use bcrypt when comparing client secrets
- this assumes that the client is already bcrytped when passed to dex. Similar to user passwords. Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Vikram Yadav <vyadav@pivotal.io>
This commit is contained in:
parent
a1adf86e53
commit
ec6f3a2f19
1 changed files with 10 additions and 0 deletions
|
@ -16,6 +16,7 @@ import (
|
|||
|
||||
"github.com/coreos/go-oidc/v3/oidc"
|
||||
"github.com/gorilla/mux"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
jose "gopkg.in/square/go-jose.v2"
|
||||
|
||||
"github.com/dexidp/dex/connector"
|
||||
|
@ -679,12 +680,21 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
return
|
||||
}
|
||||
|
||||
if client.Secret != clientSecret {
|
||||
if clientSecret == "" {
|
||||
s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
|
||||
} else {
|
||||
s.logger.Infof("invalid client_secret on token request for client: %s", client.ID)
|
||||
}
|
||||
}
|
||||
|
||||
if err := checkCost([]byte(client.Secret)); err != nil {
|
||||
s.logger.Errorf("failed to check cost of client secret: %v", err)
|
||||
s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
|
||||
s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
|
Reference in a new issue