FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

User API to update a user password the same way as import users: Hashed Password + Encryption Scheme + Factor + Salt #348

Open manolofont opened 4 years ago

manolofont commented 4 years ago

Description

Is there any way to update the user password providing an already hashed password and the encryption scheme used?

Our users come from different sources (LDAP and DBs), and they update their passwords with certain external apps. We can only read the hashed passwords (knowing how each password is hashed) and their salts (in any flavour: without salt, with the salt in the hashed password, or with the salt in another field). We have developed a password encryptor plugin for FusionAuth to manage 3 types of password hashing and it works very well when we import new users into FusionAuth (indicating the hashed password, the encryption scheme, the factor and the salt). If I'm right, with the User API to update a user, if we indicate the password and the encryption scheme, FusionAuth encodes the new password with the scheme (FA interprets it as a plain password). So, how can we update the hashed passwords of each user in FusionAuth when we receive them from those external sources?

Thanks!

robotdan commented 4 years ago

Is this so you can synchronize the password hash between systems?

manolofont commented 4 years ago

Exactly.

We only need to synchronize the password hashes in one direction, i.e. "from LDAP to FusionAuth".

We can read the hashed password of the user and the salt, and we know the hashing method. When we "import" the users into FusionAuth it works perfectly: FA reads the hashed password (not the plain one), the salt and the hashing method (which we programmed as a FA plugin).

But when the password is modified, i.e. "in LDAP", we cannot synchronize the new hash to FusionAuth.

Is there a way to accomplish it?

Thank you.
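The one-way synchronization described in this comment hinges on the Import API accepting the stored hash verbatim alongside its scheme, factor and salt, while the custom encryptor plugin must reproduce exactly that encoding at login time. The following added example (not code from the thread or from FusionAuth) shows how the three salt flavours mentioned above can be normalized into one import record, what the Import API request body looks like, and a local check that the stored hash verifies under the same scheme. The scheme identifiers (`example-ldap-ssha`, `example-ldap-sha`, `example-db-pbkdf2`), the PBKDF2 choice for the database source and the sample password and salt are assumptions; real identifiers must match what the site's own plugin registers.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class ImportableCredential:
    """The four values the Import API takes for a pre-hashed password."""
    password: str            # stored hash, encoded the way the custom encryptor emits it
    encryption_scheme: str   # identifier of the custom PasswordEncryptor plugin
    factor: int              # work factor; 1 for the single-round LDAP schemes here
    salt: Optional[str]      # base64 salt, or None for an unsalted scheme


# Hypothetical scheme identifiers: they must match what the site's plugin registers.
SCHEME_SALTED_SHA = "example-ldap-ssha"
SCHEME_UNSALTED_SHA = "example-ldap-sha"
SCHEME_PBKDF2_DB = "example-db-pbkdf2"


def from_ldap_userpassword(value: str) -> ImportableCredential:
    """Parse an OpenLDAP userPassword value in {SSHA} form (salt appended to
    the digest) or {SHA} form (no salt) into the Import API fields."""
    if value.startswith("{SSHA}"):
        raw = base64.b64decode(value[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the rest is the salt
        if not salt:
            raise ValueError("{SSHA} value carries no salt")
        return ImportableCredential(base64.b64encode(digest).decode(), SCHEME_SALTED_SHA,
                                    1, base64.b64encode(salt).decode())
    if value.startswith("{SHA}"):
        return ImportableCredential(value[len("{SHA}"):], SCHEME_UNSALTED_SHA, 1, None)
    raise ValueError("unsupported userPassword prefix")


def from_db_row(hash_hex: str, salt_hex: str, iterations: int) -> ImportableCredential:
    """Source where hash and salt are separate columns (PBKDF2-HMAC-SHA256 assumed)."""
    return ImportableCredential(base64.b64encode(bytes.fromhex(hash_hex)).decode(),
                                SCHEME_PBKDF2_DB, iterations,
                                base64.b64encode(bytes.fromhex(salt_hex)).decode())


def build_import_request(email: str, cred: ImportableCredential) -> dict:
    """Body for POST /api/user/import: the hash is passed through, not re-hashed."""
    user = {"email": email, "password": cred.password,
            "encryptionScheme": cred.encryption_scheme, "factor": cred.factor}
    if cred.salt is not None:
        user["salt"] = cred.salt
    return {"users": [user]}


def encrypt_like_plugin(scheme: str, plaintext: str, salt_b64: Optional[str], factor: int) -> str:
    """Reference of what the encryptor plugin must return per scheme so that an
    imported hash verifies at login (same digest, same base64 encoding)."""
    salt = base64.b64decode(salt_b64) if salt_b64 else b""
    if scheme == SCHEME_SALTED_SHA:
        return base64.b64encode(hashlib.sha1(plaintext.encode() + salt).digest()).decode()
    if scheme == SCHEME_UNSALTED_SHA:
        return base64.b64encode(hashlib.sha1(plaintext.encode()).digest()).decode()
    if scheme == SCHEME_PBKDF2_DB:
        return base64.b64encode(hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, factor)).decode()
    raise ValueError(f"unknown scheme {scheme}")


def verifies(plaintext: str, cred: ImportableCredential) -> bool:
    """Would a login with `plaintext` match this imported credential?"""
    computed = encrypt_like_plugin(cred.encryption_scheme, plaintext, cred.salt, cred.factor)
    return hmac.compare_digest(computed, cred.password)


def make_ssha(plaintext: str, salt: bytes) -> str:
    """Build a {SSHA} value the way an LDAP server stores it (used for constructed input)."""
    digest = hashlib.sha1(plaintext.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


if __name__ == "__main__":
    # Constructed sample: password and salt are test values, not real data.
    stored = make_ssha("correct horse", b"\x01\x02\x03\x04")
    cred = from_ldap_userpassword(stored)
    print(json.dumps(build_import_request("jane@example.com", cred), indent=2))
    print("verifies:", verifies("correct horse", cred))
```

The `verifies` check is worth running against every source before an import batch: a mismatch there means the plugin's encoding (digest order, base64 vs hex, where the salt is applied) differs from what the source stores, and the user would be locked out after import. Single-round SHA-1 schemes are carried here only because the source systems store them; they are not a recommendation for new passwords.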

robotdan commented 4 years ago

This is not a use case we currently support. FusionAuth is intended to be the source of truth as it relates to passwords.

A couple of options:

  1. Authenticate against FusionAuth for your LDAP use cases using the Login API
  2. Manually update the database fields to synchronize the hash (not recommended, we can't guarantee this won't break in the future, but an option)
  3. We could also explore adding the ability to update the password hash on the User Update API.

Support and services for our paid clients take priority with dev resources. We can leave this feature here and as it gets upvoted by the community it will rise higher on the priority list.

If you'd like to look at pricing for support or pro-services to deliver you this capability in a more timely fashion feel free to use the Contact form on fusionauth.io.

Thanks!!

manolofont commented 4 years ago

We had thought about implementing the second option but, before doing that, we wanted to know if there was a more correct way to accomplish it.

Thank you!