feat(oauth2) optionally hash client secret

kong-2.0.2-0.rockspec

@@ -228,6 +228,7 @@ build = {
     ["kong.plugins.oauth2.migrations.003_130_to_140"] = "kong/plugins/oauth2/migrations/003_130_to_140.lua",
     ["kong.plugins.oauth2.migrations.004_200_to_210"] = "kong/plugins/oauth2/migrations/004_200_to_210.lua",
     ["kong.plugins.oauth2.handler"] = "kong/plugins/oauth2/handler.lua",
+    ["kong.plugins.oauth2.secret"] = "kong/plugins/oauth2/secret.lua",
     ["kong.plugins.oauth2.access"] = "kong/plugins/oauth2/access.lua",
     ["kong.plugins.oauth2.schema"] = "kong/plugins/oauth2/schema.lua",
     ["kong.plugins.oauth2.daos"] = "kong/plugins/oauth2/daos.lua",

kong/plugins/oauth2/access.lua

@@ -3,6 +3,7 @@ local utils = require "kong.tools.utils"
 local constants = require "kong.constants"
 local sha256 = require "resty.sha256"
 local timestamp = require "kong.tools.timestamp"
+local secret = require "kong.plugins.oauth2.secret"
 
 
 local kong = kong
@@ -566,17 +567,40 @@ local function issue_token(conf)
     end
 
     if client then
-      if client.client_type == CLIENT_TYPE_CONFIDENTIAL and client.client_secret ~= client_secret then
-        response_params = {
-          [ERROR] = "invalid_client",
-          error_description = "Invalid client authentication"
-        }
-        if from_authorization_header then
-          invalid_client_properties = {
-            status = 401,
-            www_authenticate = "Basic realm=\"OAuth2.0\""
+      if client.client_type == CLIENT_TYPE_CONFIDENTIAL then
+        local authenticated
+        if client.hash_secret then
+          authenticated = secret.verify(client_secret, client.client_secret)
+          if authenticated and secret.needs_rehash(client.client_secret) then
+            local pk = kong.db.oauth2_credentials.schema:extract_pk_values(client)
+            local ok, err = kong.db.oauth2_credentials:update(pk, {
+              client_secret = client_secret,
+              hash_secret   = true,
+            })
+
+            if not ok then
+              kong.log.warn(err)
+            end
+          end
+
+        else
+          authenticated = client.client_secret == client_secret
+        end
+
+        if not authenticated then
+          response_params = {
+            [ERROR] = "invalid_client",
+            error_description = "Invalid client authentication"
           }
+
+          if from_authorization_header then
+            invalid_client_properties = {
+              status = 401,
+              www_authenticate = "Basic realm=\"OAuth2.0\""
+            }
+          end
         end
+
       elseif client.client_type == CLIENT_TYPE_PUBLIC and strip(client_secret) ~= "" then
         response_params = {
           [ERROR] = "invalid_request",

kong/plugins/oauth2/daos.lua

@@ -1,5 +1,9 @@
 local url = require "socket.url"
 local typedefs = require "kong.db.schema.typedefs"
+local secret = require "kong.plugins.oauth2.secret"
+
+
+local assert = assert
 
 
 local function validate_uri(uri)
@@ -28,6 +32,7 @@ local oauth2_credentials = {
     { name = { type = "string", required = true }, },
     { client_id = { type = "string", required = false, unique = true, auto = true }, },
     { client_secret = { type = "string", required = false, auto = true }, },
+    { hash_secret = { type = "boolean", required = true, default = false }, },
     { redirect_uris = {
       type = "array",
       required = false,
@@ -38,6 +43,21 @@ local oauth2_credentials = {
     { tags = typedefs.tags },
     { client_type = { type = "string", required = true, default = "confidential", one_of = { "confidential", "public" }, }, },
   },
+  transformations = {
+    {
+      input = { "hash_secret" },
+      needs = { "client_secret" },
+      on_write = function(hash_secret, client_secret)
+        if not hash_secret then
+          return {}
+        end
+        local hash = assert(secret.hash(client_secret))
+        return {
+          client_secret = hash,
+        }
+      end,
+    },
+  },
 }
 
 

kong/plugins/oauth2/migrations/004_200_to_210.lua

@@ -21,6 +21,13 @@ return {
       EXCEPTION WHEN DUPLICATE_COLUMN THEN
         -- Do nothing, accept existing state
       END$$;
+
+      DO $$
+      BEGIN
+        ALTER TABLE IF EXISTS ONLY oauth2_credentials ADD hash_secret BOOLEAN;
+      EXCEPTION WHEN DUPLICATE_COLUMN THEN
+        -- Do nothing, accept existing state
+      END$$;
     ]],
   },
 
@@ -29,6 +36,7 @@ return {
       ALTER TABLE oauth2_authorization_codes ADD challenge text;
       ALTER TABLE oauth2_authorization_codes ADD challenge_method text;
       ALTER TABLE oauth2_credentials ADD client_type text;
+      ALTER TABLE oauth2_credentials ADD hash_secret boolean;
     ]],
   },
 }