Authentication

Proof Key for Code Exchange (PKCE)

Proof Key for Code Exchange, also known as PKCE, is a mechanism for preventing malicious attacks and adds an extra security layer to the OpenID Connect authentication flows. It is described in detail in RFC 7636. By using a randomly generated secret and its hash, which we call the code_verifier and code_challenge, the Navigraph Identity Server can verify that your requests originate from the same client and therefore mitigate MITM and brute-force attacks.

The Authorization Flow With PKCE and Device Authorization Flow With PKCE pages explain how to apply PKCE to each flow.

Create the code verifier and challenge

Before each authentication request your app should generate a code_verifier and a code_challenge pair.

The code_verifier is a high-entropy cryptographic random string, 43 characters in length. It can contain letters, digits, underscores, periods, hyphens, or tildes. It is created by base64url encoding 32 random bytes.

const crypto = require("crypto");

// Base64url-encode a Buffer: standard base64 with the URL-safe alphabet
// ("-" and "_" instead of "+" and "/") and the "=" padding stripped.
function base64URLEncode(buffer) {
  return buffer
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=/g, "");
}

// 32 random bytes base64url-encoded gives a 43-character code_verifier.
const code_verifier = base64URLEncode(crypto.randomBytes(32));

To generate the code_challenge, your app should hash the code_verifier using the SHA-256 algorithm and then base64url encode the resulting hash:

// SHA-256 digest of the input, returned as a Buffer.
function sha256(buffer) {
  return crypto.createHash("sha256").update(buffer).digest();
}

// The challenge is the base64url-encoded SHA-256 hash of the ASCII verifier (S256 method).
const code_challenge = base64URLEncode(sha256(code_verifier));

Microsoft Flight Simulator 2020

The JavaScript environment in Microsoft Flight Simulator 2020 is based on the Coherent GT runtime, which uses the coui:// scheme for referencing assets. The underlying WebKit engine does not treat this scheme as a secure context and therefore disables the SubtleCrypto interface, which is typically used for generating SHA-256 hashes in browser environments.

To make this easier for developers, we have created a small npm package that generates the PKCE challenge pair and is compatible with Coherent GT.

Installation

npm install @navigraph/pkce

Usage

const pkce = require("@navigraph/pkce");
const { code_verifier, code_challenge } = pkce();

Returns an object with code_verifier and code_challenge like this:

{
    code_verifier: 'YnV4cVnTBbubIHcn-zOuTvi26G9bI0cSb-28loIj27g',
    code_challenge: 'XniLYb3i4x_gmyTcl8fvklzHagRKIIO4dSX-ZZl-cP4'
}