From d34e84149e1ad683ec7b0b4cd1cdb3cc8cf4cc55 Mon Sep 17 00:00:00 2001
From: rp8
Date: Mon, 5 Jul 2021 13:35:27 -0500
Subject: [PATCH] fixed the bug to compare client secrets when refreshing token

---
 .gitignore        | 2 ++
 manage/manager.go | 4 ++++
 server/server.go  | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 562f0b9..2a8538b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,8 @@ _testmain.go
 *.test
 *.prof
 
+coverage.txt
+
 # OSX
 *.DS_Store
 *.db
diff --git a/manage/manager.go b/manage/manager.go
index 26ba2b0..8240c52 100755
--- a/manage/manager.go
+++ b/manage/manager.go
@@ -363,6 +363,10 @@ func (m *Manager) RefreshAccessToken(ctx context.Context, tgr *oauth2.TokenGener
 	cli, err := m.GetClient(ctx, tgr.ClientID)
 	if err != nil {
 		return nil, err
+	} else if cliPass, ok := cli.(oauth2.ClientPasswordVerifier); ok {
+		if !cliPass.VerifyPassword(tgr.ClientSecret) {
+			return nil, errors.ErrInvalidClient
+		}
 	} else if tgr.ClientSecret != cli.GetSecret() {
 		return nil, errors.ErrInvalidClient
 	}
diff --git a/server/server.go b/server/server.go
index ca5c861..e10efad 100755
--- a/server/server.go
+++ b/server/server.go
@@ -240,7 +240,7 @@ func (s *Server) GetAuthorizeToken(ctx context.Context, req *AuthorizeRequest) (
 		}
 	}
 
-	tgr := &oauth2.TokenGenerateRequest{
+	tgr = &oauth2.TokenGenerateRequest{
 		ClientID:    req.ClientID,
 		UserID:      req.UserID,
 		RedirectURI: req.RedirectURI,
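Review bot: The fallback branch that the new `else if` chain leads into still compares the client secret with `!=`, a non-constant-time string comparison; switching it to `} else if subtle.ConstantTimeCompare([]byte(tgr.ClientSecret), []byte(cli.GetSecret())) != 1 {` (importing `crypto/subtle`, whose import block is outside this hunk) removes the timing side channel for clients that do not implement `oauth2.ClientPasswordVerifier`. Whether `VerifyPassword` itself compares in constant time is down to each implementation and cannot be seen here; a doc comment on the `ClientPasswordVerifier` interface stating that expectation would make the contract explicit. Stylistically, the verifier check is chained as an `else if` onto the `if err != nil { return nil, err }` guard; dropping the `else` after the terminating return keeps the happy path left-aligned. `RefreshAccessToken` starts before and continues after the hunk.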