cxxmcp/api/openssl_2pkce_8hpp_source.html

// Copyright (c) 2025 [caomengxuan666]


#pragma once


#include <openssl/rand.h>


#include <array>

#include <cstddef>

#include <string>


#include "cxxmcp/auth/openssl/base64url.hpp"

#include "cxxmcp/auth/openssl/sha256.hpp"

#include "cxxmcp/auth/pkce.hpp"

#include "cxxmcp/auth/types.hpp"

#include "cxxmcp/core/result.hpp"


namespace mcp::auth::openssl {


inline constexpr std::size_t kPkceVerifierBytes = 32;


class OpenSslPkceGenerator final : public PkceGenerator {

 public:

  core::Result<PkceChallenge> create_s256() override {

    std::array<unsigned char, kPkceVerifierBytes> random_bytes{};

    if (RAND_bytes(random_bytes.data(),

                   static_cast<int>(random_bytes.size())) != 1) {

      return core::unexpected(

          core::Error{0,

                      "failed to generate PKCE code_verifier random bytes",

                      {},

                      std::string(AuthErrorCategory)});

    }


    PkceChallenge challenge;

    challenge.code_verifier =

        base64url_encode_bytes(random_bytes.data(), random_bytes.size());

    challenge.method = PkceCodeChallengeMethod::kS256;


    auto hashed = sha256_base64url(challenge.code_verifier);

    if (!hashed.has_value()) {

      return core::unexpected(hashed.error());

    }

    challenge.code_challenge = std::move(*hashed);


    return challenge;

  }


  core::Result<bool> verify(const PkceChallenge& challenge) override {

    if (challenge.method != PkceCodeChallengeMethod::kS256) {

      return core::unexpected(core::Error{

          0,

          "unsupported PKCE code_challenge_method; only S256 is supported",

          {},

          std::string(AuthErrorCategory)});

    }


    auto expected = sha256_base64url(challenge.code_verifier);

    if (!expected.has_value()) {

      return core::unexpected(expected.error());

    }


    return *expected == challenge.code_challenge;

  }

};


}  // namespace mcp::auth::openssl

types.hpp
Shared lightweight value types for cxxmcp auth contracts.

base64url.hpp
JOSE base64url helpers shared by optional OpenSSL auth code.

mcp::auth::PkceGenerator
Public wrapper around the SDK's private PKCE implementation.
Definition pkce.hpp:30

mcp::auth::openssl::OpenSslPkceGenerator
OpenSSL-backed implementation of the PkceGenerator contract.
Definition pkce.hpp:30

mcp::auth::openssl::kPkceVerifierBytes
constexpr std::size_t kPkceVerifierBytes
PKCE code_verifier length in bytes (43 characters when base64url encoded, satisfying RFC 7636 §4....
Definition pkce.hpp:24

pkce.hpp
PKCE contracts for OAuth authorization-code flows.

result.hpp
Shared result and error primitives used by the public cxxmcp SDK.

mcp::core::Result
tl::expected< T, Error > Result
Alias for the SDK result type.
Definition result.hpp:64

sha256.hpp
OpenSSL-backed SHA-256 helpers for optional auth crypto.

mcp::auth::openssl::sha256_base64url
core::Result< std::string > sha256_base64url(std::string_view data)
Compute base64url(SHA-256(data)).
Definition sha256.hpp:21

mcp::auth::PkceChallenge
PKCE verifier/challenge pair used by OAuth 2.1 authorization flows.
Definition pkce.hpp:19

mcp::core::Error
Structured error returned by fallible SDK operations.
Definition result.hpp:35