Spring-security: Add Argon2PasswordEncoder

Created on 16 May 2018 · 6 Comments · Source: spring-projects/spring-security

Summary

It would be nice to have an Argon2PasswordEncoder implementation.

We looked into using https://github.com/phxql/argon2-jvm but it is LGPL v3 which is not compatible with Apache 2.0. Instead we are going to look into using https://github.com/kosprov/jargon2-api

crypto enhancement

All 6 comments

Any news on that?

@WtfJoke Thanks for the bump.

I am hesitant to add a dependency on something that uses native code as I think it will be quite challenging for us to support.

Note that this is something that would be pretty easy for users to extend on their own as well.

Thanks for your answer, I can understand your reasoning. So this issue is just a reminder for a future library which comes up without native code, or what's the reason?

BouncyCastle has ported Argon2 to native Java: https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/Argon2BytesGenerator.java

BouncyCastle is licensed under an MIT-like license, so this should be compatible.

I'm currently working on wrapping the BouncyCastle-Generator into a Spring Security-PasswordEncoder.

If my employer gives me the right to publish this via a PR, I will do so soon (within the next few weeks) :)

Well, this took longer than expected, but we finally managed to tackle all the organisational stuff (in future, contributions by my colleagues and me should be approved much faster).
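
As an added example (not part of the thread and not the code of the contribution mentioned above), one way to wrap BouncyCastle's `Argon2BytesGenerator` in a Spring Security `PasswordEncoder`. The class name `BcArgon2PasswordEncoder`, the cost parameters and the choice of the `$argon2id$v=19$...` encoded layout are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.bouncycastle.crypto.generators.Argon2BytesGenerator;
import org.bouncycastle.crypto.params.Argon2Parameters;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class name; the cost parameters are assumptions to tune per deployment.
public class BcArgon2PasswordEncoder implements PasswordEncoder {
    private static final int SALT_LEN = 16, HASH_LEN = 32;
    private static final int MEMORY_KB = 1 << 16, ITERATIONS = 3, PARALLELISM = 1;
    private final SecureRandom random = new SecureRandom();

    @Override
    public String encode(CharSequence rawPassword) {
        byte[] salt = new byte[SALT_LEN];
        random.nextBytes(salt); // fresh random salt for every password
        byte[] hash = hash(rawPassword, salt, MEMORY_KB, ITERATIONS, PARALLELISM, HASH_LEN);
        Base64.Encoder b64 = Base64.getEncoder().withoutPadding();
        return "$argon2id$v=19$m=" + MEMORY_KB + ",t=" + ITERATIONS + ",p=" + PARALLELISM
                + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        try { // parts: "", "argon2id", "v=19", "m=..,t=..,p=..", salt, hash
            String[] parts = encodedPassword.split("\\$");
            if (parts.length != 6 || !parts[1].equals("argon2id") || !parts[2].equals("v=19")) return false;
            String[] cost = parts[3].split(",");
            if (!cost[0].startsWith("m=") || !cost[1].startsWith("t=") || !cost[2].startsWith("p=")) return false;
            int m = Integer.parseInt(cost[0].substring(2)), t = Integer.parseInt(cost[1].substring(2)),
                p = Integer.parseInt(cost[2].substring(2));
            byte[] salt = Base64.getDecoder().decode(parts[4]), expected = Base64.getDecoder().decode(parts[5]);
            // Recompute with the stored parameters and compare in constant time.
            return MessageDigest.isEqual(expected, hash(rawPassword, salt, m, t, p, expected.length));
        } catch (RuntimeException malformed) {
            return false; // a null, truncated or otherwise unparseable stored value never matches
        }
    }

    private static byte[] hash(CharSequence pw, byte[] salt, int m, int t, int p, int len) {
        Argon2Parameters params = new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
                .withVersion(Argon2Parameters.ARGON2_VERSION_13)
                .withSalt(salt).withMemoryAsKB(m).withIterations(t).withParallelism(p).build();
        Argon2BytesGenerator generator = new Argon2BytesGenerator();
        generator.init(params);
        byte[] out = new byte[len];
        generator.generateBytes(pw.toString().getBytes(StandardCharsets.UTF_8), out);
        return out;
    }
}
```

Because `matches` reads the cost parameters from the stored string, the constants can be raised later without invalidating hashes that were created with the old values.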
