From 950a493dc44c12624770729fb642767b2e751615 Mon Sep 17 00:00:00 2001
From: Simon Bihel
Date: Sat, 19 Feb 2022 14:45:49 +0000
Subject: [PATCH] Use cryptographically secure client secrets
---
 src/oidc.rs | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/oidc.rs b/src/oidc.rs
index 664d738..44bc7d9 100644
--- a/src/oidc.rs
+++ b/src/oidc.rs
@@ -540,7 +540,11 @@ pub async fn register(
 db_client: &DBClientType,
 ) -> Result {
 let id = Uuid::new_v4();
- let secret = Uuid::new_v4();
+ let secret: String = rand::thread_rng() .sample_iter(&Alphanumeric) .take(16) .map(char::from) .collect();
 let redirect_uris = payload.redirect_uris().to_vec();
 for uri in redirect_uris.iter() {
@@ -560,7 +564,7 @@ pub async fn register(
 );
 let entry = ClientEntry {
- secret: secret.to_string(),
+ secret: secret.clone(),
 metadata: payload,
 access_token: Some(access_token.clone()),
 };
@@ -572,7 +576,7 @@ pub async fn register(
 EmptyAdditionalClientMetadata::default(),
 EmptyAdditionalClientRegistrationResponse::default(),
 )
- .set_client_secret(Some(ClientSecret::new(secret.to_string())))
+ .set_client_secret(Some(ClientSecret::new(secret)))
 .set_registration_client_uri(Some(ClientConfigUrl::from_url(
 base_url
 .join(&format!("{}/{}", CLIENT_PATH, id))
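Review bot: The `.take(16)` in the first hunk makes the new secret weaker than the one it replaces: sixteen `Alphanumeric` characters give 62^16 ≈ 2^95 possibilities, whereas a v4 UUID carries 122 random bits, so despite the subject line the client secret's guessing resistance drops below the 2^-128 bound RFC 6749 §10.10 requires for client credentials. `rand::thread_rng()` is a CSPRNG in current `rand` releases, so the source is fine; the length is the problem. Lift the count into a documented constant and raise it, e.g. `const CLIENT_SECRET_LEN: usize = 32; // 62^32 ≈ 2^190, well above RFC 6749 §10.10's 2^128` and `.take(CLIENT_SECRET_LEN)`. No `use` line for `Alphanumeric` or the `Rng` trait appears in the diffstat, so presumably both are already imported in src/oidc.rs; worth confirming. The second and third hunks only consume the same `secret`, and `register` begins and ends outside these hunks.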