Skip to content

JdbcRegisteredClientRepository hashes client secret on save #381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

JdbcRegisteredClientRepository hashes client secret on save #381

wants to merge 1 commit into from

Conversation

@ghost
Copy link

@ghost ghost commented Jul 29, 2021

Closes gh-378

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 29, 2021
@ghost
Copy link
Author

ghost commented Jul 29, 2021
edited by ghost
Loading

still in draft as I will rebase it on top of main after the changes done in gh-356 are merged.

@ghost ghost force-pushed the gh-378 branch from f536111 to 3455249 Compare July 30, 2021 06:28
@ghost ghost force-pushed the gh-378 branch from 3455249 to f2fc0dc Compare July 30, 2021 09:53
@ghost ghost marked this pull request as ready for review July 30, 2021 10:01
@jgrandja jgrandja self-assigned this Jul 30, 2021
@jgrandja jgrandja added type: enhancement A general enhancement status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 30, 2021
@jgrandja jgrandja added this to the 0.2.0 milestone Jul 30, 2021
@jgrandja jgrandja changed the title Set PasswordEncoder in RegisteredClientParameters mapper and hash client secret before saving it JdbcRegisteredClientRepository hashes client secret on save Jul 30, 2021
@jgrandja
Copy link
Collaborator

jgrandja commented Jul 30, 2021

Thanks for the PR @ovidiupopa91 ! This is now in main.

@jgrandja jgrandja closed this Jul 30, 2021
@jgrandja
Copy link
Collaborator

jgrandja commented Jul 30, 2021

@ovidiupopa91 I think there may be a double-encoding bug with this update. I decided to merge anyway but can you confirm if there is a bug or not.

In the scenario where an existing client is updated via save(), the client-secret might be double encoded depending on how the backing PasswordEncoder is implemented. This would result in a failed client authentication on a subsequent grant flow. Can you please confirm if this is an issue?

FYI, I'm on PTO all of next week and returning Aug 9 so I'll follow up with you then.

Thanks again for all your help !

@ghost
Copy link
Author

ghost commented Jul 30, 2021
edited by ghost
Loading

Hi @jgrandja . I was thinking about this as well. I will let you know when I have a definitive answer.
Enjoy your time off 😀

@ghost
Copy link
Author

ghost commented Aug 4, 2021
edited by ghost
Loading

Hi @jgrandja . I can confirm that bug is reproducible. I wrote a test

RegisteredClient originalRegisteredClient = TestRegisteredClients.registeredClient().build();
this.registeredClientRepository.save(originalRegisteredClient);
RegisteredClient registeredClient = this.registeredClientRepository.findById(originalRegisteredClient.getId());
assertThat(delegatingPasswordEncoder.matches(originalRegisteredClient.getClientSecret(), registeredClient.getClientSecret())).isTrue();
this.registeredClientRepository.save(registeredClient);
registeredClient = this.registeredClientRepository.findById(originalRegisteredClient.getId());
assertThat(delegatingPasswordEncoder.matches(originalRegisteredClient.getClientSecret(), registeredClient.getClientSecret())).isTrue();

The first assert is passing but the second one is not -> because of the double encoding issue.

The good news is that in the framework, the save method it's only called from OidcClientRegistrationAuthenticationProvider . It is also used in tests and the sample project.

In the OidcClientRegistrationAuthenticationProvider the code looks like this

RegisteredClient registeredClient = create(clientRegistrationAuthentication.getClientRegistration());
this.registeredClientRepository.save(registeredClient);

and the create method is all the time generating a new id -> we will never end up in this particular scenario until the update flow is implemented.

@jgrandja
Copy link
Collaborator

jgrandja commented Aug 9, 2021

Thanks for confirming @ovidiupopa91.

Would you mind creating a new issue for this with the details?

We'll need to have this fixed before we implement gh-355.

@ghost
Copy link
Author

ghost commented Aug 9, 2021

welcome back @jgrandja . Issue created: gh-389

@jgrandja
Copy link
Collaborator

jgrandja commented Aug 9, 2021

Thanks @ovidiupopa91 ! I assigned it to you but this can wait until 0.2.1.

jgrandja added a commit that referenced this pull request Aug 9, 2021
@jgrandja
Polish gh-381
ea7c689
doba16 pushed a commit to doba16/spring-authorization-server that referenced this pull request Apr 21, 2023
@jgrandja
Polish spring-projectsgh-381
c7bd8db
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jgrandja jgrandja

Labels

status: duplicate A duplicate of another issue type: enhancement A general enhancement

Projects

None yet

Milestone

0.2.0

Development

Successfully merging this pull request may close these issues.

Hash RegisteredClient client_secret on save

3 participants

@jgrandja @spring-projects-issues @ovidiupopa07