use bcrypt when comparing client secrets
- this assumes that the client is already bcrytped when passed to dex. Similar to user passwords. Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Vikram Yadav <vyadav@pivotal.io>
This commit is contained in:
parent
a1adf86e53
commit
ec6f3a2f19
@ -16,6 +16,7 @@ import (
|
|||||||
|
|
||||||
"github.com/coreos/go-oidc/v3/oidc"
|
"github.com/coreos/go-oidc/v3/oidc"
|
||||||
"github.com/gorilla/mux"
|
"github.com/gorilla/mux"
|
||||||
|
"golang.org/x/crypto/bcrypt"
|
||||||
jose "gopkg.in/square/go-jose.v2"
|
jose "gopkg.in/square/go-jose.v2"
|
||||||
|
|
||||||
"github.com/dexidp/dex/connector"
|
"github.com/dexidp/dex/connector"
|
||||||
@ -679,12 +680,21 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
|
|||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if client.Secret != clientSecret {
|
if client.Secret != clientSecret {
|
||||||
if clientSecret == "" {
|
if clientSecret == "" {
|
||||||
s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
|
s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
|
||||||
} else {
|
} else {
|
||||||
s.logger.Infof("invalid client_secret on token request for client: %s", client.ID)
|
s.logger.Infof("invalid client_secret on token request for client: %s", client.ID)
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := checkCost([]byte(client.Secret)); err != nil {
|
||||||
|
s.logger.Errorf("failed to check cost of client secret: %v", err)
|
||||||
|
s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
|
||||||
s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
|
s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
Reference in New Issue
Block a user