From ec6f3a2f19aefa2a6ad5d1b10ab29ca5bc037789 Mon Sep 17 00:00:00 2001
From: Josh Winters
Date: Fri, 17 Apr 2020 16:27:02 -0400
Subject: [PATCH] use bcrypt when comparing client secrets

- this assumes that the client is already bcrytped when passed to dex. Similar to user passwords.

Signed-off-by: Josh Winters
Co-authored-by: Vikram Yadav
---
 server/handlers.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/server/handlers.go b/server/handlers.go
index eb65f490..db835997 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -16,6 +16,7 @@ import (
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/mux"
+	"golang.org/x/crypto/bcrypt"
 	jose "gopkg.in/square/go-jose.v2"
 
 	"github.com/dexidp/dex/connector"
@@ -679,12 +680,21 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 		}
 		return
 	}
+
 	if client.Secret != clientSecret {
 		if clientSecret == "" {
 			s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
 		} else {
 			s.logger.Infof("invalid client_secret on token request for client: %s", client.ID)
 		}
+	}
+
+	if err := checkCost([]byte(client.Secret)); err != nil {
+		s.logger.Errorf("failed to check cost of client secret: %v", err)
+		s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
+		return
+	}
+	if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
 		s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 		return
 	}
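Review bot: The retained `if client.Secret != clientSecret` block in the second hunk now compares a bcrypt hash against the presented plaintext, so it is true on every request and logs "invalid client_secret" at Info even when CompareHashAndPassword succeeds, which makes that log useless for spotting real credential failures. The missing/invalid logging belongs inside the bcrypt failure branch and the plaintext comparison should be dropped. Non-mismatch errors from CompareHashAndPassword (for example a stored secret that is not a bcrypt hash at all) are also returned to the caller as invalid credentials with no server-side log, which hides a misconfiguration from operators; including `err` in the log line fixes that. handleToken starts before this hunk and continues past it.
```go
	// … unchanged: checkCost guard …
	if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
		if clientSecret == "" {
			s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
		} else {
			s.logger.Infof("invalid client_secret on token request for client: %s: %v", client.ID, err)
		}
		s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
		return
	}
```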