use bcrypt when comparing client secrets

- this assumes that the client is already bcrytped when passed to dex. Similar to user passwords. Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Vikram Yadav <vyadav@pivotal.io>
2020-04-17 16:27:02 -04:00 · 2020-04-17 16:27:02 -04:00 · ec6f3a2f19
parent a1adf86e53
commit ec6f3a2f19
1 changed files with 10 additions and 0 deletions
--- a/server/handlers.go
+++ b/server/handlers.go
@ -16,6 +16,7 @@ import (

 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/mux"
+	"golang.org/x/crypto/bcrypt"
 	jose "gopkg.in/square/go-jose.v2"

 	"github.com/dexidp/dex/connector"
@ -679,12 +680,21 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 		}
 		return
 	}
+
 	if client.Secret != clientSecret {
 		if clientSecret == "" {
 			s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
 		} else {
 			s.logger.Infof("invalid client_secret on token request for client: %s", client.ID)
 		}
+	}
+
+	if err := checkCost([]byte(client.Secret)); err != nil {
+		s.logger.Errorf("failed to check cost of client secret: %v", err)
+		s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
+		return
+	}
+	if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
 		s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 		return
 	}