client_secret_basic fails when client_secret is auto-generated #1419

Closed
leovingi opened this issue May 2, 2019 · 5 comments
Comments

@leovingi

leovingi commented May 2, 2019

Describe the bug
I have 2 clients - one with a client_secret I passed to the registration endpoint and one without. Hydra gives the latter an automatically generated client_secret.
I've gone through the OAuth2 flow with the 2nd client and received a code, but when trying to exchange it for a token, it fails with the message
"crypto/bcrypt: hashedPassword is not the hash of the given password"

If I repeat the same process with the 1st client I set up, it all works fine. Client ID and secret are both percent-encoded, then base64'd; nothing else changes in the process.

I suspect it might have something to do with the characters in the secret, but I'm not sure.

To Reproduce
Steps to reproduce the behavior:

  1. Create a client without a client_secret, get it generated automatically. Set the auth method to client_secret_basic
  2. Go through the authentication flow - /oauth2/auth?client_id=12345&response_type=code&state=.....
  3. Get the code
  4. Try and exchange the code for a token, setting the appropriate Authorization header

Expected behavior
Should receive an access_token, but instead it fails with an error.

Version:

  • Environment: Hydra Binary, Linux 64-bit
  • Version v1.0.0-rc.10
@aeneasr
Member

aeneasr commented May 2, 2019

Please add steps to reproduce this (e.g. CURL, hydra ...). The most likely issue is a wrong secret.

@leovingi
Author

leovingi commented May 2, 2019

Correct me if I'm wrong, but is the secret in the DB encrypted? Because if so, that is definitely the issue.

@aeneasr
Member

aeneasr commented May 2, 2019

It's hashed.

@leovingi
Author

leovingi commented May 2, 2019

Is it mentioned anywhere how it's hashed or how to decrypt it?

@aeneasr
Member

aeneasr commented May 2, 2019

You can not un-hash something. The generated secret is returned in the payload when you create the client.

@aeneasr aeneasr closed this as completed May 2, 2019
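The mechanism discussed in this thread, as an added example that is not part of the issue or of Hydra's own code: the client_secret_basic header is built exactly as the reporter describes (form-urlencode ID and secret, join with a colon, base64), the server keeps only a hash of the secret, and the plaintext is handed out once at registration. Hydra uses bcrypt; the pbkdf2_hmac stand-in here is an assumption made only so the example runs with the Python standard library, and the client ID "12345" and all secrets are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import quote_plus, unquote_plus

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic per RFC 6749 section 2.3.1: form-urlencode the id and
    the secret, join with ':' and base64 the result."""
    cred = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")

def parse_basic_auth_header(header: str) -> Tuple[str, str]:
    """Server side of the same header: base64-decode, split on the first ':',
    undo the form-urlencoding. A secret containing ':' or '%' that was sent
    without percent-encoding gets mangled here and will never verify."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(b64, validate=True).decode("ascii")
    enc_id, sep, enc_secret = raw.partition(":")
    if not sep:
        raise ValueError("credential is missing the ':' separator")
    return unquote_plus(enc_id), unquote_plus(enc_secret)

# Stand-in for the stored bcrypt hash (assumption: pbkdf2_hmac is used only so the
# example has no third-party dependency). Storage format: salt_hex$digest_hex.
def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_secret(stored: str, presented: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    cand = hashlib.pbkdf2_hmac("sha256", presented.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(cand.hex(), digest_hex)  # constant-time compare

def register_client(client_id: str, store: dict, client_secret: Optional[str] = None) -> str:
    """Client creation: generate a secret if none is supplied, store only its hash,
    return the plaintext once. It cannot be recovered from the store afterwards."""
    if client_secret is None:
        client_secret = secrets.token_urlsafe(26)
    store[client_id] = hash_secret(client_secret)
    return client_secret

def token_request_ok(header: str, store: dict) -> bool:
    """Token endpoint check: decode the header, look up the client, verify the
    presented secret against the stored hash (the step that failed in the report)."""
    client_id, presented = parse_basic_auth_header(header)
    stored = store.get(client_id)
    return stored is not None and verify_secret(stored, presented)
```

Presenting the stored hash itself as the secret fails just like any other wrong value, which is why the generated secret has to be captured from the create-client response.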