fix a bug in hash comparison function

the client secret coming in should be hashed and the one in storage
is the one in plaintext

Signed-off-by: Rui Yang <ruiya@vmware.com>
This commit is contained in:
Rui Yang 2021-05-14 13:32:27 -04:00
parent d658c24e8f
commit ecea593ddd
2 changed files with 3 additions and 3 deletions

View file

@ -683,7 +683,7 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
}
if s.hashClientSecret {
if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
if err := bcrypt.CompareHashAndPassword([]byte(clientSecret), []byte(client.Secret)); err != nil {
s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
return
}

View file

@ -1681,7 +1681,7 @@ func TestClientSecretEncryption(t *testing.T) {
// Create the OAuth2 config.
oauth2Config = &oauth2.Config{
ClientID: clientID,
ClientSecret: clientSecret,
ClientSecret: string(hash),
Endpoint: p.Endpoint(),
Scopes: requestedScopes,
}
@ -1728,7 +1728,7 @@ func TestClientSecretEncryption(t *testing.T) {
// Regester the client above with dex.
client := storage.Client{
ID: clientID,
Secret: string(hash),
Secret: clientSecret,
RedirectURIs: []string{oauth2Client.URL + "/callback"},
}
if err := s.storage.CreateClient(client); err != nil {