
code_challenge in OAuth authorization request response

Topic Labels: API
dZYh
4 - Data Explorer

The Airtable OAuth specification says that authorization request responses will return the same code_challenge that was included in the original request.

These docs also say that this value must be verified: 

The code_challenge parameter you passed in the authorization request. You must verify the code_challenge variable is associated with a code_verifier you generated.

From what I understand of the PKCE flow, Airtable's backend (not the client integration) is responsible for validating the code_verifier included in the token creation request from the client. Why does the documentation call for the integration to check that the authorization response returns the same code_challenge that was included in the request?

Also, the official Airtable example implementation does not perform this check: https://github.com/Airtable/oauth-example/blob/a714e68c2610e3249063b3d92faf064bf4c15188/index.js#L94....

Any ideas? TYIA!
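
Added example, not part of the original post and not Airtable's code: a sketch of the client-side check the quoted documentation describes, where the integration recomputes the challenge from the code_verifier it stored and compares it with the code_challenge echoed on the redirect. It assumes S256 challenges as defined in RFC 7636 and a hypothetical in-memory `pending` map keyed by `state`; all function names are illustrative.

```javascript
// Added example. Only code_challenge / code_verifier come from the post;
// the pending-request store and function names are assumptions.
const nodeCrypto = require('node:crypto');

// RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
function deriveChallenge(codeVerifier) {
  return nodeCrypto.createHash('sha256')
    .update(codeVerifier, 'ascii')
    .digest('base64url');
}

// Before redirecting the user: create state + verifier and remember the
// verifier server-side, keyed by state. Returns what goes into the URL.
function beginAuthorization(pending) {
  const state = nodeCrypto.randomBytes(16).toString('base64url');
  // 48 random bytes -> 64 base64url chars (RFC 7636 allows 43..128).
  const codeVerifier = nodeCrypto.randomBytes(48).toString('base64url');
  pending.set(state, codeVerifier);
  return { state, codeChallenge: deriveChallenge(codeVerifier) };
}

// On the redirect URI: confirm the echoed code_challenge belongs to the
// verifier generated for this state before using the code.
function verifyCallback(pending, query) {
  const codeVerifier = pending.get(query.state);
  if (codeVerifier === undefined) {
    return { ok: false, reason: 'unknown state' };
  }
  pending.delete(query.state); // each state is single-use

  const expected = Buffer.from(deriveChallenge(codeVerifier));
  const received = Buffer.from(String(query.code_challenge ?? ''));
  if (expected.length !== received.length ||
      !nodeCrypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: 'code_challenge mismatch' };
  }
  // The caller sends codeVerifier with the code in the token request.
  return { ok: true, codeVerifier };
}
```

A mismatch here means the response does not correspond to the verifier held for that `state`, so the integration can stop before making a token request with the wrong verifier.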
