server/handlers.go · d658c24e8f2dbbf0bda333c88970d66242c13ade · hdacloud / dex

4 years ago

add dex config flag for enabling client secret encryption · d658c24e

Rui Yang authored 4 years ago


* if enabled, it will make sure client secret is bcrypted correctly
* if not, it falls back to old behaviour that allowing empty client
secret and comparing plain text, though now it will do
ConstantTimeCompare to avoid a timing attack.

So in either way it should provide more secure of client secret
verification.

Co-authored-by: Alex Surraci <suraci.alex@gmail.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>

d658c24e

History

add dex config flag for enabling client secret encryption

Rui Yang authored 4 years ago


* if enabled, it will make sure client secret is bcrypted correctly
* if not, it falls back to old behaviour that allowing empty client
secret and comparing plain text, though now it will do
ConstantTimeCompare to avoid a timing attack.

So in either way it should provide more secure of client secret
verification.

Co-authored-by: Alex Surraci <suraci.alex@gmail.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>

Code owners

Assign users and groups as approvers for specific file changes. Learn more.