Topics tagged with password

MFA with the password grant

admin b — Invalid Date

Thanks for addressing this use case. Your proposal, however, runs counter to any standardization effort: Long live OAuth! 🙂

A better approach would be to switch from a password grant to the use of authorization codes (instead of passwords) to obtain the access token. This is fully within the OAuth framework and does not introduce fusionauth-specific hacks into the solution.

We have created as simple html page that redirects to the fusionauth authorize endpoint with grant_type=authorization_code. The browser handles MFA as usual. Upon redirecting to this page, the page can harvest the authorization code for the user to copy. From there proceed with into authorization code in place of a password.

PS: Long live OAuth!

Password constraints below tenant level

dan — Invalid Date

Nope, at this time it is all configured at the tenant, via the UI or API.

If you have specific needs, please file a github issue outlining your use case: https://github.com/fusionauth/fusionauth-issues/issues

Issue with bcrypt on import of users

dan — Invalid Date

You'll need to separate out the hash and the salt on the Import API.

For example, the hash $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy would be split out to the fields:

factor: 10
salt: N9qo8uLOickgx2ZMRZoMye
password: IjZAgcfl7p92ldGxad68LJZdL17lhWy

The Import API does not parse this value and separate it out for you. You need to do so.

Here is an example import script (in Ruby): https://github.com/FusionAuth/fusionauth-import-scripts/blob/master/auth0/import.rb#L47

What password rule options does FusionAuth have?

dan — Invalid Date

A duplicate of https://fusionauth.io/community/forum/topic/438/password-complexity-rules

But the easiest way to see this is in the tenant API, since that is where they are configured.

At time of writing, here are the options.

Screen Shot 2021-05-12 at 1.50.12 PM.png

Password encryption scheme data?

dan — Invalid Date

This data is exposed in version 1.20.1.

Updating a user's password and salt

dan — Invalid Date

If you’re looking to update the password, you can use the Update User API, or the Change Password API.

Neither of these APIs accept a hashed password and salt however, it accepts a plain text password that it will in turn salt, hash and then persist.

Check out both these APIs here: https://fusionauth.io/docs/v1/tech/apis/users

I've written a password encryption plugin I want to share. Where can I share it?

pclark — Invalid Date

In case it helps anyone, a version of the ASP.NET Core Identity PasswordHasher HashPasswordV3

package com.mycompany.fusionauth.plugins; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.PBEKeySpec; import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.spec.InvalidKeySpecException; import java.security.spec.KeySpec; import java.util.Base64; import io.fusionauth.plugin.spi.security.PasswordEncryptor; /** * Example password hashing based on Asp.Net Core Identity PasswordHasher HashPasswordV3. */ public class ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor implements PasswordEncryptor { @Override public int defaultFactor() { return 10_000; } @Override public String encrypt(String password, String salt, int factor) { if (factor <= 0) { throw new IllegalArgumentException("Invalid factor value [" + factor + "]"); } SecretKeyFactory keyFactory; try { keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256"); } catch (NoSuchAlgorithmException e) { throw new IllegalStateException("No such algorithm [PBKDF2WithHmacSHA256]"); } int keyLength = 32; // numBytesRequested byte[] saltBytes = Base64.getDecoder().decode(salt); // assumes Base64 encoded salt. saltSize: 16 bytes KeySpec keySpec = new PBEKeySpec(password.toCharArray(), saltBytes, factor, keyLength * 8); SecretKey secret; try { secret = keyFactory.generateSecret(keySpec); // subkey } catch (InvalidKeySpecException e) { throw new IllegalArgumentException("Could not generate secret key for algorithm [PBKDF2WithHmacSHA256]"); } byte[] outputBytes = new byte[13 + saltBytes.length + secret.getEncoded().length]; outputBytes[0] = 0x01; // format marker WriteNetworkByteOrder(outputBytes, 1, 1); WriteNetworkByteOrder(outputBytes, 5, factor); WriteNetworkByteOrder(outputBytes, 9, saltBytes.length); System.arraycopy(saltBytes, 0, outputBytes, 13, saltBytes.length); System.arraycopy(secret.getEncoded(), 0, outputBytes, 13 + saltBytes.length, secret.getEncoded().length); return new String(Base64.getEncoder().encode(outputBytes)); } private static void WriteNetworkByteOrder(byte[] buffer, int offset, int value) { buffer[offset + 0] = (byte)(value >> 24); buffer[offset + 1] = (byte)(value >> 16); buffer[offset + 2] = (byte)(value >> 8); buffer[offset + 3] = (byte)(value >> 0); } } package com.mycompany.fusionauth.plugins; import org.testng.annotations.DataProvider; import org.testng.annotations.Test; import static org.testng.Assert.assertEquals; public class ExampleDotNetPBDKF2HMACSHA256PasswordEncryptorTest { @Test(dataProvider = "hashes") public void encrypt(String password, String salt, String hash) { ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor encryptor = new ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor(); assertEquals(encryptor.encrypt(password, salt, 10_000), hash); } @DataProvider(name = "hashes") public Object[][] hashes() { return new Object[][]{ {"MyExamplePassword", "CVsv6SwPJr7WDrVvAb+7aw==", "AQAAAAEAACcQAAAAEAlbL+ksDya+1g61bwG/u2ssOcnQU6Q2xo9tmijJv0zM2GsxeOl04NSpXRsAveBBag=="}, }; } }