
client secret hashing allows use of the hash value of a hashed secret. #1077

@n2ygk

Describe the bug

You can use the hashed value of a client secret as the secret. This eliminates the protection supposedly afforded by #1020 (storing client secrets as hashes).

To Reproduce

  1. Set up a simple DOT provider as described in the tutorial
  2. Add 'CLIENT_SECRET_HASHER': 'pbkdf2_sha256' to settings.OAUTH2_SETTINGS.
  3. ./manage.py runserver
  4. Go to http://127.0.0.1:8000/admin/oauth2_provider/application/add/ and add a client with:
    • client_id: "hash1"
    • client_secret: "hashed"
    • client_type: public
    • authorization grant type: client credentials
      This will generate a hash like: pbkdf2_sha256$320000$hash2$k1C/17bZRVQGuqpiAF5lR5E9XXt7+/0i5l4QQxdq2uQ=
  5. Use Postman to request a new client credentials token using client_id and secret as above. Confirm it works.
  6. Use Postman with an incorrect secret. Confirm it fails.
  7. Use Postman with the hash string as the client secret. Confirm it works.

Expected behavior

The final step above should fail.

Version

Master at #1020

  • I have tested with the latest published release and it's still a problem.
  • I have tested with the master branch and it's still a problem.

Additional context
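An added illustration of the failure mode this report describes, written for this page and not taken from django-oauth-toolkit: a hypothetical verification routine that keeps a plaintext fallback comparison accepts the stored hash string itself as the credential, while a version that decides the comparison from the layout of the stored value does not, and still accepts a legacy row that holds a plaintext secret. The `pbkdf2_sha256$iterations$salt$base64` layout and the 320000 iteration count follow the hash quoted above; the salt, secret values and all function names are constructed.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 320000  # iteration count taken from the hash quoted in the report


def encode_secret(secret, salt=None, iterations=ITERATIONS):
    """Hash a client secret into 'pbkdf2_sha256$iterations$salt$b64digest'.

    Hypothetical helper mimicking the layout shown in the report; not DOT's code.
    """
    if salt is None:
        salt = secrets.token_urlsafe(12)
    if "$" in salt:
        raise ValueError("salt must not contain the field separator '$'")
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def is_hashed(stored):
    """True when the stored column holds a hash in the expected layout, not a plaintext secret."""
    parts = stored.split("$")
    return len(parts) == 4 and parts[0] == ALGORITHM and parts[1].isdigit()


def check_secret(presented, stored):
    """Recompute the hash of `presented` with the stored parameters and compare in constant time."""
    if not is_hashed(stored):
        return False
    _, iterations, salt, b64digest = stored.split("$")
    expected = base64.b64decode(b64digest)
    actual = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(actual, expected)


def verify_client_secret_vulnerable(presented, stored):
    # Hypothetical reconstruction of the flawed pattern: a plaintext fallback that compares
    # the presented value against the stored column even when the column already holds a
    # hash, so presenting the hash string satisfies the first operand.
    return stored == presented or check_secret(presented, stored)


def verify_client_secret_fixed(presented, stored):
    # Decide which comparison applies from the *stored* value's layout. Once the column
    # holds a hash, only the hash check runs, so the hash string can never be the secret.
    if is_hashed(stored):
        return check_secret(presented, stored)
    # Legacy row that was never re-hashed: constant-time plaintext comparison.
    return hmac.compare_digest(stored.encode(), presented.encode())


def reproduce(secret="hashed", iterations=ITERATIONS):
    """Run the report's three checks (correct secret, wrong secret, hash as secret) against both routines."""
    stored = encode_secret(secret, salt="constructedsalt", iterations=iterations)
    return {
        "vuln_plain": verify_client_secret_vulnerable(secret, stored),
        "vuln_wrong": verify_client_secret_vulnerable("wrong", stored),
        "vuln_hash": verify_client_secret_vulnerable(stored, stored),   # True: the reported bug
        "fixed_plain": verify_client_secret_fixed(secret, stored),
        "fixed_wrong": verify_client_secret_fixed("wrong", stored),
        "fixed_hash": verify_client_secret_fixed(stored, stored),       # False: hash string rejected
        "fixed_legacy": verify_client_secret_fixed("legacy", "legacy"),  # True: plaintext row still works
    }


if __name__ == "__main__":
    for name, outcome in reproduce().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The point of `is_hashed` is that the decision rests on the stored value, never on the presented one: a presented string that happens to look like a hash is just run through PBKDF2 like any other candidate and fails.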
