Client secret double encoding issue when updating an existing registered client

[ghost]

When an existing client is updated via save(), the client-secret is double encoded.

The client_secret should be checked if its already encoded or not. If its already encoded, it should not be encoded again.

[ghost]

hi @jgrandja . I was on PTO for the past 2 weeks. I am back now, ready for work.

I have one question: is the upgradeEncoding method from the PasswordEncoder enough to check if the presented password should be encoded or not?
As far as I am aware, there's no straightforward way to check if a value is already encoded or not.

[jgrandja]

Hey @ovidiupopa91. I'll get back to you later this week. I'm just in the middle of preparing for our SpringOne presentation. Thanks.

[ghost]

Good luck with your presentation @jgrandja . I am sure it will be great 😃

[jgrandja]

@ovidiupopa91

is the upgradeEncoding method from the PasswordEncoder enough to check if the presented password should be encoded or not?

No, this wouldn't be the method to call to determine if it's encoded.

Take a look at DelegatingPasswordEncoder.encode() as it formats the encoding with a prefix as such:

{bcrypt}$2a$10$x27xSzWVIdmj9bOTHk2STeQCGIiPZ0o2kOX1ewr.aFUOe2ohbnfxa

This indicates that it's bcrypt encoded.

I think we could simply check for { } to determine if it's already encoded.

FYI, I'm on PTO starting tomorrow and returning Sep 15.

Talk to you when I'm back.