Support for specifying client secret hasher

Author: Matej Spiller Muys

AUTHORS

@@ -86,6 +86,7 @@ Ludwig Hähne
 Łukasz Skarżyński
 Madison Swain-Bowden
 Marcus Sonestedt
+Matej Spiller Muys
 Matias Seniquiel
 Michael Howitz
 Owen Gong

CHANGELOG.md

@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 <!--
 ## [unreleased]
 ### Added
+* Support for specifying client secret hasher via CLIENT_SECRET_HASHER setting.
 ### Changed
 ### Deprecated
 ### Removed

docs/settings.rst

@@ -104,6 +104,10 @@ CLIENT_SECRET_GENERATOR_LENGTH
 The length of the generated secrets, in characters. If this value is too low,
 secrets may become subject to bruteforce guessing.
 
+CLIENT_SECRET_HASHER
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The hasher for storing generated secrets. By default library will use the first hasher in PASSWORD_HASHERS.
+
 EXTRA_SERVER_KWARGS
 ~~~~~~~~~~~~~~~~~~~
 A dictionary to be passed to oauthlib's Server class. Three options

oauth2_provider/models.py

@@ -40,7 +40,7 @@ def pre_save(self, model_instance, add):
             logger.debug(f"{model_instance}: {self.attname} is already hashed with {hasher}.")
         except ValueError:
             logger.debug(f"{model_instance}: {self.attname} is not hashed; hashing it now.")
-            hashed_secret = make_password(secret)
+            hashed_secret = make_password(secret, hasher=oauth2_settings.CLIENT_SECRET_HASHER)
             setattr(model_instance, self.attname, hashed_secret)
             return hashed_secret
         return super().pre_save(model_instance, add)

oauth2_provider/settings.py

@@ -37,6 +37,7 @@
     "CLIENT_ID_GENERATOR_CLASS": "oauth2_provider.generators.ClientIdGenerator",
     "CLIENT_SECRET_GENERATOR_CLASS": "oauth2_provider.generators.ClientSecretGenerator",
     "CLIENT_SECRET_GENERATOR_LENGTH": 128,
+    "CLIENT_SECRET_HASHER": "default",
     "ACCESS_TOKEN_GENERATOR": None,
     "REFRESH_TOKEN_GENERATOR": None,
     "EXTRA_SERVER_KWARGS": {},

pyproject.toml

@@ -62,6 +62,7 @@ omit = ["*/migrations/*"]
 show_missing = true
 
 [tool.pytest.ini_options]
+DJANGO_SETTINGS_MODULE = "tests.settings"
 django_find_project = false
 addopts = [
     "--cov=oauth2_provider",

tests/custom_hasher.py

@@ -0,0 +1,10 @@
+from django.contrib.auth.hashers import PBKDF2PasswordHasher
+
+
+class MyPBKDF2PasswordHasher(PBKDF2PasswordHasher):
+    """
+    A subclass of PBKDF2PasswordHasher that uses less iterations.
+    """
+
+    algorithm = "fast_pbkdf2"
+    iterations = 10000

tests/settings.py

@@ -89,6 +89,15 @@
     "tests",
 )
 
+PASSWORD_HASHERS = [
+    "django.contrib.auth.hashers.PBKDF2PasswordHasher",
+    "django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher",
+    "django.contrib.auth.hashers.Argon2PasswordHasher",
+    "django.contrib.auth.hashers.BCryptSHA256PasswordHasher",
+    "django.contrib.auth.hashers.ScryptPasswordHasher",
+    "tests.custom_hasher.MyPBKDF2PasswordHasher",
+]
+
 LOGGING = {
     "version": 1,
     "disable_existing_loggers": False,

tests/test_models.py

@@ -72,6 +72,24 @@ def test_hashed_secret(self):
         self.assertNotEqual(app.client_secret, CLEARTEXT_SECRET)
         self.assertTrue(check_password(CLEARTEXT_SECRET, app.client_secret))
 
+
+    @override_settings(OAUTH2_PROVIDER={"CLIENT_SECRET_HASHER": "fast_pbkdf2"})
+    def test_hashed_from_settings(self):
+        app = Application.objects.create(
+            name="test_app",
+            redirect_uris="http://localhost http://example.com http://example.org",
+            user=self.user,
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            client_secret=CLEARTEXT_SECRET,
+            hash_client_secret=True,
+        )
+
+        self.assertNotEqual(app.client_secret, CLEARTEXT_SECRET)
+        self.assertIn("fast_pbkdf2", app.client_secret)
+        self.assertTrue(check_password(CLEARTEXT_SECRET, app.client_secret))
+
+
     def test_unhashed_secret(self):
         app = Application.objects.create(
             name="test_app",