From ecea593ddde60e313d904dcf603282f36f63b7f3 Mon Sep 17 00:00:00 2001
From: Rui Yang
Date: Fri, 14 May 2021 13:32:27 -0400
Subject: [PATCH] fix a bug in hash comparison function

the client secret coming in should be hashed and the one in storage is the one in plaintext

Signed-off-by: Rui Yang
---
 server/handlers.go | 2 +-
 server/server_test.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/handlers.go b/server/handlers.go
index 494af232..6d3f9e7e 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -683,7 +683,7 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 }
 if s.hashClientSecret {
- if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
+ if err := bcrypt.CompareHashAndPassword([]byte(clientSecret), []byte(client.Secret)); err != nil {
 s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 return
 }
diff --git a/server/server_test.go b/server/server_test.go
index cbb298e5..76abbab9 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -1681,7 +1681,7 @@ func TestClientSecretEncryption(t *testing.T) {
 // Create the OAuth2 config.
 oauth2Config = &oauth2.Config{
 ClientID: clientID,
- ClientSecret: clientSecret,
+ ClientSecret: string(hash),
 Endpoint: p.Endpoint(),
 Scopes: requestedScopes,
 }
@@ -1728,7 +1728,7 @@ func TestClientSecretEncryption(t *testing.T) {
 // Regester the client above with dex.
 client := storage.Client{
 ID: clientID,
- Secret: string(hash),
+ Secret: clientSecret,
 RedirectURIs: []string{oauth2Client.URL + "/callback"},
 }
 if err := s.storage.CreateClient(client); err != nil {
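Review bot: After the swap, the value in the hash position of `bcrypt.CompareHashAndPassword` is `clientSecret`, which by its name and the commit message ("the client secret coming in") appears to come from the request rather than from storage, so an unauthenticated caller now chooses the bcrypt cost factor that the comparison derives from the hash string; a hash with cost 31 forces the server through billions of rounds per request before any credential is verified, which is a cheap CPU denial of service. Bound the cost before comparing: `if cost, err := bcrypt.Cost([]byte(clientSecret)); err != nil || cost > bcrypt.DefaultCost { s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized); return }`. Note also that in this orientation `client.Secret` is held in plaintext and any bcrypt hash of it is accepted, so the hashing does not protect the stored secret and a captured request value is replayable; if that is the intended design, a comment on the `if s.hashClientSecret {` line such as `// the client presents bcrypt(secret); storage holds the plaintext secret` would stop the next reader from reverting it. handleToken's body starts and ends outside the hunk.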
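Review bot: The test still only exercises the accepting path, now with `string(hash)` as the presented secret and the plaintext `clientSecret` in storage, so nothing pins that the swapped comparison rejects a wrong credential. A companion case that presents a bcrypt hash of a different secret (or a malformed hash string) and asserts the token request fails with `invalid_client` would make the fix regression-safe. TestClientSecretEncryption starts and ends outside the hunk.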