use bcrypt when comparing client secrets

- this assumes that the client is already bcrytped
when passed to dex. Similar to user passwords.

Signed-off-by: Josh Winters <jwinters@pivotal.io>
Co-authored-by: Vikram Yadav <vyadav@pivotal.io>
This commit is contained in:
Josh Winters 2020-04-17 16:27:02 -04:00 committed by CI Bot
parent a1adf86e53
commit ec6f3a2f19

View file

@ -16,6 +16,7 @@ import (
"github.com/coreos/go-oidc/v3/oidc"
"github.com/gorilla/mux"
"golang.org/x/crypto/bcrypt"
jose "gopkg.in/square/go-jose.v2"
"github.com/dexidp/dex/connector"
@ -679,12 +680,21 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
}
return
}
if client.Secret != clientSecret {
if clientSecret == "" {
s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
} else {
s.logger.Infof("invalid client_secret on token request for client: %s", client.ID)
}
}
if err := checkCost([]byte(client.Secret)); err != nil {
s.logger.Errorf("failed to check cost of client secret: %v", err)
s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
return
}
if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
return
}