
ory hydra token handler is failing as the client_secret is compared to a hashed value in Fosite #1580

Closed
ghost opened this issue Sep 25, 2019 · 1 comment

@ghost

ghost commented Sep 25, 2019

Describe the bug

While attempting to retrieve a token I get a 401:

```
HTTP/1.1 401
Content-Type: application/json

{
  "error": "invalid_client",
  "error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)",
  "status_code": 401
}
```

I hunted down the issue to a log entry:

```
ERRO[267507] An error occurred debug="crypto/bcrypt: hashedPassword is not the hash of the given password" description="Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)" error=invalid_client
```

To Reproduce

Steps to reproduce the behavior:

1. Set up in-memory ory/Hydra:

   ```
   go get -d -u github.com/ory/hydra
   cd $GOPATH/src/github.com/ory/hydra
   make init
   export GO111MODULE=on
   ```

   Without database:

   ```
   make quicktest
   ```

   Then run it with in-memory database:

   ```
   DSN=memory go run main.go serve all
   ```

2. Run curl to create a test client (fairly standard) using oidcdebugger.com:

   ```
   curl -X POST \
     https://localhost:4445/clients/ \
     -d '{
       "client_id": "test",
       "client_name": "test",
       "redirect_uris": [ "https://oidcdebugger.com/debug" ],
       "response_types": [ "code", "id_token" ],
       "grant_types": [ "authorization_code", "refresh_token" ],
       "scope": "openid offline",
       "secret": "123456789",
       "token_endpoint_auth_method": "client_secret_post"
     }'
   ```

3. Run a curl to retrieve the token (I realize this is not the OAuth flow, but it triggers the issue):

   ```
   curl -X POST \
     https://localhost:4444/oauth2/token \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     -d 'client_id=test&client_secret=123456789&grant_type=authorization_code&code=WoIv8eHmvndht_r9LrX_Z90lV9Edc5sxMXxDl5tu_-8.6ka2froWG0BzDbvaO5gi71xrEADAYZvjWpZhMfIWqcw&redirect_uri=https%3A%2F%2Fopenidconnect.net%2Fcallback'
   ```

4. At line 203 of client_authentication.go:

   ```go
   // Enforce client authentication
   if err := f.Hasher.Compare(ctx, client.GetHashedSecret(), []byte(clientSecret)); err != nil {
       return nil, errors.WithStack(ErrInvalidClient.WithDebug(err.Error()))
   }
   ```

The hashed secret is retrieved and then compared to the clientSecret (which is not hashed and Hydra doesn't provide the hashed value back - which would defeat the purpose of a hashed password) - and of course this will never work.

Expected behavior

The client_secret passed should be hashed and then compared with the stored hashed password.

Unless I've misconfigured something.

Environment

  • Version: fosite@v0.30.0
  • Environment: tested in Docker (K8S, and OS X)

Additional context

Created as well on the fosite issue tracker, as it is an issue in fosite: ory/fosite#385

@aeneasr
Member

aeneasr commented Sep 26, 2019

Your analysis is incorrect; the code behaves as designed, and the behavior is extremely well tested and even certified.

The reasons we most often see for a secret being wrong are:

  • You're using a client id that has a different secret
  • The secret was generated by hydra because you did not provide a secret
  • You're using a different hydra instance than you think you do
  • You are using special characters that are improperly encoded

I recommend retrying what you're trying to achieve. Also, I'd recommend following the documentation on how to create clients and so on.

@aeneasr aeneasr closed this as completed Sep 26, 2019
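An added illustration, not from the thread or from fosite, of what a `Hasher.Compare(ctx, hashedSecret, plainSecret)` call does with the raw `client_secret`: the stored value carries its own salt, so the compare function re-derives the hash internally, and the caller must not hash the presented secret first. PBKDF2-HMAC-SHA256 from Python's standard library stands in for fosite's bcrypt hasher (an assumption, chosen so the snippet runs offline); the salt-in-stored-value design that matters here is the same, and the `$`-delimited format and `authenticate_client` helper are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for fosite's Hasher. The real implementation is
# bcrypt; PBKDF2-HMAC-SHA256 is used only so this runs without extra
# packages. Shared property: the stored string embeds its own random
# salt, so compare() takes the *plain* secret and re-derives the hash.
ITERATIONS = 100_000  # work factor, the analogue of bcrypt's cost


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


class PBKDF2Hasher:
    def hash(self, secret: bytes) -> str:
        """Hash a client secret at registration time with a fresh salt."""
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
        # constructed format: $alg$iterations$salt$derived_key
        return f"$pbkdf2-sha256${ITERATIONS}${_b64(salt)}${_b64(dk)}"

    def compare(self, hashed: str, secret: bytes) -> None:
        """Mirror of Hasher.Compare(ctx, hashedSecret, plainSecret):
        returns None on a match and raises ValueError otherwise."""
        _, alg, iters, salt_b64, dk_b64 = hashed.split("$")
        if alg != "pbkdf2-sha256":
            raise ValueError("unsupported hash format")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        # re-derive from the plaintext using the salt stored in the hash
        actual = hashlib.pbkdf2_hmac("sha256", secret, salt, int(iters))
        if not hmac.compare_digest(actual, expected):
            raise ValueError("hashedPassword is not the hash of the given password")


def authenticate_client(stored_hashed_secret: str, client_secret: str) -> bool:
    """The check quoted from client_authentication.go, in Python form:
    the raw client_secret from the token request is passed straight in."""
    try:
        PBKDF2Hasher().compare(stored_hashed_secret, client_secret.encode())
        return True
    except ValueError:
        return False
```

Hashing the same secret twice yields two different strings because of the random salt, which is why "hash the input, then compare strings" could never work and why the compare function must receive the plaintext.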