RFC Errata
RFC 7636, "Proof Key for Code Exchange by OAuth Public Clients", September 2015
Source of RFC: oauth (sec)
Errata ID: 8457
Status: Rejected
Type: Editorial
Publication Format(s) : TEXT
Reported By: Jeff Walden
Date Reported: 2025-06-13
Rejected by: Deb Cooley
Date Rejected: 2025-10-28
Section 4.1 says:
code-verifier = 43*128unreserved
It should say:
code_verifier = 43*128unreserved
Notes:
The ABNF accidentally uses a hyphen/dash rather than an underscore in the code_verifier name in its rule.
--VERIFIER NOTES--
This is not an error and the errata should be rejected. As per the ABNF definition in https://www.rfc-editor.org/rfc/rfc5234.html#section-21 the name contains "alphabetics, digits, and hyphens (dashes)", and not underscores. The commenter may be expecting the ABNF rule name of code-verifier to match the parameter name of code_verifier, but they do not need to be the same. While this is confusing, the text is correct as it stands.