forked from mystiq/dex
d658c24e8f
* if enabled, it will make sure client secret is bcrypted correctly * if not, it falls back to old behaviour that allowing empty client secret and comparing plain text, though now it will do ConstantTimeCompare to avoid a timing attack. So in either way it should provide more secure of client secret verification. Co-authored-by: Alex Surraci <suraci.alex@gmail.com> Signed-off-by: Rui Yang <ruiya@vmware.com> |
||
---|---|---|
.. | ||
internal | ||
api.go | ||
api_test.go | ||
deviceflowhandlers.go | ||
deviceflowhandlers_test.go | ||
doc.go | ||
handlers.go | ||
handlers_test.go | ||
oauth2.go | ||
oauth2_test.go | ||
rotation.go | ||
rotation_test.go | ||
server.go | ||
server_test.go | ||
templates.go | ||
templates_test.go |