Support Secure Hashed Client Secrets in OAuthRegisteredClientsStore #1124
Labels: P3 (nice to haves, rare edge cases), auth, enhancement, help wanted, needs decision, v2
Is your feature request related to a problem? Please describe.

Currently, the OAuthRegisteredClientsStore interface does not support storing hashed client secrets or verifying them using standard password hashing algorithms. As a result, implementations often store client secrets in plaintext and compare them directly. This is not aligned with security best practices and creates a considerable risk if the storage backend is compromised.

Describe the solution you'd like

Add a method such as verifyClientSecret(clientId: string, clientSecret: string): Promise<OAuthClientInformationFull | undefined> to the store interface. This would allow secrets to be stored hashed and checked securely. The client authentication middleware should be refactored to use this method, supporting both new secure storage and legacy plaintext secrets where needed. Documentation or migration guidance should be provided for transitioning existing implementations.

Describe alternatives you've considered

Keep using getClient and maintain direct string comparisons, but this does not mitigate the mentioned security risks.

Additional context

src/server/auth/middleware/clientAuth.ts, src/server/auth/clients.ts
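As an added illustration (not code from this issue or from the SDK), here is a TypeScript sketch of a store that implements the proposed verifyClientSecret method with scrypt-hashed secrets and a constant-time path for legacy plaintext records. The ClientRecord type, the HashedClientsStore class and the "scrypt$salt$hash" storage encoding are assumptions made for the example, not the SDK's own types.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "crypto";

// Hypothetical reduced client record; the SDK's OAuthClientInformationFull has more fields.
interface ClientRecord {
  client_id: string;
  client_secret?: string;       // legacy: plaintext secret, kept only until migrated
  client_secret_hash?: string;  // new: "scrypt$<salt-hex>$<hash-hex>" (assumed encoding)
}

// Hash a secret at registration time: random 16-byte salt, scrypt, 32-byte output.
export function hashClientSecret(secret: string): string {
  const salt = randomBytes(16);
  const hash = scryptSync(secret, salt, 32);
  return `scrypt$${salt.toString("hex")}$${hash.toString("hex")}`;
}

// Recompute the hash with the stored salt and compare in constant time.
// A malformed stored value (wrong algorithm tag, empty or non-hex digest) never verifies.
export function verifyHashedSecret(secret: string, stored: string): boolean {
  const [alg, saltHex, hashHex] = stored.split("$");
  const expected = Buffer.from(hashHex ?? "", "hex");
  if (alg !== "scrypt" || !saltHex || expected.length !== 32) return false;
  const actual = scryptSync(secret, Buffer.from(saltHex, "hex"), 32);
  return timingSafeEqual(actual, expected);
}

export class HashedClientsStore {
  private clients = new Map<string, ClientRecord>();

  register(record: ClientRecord): void {
    this.clients.set(record.client_id, record);
  }

  // Proposed method: the store, not the middleware, decides how a secret is checked,
  // so the middleware never sees a stored secret or hash.
  async verifyClientSecret(clientId: string, clientSecret: string): Promise<ClientRecord | undefined> {
    const client = this.clients.get(clientId);
    if (!client) return undefined;
    if (client.client_secret_hash !== undefined) {
      return verifyHashedSecret(clientSecret, client.client_secret_hash) ? client : undefined;
    }
    if (client.client_secret !== undefined) {
      // Legacy plaintext record: still compare in constant time, not with ===.
      const a = Buffer.from(client.client_secret), b = Buffer.from(clientSecret);
      return a.length === b.length && timingSafeEqual(a, b) ? client : undefined;
    }
    return undefined; // public client with no secret: nothing to verify
  }
}
```

A migration path would re-register legacy clients with client_secret_hash set and client_secret removed, after which the plaintext branch can be deleted.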