Store client secret hashed in persistent store

[legal-spot]

Hello, I have correctly implemented RedisStore for OAuth2 server implementation based on this library. However, checking Redis, I noticed the client_id and secrets are being stored in plain text. How can I force the library to store secrets securely (by hashing them with an algorithm such as SHA-1, SHA-256, Bcrypt, etc?

[om26er]

is there an interface that I could implement to check the secret that the client sends ? Right now it has to be saved as plain text and that's not ideal

[strowk]

Hey, I have added a library to make this a bit simpler - https://github.com/strowk/go-oauth2-hashed

It will use Bcrypt by default, but you can use any hashing so long as it can be implemented as:

type Hasher interface {
	Hash(password string) (string, error)
	Verify(hashedPassword, password string) error
}

There is an example of using this with Postgres store, but in principle it can work with any store that has something like Create(info oauth2.ClientInfo) error method.

[strowk]

After some thinking, I feel like it makes sense to have this directly in lib, then if stores support new interface, it would be a lot easier to use in general.

Made a PR: #284