api: PasswordEncoder honours {noop} for OAuth client secrets#187
Merged
Conversation
EncoderConfig was returning a bare BCryptPasswordEncoder. Spring
Authorization Server uses whatever PasswordEncoder bean it finds in
the application context to verify the client_secret presented at
/oauth2/token; BCryptPasswordEncoder doesn't recognise prefix-id
strings, so a registered client whose secret is stored as
"{noop}<vault-secret>" fails to match against the plain string Vault
sends as Basic-auth password — SAS responds invalid_client and Vault's
UI surfaces "oauth2: invalid_client".
Personal-stack's auth-api uses
PasswordEncoderFactories.createDelegatingPasswordEncoder() with
setDefaultPasswordEncoderForMatches(BCryptPasswordEncoder()) — that's
the canonical pattern that lets {noop}/{bcrypt}/etc. prefixes work
for OAuth clients while still matching the project's existing raw
BCrypt user-password hashes (stored without an "{id}" prefix). Mirror
that here.
No data migration needed: new user passwords will encode with the
"{bcrypt}" prefix going forward; older prefix-less hashes still match
via the fallback encoder.
Fixes the regression that started failing once SAS landed in PR #129.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
EncoderConfigreturned a bareBCryptPasswordEncoder. Spring SAS picks up whateverPasswordEncoderbean exists in the context to validateclient_secretat/oauth2/token. BCrypt doesn't recognise{id}prefixes, so every registered client whose secret is stored as"{noop}<vault-secret>"fails to match against the plain password Vault sends in HTTP Basic. Net effect: SAS respondsinvalid_clientand the Vault UI showsoauth2: "invalid_client"after the OIDC redirect — broken since PR #129 landed SAS.Personal-stack-2 has the canonical fix in
services/auth-api/.../SecurityConfig.kt:120-126:This PR mirrors that.
DelegatingPasswordEncoderhonours{noop}/{bcrypt}/{argon2}/...prefixes for new encodings and prefixed matches;setDefaultPasswordEncoderForMatches(BCryptPasswordEncoder())keeps existing prefix-less bcrypt hashes in theusertable matching on login.Repro / verification
401 {"error":"invalid_client"}400 {"error":"invalid_grant"}(= client auth passes, fake code is rejected correctly).Test plan
/oauth2/tokenreturnsinvalid_grant(notinvalid_client) for a fake code with valid Basic credsv2.esa-blueshell.nl