Adding support for hashed client_secrets #1360

markmeeus · 2025-09-29T13:37:22Z

markmeeus
Sep 29, 2025

We are currently migrating from an older oauth implementation to node-oidc-provider.
We have our current clients stored in our backend, but not their client_secrets. In our current implementation we validate the secret against a hashed secret we have in our db.

It looks like it is not supported, but I'm not sure it's by design or not.

I think it could interesting to add an extension point to the Client class where users can implement the hashing function on the client_secret.

   compareClientSecret(actual) {
      actual = instance(provider).configuration.hashClientSecret?.(this, actual) || actual
      return constantEquals(this.clientSecret, actual, 1000);    
    }

If this sounds viable, I'd be happy to provide a PR for it

panva · 2025-09-29T13:40:12Z

panva
Sep 29, 2025
Maintainer

It looks like it is not supported, but I'm not sure it's by design or not.

The compareClientSecret prototype method on a Client already exists and you can overload it. There's no need for more.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Adding support for hashed client_secrets #1360

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

Adding support for hashed client_secrets #1360

Uh oh!

markmeeus Sep 29, 2025

Replies: 1 comment

Uh oh!

Uh oh!

panva Sep 29, 2025 Maintainer

markmeeus
Sep 29, 2025

panva
Sep 29, 2025
Maintainer