FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Support Argon2 hashing #997

Open mooreds opened 3 years ago

mooreds commented 3 years ago

Support Argon2 hashing

Problem

Argon2 won the 2015 password hashing competition (https://en.wikipedia.org/wiki/Argon2). Would be great to offer this as one of the options for password hashing. Argon2id is the recommended implementation unless you have special needs.

Solution

Offer Argon2 as a scheme in the tenant cryptographic hash settings section.

Alternatives/workarounds

Write a custom password hashing plugin using this algorithm.

Additional context

Came up here: https://news.ycombinator.com/item?id=25133061

Here's the reference implementation (in C): https://github.com/p-h-c/phc-winner-argon2

Here's the first Google result when you search for "argon2 java": https://mkyong.com/java/java-password-hashing-with-argon2/

Here's an RFC about it: https://www.rfc-editor.org/rfc/rfc9106.html

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
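To make the "custom password hashing plugin" workaround above concrete, here is an added illustration of an Argon2id encryptor in the shape of a FusionAuth password-hashing plugin. It is not code from the issue, from FusionAuth, or from the example plugin repository. It assumes (as a labelled assumption) that FusionAuth's plugin SPI exposes a `PasswordEncryptor` interface with `defaultFactor()` and `encrypt(password, salt, factor)` and that salts are passed Base64-encoded; a local interface with those assumed signatures is declared so the file compiles with only Bouncy Castle (`bcprov`) on the classpath. The Argon2id parameters are the 64 MiB / 4 lanes / 3 passes option from RFC 9106 section 4, with FusionAuth's `factor` mapped to the number of passes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import org.bouncycastle.crypto.generators.Argon2BytesGenerator;
import org.bouncycastle.crypto.params.Argon2Parameters;

/**
 * Assumption: mirrors the method signatures of FusionAuth's
 * io.fusionauth.plugin.spi.security.PasswordEncryptor so this example is
 * self-contained. A real plugin would import the SPI interface instead and
 * should be checked against the fusionauth-example-password-encryptor repo.
 */
interface PasswordEncryptor {
  int defaultFactor();
  String encrypt(String password, String salt, int factor);
}

public class Argon2idPasswordEncryptor implements PasswordEncryptor {
  // RFC 9106 section 4, second recommended option: 64 MiB memory, 4 lanes, 3 passes.
  private static final int MEMORY_KIB = 64 * 1024;
  private static final int PARALLELISM = 4;
  private static final int DEFAULT_ITERATIONS = 3;
  private static final int HASH_BYTES = 32;
  private static final int SALT_BYTES = 16;

  // The "factor" FusionAuth passes in is mapped to Argon2's time cost (passes).
  // Memory and parallelism stay fixed so every stored hash can be recomputed
  // with exactly the parameters it was created with.
  @Override
  public int defaultFactor() {
    return DEFAULT_ITERATIONS;
  }

  @Override
  public String encrypt(String password, String salt, int factor) {
    // Assumption: FusionAuth hands the salt over Base64-encoded.
    byte[] saltBytes = Base64.getDecoder().decode(salt);
    Argon2Parameters params = new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
        .withVersion(Argon2Parameters.VERSION_13)
        .withIterations(factor)
        .withMemoryAsKB(MEMORY_KIB)
        .withParallelism(PARALLELISM)
        .withSalt(saltBytes)
        .build();
    Argon2BytesGenerator generator = new Argon2BytesGenerator();
    generator.init(params);
    byte[] hash = new byte[HASH_BYTES];
    generator.generateBytes(password.getBytes(StandardCharsets.UTF_8), hash);
    return Base64.getEncoder().encodeToString(hash);
  }

  /** Fresh random salt, Base64-encoded to match the assumed storage format. */
  public static String generateSalt() {
    byte[] salt = new byte[SALT_BYTES];
    new SecureRandom().nextBytes(salt);
    return Base64.getEncoder().encodeToString(salt);
  }

  /** Recompute the hash for a candidate password and compare in constant time. */
  public boolean verify(String candidate, String salt, int factor, String storedHash) {
    byte[] expected = Base64.getDecoder().decode(storedHash);
    byte[] actual = Base64.getDecoder().decode(encrypt(candidate, salt, factor));
    return MessageDigest.isEqual(expected, actual);
  }

  public static void main(String[] args) {
    Argon2idPasswordEncryptor encryptor = new Argon2idPasswordEncryptor();
    String salt = generateSalt();
    int factor = encryptor.defaultFactor();
    // Constructed sample passwords; nothing here comes from a real user store.
    String stored = encryptor.encrypt("correct horse battery staple", salt, factor);
    System.out.println("stored hash (Base64): " + stored);
    System.out.println("right password verifies: "
        + encryptor.verify("correct horse battery staple", salt, factor, stored));
    System.out.println("wrong password verifies:  "
        + encryptor.verify("Tr0ub4dor&3", salt, factor, stored));
  }
}
```

Keeping memory and parallelism constant and exposing only the pass count through `factor` matters for migration: a hash imported from another system can only be verified if the tenant's scheme reproduces the exact cost parameters it was created with, so those values belong with the hash record or in the plugin's fixed configuration, not in anything a later tuning change can silently alter.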

matthewhartstonge commented 3 years ago

Hi @mooreds,

I'm needing to create a plugin for this so we can migrate to FusionAuth (we have been using argon2id for the past few years).

Do you currently have this on your internal roadmap, and if not, is there a 'best-practice' way in which I could help in coding/developing a plugin which would help move this into core that can work with FA's licensing? Or would the Open Source plugin be helpful in and of itself?

mooreds commented 3 years ago

@matthewhartstonge This is not on our current roadmap. I really appreciate the offer to contribute it to the core, but I'm not sure whether we'd want to incorporate that. That's a question for @robotdan and team.

If you'd like to develop it and contribute it, we have an example plugin repo that might help you get started: https://github.com/FusionAuth/fusionauth-example-password-encryptor

For where it should land, we have a repo with community code that we'd welcome a PR for. Currently it is reverse proxy configurations, primarily. If apache2 licensing works for you, that'd probably be simplest: https://github.com/FusionAuth/fusionauth-contrib

Thanks for offering to contribute!

robotdan commented 3 years ago

@mooreds is correct, you can add this support by using this plugin for the purposes of your migration.

https://github.com/FusionAuth/fusionauth-example-password-encryptor

If you want to submit a PR to that repo, that would be a good start. From there we can review merging it into the core product so we can support it.

matthewhartstonge commented 3 years ago

Awesome! Cheers team 👍

@robotdan to be clear, do you want a PR to FusionAuth/fusionauth-example-password-encryptor or the FusionAuth/fusionauth-contrib repo?

robotdan commented 3 years ago

A PR to https://github.com/FusionAuth/fusionauth-example-password-encryptor would be great.

robotdan commented 3 years ago

Thanks @matthewhartstonge! For anyone looking for Argon on this thread: https://github.com/FusionAuth/fusionauth-example-password-encryptor/blob/master/src/main/java/com/mycompany/fusionauth/plugins/ExampleArgon2idPasswordEncryptor.java

mooreds commented 1 year ago

Here's the updated link to the Argon2 hasher: https://github.com/FusionAuth/fusionauth-contrib/blob/master/Password%20Hashing%20Plugins/src/main/java/com/mycompany/fusionauth/plugins/ExampleArgon2idPasswordEncryptor.java