diff --git a/server/handlers.go b/server/handlers.go
index eb65f490bd8b078517b6e48ebb8ce4d280cfecf3..db835997b10d94e957ba21770127f5134d6a2e7e 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -16,6 +16,7 @@ import (
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/mux"
+	"golang.org/x/crypto/bcrypt"
 	jose "gopkg.in/square/go-jose.v2"
 
 	"github.com/dexidp/dex/connector"
@@ -679,12 +680,21 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 		}
 		return
 	}
+
 	if client.Secret != clientSecret {
 		if clientSecret == "" {
 			s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
 		} else {
 			s.logger.Infof("invalid client_secret on token request for client: %s", client.ID)
 		}
+	}
+
+	if err := checkCost([]byte(client.Secret)); err != nil {
+		s.logger.Errorf("failed to check cost of client secret: %v", err)
+		s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
+		return
+	}
+	if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
 		s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 		return
 	}