Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync

Use constant time comparison for client secret verification
dexidp · May 17, 2021 · 18d1f70 · 18d1f70
2 parents 283dd89 + fe8085b
commit 18d1f70
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/server/handlers.go b/server/handlers.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -678,7 +679,8 @@ func (s *Server) withClientFromStorage(w http.ResponseWriter, r *http.Request, h
 		}
 		return
 	}
-	if client.Secret != clientSecret {
+
+	if subtle.ConstantTimeCompare([]byte(client.Secret), []byte(clientSecret)) != 1 {
 		if clientSecret == "" {
 			s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
 		} else {

diff --git a/server/server.go b/server/server.go
@@ -204,6 +204,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 	if c.Storage == nil {
 		return nil, errors.New("server: storage cannot be nil")
 	}
+
 	if len(c.SupportedResponseTypes) == 0 {
 		c.SupportedResponseTypes = []string{responseTypeCode}
 	}