Comments (3)
I'm also wondering the same thing. If I'm not mistaken, Spring Boot Security also stores these as plain text (CMIIW). Not sure why. Is it by design? But as you said, RFC 6819 says these credentials need to be hashed or encrypted.
This is the current check:
func (m *Manager) GenerateAccessToken(gt oauth2.GrantType, tgr *oauth2.TokenGenerateRequest) (accessToken oauth2.TokenInfo, err error) {
    cli, err := m.GetClient(tgr.ClientID)
    .....
    } else if tgr.ClientSecret != cli.GetSecret() { // here it is
        err = errors.ErrInvalidClient
        return
    }
    .....
And I have an idea for adding a custom secretHandler to the manager:
type ValidateClientSecretHandler func(rawSecret, hashedSecret string) (isValid bool)
So, we can use it by:
func (m *Manager) GenerateAccessToken(gt oauth2.GrantType, tgr *oauth2.TokenGenerateRequest) (accessToken oauth2.TokenInfo, err error) {
    cli, err := m.GetClient(tgr.ClientID)
    .....
    } else if !m.ValidateClientSecretHandler(tgr.ClientSecret, cli.GetSecret()) { // reject only when the handler reports the secret is NOT valid
        err = errors.ErrInvalidClient
        return
    }
    .....
from oauth2.
You can already do this:
Server already has a method called SetClientInfoHandler.
ClientInfoHandler is this:
ClientInfoHandler func(r *http.Request) (clientID, clientSecret string, err error)
You can implement your own ClientInfoHandler that would return the encrypted secret from the request.
The default handler is this:
func ClientBasicHandler(r *http.Request) (string, string, error) {
    username, password, ok := r.BasicAuth()
    if !ok {
        return "", "", errors.ErrInvalidClient
    }
    return username, password, nil
}
so you can implement your own:
func MyClientBasicHandler(r *http.Request) (string, string, error) {
    username, password, ok := r.BasicAuth()
    if !ok {
        return "", "", errors.ErrInvalidClient
    }
    // MyEncrypter is whatever transform you apply to the presented secret
    return username, MyEncrypter(password), nil
}
// ....
server.SetClientInfoHandler(MyClientBasicHandler)
Good luck
from oauth2.
That doesn't cover everything, unfortunately. For example, bcrypt, which is a good and common choice for hashing passwords, is generally implemented so it doesn't produce a deterministic output; it generates a random salt as part of the algorithm. So you can't reproduce the same hash given the same password (short of trying many times, of course), but have to instead check a password by passing it and the original hash directly to a comparison function.
from oauth2.
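The second comment suggests hashing the presented secret inside a ClientInfoHandler and letting the manager's existing `!=` comparison do the rest; the third comment points out that this cannot work with a salted, non-deterministic hash such as bcrypt. The following is an added example (not code from go-oauth2 or from anyone in the thread) that makes the difference concrete without importing the library. It stores secrets as a random salt plus an HMAC-SHA256 digest, with a fresh salt on every call, so that, like bcrypt, hashing the same secret twice yields two different strings. `TransformApproachWorks` models the ClientInfoHandler suggestion and fails for the correct secret; `VerifySecret` has the compare-against-the-stored-hash shape of bcrypt.CompareHashAndPassword and is the kind of function the ValidateClientSecretHandler proposed in the first comment would point at. The `ValidateClientSecretHandler` type is declared locally to mirror that proposal and is an assumption, not the library's API; the salted HMAC stands in for bcrypt only to keep the example standard-library-only, and for user-chosen secrets a slow hash such as bcrypt or argon2 should be used behind exactly this verify-by-comparison interface.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// ValidateClientSecretHandler mirrors the signature proposed in the thread.
// It is declared here so the example compiles without go-oauth2; it is an
// assumption for this example, not part of the library's API.
type ValidateClientSecretHandler func(rawSecret, storedSecret string) bool

const saltLen = 16

// digest computes HMAC-SHA256 keyed with the per-secret salt.
func digest(salt []byte, secret string) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(secret))
	return mac.Sum(nil)
}

// HashSecret returns "hex(salt)$hex(digest)" with a fresh random salt on each
// call, so two hashes of the same secret differ, just as with bcrypt.
func HashSecret(secret string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return hex.EncodeToString(salt) + "$" + hex.EncodeToString(digest(salt, secret)), nil
}

// VerifySecret extracts the salt from the stored value, recomputes the digest
// for the presented secret and compares in constant time. This is the
// bcrypt.CompareHashAndPassword shape: the stored hash goes in, a bool comes out.
func VerifySecret(rawSecret, stored string) bool {
	saltHex, digestHex, ok := strings.Cut(stored, "$")
	if !ok {
		return false
	}
	salt, err := hex.DecodeString(saltHex)
	if err != nil || len(salt) != saltLen {
		return false
	}
	want, err := hex.DecodeString(digestHex)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(digest(salt, rawSecret), want) == 1
}

// TransformApproachWorks models the ClientInfoHandler suggestion: hash the
// presented secret in the handler and let the manager compare strings with
// != afterwards. With a salted hash the freshly computed value never equals
// the stored one, so the correct secret is rejected.
func TransformApproachWorks(rawSecret, stored string) bool {
	presented, err := HashSecret(rawSecret)
	if err != nil {
		return false
	}
	return presented == stored
}

func main() {
	// Constructed sample: the secret a client would have been issued.
	stored, err := HashSecret("s3cret")
	if err != nil {
		panic(err)
	}
	fmt.Println("transform approach accepts correct secret:", TransformApproachWorks("s3cret", stored))
	var validate ValidateClientSecretHandler = VerifySecret
	fmt.Println("comparator approach accepts correct secret:", validate("s3cret", stored))
	fmt.Println("comparator approach accepts wrong secret:  ", validate("wrong", stored))
}
```

Note that `VerifySecret` uses `subtle.ConstantTimeCompare` rather than the `!=` on strings in the manager's current check; a plain string comparison returns at the first differing byte, which is a timing side channel when the value being compared is a secret. A comparator-style handler is also the only place where the cost of a slow hash is paid once per request, which is what you want for bcrypt or argon2.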
Related Issues (20)
- server support for device code auth flow
- [Question] ed25519 sign method support?
- use base64.RawURLEncoding instead of trimming the padding
- [bug] failed to refresh token
- Does this library support authentication via Google and Facebook?
- When obtaining the token through oauth2 concurrently, only the scope value is different, but the returned token is the same
- Redirect URI is not compared to configured value
- After integrating go-oauth2 into go-zero, how do I validate tokens across services?
- Is it possible to put the client id and client secret in headers instead of query params?
- how to handle concurrency/unique sessions
- Feature Request: use a local time.Now implementation through module to support testing
- GetRedirectURI return sso code url err
- There is no method provided to clean up the specified clientid in the clientstore.
- configuring multiple domains for redirect_uri
- AllowedCodeChallengeMethods is forced to include plain.
- Why must set UserAuthorizationHandler?
- Retrieve the clientID using the token?
- Missing refresh_token in response for client_credentials
- Example doesn't work - access_denied
- Validating redirect_uri via ValidateURIHandler is a bit weird