dxbjavid opened a new pull request, #3170:
URL: https://github.com/apache/cxf/pull/3170

Two token-endpoint checks still compare a client-supplied secret against a server-held value with String.equals. compareCodeVerifierWithChallenge matches the stored PKCE code_challenge against the transformed code_verifier, and with the plain transformer the challenge is the verifier itself, so the secret leaks byte by byte through timing. validateClientSecret in ClientSecretHashVerifier compares the secret hashes the same way. Route both through MessageDigest.isEqual, as the default client-secret check in AbstractTokenService and the OAuth2 token comparisons already do.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
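The pattern the pull request describes, as an added stand-alone example that is not CXF's code and not part of the message above: a PKCE code_challenge check and a hashed client-secret check, each shown in the String.equals form (early exit at the first mismatching byte) and in the MessageDigest.isEqual form (every byte examined). Class and method names are hypothetical; the RFC 7636 transforms (plain, S256) are standard, and the sample verifier is the RFC 7636 Appendix B test vector.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/**
 * Added example, not CXF's code. Names are hypothetical; only the
 * RFC 7636 transforms and java.security APIs are real.
 */
public final class ConstantTimeCompareExample {

    private ConstantTimeCompareExample() {}

    private static byte[] sha256(byte[] input) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** RFC 7636 transform: "plain" returns the verifier unchanged,
     *  "S256" returns BASE64URL(SHA256(ASCII(verifier))) without padding. */
    static String transform(String codeVerifier, String method) {
        if ("plain".equals(method)) {
            return codeVerifier;
        }
        if ("S256".equals(method)) {
            byte[] digest = sha256(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        }
        throw new IllegalArgumentException("unsupported code_challenge_method: " + method);
    }

    /** Before: String.equals returns at the first differing character, so the
     *  time taken depends on the length of the matching prefix. With the
     *  plain transform the compared value is the secret itself. */
    static boolean challengeMatchesLeaky(String storedChallenge, String codeVerifier, String method) {
        return storedChallenge.equals(transform(codeVerifier, method));
    }

    /** After: MessageDigest.isEqual walks every byte regardless of where the
     *  first mismatch sits, so the comparison time does not depend on the
     *  matching prefix. */
    static boolean challengeMatches(String storedChallenge, String codeVerifier, String method) {
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = transform(codeVerifier, method).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    /** Hashed client-secret check, same principle: hash the supplied secret,
     *  then compare the two digests with MessageDigest.isEqual. */
    static boolean secretHashMatches(byte[] storedHash, String suppliedSecret) {
        byte[] suppliedHash = sha256(suppliedSecret.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(storedHash, suppliedHash);
    }

    public static void main(String[] args) {
        // RFC 7636 Appendix B test vector (public, not a real credential).
        String verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String expectedS256 = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";

        String challenge = transform(verifier, "S256");
        System.out.println("S256 challenge matches RFC vector: " + challenge.equals(expectedS256));
        System.out.println("S256, correct verifier:   " + challengeMatches(challenge, verifier, "S256"));
        System.out.println("S256, wrong verifier:     " + challengeMatches(challenge, verifier + "x", "S256"));
        System.out.println("plain, correct verifier:  " + challengeMatches(verifier, verifier, "plain"));
        System.out.println("leaky form, same answer:  " + challengeMatchesLeaky(challenge, verifier, "S256"));

        // Constructed client secret, hashed at registration time.
        byte[] storedHash = sha256("constructed-client-secret".getBytes(StandardCharsets.UTF_8));
        System.out.println("secret hash, correct:     " + secretHashMatches(storedHash, "constructed-client-secret"));
        System.out.println("secret hash, wrong:       " + secretHashMatches(storedHash, "constructed-client-secreT"));
    }
}
```

Both forms return the same boolean for the same inputs; what changes is that the time to produce it no longer depends on how many leading bytes the attacker has guessed correctly. One caveat when relying on MessageDigest.isEqual: it is specified to be constant time over the byte contents, but older JDKs return early when the two arrays differ in length, so the length of the stored value can still be observed. For a PKCE challenge or a fixed-width digest the length is not secret, which is why the comparison belongs on the transformed or hashed value rather than on a raw variable-length secret.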
