHOULD have enough entropy to make it impractical to guess the value. This can usually be achieved using a cryptographically-safe random generator, such as

  • RNGCryptoServiceProvider in .NET
  • random.SystemRandom in Python
  • /dev/urandom on Linux

It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-byte sequence. The octet sequence is then BASE64URL-encoded to produce a 43-byte URL safe string to use as the code verifier:

private static string MakeCodeVerifier(int numBytes = 32)
{
    using (var rng = new RNGCryptoServiceProvider())
    {
        byte[] bytes = new byte[numBytes];
        rng.GetBytes(bytes);
        return EncodeBase64URL(bytes);
    }
}
