BCrypt hashed passwords and secrets have 72 character limit

BCrypt hashed passwords and secrets have a 72 character limit. This is a limitation of the BCrypt algorithm and the Golang BCrypt library.

OAuth 2.0 Client Secret BCrypt Length

When using BCrypt as the OAuth 2.0 Client Secrets hashing algorithm, the length of the secret is limited to 72 characters. BCrypt has, by design, a maximum password length. The Golang BCrypt library has a maximum password length of 73 bytes. Any password longer will be "truncated":

ory create oauth2-client \
  --secret 525348e77144a9cee9a7471a8b67c50ea85b9e3eb377a3c1a3a23db88f9150eefe76e6a339fdbc62b817595f53d72549d9ebe36438f8c2619846b963e9f43a94 \
  --endpoint http://localhost:4445 \
  --token-endpoint-auth-method client_secret_post \
  --grant-type client_credentials

ory perform client-credentials --client-id <the-client-id> \
  --client-secret 525348e77144a9cee9a7471a8b67c50ea85b9e3eb377a3c1a3a23db88f9150eefe76e6a3 \
  --endpoint http://localhost:4444

For more information on this topic we recommend reading:

• Does bcrypt have a maximum password length?
• Pre-hash password before applying bcrypt to avoid restricting password length

Ory Identities

Ory Identities uses BCrypt to hash user passwords. Therefore, the same limitation applies to Ory Identities.