googleapis · tseaver · May 29, 2019 · May 23, 2019 · May 23, 2019 · May 23, 2019
diff --git a/google_auth_oauthlib/flow.py b/google_auth_oauthlib/flow.py
@@ -109,7 +109,8 @@ def __init__(
             redirect_uri (str): The OAuth 2.0 redirect URI if known at flow
                 creation time. Otherwise, it will need to be set using
                 :attr:`redirect_uri`.
-
+            code_verifier: random string of 43-128 chars used to verify the
+                key exchange.using PKCE. Auto-generated if not provided.
         .. _client secrets:
             https://developers.google.com/api-client-library/python/guide
             /aaa_client_secrets
@@ -222,9 +223,9 @@ def authorization_url(self, **kwargs):
             rnd = SystemRandom()
             random_verifier = [rnd.choice(chars) for _ in range(0, 128)]
             self.code_verifier = ''.join(random_verifier)
-        c = hashlib.sha256()
-        c.update(str.encode(self.code_verifier))
-        unencoded_challenge = c.digest()
+        code_hash = hashlib.sha256()
+        code_hash.update(str.encode(self.code_verifier))
+        unencoded_challenge = code_hash.digest()
         b64_challenge = urlsafe_b64encode(unencoded_challenge)
         code_challenge = b64_challenge.decode().split('=')[0]
         kwargs.setdefault('code_challenge', code_challenge)

diff --git a/tests/test_flow.py b/tests/test_flow.py
@@ -17,6 +17,7 @@
 from functools import partial
 import json
 import os
+import re
 
 import mock
 import pytest
@@ -123,6 +124,25 @@ def test_authorization_url_access_type(self, instance):
                 code_challenge='2yN0TOdl0gkGwFOmtfx3f913tgEaLM2d2S0WlmG1Z6Q',
                 code_challenge_method='S256')
 
+    def test_authorization_url_generated_verifier(self, instance):
+        scope = 'scope_one'
+        instance.oauth2session.scope = [scope]
+        authorization_url_path = mock.patch.object(
+                instance.oauth2session, 'authorization_url',
+                wraps=instance.oauth2session.authorization_url)
+
+        with authorization_url_path as authorization_url_spy:
+            url, _ = instance.authorization_url()
+
+            _, kwargs = authorization_url_spy.call_args_list[0]
+            assert kwargs['code_challenge_method'] == 'S256'
+            assert len(instance.code_verifier) == 128
+            assert len(kwargs['code_challenge']) == 43 # 128 char verifier
+            valid_verifier = r'^[A-Za-z0-9-._~]*$'
+            valid_challenge = r'^[A-Za-z0-9-_]*$'
+            assert re.match(valid_verifier, instance.code_verifier)
+            assert re.match(valid_challenge, kwargs['code_challenge'])
+
     def test_fetch_token(self, instance):
         instance.code_verifier = 'amanaplanacanalpanama'
         fetch_token_patch = mock.patch.object(