diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 39e6c79cfb5..6331b732003 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -183,7 +183,7 @@ private boolean compareCodeVerifierWithChallenge(Client c, String clientCodeVeri
 codeVerifierTransformer = defaultCodeVerifierTransformer;
 }
 String transformedCodeVerifier = codeVerifierTransformer.transformCodeVerifier(clientCodeVerifier);
- return clientCodeChallenge.equals(transformedCodeVerifier);
+ return OAuthUtils.compareTokens(clientCodeChallenge, transformedCodeVerifier);
 }
 
 }
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretHashVerifier.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretHashVerifier.java
index f37cbed6501..9c8cd76aeb0 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretHashVerifier.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretHashVerifier.java
@@ -21,6 +21,7 @@
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.rt.security.crypto.MessageDigestUtils;
 
 /**
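Review bot: The replaced `clientCodeChallenge.equals(transformedCodeVerifier)` threw on a null `clientCodeChallenge` and returned false on a null `transformedCodeVerifier`; the null contract of `OAuthUtils.compareTokens` is not visible in this hunk, so the reject path for a missing challenge or verifier now depends on the helper's body. A guard placed before the new return line, `if (clientCodeChallenge == null || transformedCodeVerifier == null) { return false; }`, keeps the rejection explicit in the grant handler regardless of how the helper treats null. The new call also deserves a one-line intent comment, e.g. `// compare in constant time so the verifier check does not leak timing` (presumably the reason for the switch; confirm against OAuthUtils). compareCodeVerifierWithChallenge begins outside the hunk.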
@@ -31,7 +32,7 @@ public class ClientSecretHashVerifier implements ClientSecretVerifier {
 public boolean validateClientSecret(Client client, String clientSecret) {
 String hash = MessageDigestUtils.generate(StringUtils.toBytesUTF8(clientSecret), hashAlgorithm);
- return hash.equals(client.getClientSecret());
+ return OAuthUtils.compareTokens(hash, client.getClientSecret());
 }
 
 public void setHashAlgorithm(String hashAlgorithm) {
 this.hashAlgorithm = hashAlgorithm;
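Review bot: `validateClientSecret` still hashes `clientSecret` before checking it, and `client.getClientSecret()` is passed to `OAuthUtils.compareTokens` without a null check; the old `hash.equals(null)` returned false for a client registered without a secret, while the helper's behaviour on a null second argument is not visible here. A guard at the top of the method, `if (clientSecret == null || client.getClientSecret() == null) { return false; }`, makes the reject path explicit before any hashing and independent of the helper's null handling. A short comment on the new return, `// constant-time compare of the hashed secret against the stored value` (presumed intent, confirm against OAuthUtils), would record why `equals` was replaced.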