
Fix dynamic client registration returning hashed secret when hash_application_secrets is enabled #237

Merged: nbulaj merged 1 commit into master from copilot/fix-dynamic-client-registration, Mar 16, 2026

Copilot AI commented Mar 16, 2026


When Doorkeeper's hash_application_secrets is enabled, the dynamic client registration endpoint was returning the BCrypt hash instead of the plaintext secret, making the registered client unusable.

Changes

  • Controller: Use plaintext_secret || secret in registration_response. plaintext_secret is populated by Doorkeeper on the in-memory object immediately after create!, before the secret is hashed and persisted. Falls back to secret when hashing is disabled.
  • Spec: Updated assertion to match.

```ruby
# Before
client_secret: doorkeeper_application.secret,

# After
client_secret: doorkeeper_application.plaintext_secret || doorkeeper_application.secret,
```

This mirrors the fix Doorkeeper applied to its own UI flow in #1246.

Original prompt

This section details the original issue you should resolve

<issue_title>Dynamic client registration broken with hash_application_secrets</issue_title>
<issue_description>Hey! I ran into an issue where dynamic client registration returns the hashed secret instead of the plaintext when hash_application_secrets is enabled in Doorkeeper.

This should probably be:

client_secret: doorkeeper_application.plaintext_secret || doorkeeper_application.secret,

Same issue was fixed for the UI flow back in 2019: doorkeeper-gem/doorkeeper#1246

Happy to submit a PR if this looks right to you!
</issue_description>

<agent_instructions>Can you analyze the issue and prepare a fix? </agent_instructions>

Comments on the Issue (you are @copilot in this section)

@nbulaj Hello @lionelvoser. True! PR is very welcome, thanks! 🙇


Copilot AI changed the title from "[WIP] Fix dynamic client registration to return plaintext secret" to "Fix dynamic client registration returning hashed secret when hash_application_secrets is enabled" Mar 16, 2026
Copilot AI requested a review from nbulaj March 16, 2026 09:05
@nbulaj nbulaj marked this pull request as ready for review March 16, 2026 09:07

@nbulaj nbulaj left a comment

LGTM

@nbulaj nbulaj force-pushed the copilot/fix-dynamic-client-registration branch from 6bde945 to 0799451 Compare March 16, 2026 09:10
@nbulaj nbulaj merged commit 4fb99ad into master Mar 16, 2026
44 checks passed
@nbulaj nbulaj deleted the copilot/fix-dynamic-client-registration branch March 16, 2026 09:17
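
The behaviour this PR fixes, as an added example that is not part of the pull request or of Doorkeeper's code: a self-contained Ruby model in which `DemoApplication`, `store`, `registration_response_before` and `registration_response_after` are hypothetical names, and SHA-256 from the standard library stands in for the BCrypt hashing mentioned above. It checks each registration response against the persisted record, and shows that the plaintext is no longer available once the record is reloaded.

```ruby
require "digest"
require "securerandom"
# Hypothetical stand-in for an application record; not Doorkeeper's own class.
class DemoApplication
  attr_reader :uid, :secret, :plaintext_secret
  def initialize(uid, secret, hashed, plaintext_secret = nil)
    @uid, @secret, @hashed, @plaintext_secret = uid, secret, hashed, plaintext_secret
  end

  # Models create!: with hashing on, only the digest is stored; the plaintext lives on the returned object.
  def self.create!(store, hash_secrets:)
    uid, plain = SecureRandom.hex(16), SecureRandom.hex(32)
    stored = hash_secrets ? Digest::SHA256.hexdigest(plain) : plain
    store[uid] = [stored, hash_secrets]
    new(uid, stored, hash_secrets, hash_secrets ? plain : nil)
  end

  # Models a later lookup: the store never held the plaintext.
  def self.find(store, uid)
    new(uid, *store.fetch(uid))
  end

  # Client authentication: hash the presented value if hashing is on, then compare every byte (no early exit).
  def secret_matches?(presented)
    candidate = @hashed ? Digest::SHA256.hexdigest(presented) : presented
    return false unless candidate.bytesize == secret.bytesize
    candidate.bytes.zip(secret.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Before the fix: returns the stored value, which is the digest when hashing is on.
def registration_response_before(app)
  { client_id: app.uid, client_secret: app.secret }
end

# After the fix, as in the PR: in-memory plaintext first, stored secret as fallback.
def registration_response_after(app)
  { client_id: app.uid, client_secret: app.plaintext_secret || app.secret }
end

# Registers a client, then checks each response's secret against the stored record.
def demo(hash_secrets)
  store = {}
  app = DemoApplication.create!(store, hash_secrets: hash_secrets)
  reloaded = DemoApplication.find(store, app.uid)
  { before_usable: reloaded.secret_matches?(registration_response_before(app)[:client_secret]),
    after_usable: reloaded.secret_matches?(registration_response_after(app)[:client_secret]),
    plaintext_after_reload: reloaded.plaintext_secret }
end
```

Because the reloaded record carries no plaintext, the registration response is the only point at which the client can receive a working secret when hashing is enabled.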
Successfully merging this pull request may close these issues.

Dynamic client registration broken with hash_application_secrets
