forked from mystiq/dex
Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync
Use constant time comparison for client secret verification
This commit is contained in:
commit
18d1f70cee
2 changed files with 4 additions and 1 deletions
|
@ -2,6 +2,7 @@ package server
|
|||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"crypto/subtle"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
|
@ -678,7 +679,8 @@ func (s *Server) withClientFromStorage(w http.ResponseWriter, r *http.Request, h
|
|||
}
|
||||
return
|
||||
}
|
||||
if client.Secret != clientSecret {
|
||||
|
||||
if subtle.ConstantTimeCompare([]byte(client.Secret), []byte(clientSecret)) != 1 {
|
||||
if clientSecret == "" {
|
||||
s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
|
||||
} else {
|
||||
|
|
|
@ -204,6 +204,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
|
|||
if c.Storage == nil {
|
||||
return nil, errors.New("server: storage cannot be nil")
|
||||
}
|
||||
|
||||
if len(c.SupportedResponseTypes) == 0 {
|
||||
c.SupportedResponseTypes = []string{responseTypeCode}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue