bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License

client_secret with password_hash #440

Open ckmaresca opened 10 years ago

ckmaresca commented 10 years ago

I'm trying to understand how to combine password_hash (and password_verify) with client_secret.

I read the discussion about password_hash & user credentials needing to be handled by the application, but the workflow for the client credentials grant type is different and I was wondering what the best way to handle this might be. I don't really want to store client_secret in plain text - in some ways that's worse than storing a password in plaintext...

bshaffer commented 10 years ago

This is a valid concern. However, not storing the client credentials in plaintext means you can never display the client secret to the user after they've created their client.

The client credentials are considered less valuable than a password because 1. They only get sent on calls to retrieve a token, so they are a little more difficult to grab, and 2. They are locked down to a single scope/purpose ideally, so the threat vector is minimized.

However, I agree that it is high time this library supports better out-of-the-box security for user passwords, and at least supports the ability to do the same with the client secret.

In the meantime, you can accomplish the same (or even better) level of security by using JWT bearer instead of client credentials. Only the public key is stored, and the client secret is left empty or never used, so no sensitive credentials exist at all in the database.

ckmaresca commented 10 years ago

Well, my use case is that the client secret is stored in a mobile app, so it's not like we'd ever display it since the only way to 'lose' it is to delete the app.

I don't really want to go down the path of JWT tokens as our workflow is around client secret. What I was asking is that, if you were to implement hashing, where would it be done? Right now, I'm looking at modifying the storage class that we're using, is that a good way to do it?

I would suggest breaking out a class that implements password_hash et al as part of the storage workflow. Then it would be easier to modify the password storage instead of modifying the whole storage class.
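One way to put the hashing into the storage layer as the last comment suggests, as an added example that is not part of oauth2-server-php: a subclass of the library's PDO storage that writes client secrets through password_hash() and checks them with password_verify(). It assumes OAuth2\Storage\Pdo exposes setClientDetails(), getClientDetails() and checkClientCredentials() with the signatures used below; check them against the version you run.

```php
<?php
// Added example, not library code. Client secrets are stored as password_hash()
// digests, so the plaintext can only be shown once, at creation time.
use OAuth2\Storage\Pdo;

class HashedSecretPdoStorage extends Pdo
{
    // Hash on write. A null secret (public client) is passed through unchanged.
    public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null,
                                     $grant_types = null, $scope = null, $user_id = null)
    {
        if ($client_secret !== null && $client_secret !== '') {
            $client_secret = password_hash($client_secret, PASSWORD_DEFAULT);
        }
        return parent::setClientDetails($client_id, $client_secret, $redirect_uri,
                                        $grant_types, $scope, $user_id);
    }

    // Verify on read. password_verify() does the constant-time comparison.
    public function checkClientCredentials($client_id, $client_secret = null)
    {
        $client = $this->getClientDetails($client_id);
        if ($client === false) {
            return false;                       // unknown client_id
        }
        if (empty($client['client_secret'])) {
            // No secret on file: keep the parent's behaviour for public clients.
            return parent::checkClientCredentials($client_id, $client_secret);
        }
        if ($client_secret === null || $client_secret === '') {
            return false;                       // confidential client sent no secret
        }
        $ok = password_verify($client_secret, $client['client_secret']);
        if ($ok && password_needs_rehash($client['client_secret'], PASSWORD_DEFAULT)) {
            // Upgrade the stored hash when the default algorithm/cost changes.
            parent::setClientDetails($client_id, password_hash($client_secret, PASSWORD_DEFAULT),
                                     $client['redirect_uri'], $client['grant_types'],
                                     $client['scope'], $client['user_id']);
        }
        return $ok;
    }
}
```

Register this class as the storage object in place of OAuth2\Storage\Pdo; existing rows that still hold plaintext secrets must be re-issued, since there is no way to hash them in place without the plaintext.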