diff --git a/core/src/main/java/org/keycloak/jose/jws/crypto/HMACProvider.java b/core/src/main/java/org/keycloak/jose/jws/crypto/HMACProvider.java
index c2ebc26dbf..4a97d7343a 100755
--- a/core/src/main/java/org/keycloak/jose/jws/crypto/HMACProvider.java
+++ b/core/src/main/java/org/keycloak/jose/jws/crypto/HMACProvider.java
@@ -25,6 +25,7 @@ import org.keycloak.jose.jws.JWSInput;
 import javax.crypto.Mac;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 
 /**
@@ -81,8 +82,7 @@ public class HMACProvider implements SignatureProvider {
     public static boolean verify(JWSInput input, SecretKey key) {
         try {
             byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), key);
-            String x = Base64Url.encode(signature);
-            return x.equals(input.getEncodedSignature());
+            return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature()));
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
@@ -92,8 +92,7 @@ public class HMACProvider implements SignatureProvider {
     public static boolean verify(JWSInput input, byte[] sharedSecret) {
         try {
             byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), sharedSecret);
-            String x = Base64Url.encode(signature);
-            return x.equals(input.getEncodedSignature());
+            return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature()));
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
diff --git a/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java b/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java
index e343823f6a..ef11479e5e 100755
--- a/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java
+++ b/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java
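Review bot: The new return in `verify(JWSInput, SecretKey)` decodes the presented signature before comparing, so a token whose signature segment is absent or not valid base64url would, if `Base64Url.decode` throws on such input, surface as the `RuntimeException` rethrown by the catch block instead of the `false` that the old `x.equals(...)` produced for a null or garbage value. Verification of untrusted input should fail closed with `false` rather than propagate an exception; a guard such as `String encoded = input.getEncodedSignature(); if (encoded == null) { return false; }` before the `isEqual` call, with a decode failure handled the same way, restores that. The same applies to the `verify(JWSInput, byte[])` overload in the next hunk. `MessageDigest.isEqual` returns early when the two lengths differ, which is acceptable here because the MAC length is fixed by the algorithm, but that reasoning deserves a comment on the line: `// constant-time compare; a length mismatch reveals nothing secret (length is fixed by alg)`.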
@@ -28,6 +28,7 @@ import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 
+import java.security.MessageDigest;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -252,7 +253,7 @@ public class ClientSessionCode {
 
             clientSession.removeNote(ACTIVE_CODE);
 
-            return code.equals(activeCode);
+            return MessageDigest.isEqual(code.getBytes(), activeCode.getBytes());
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
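Review bot: `code.getBytes()` and `activeCode.getBytes()` on the new return line use the platform default charset; prefer `code.getBytes(StandardCharsets.UTF_8)` and `activeCode.getBytes(StandardCharsets.UTF_8)` so the comparison does not depend on JVM configuration (this needs `import java.nio.charset.StandardCharsets;` alongside the `MessageDigest` import added in the first hunk). The rewritten line also dereferences `activeCode`, whereas the old `code.equals(activeCode)` returned `false` for a null active code; if the earlier part of the method does not already reject a missing `ACTIVE_CODE` note, a null now becomes a `RuntimeException` from the catch block rather than a failed check, so a guard of the form `if (activeCode == null) { return false; }` before the comparison would keep the fail-closed behaviour. The enclosing method starts outside this hunk, so whether that null check already exists cannot be confirmed from here.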