doorkeeper 4.4.3 → 5.0.0.rc1

data/app/views/doorkeeper/applications/_form.html.erb

@@ -1,58 +1,59 @@
-<%= form_for application, url: doorkeeper_submit_path(application), html: {class: 'form-horizontal', role: 'form'} do |f| %>
+<%= form_for application, url: doorkeeper_submit_path(application), html: { role: 'form' } do |f| %>
   <% if application.errors.any? %>
     <div class="alert alert-danger" data-alert><p><%= t('doorkeeper.applications.form.error') %></p></div>
   <% end %>
 
-  <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:name].present?}" do %>
-    <%= f.label :name, class: 'col-sm-2 control-label' %>
+  <div class="form-group row">
+    <%= f.label :name, class: 'col-sm-2 col-form-label font-weight-bold' %>
     <div class="col-sm-10">
-      <%= f.text_field :name, class: 'form-control' %>
+      <%= f.text_field :name, class: "form-control #{ 'is-invalid' if application.errors[:name].present? }", required: true %>
       <%= doorkeeper_errors_for application, :name %>
     </div>
-  <% end %>
+  </div>
 
-  <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:redirect_uri].present?}" do %>
-    <%= f.label :redirect_uri, class: 'col-sm-2 control-label' %>
+  <div class="form-group row">
+    <%= f.label :redirect_uri, class: 'col-sm-2 col-form-label font-weight-bold' %>
     <div class="col-sm-10">
-      <%= f.text_area :redirect_uri, class: 'form-control' %>
+      <%= f.text_area :redirect_uri, class: "form-control #{ 'is-invalid' if application.errors[:redirect_uri].present? }" %>
       <%= doorkeeper_errors_for application, :redirect_uri %>
-      <span class="help-block">
+      <span class="form-text text-secondary">
         <%= t('doorkeeper.applications.help.redirect_uri') %>
       </span>
+
       <% if Doorkeeper.configuration.native_redirect_uri %>
-          <span class="help-block">
-            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: content_tag(:code) { Doorkeeper.configuration.native_redirect_uri }) %>
+          <span class="form-text text-secondary">
+            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: content_tag(:code, class: 'bg-light') { Doorkeeper.configuration.native_redirect_uri }) %>
           </span>
       <% end %>
     </div>
-  <% end %>
+  </div>
 
-  <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:confidential].present?}" do %>
-    <%= f.label :confidential, class: 'col-sm-2 control-label' %>
+  <div class="form-group row">
+    <%= f.label :confidential, class: 'col-sm-2 form-check-label font-weight-bold' %>
     <div class="col-sm-10">
-      <%= f.check_box :confidential, class: 'form-control', disabled: !Doorkeeper::Application.supports_confidentiality? %>
+      <%= f.check_box :confidential, class: "checkbox #{ 'is-invalid' if application.errors[:confidential].present? }" %>
       <%= doorkeeper_errors_for application, :confidential %>
-      <span class="help-block">
+      <span class="form-text text-secondary">
         <%= t('doorkeeper.applications.help.confidential') %>
       </span>
     </div>
-  <% end %>
+  </div>
 
-  <%= content_tag :div, class: "form-group#{' has-error' if application.errors[:scopes].present?}" do %>
-    <%= f.label :scopes, class: 'col-sm-2 control-label' %>
+  <div class="form-group row">
+    <%= f.label :scopes, class: 'col-sm-2 col-form-label font-weight-bold' %>
     <div class="col-sm-10">
-      <%= f.text_field :scopes, class: 'form-control' %>
+      <%= f.text_field :scopes, class: "form-control #{ 'has-error' if application.errors[:scopes].present? }" %>
       <%= doorkeeper_errors_for application, :scopes %>
-      <span class="help-block">
+      <span class="form-text text-secondary">
         <%= t('doorkeeper.applications.help.scopes') %>
       </span>
     </div>
-  <% end %>
+  </div>
 
   <div class="form-group">
     <div class="col-sm-offset-2 col-sm-10">
-      <%= f.submit t('doorkeeper.applications.buttons.submit'), class: "btn btn-primary" %>
-      <%= link_to t('doorkeeper.applications.buttons.cancel'), oauth_applications_path, class: "btn btn-default" %>
+      <%= f.submit t('doorkeeper.applications.buttons.submit'), class: 'btn btn-primary' %>
+      <%= link_to t('doorkeeper.applications.buttons.cancel'), oauth_applications_path, class: 'btn btn-secondary' %>
     </div>
   </div>
 <% end %>

data/app/views/doorkeeper/applications/edit.html.erb

@@ -1,4 +1,4 @@
-<div class="page-header">
+<div class="border-bottom mb-4">
   <h1><%= t('.title') %></h1>
 </div>
 

data/app/views/doorkeeper/applications/index.html.erb

@@ -1,4 +1,4 @@
-<div class="page-header">
+<div class="border-bottom mb-4">
   <h1><%= t('.title') %></h1>
 </div>
 
@@ -10,18 +10,28 @@
     <th><%= t('.name') %></th>
     <th><%= t('.callback_url') %></th>
     <th><%= t('.confidential') %></th>
-    <th></th>
+    <th><%= t('.actions') %></th>
     <th></th>
   </tr>
   </thead>
   <tbody>
   <% @applications.each do |application| %>
     <tr id="application_<%= application.id %>">
-      <td><%= link_to application.name, oauth_application_path(application) %></td>
-      <td><%= application.redirect_uri %></td>
-      <td><%= application.confidential? ? t('doorkeeper.applications.index.confidentiality.yes') : t('doorkeeper.applications.index.confidentiality.no') %></td>
-      <td><%= link_to t('doorkeeper.applications.buttons.edit'), edit_oauth_application_path(application), class: 'btn btn-link' %></td>
-      <td><%= render 'delete_form', application: application %></td>
+      <td class="align-middle">
+        <%= link_to application.name, oauth_application_path(application) %>
+      </td>
+      <td class="align-middle">
+        <%= application.redirect_uri %>
+      </td>
+      <td class="align-middle">
+        <%= application.confidential? ? t('doorkeeper.applications.index.confidentiality.yes') : t('doorkeeper.applications.index.confidentiality.no') %>
+      </td>
+      <td class="align-middle">
+        <%= link_to t('doorkeeper.applications.buttons.edit'), edit_oauth_application_path(application), class: 'btn btn-link' %>
+      </td>
+      <td class="align-middle">
+        <%= render 'delete_form', application: application %>
+      </td>
     </tr>
   <% end %>
   </tbody>

data/app/views/doorkeeper/applications/new.html.erb

@@ -1,4 +1,4 @@
-<div class="page-header">
+<div class="border-bottom mb-4">
   <h1><%= t('.title') %></h1>
 </div>
 

data/app/views/doorkeeper/applications/show.html.erb

@@ -1,20 +1,20 @@
-<div class="page-header">
+<div class="border-bottom mb-4">
   <h1><%= t('.title', name: @application.name) %></h1>
 </div>
 
 <div class="row">
   <div class="col-md-8">
     <h4><%= t('.application_id') %>:</h4>
-    <p><code id="application_id"><%= @application.uid %></code></p>
+    <p><code class="bg-light" id="application_id"><%= @application.uid %></code></p>
 
     <h4><%= t('.secret') %>:</h4>
-    <p><code id="secret"><%= @application.secret %></code></p>
+    <p><code class="bg-light" id="secret"><%= @application.secret %></code></p>
 
     <h4><%= t('.scopes') %>:</h4>
-    <p><code id="scopes"><%= @application.scopes %></code></p>
+    <p><code class="bg-light" id="scopes"><%= @application.scopes.presence || raw('&nbsp;') %></code></p>
 
     <h4><%= t('.confidential') %>:</h4>
-    <p><code id="confidential"><%= @application.confidential? %></code></p>
+    <p><code class="bg-light" id="confidential"><%= @application.confidential? %></code></p>
 
     <h4><%= t('.callback_urls') %>:</h4>
 
@@ -22,7 +22,7 @@
       <% @application.redirect_uri.split.each do |uri| %>
         <tr>
           <td>
-            <code><%= uri %></code>
+            <code class="bg-light"><%= uri %></code>
           </td>
           <td>
             <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>

data/app/views/doorkeeper/authorizations/error.html.erb

@@ -1,4 +1,4 @@
-<div class="page-header">
+<div class="border-bottom mb-4">
   <h1><%= t('doorkeeper.authorizations.error.title') %></h1>
 </div>
 

data/app/views/doorkeeper/authorizations/new.html.erb

@@ -26,6 +26,8 @@
       <%= hidden_field_tag :state, @pre_auth.state %>
       <%= hidden_field_tag :response_type, @pre_auth.response_type %>
       <%= hidden_field_tag :scope, @pre_auth.scope %>
+      <%= hidden_field_tag :code_challenge, @pre_auth.code_challenge %>
+      <%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method %>
       <%= submit_tag t('doorkeeper.authorizations.buttons.authorize'), class: "btn btn-success btn-lg btn-block" %>
     <% end %>
     <%= form_tag oauth_authorization_path, method: :delete do %>
@@ -34,6 +36,8 @@
       <%= hidden_field_tag :state, @pre_auth.state %>
       <%= hidden_field_tag :response_type, @pre_auth.response_type %>
       <%= hidden_field_tag :scope, @pre_auth.scope %>
+      <%= hidden_field_tag :code_challenge, @pre_auth.code_challenge %>
+      <%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method %>
       <%= submit_tag t('doorkeeper.authorizations.buttons.deny'), class: "btn btn-danger btn-lg btn-block" %>
     <% end %>
   </div>

data/app/views/layouts/doorkeeper/admin.html.erb

@@ -4,27 +4,27 @@
   <meta charset="utf-8">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Doorkeeper</title>
+  <title><%= t('doorkeeper.layouts.admin.title') %></title>
   <%= stylesheet_link_tag "doorkeeper/admin/application" %>
   <%= csrf_meta_tags %>
 </head>
 <body>
-<div class="navbar navbar-inverse navbar-static-top" role="navigation">
-  <div class="container-fluid">
-    <div class="navbar-header">
-      <%= link_to t('doorkeeper.layouts.admin.nav.oauth2_provider'), oauth_applications_path, class: 'navbar-brand' %>
-    </div>
-    <ul class="nav navbar-nav">
-      <%= content_tag :li, class: "#{'active' if request.path == oauth_applications_path}" do %>
-        <%= link_to t('doorkeeper.layouts.admin.nav.applications'), oauth_applications_path %>
-      <% end %>
-      <%= content_tag :li do %>
-        <%= link_to t('doorkeeper.layouts.admin.nav.home'), root_path %>
-      <% end %>
+<nav class="navbar navbar-expand-lg navbar-dark bg-dark mb-5">
+  <%= link_to t('doorkeeper.layouts.admin.nav.oauth2_provider'), oauth_applications_path, class: 'navbar-brand' %>
+
+  <div class="collapse navbar-collapse">
+    <ul class="navbar-nav mr-auto">
+      <li class="nav-item <%= 'active' if request.path == oauth_applications_path %>">
+        <%= link_to t('doorkeeper.layouts.admin.nav.applications'), oauth_applications_path, class: 'nav-link' %>
+      </li>
+      <li class="nav-item">
+        <%= link_to t('doorkeeper.layouts.admin.nav.home'), root_path, class: 'nav-link' %>
+      </li>
     </ul>
   </div>
-</div>
-<div class="container">
+</nav>
+
+<div class="doorkeeper-admin container">
   <%- if flash[:notice].present? %>
     <div class="alert alert-info">
       <%= flash[:notice] %>

data/config/locales/en.yml

@@ -14,6 +14,8 @@ en:
               relative_uri: 'must be an absolute URI.'
               secured_uri: 'must be an HTTPS/SSL URI.'
               forbidden_uri: 'is forbidden by the server.'
+            scopes:
+              not_match_configured: "doesn't match configured on the server."
 
   doorkeeper:
     applications:
@@ -40,6 +42,7 @@ en:
         name: 'Name'
         callback_url: 'Callback URL'
         confidential: 'Confidential?'
+        actions: 'Actions'
         confidentiality:
           'yes': 'Yes'
           'no': 'No'
@@ -47,7 +50,7 @@ en:
         title: 'New Application'
       show:
         title: 'Application: %{name}'
-        application_id: 'Application Id'
+        application_id: 'Application UID'
         secret: 'Secret'
         scopes: 'Scopes'
         confidential: 'Confidential'
@@ -78,6 +81,9 @@ en:
         created_at: 'Created At'
         date_format: '%Y-%m-%d %H:%M:%S'
 
+    pre_authorization:
+      status: 'Pre-authorization'
+
     errors:
       messages:
         # Common error messages
@@ -86,6 +92,7 @@ en:
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'
         invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
+        invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
         server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
         temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
 
@@ -120,6 +127,7 @@ en:
 
     layouts:
       admin:
+        title: 'Doorkeeper'
         nav:
           oauth2_provider: 'OAuth2 Provider'
           applications: 'Applications'

data/doorkeeper.gemspec

@@ -27,6 +27,4 @@ Gem::Specification.new do |s|
   s.add_development_dependency "generator_spec", "~> 0.9.3"
   s.add_development_dependency "rake", ">= 11.3.0"
   s.add_development_dependency "rspec-rails"
-
-  s.post_install_message = Doorkeeper::CVE_2018_1000211_WARNING
 end

data/gemfiles/rails_5_2.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "rails", "5.2.0.rc1"
+gem "rails", "5.2.0"
 gem "appraisal"
 gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
 gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]

data/lib/doorkeeper/config.rb

@@ -15,19 +15,19 @@ module Doorkeeper
   end
 
   def self.configuration
-    @config || (fail MissingConfiguration)
+    @config || (raise MissingConfiguration)
   end
 
   def self.setup_orm_adapter
     @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
-  rescue NameError => e
-    fail e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.squish
-[doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
-trying to load it.
-
-You probably need to add the related gem for this adapter to work with
-doorkeeper.
-      ERROR_MSG
+  rescue NameError => error
+    raise error, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
+      [doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
+      trying to load it.
+
+      You probably need to add the related gem for this adapter to work with
+      doorkeeper.
+    ERROR_MSG
   end
 
   def self.setup_orm_models
@@ -90,7 +90,7 @@ doorkeeper.
       #
       # @param methods [Array] Define client credentials
       def client_credentials(*methods)
-        @config.instance_variable_set(:@client_credentials, methods)
+        @config.instance_variable_set(:@client_credentials_methods, methods)
       end
 
       # Change the way access token is authenticated from the request object.
@@ -115,13 +115,23 @@ doorkeeper.
         @config.instance_variable_set(:@reuse_access_token, true)
       end
 
-      # Opt out of breaking api change to the native authorization code flow.
-      # Opting out sets the authorization code response route for native
-      # redirect uris to oauth/authorize/<code>. The default is
-      # oauth/authorize/native?code=<code>.
-      # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1143
-      def opt_out_native_route_change
-        @config.instance_variable_set(:@opt_out_native_route_change, true)
+      # Use an API mode for applications generated with --api argument
+      # It will skip applications controller, disable forgery protection
+      def api_only
+        @config.instance_variable_set(:@api_only, true)
+      end
+
+      # Forbids creating/updating applications with arbitrary scopes that are
+      # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+      # (disabled by default)
+      def enforce_configured_scopes
+        @config.instance_variable_set(:@enforce_configured_scopes, true)
+      end
+
+      # Enforce request content type as the spec requires:
+      # disabled by default for backward compatibility.
+      def enforce_content_type
+        @config.instance_variable_set(:@enforce_content_type, true)
       end
     end
 
@@ -188,7 +198,10 @@ doorkeeper.
     option :resource_owner_authenticator,
            as: :authenticate_resource_owner,
            default: (lambda do |_routes|
-             ::Rails.logger.warn(I18n.t('doorkeeper.errors.messages.resource_owner_authenticator_not_configured'))
+             ::Rails.logger.warn(
+               I18n.t('doorkeeper.errors.messages.resource_owner_authenticator_not_configured')
+             )
+
              nil
            end)
 
@@ -198,15 +211,20 @@ doorkeeper.
 
     option :resource_owner_from_credentials,
            default: (lambda do |_routes|
-             ::Rails.logger.warn(I18n.t('doorkeeper.errors.messages.credential_flow_not_configured'))
+             ::Rails.logger.warn(
+               I18n.t('doorkeeper.errors.messages.credential_flow_not_configured')
+             )
+
              nil
            end)
+    option :before_successful_authorization, default: ->(_context) {}
+    option :after_successful_authorization, default: ->(_context) {}
     option :before_successful_strategy_response, default: ->(_request) {}
     option :after_successful_strategy_response,
            default: ->(_request, _response) {}
     option :skip_authorization,             default: ->(_routes) {}
     option :access_token_expires_in,        default: 7200
-    option :custom_access_token_expires_in, default: ->(_app) { nil }
+    option :custom_access_token_expires_in, default: ->(_context) { nil }
     option :authorization_code_expires_in,  default: 600
     option :orm,                            default: :active_record
     option :native_redirect_uri,            default: 'urn:ietf:wg:oauth:2.0:oob'
@@ -241,7 +259,6 @@ doorkeeper.
     #
     option :force_ssl_in_redirect_uri,      default: !Rails.env.development?
 
-
     # Use a custom class for generating the access token.
     # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
     #
@@ -260,20 +277,31 @@ doorkeeper.
            default: 'ActionController::Base'
 
     attr_reader :reuse_access_token
+    attr_reader :api_only
+    attr_reader :enforce_content_type
+
+    def api_only
+      @api_only ||= false
+    end
+
+    def enforce_content_type
+      @enforce_content_type ||= false
+    end
 
     def refresh_token_enabled?
-      @refresh_token_enabled ||= false
-      !!@refresh_token_enabled
+      !!(defined?(@refresh_token_enabled) && @refresh_token_enabled)
+    end
+
+    def enforce_configured_scopes?
+      !!(defined?(@enforce_configured_scopes) && @enforce_configured_scopes)
     end
 
     def enable_application_owner?
-      @enable_application_owner ||= false
-      !!@enable_application_owner
+      !!(defined?(@enable_application_owner) && @enable_application_owner)
     end
 
     def confirm_application_owner?
-      @confirm_application_owner ||= false
-      !!@confirm_application_owner
+      !!(defined?(@confirm_application_owner) && @confirm_application_owner)
     end
 
     def default_scopes
@@ -289,7 +317,7 @@ doorkeeper.
     end
 
     def client_credentials_methods
-      @client_credentials ||= %i[from_basic from_params]
+      @client_credentials_methods ||= %i[from_basic from_params]
     end
 
     def access_token_methods
@@ -297,16 +325,11 @@ doorkeeper.
     end
 
     def authorization_response_types
-      @authorization_response_types ||= calculate_authorization_response_types
+      @authorization_response_types ||= calculate_authorization_response_types.freeze
     end
 
     def token_grant_types
-      @token_grant_types ||= calculate_token_grant_types
-    end
-
-    def native_authorization_code_route
-      @opt_out_native_route_change ||= false
-      @opt_out_native_route_change ? '/:code' : '/native'
+      @token_grant_types ||= calculate_token_grant_types.freeze
     end
 
     private

data/lib/doorkeeper/engine.rb

@@ -17,6 +17,10 @@ module Doorkeeper
 
     if defined?(Sprockets) && Sprockets::VERSION.chr.to_i >= 4
       initializer 'doorkeeper.assets.precompile' do |app|
+        # Force users to use:
+        #    //= link doorkeeper/admin/application.css
+        # in Doorkeeper 5 for Sprockets 4 instead of precompile.
+        # Add note to official docs & Wiki
         app.config.assets.precompile += %w[
           doorkeeper/application.css
           doorkeeper/admin/application.css

data/lib/doorkeeper/errors.rb

@@ -36,10 +36,7 @@ module Doorkeeper
       end
     end
 
-    class UnableToGenerateToken < DoorkeeperError
-    end
-
-    class TokenGeneratorNotFound < DoorkeeperError
-    end
+    UnableToGenerateToken = Class.new(DoorkeeperError)
+    TokenGeneratorNotFound = Class.new(DoorkeeperError)
   end
 end

data/lib/doorkeeper/grape/helpers.rb

@@ -31,7 +31,7 @@ module Doorkeeper
       end
 
       def doorkeeper_token
-        @_doorkeeper_token ||= OAuth::Token.authenticate(
+        @doorkeeper_token ||= OAuth::Token.authenticate(
           decorated_request,
           *Doorkeeper.configuration.access_token_methods
         )

data/lib/doorkeeper/helpers/controller.rb

@@ -30,11 +30,11 @@ module Doorkeeper
 
       # :doc:
       def doorkeeper_token
-        @token ||= OAuth::Token.authenticate request, *config_methods
+        @doorkeeper_token ||= OAuth::Token.authenticate request, *config_methods
       end
 
       def config_methods
-        @methods ||= Doorkeeper.configuration.access_token_methods
+        @config_methods ||= Doorkeeper.configuration.access_token_methods
       end
 
       def get_error_response_from_exception(exception)
@@ -51,6 +51,11 @@ module Doorkeeper
       def skip_authorization?
         !!instance_exec([@server.current_resource_owner, @pre_auth.client], &Doorkeeper.configuration.skip_authorization)
       end
+
+      def enforce_content_type
+        return if request.content_type == 'application/x-www-form-urlencoded'
+        render json: {}, status: :unsupported_media_type
+      end
     end
   end
 end

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -9,6 +9,15 @@ module Doorkeeper
     include Models::Orderable
     include Models::Scopes
 
+    # never uses pkce, if pkce migrations were not generated
+    def uses_pkce?
+      pkce_supported? && code_challenge.present?
+    end
+
+    def pkce_supported?
+      respond_to? :code_challenge
+    end
+
     module ClassMethods
       # Searches for Doorkeeper::AccessGrant record with the
       # specific token value.
@@ -21,6 +30,53 @@ module Doorkeeper
       def by_token(token)
         find_by(token: token.to_s)
       end
+
+      # Implements PKCE code_challenge encoding without base64 padding as described in the spec.
+      # https://tools.ietf.org/html/rfc7636#appendix-A
+      #   Appendix A.  Notes on Implementing Base64url Encoding without Padding
+      #
+      #   This appendix describes how to implement a base64url-encoding
+      #   function without padding, based upon the standard base64-encoding
+      #   function that uses padding.
+      #
+      #       To be concrete, example C# code implementing these functions is shown
+      #   below.  Similar code could be used in other languages.
+      #
+      #   static string base64urlencode(byte [] arg)
+      #   {
+      #       string s = Convert.ToBase64String(arg); // Regular base64 encoder
+      #       s = s.Split('=')[0]; // Remove any trailing '='s
+      #       s = s.Replace('+', '-'); // 62nd char of encoding
+      #       s = s.Replace('/', '_'); // 63rd char of encoding
+      #       return s;
+      #   }
+      #
+      #   An example correspondence between unencoded and encoded values
+      #   follows.  The octet sequence below encodes into the string below,
+      #   which when decoded, reproduces the octet sequence.
+      #
+      #   3 236 255 224 193
+      #
+      #   A-z_4ME
+      #
+      # https://ruby-doc.org/stdlib-2.1.3/libdoc/base64/rdoc/Base64.html#method-i-urlsafe_encode64
+      #
+      # urlsafe_encode64(bin)
+      # Returns the Base64-encoded version of bin. This method complies with
+      # “Base 64 Encoding with URL and Filename Safe Alphabet” in RFC 4648.
+      # The alphabet uses '-' instead of '+' and '_' instead of '/'.
+
+      # @param code_verifier [#to_s] a one time use value (any object that responds to `#to_s`)
+      #
+      # @return [#to_s] An encoded code challenge based on the provided verifier suitable for PKCE validation
+      def generate_code_challenge(code_verifier)
+        padded_result = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier))
+        padded_result.split('=')[0] # Remove any trailing '='
+      end
+
+      def pkce_supported?
+        new.pkce_supported?
+      end
     end
   end
 end