providers/oauth2: use compare_digest for client_secret comparison #19979
BeryJu merged 2 commits into goauthentik:main from
Conversation
Replace insecure '!=' comparisons with hmac.compare_digest() to prevent timing attacks on client secret validation. This matches the existing security pattern used elsewhere in the codebase.
@BeryJu Apologies for the excessive opening and closing of PRs! These should have still been in our fork but I fumbled the config!
no worries, I'll re-open them one by one and update/test them before merging @kolega-ai-dev
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main   #19979      +/-   ##
==========================================
- Coverage   93.26%   93.21%   -0.06%
==========================================
  Files         968      968
  Lines       53389    53391       +2
==========================================
- Hits        49794    49767      -27
- Misses       3595     3624      +29
…9979)

* security: use constant-time comparison for client secrets

Replace insecure '!=' comparisons with hmac.compare_digest() to prevent timing attacks on client secret validation. This matches the existing security pattern used elsewhere in the codebase.

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: kolega.dev <faizan@kolega.ai>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
…erry-pick #19979 to version-2025.10) (#19982)

providers/oauth2: use compare_digest for client_secret comparison (#19979)

* security: use constant-time comparison for client secrets

Replace insecure '!=' comparisons with hmac.compare_digest() to prevent timing attacks on client secret validation. This matches the existing security pattern used elsewhere in the codebase.

* format

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Kolega.dev <security@kolega.ai>
Co-authored-by: kolega.dev <faizan@kolega.ai>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
…erry-pick #19979 to version-2025.12) (#19987)

providers/oauth2: use compare_digest for client_secret comparison (#19979)

* security: use constant-time comparison for client secrets

Replace insecure '!=' comparisons with hmac.compare_digest() to prevent timing attacks on client secret validation. This matches the existing security pattern used elsewhere in the codebase.

* format

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Kolega.dev <security@kolega.ai>
Co-authored-by: kolega.dev <faizan@kolega.ai>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* main: (26 commits) providers/saml: auto pull signature algorithm options (#17614) core, web: bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /packages/prettier-config (#19990) web: bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /web (#19989) stages/authenticator_webauthn: fix double JSON encoding of webauthn options (#19952) core: bump django from 5.2.10 to 5.2.11 (#19988) ci: allow setting assignee to fail (#19985) root: revert enterprise loading behaviour (#19485) web/flows: update flow background (#19974) providers/oauth2: use compare_digest for client_secret comparison (#19979) recovery: consume token in transaction (#19967) core: ask for token duration on recovery link/email by admin (#19875) core: bump aws-cdk-lib from 2.236.0 to 2.237.0 (#19958) web: bump the storybook group across 1 directory with 5 updates (#19960) core: bump library/nginx from `c881927` to `7fe5dda` in /website (#19961) core: bump gunicorn from 25.0.0 to 25.0.1 (#19959) core: bump goauthentik.io/api/v3 to 3.2026.2.0-rc1-1770129730 (#19973) lifecycle: bump shm size (#19369) crypto: Add ED25519 and ED448 support to the certificate builder (#19465) web/admin: Register stage elements. Fix linter warnings (#19948) web: bump knip from 5.82.1 to 5.83.0 in /web (#19962) ...
Vulnerability identified and fix provided by Kolega.dev
Location
authentik/providers/oauth2/views/token.py:166
Vulnerability
Line 166 uses '!=' for client secret comparison: 'self.provider.client_secret != self.client_secret'. This is a timing-unsafe comparison that could theoretically leak information about the secret through timing analysis. The codebase correctly uses hmac.compare_digest() elsewhere (authentication.py lines 37, 141, 150) for similar sensitive comparisons, demonstrating awareness of this issue. Additionally, utils.py line 209 has the same problem in authenticate_provider(). While practical exploitation requires many requests and precise timing measurements (making it difficult over network), this is a confirmed vulnerability that violates security best practices. The fix is trivial: import compare_digest from hmac and use 'not compare_digest(self.provider.client_secret, self.client_secret)'. Client secrets are 128-character random strings, making timing attacks harder but not impossible.
Fix
Replaced insecure '!=' comparisons with hmac.compare_digest() in both token.py and utils.py to prevent timing attacks on client secret validation. This matches the existing secure pattern already used in authentication.py throughout the codebase.
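The before/after pattern the report describes, as an added example that is not authentik's code and not part of this PR. The `Provider` dataclass, the `PROVIDERS` lookup table, the 128-character `SAMPLE_SECRET` and the function names `matches_unsafe`, `client_secret_matches` and `authenticate_provider` are all constructed here to stand in for the real token-endpoint check. It goes slightly beyond the page in two ways: it normalises both sides to bytes (because `hmac.compare_digest` rejects mixed str/bytes and non-ASCII str), and it compares against a same-length dummy secret when the `client_id` is unknown, so a lookup miss and a wrong secret take the same path.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass

# Constructed sample data: one provider record and a 128-character secret,
# standing in for the authentik OAuth2 provider model (hypothetical shape).
SAMPLE_SECRET = "a" * 64 + "b" * 64

# Same-length dummy used when the client_id is unknown, so the comparison
# step runs regardless of whether the lookup succeeded.
DUMMY_SECRET = "0" * 128


@dataclass(frozen=True)
class Provider:
    client_id: str
    client_secret: str


PROVIDERS = {"demo-client": Provider("demo-client", SAMPLE_SECRET)}


def matches_unsafe(expected: str, provided: str) -> bool:
    """The 'before' pattern: '!=' stops at the first differing character,
    so elapsed time depends on how long the matching prefix is."""
    return not (expected != provided)


def client_secret_matches(expected: str | None, provided: str | None) -> bool:
    """The 'after' pattern: constant-time comparison via hmac.compare_digest.

    Missing or empty values are rejected before comparing, because
    compare_digest accepts neither None nor mixed str/bytes arguments.
    Encoding both sides to bytes also sidesteps its ASCII-only rule for str.
    """
    if not expected or not provided:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8"))


def authenticate_provider(client_id: str, client_secret: str | None) -> Provider | None:
    """Hypothetical stand-in for a token-endpoint client check: look the
    provider up by client_id, then verify the secret in constant time.

    An unknown client_id still performs a comparison (against DUMMY_SECRET)
    so 'no such client' and 'wrong secret' follow the same code path."""
    provider = PROVIDERS.get(client_id)
    expected = provider.client_secret if provider is not None else DUMMY_SECRET
    ok = client_secret_matches(expected, client_secret)
    return provider if (provider is not None and ok) else None


def mixed_types_rejected() -> bool:
    """Shows why client_secret_matches normalises to bytes: compare_digest
    raises TypeError for str-vs-bytes and for non-ASCII str arguments."""
    try:
        hmac.compare_digest("secret", b"secret")
    except TypeError:
        pass
    else:
        return False
    try:
        hmac.compare_digest("sécret", "sécret")
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    assert authenticate_provider("demo-client", SAMPLE_SECRET) is not None
    assert authenticate_provider("demo-client", SAMPLE_SECRET[:-1] + "x") is None
    assert authenticate_provider("no-such-client", SAMPLE_SECRET) is None
    print("constant-time client_secret checks OK")
```

The length check inside `compare_digest` means a provided value of the wrong length is rejected without leaking how many leading characters matched; rejecting empty values up front keeps a provider configured without a secret (a public client) from authenticating with an empty string.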