Whilst testing OAuth authentication with MB in a Rails app I encountered an issue with PKCE when the verification method is set to "S256". I believe this is due to an implementation detail in the MusicBrainz server which means it is not compliant with the RFC.
The RFC states that the client should derive a code challenge from the code verifier as follows:
Later on in the process the server should verify the code_verifier using the following logic:
However, the MB server code performs the verification as follows (operands reordered for clarity):
Note the call to decode_base64. I believe this may have been added due to a misunderstanding of the following recommendation from the RFC:
The base64 encoding is recommended here purely as a means of generating a 43 octet URL safe string with sufficient entropy, not so that the underlying value can be subsequently decoded during the PKCE verification.
The following is an example of S256 PKCE verification code from another OAuth implementation that I believe is RFC compliant:
I'd be happy to submit a simple PR to fix this if confirmed.
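The RFC 7636 derivation and the two verification behaviours discussed above, as an added example that is neither the ticket's code nor the MusicBrainz server's. `verify_decoding_first` is a model of the decode-then-hash check the report describes (an assumption about its behaviour, not MB's actual code), and the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import binascii
import hashlib
import secrets
import string

# Unreserved characters RFC 7636 section 4.1 allows in a code_verifier.
VERIFIER_CHARS = string.ascii_letters + string.digits + "-._~"

# Test vector from RFC 7636 Appendix B (a verifier and its S256 challenge).
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

def b64url_nopad(data: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def generate_code_verifier() -> str:
    """RFC 7636 section 4.1 suggestion: base64url-encode 32 random octets (43 chars)."""
    return b64url_nopad(secrets.token_bytes(32))

def code_challenge_s256(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())

def verify_rfc(code_verifier: str, code_challenge: str) -> bool:
    """Server side per RFC 7636 section 4.6: hash the verifier's ASCII bytes exactly as sent."""
    if not 43 <= len(code_verifier) <= 128 or any(c not in VERIFIER_CHARS for c in code_verifier):
        return False
    return secrets.compare_digest(code_challenge_s256(code_verifier), code_challenge)

def verify_decoding_first(code_verifier: str, code_challenge: str) -> bool:
    """Model (an assumption, not MB's code) of the non-compliant check described in the
    ticket: the verifier is base64-decoded back to octets before it is hashed."""
    try:
        octets = base64.urlsafe_b64decode(code_verifier + "=" * (-len(code_verifier) % 4))
    except (ValueError, binascii.Error):
        return False
    return secrets.compare_digest(b64url_nopad(hashlib.sha256(octets).digest()), code_challenge)

def compare_checks(code_verifier: str) -> dict:
    """Run both server checks against the challenge a compliant client derives."""
    challenge = code_challenge_s256(code_verifier)
    return {"rfc": verify_rfc(code_verifier, challenge),
            "decoding_first": verify_decoding_first(code_verifier, challenge)}

if __name__ == "__main__":
    print(compare_checks(RFC_VERIFIER))             # {'rfc': True, 'decoding_first': False}
    print(compare_checks(generate_code_verifier()))
    print(compare_checks("a.b~c" * 9))              # legal verifier that is not base64 at all
```

The third call shows why the decode step is wrong in principle, not just for MB-generated verifiers: a verifier built only from the unreserved characters `.` and `~` is valid per the RFC but cannot be meaningfully base64-decoded.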