Like a safe combination: you show the safe's lock pattern (challenge) upfront, but only you know how to open it (verifier).
Generate 96 random bytes (verifier), then SHA256-hash them (challenge). Send the challenge with the auth request; send the verifier during token exchange.
> crypto.randomBytes(96) → 96 bytes of randomness > verifier: "dBjftJeZ4CVP-mB92K27...kDs" (128 chars, base64url) > challenge: SHA256(verifier) → "E9Melhoa2OwvF...pRquEsg" (43 chars) > Both stored in sessionStorage temporarily
Like a safe combination: you show the safe's lock pattern (challenge) upfront, but only you know how to open it (verifier).
Generate 96 random bytes (verifier), then SHA256-hash them (challenge). Send the challenge with the auth request; send the verifier during token exchange.
> crypto.randomBytes(96) → 96 bytes of randomness > verifier: "dBjftJeZ4CVP-mB92K27...kDs" (128 chars, base64url) > challenge: SHA256(verifier) → "E9Melhoa2OwvF...pRquEsg" (43 chars) > Both stored in sessionStorage temporarily
Sign in to cast your vote
Sign in to share your feedback and join the discussion.