Open mooreds opened 3 years ago
Hi @mooreds,
I'm needing to create a plugin for this so we can migrate to FusionAuth (we have been using argon2id for the past few years).
Do you currently have this on your internal roadmap, and if not, is there a 'best-practice' way in which I could help in coding/developing a plugin which would help move this into core that can work with FA's licensing? Or would the Open Source plugin be helpful in and of itself?
@matthewhartstonge This is not on our current roadmap. I really appreciate the offer to contribute it to the core, but I'm not sure whether we'd want to incorporate that. That's a question for @robotdan and team.
If you'd like to develop it and contribute it, we have an example plugin repo that might help you get started: https://github.com/FusionAuth/fusionauth-example-password-encryptor
For where it should land, we have a repo with community code that we'd welcome a PR for. Currently it is reverse proxy configurations, primarily. If Apache 2 licensing works for you, that'd probably be simplest: https://github.com/FusionAuth/fusionauth-contrib
Thanks for offering to contribute!
@mooreds is correct, you can add this support by using this plugin for the purposes of your migration.
https://github.com/FusionAuth/fusionauth-example-password-encryptor
If you want to submit a PR to that repo, that would be a good start. From there we can review merging it into the core product so we can support it.
Awesome! Cheers team 👍
@robotdan to be clear, do you want a PR to FusionAuth/fusionauth-example-password-encryptor or the FusionAuth/fusionauth-contrib repo?
A PR to https://github.com/FusionAuth/fusionauth-example-password-encryptor would be great.
Thanks @matthewhartstonge! For anyone looking for Argon on this thread: https://github.com/FusionAuth/fusionauth-example-password-encryptor/blob/master/src/main/java/com/mycompany/fusionauth/plugins/ExampleArgon2idPasswordEncryptor.java
Here's the updated link to the Argon2 hasher: https://github.com/FusionAuth/fusionauth-contrib/blob/master/Password%20Hashing%20Plugins/src/main/java/com/mycompany/fusionauth/plugins/ExampleArgon2idPasswordEncryptor.java
Support Argon2 hashing
Problem
Argon2 won the 2015 password hashing competition (https://en.wikipedia.org/wiki/Argon2). Would be great to offer this as one of the options for password hashing. Argon2id is the recommended implementation unless you have special needs.
Solution
Offer Argon2 as a scheme in the tenant cryptographic hash settings section.
Alternatives/workarounds
Write a custom password hashing plugin using this algorithm.
Additional context
Came up here: https://news.ycombinator.com/item?id=25133061
Here's the reference implementation (in C): https://github.com/p-h-c/phc-winner-argon2
Here's the first Google result when you search for "argon2 java": https://mkyong.com/java/java-password-hashing-with-argon2/
Here's an RFC about it: https://www.rfc-editor.org/rfc/rfc9106.html
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.