
oidc-provider.util

Shared utility functions for the OIDC provider.

Includes constant-time-eq? for timing-safe string comparison, and hash-client-secret / verify-client-secret for PBKDF2-based client secret hashing suitable for production deployments.

constant-time-eq? (clj)

(constant-time-eq? a b)

Compares two strings in constant time using MessageDigest/isEqual to prevent timing side-channel attacks.

generate-client-id (clj)

(generate-client-id)

Generates a unique client identifier as a random UUID string.

generate-client-secret (clj)

(generate-client-secret)

Generates a cryptographically random client secret suitable for OAuth2 confidential clients.

Delegates to the Nimbus SDK Secret class, which produces a 256-bit SecureRandom base64url-encoded value. Integrators building admin APIs can use this to create client secrets that are consistent with those issued by oidc-provider.registration/handle-registration-request.

hash-client-secret (clj)

(hash-client-secret secret)

Hashes a client secret using PBKDF2WithHmacSHA256 with a random 160-bit salt and 310,000 iterations per OWASP recommendations.

Returns an encoded string in the format algorithm:iterations:salt:hash where binary values are base64-encoded. Use verify-client-secret to check a plaintext secret against the returned hash.

verify-client-secret (clj)

(verify-client-secret secret hashed)

Verifies a plaintext secret against a hashed string produced by hash-client-secret.

Parses the encoded algorithm:iterations:salt:hash format, re-derives the key with the same parameters, and compares in constant time. Returns true if the secret matches, false otherwise.

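The following is an added example, not code from oidc-provider itself, that re-implements the contract documented above for constant-time-eq?, hash-client-secret and verify-client-secret using only JDK classes, so the round trip can be tried in a REPL without the library. The documented parameters are used as stated (PBKDF2WithHmacSHA256, a 160-bit random salt, 310,000 iterations, algorithm:iterations:salt:hash with base64 fields). The derived-key length (256 bits) and the choice of standard rather than URL-safe base64 are assumptions; the page does not state them, and the real library may differ.

```clojure
(ns example.client-secret
  "Added illustration of the documented scheme; not oidc-provider's own code."
  (:require [clojure.string :as str])
  (:import [java.security MessageDigest SecureRandom]
           [java.util Base64]
           [javax.crypto SecretKeyFactory]
           [javax.crypto.spec PBEKeySpec]))

(def ^:private algorithm "PBKDF2WithHmacSHA256") ; as documented
(def ^:private iterations 310000)                ; as documented (OWASP figure)
(def ^:private salt-bytes 20)                    ; 160-bit salt, as documented
(def ^:private key-bits 256)                     ; ASSUMED output length, not stated on the page

(defn constant-time-eq?
  "True when a and b hold the same bytes, compared with MessageDigest/isEqual
   so the comparison time does not depend on where the first mismatch is."
  [^String a ^String b]
  (boolean
   (and a b
        (MessageDigest/isEqual (.getBytes a "UTF-8") (.getBytes b "UTF-8")))))

(defn- b64-encode [^bytes bs] (.encodeToString (Base64/getEncoder) bs))
(defn- b64-decode [^String s] (.decode (Base64/getDecoder) s))

(defn- derive-key
  "Runs PBKDF2 over the secret with the given salt and iteration count."
  ^bytes [^String secret ^bytes salt ^long iters]
  (let [spec    (PBEKeySpec. (.toCharArray secret) salt iters key-bits)
        factory (SecretKeyFactory/getInstance algorithm)]
    (try
      (.getEncoded (.generateSecret factory spec))
      (finally
        ;; Wipe the password copy held inside the spec once the key is derived.
        (.clearPassword spec)))))

(defn hash-client-secret
  "Returns algorithm:iterations:salt:hash with a fresh random salt."
  [^String secret]
  (let [salt (byte-array salt-bytes)]
    (.nextBytes (SecureRandom.) salt)
    (str algorithm ":" iterations ":"
         (b64-encode salt) ":"
         (b64-encode (derive-key secret salt iterations)))))

(defn verify-client-secret
  "Re-derives the key with the parameters stored in `hashed` and compares the
   result to the stored hash in constant time. Any malformed record verifies
   as false rather than throwing."
  [^String secret ^String hashed]
  (let [[alg iters salt hash :as parts] (str/split (or hashed "") #":" 4)]
    (if (or (not= 4 (count parts)) (not= alg algorithm))
      false
      (try
        (let [expected  (b64-decode hash)
              candidate (derive-key secret (b64-decode salt) (Long/parseLong iters))]
          (MessageDigest/isEqual candidate expected))
        ;; Covers bad base64 and a non-numeric iteration field (NumberFormatException
        ;; is a subclass of IllegalArgumentException).
        (catch IllegalArgumentException _ false)))))

(comment
  ;; Constructed sample values for a REPL session.
  (def stored (hash-client-secret "correct-horse-battery-staple"))
  (verify-client-secret "correct-horse-battery-staple" stored) ; => true
  (verify-client-secret "wrong-secret" stored)                 ; => false
  (verify-client-secret "anything" "garbage")                  ; => false
  (constant-time-eq? "abc" "abc")                              ; => true
  (constant-time-eq? "abc" "abd"))                             ; => false
```

Two points worth keeping in mind when using a scheme like this. MessageDigest/isEqual returns false immediately when the two inputs differ in length, so it only hides the position of the first differing byte; that is sufficient here because every PBKDF2 output of a given algorithm and key length has the same size. And because verification honours the iteration count embedded in the record, the record must come from your own trusted store; a hash record is not something to accept from a client.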
