2020-12-28 UTC
# [dmitshur] Assuming I only support the S256 code_challenge_method, I wonder if there'd be any problem with doing the code_verifier check by base64-decoding the code_challenge to precompute the expected sha256 sum of the code_verifier, then doing a sha256(code_verifier) == wantsum check. (It relies on base64 encoding/decoding being 1:1.) https://tools.ietf.org/html/rfc7636#section-4.6 doesn't go into low-level details about how the comparison should be