feat: password migration

#441
Aguafrommars · Nov 12, 2023 · acf59be · acf59be
1 parent 42b9352
commit acf59be
Show file tree

Hide file tree

Showing 24 changed files with 402 additions and 70 deletions.
diff --git a/src/Aguacongas.TheIdServer.Duende/Aguacongas.TheIdServer.Duende.csproj b/src/Aguacongas.TheIdServer.Duende/Aguacongas.TheIdServer.Duende.csproj
@@ -42,6 +42,10 @@
 		<ProjectReference Include="..\IdentityServer\Duende\Aguacongas.IdentityServer.RavenDb.Store.Duende\Aguacongas.IdentityServer.RavenDb.Store.Duende.csproj" />
 		<ProjectReference Include="..\IdentityServer\Duende\Aguacongas.IdentityServer.Saml2p.Duende\Aguacongas.IdentityServer.Saml2p.Duende.csproj" />
 		<ProjectReference Include="..\IdentityServer\Duende\Aguacongas.IdentityServer.WsFederation.Duende\Aguacongas.IdentityServer.WsFederation.Duende.csproj" />
+		<ProjectReference Include="..\Identity\Aguacongas.TheIdServer.Identity.Argon2PasswordHasher\Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.csproj" />
+		<ProjectReference Include="..\Identity\Aguacongas.TheIdServer.Identity.BcryptPasswordHasher\Aguacongas.TheIdServer.Identity.BcryptPasswordHasher.csproj" />
+		<ProjectReference Include="..\Identity\Aguacongas.TheIdServer.Identity.ScryptPasswordHasher\Aguacongas.TheIdServer.Identity.ScryptPasswordHasher.csproj" />
+		<ProjectReference Include="..\Identity\Aguacongas.TheIdServer.Identity.UpgradePasswordHasher\Aguacongas.TheIdServer.Identity.UpgradePasswordHasher.csproj" />
 	</ItemGroup>
 
 	<ItemGroup>

diff --git a/src/Aguacongas.TheIdServer.Duende/Extensions/ServiceCollectionExtensions.cs b/src/Aguacongas.TheIdServer.Duende/Extensions/ServiceCollectionExtensions.cs
@@ -11,6 +11,10 @@
 using Aguacongas.TheIdServer.BlazorApp.Models;
 using Aguacongas.TheIdServer.BlazorApp.Services;
 using Aguacongas.TheIdServer.Data;
+using Aguacongas.TheIdServer.Identity.Argon2PasswordHasher;
+using Aguacongas.TheIdServer.Identity.BcryptPasswordHasher;
+using Aguacongas.TheIdServer.Identity.ScryptPasswordHasher;
+using Aguacongas.TheIdServer.Identity.UpgradePasswordHasher;
 using Aguacongas.TheIdServer.Models;
 using Aguacongas.TheIdServer.Services;
 using Aguacongas.TheIdServer.UI;
@@ -49,13 +53,18 @@ public static IServiceCollection AddTheIdServer(this IServiceCollection services
                 .AddConfigurationStores()
                 .AddOperationalStores()
                 .AddTokenExchange()
+                .Configure<PasswordHasherOptions>(configurationManager.GetSection(nameof(PasswordHasherOptions)))
                 .AddIdentity<ApplicationUser, IdentityRole>(
                     options =>
                     {
                         configurationManager.Bind(nameof(AspNetCore.Identity.IdentityOptions), options);
                     })
                 .AddTheIdServerStores()
-                .AddDefaultTokenProviders();
+                .AddDefaultTokenProviders()
+                .AddArgon2PasswordHasher<ApplicationUser>(configurationManager.GetSection(nameof(Argon2PasswordHasherOptions)))
+                .AddBcryptPasswordHasher<ApplicationUser>(configurationManager.GetSection(nameof(BcryptPasswordHasherOptions)))
+                .AddScryptPasswordHasher<ApplicationUser>(configurationManager.GetSection(nameof(ScryptPasswordHasherOptions)))
+                .AddUpgradePasswordHasher<ApplicationUser>(configurationManager.GetSection(nameof(UpgradePasswordHasherOptions)));
 
             if (isProxy)
             {

diff --git a/src/Aguacongas.TheIdServer.Duende/README.md b/src/Aguacongas.TheIdServer.Duende/README.md
@@ -150,7 +150,7 @@ The section *AccountOptions* is bound to [`AccountOptions`](../Aguacongas.TheIdS
 
 ## Configure ASP.Net Core Identity options
 
-The section **IdentityOptions** is binded to the class [`Microsoft.AspNetCore.Identity.IdentityOptions`](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.identityoptions).  
+The section **IdentityOptions** is bound to the class [`Microsoft.AspNetCore.Identity.IdentityOptions`](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.identityoptions).  
 So you can set any ASP.Net Core Identity options you want from configuration
 
 ```json
@@ -164,9 +164,93 @@ So you can set any ASP.Net Core Identity options you want from configuration
 }
 ```
 
+## Configure password hashers options
+
+Read [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) to choose and configure your password hasher.
+
+### PBKDF2 Password hasher
+
+`Microsoft.AspNetCore.Identity.PasswordHasher` is the default hasher used by ASP.Net Core Identity.
+You can hash password using PBKDF2 if the [upgrade password hasher](#upgrade-password-hasher) is configured to use `Microsoft.AspNetCore.Identity.PasswordHasher`.
+
+The section **PasswordHasherOptions** is bound to the class [`Microsoft.AspNetCore.Identity.PasswordHasherOptions`](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.passwordhasheroptions).  
+So you can set any [`Microsoft.AspNetCore.Identity.PasswordHasherOptions`](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.passwordhasheroptions) properties you want from configuration.
+
+```json
+"PasswordHasherOptions": {
+    "IterationCount": 600000
+}
+```
+
+### Argon2id password hasher
+
+You can hash password using Argon2id if the [upgrade password hasher](#upgrade-password-hasher) is configured to use `Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasher`.
+
+The section **Argon2PasswordHasherOptions** is bound to the class [`Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasherOptions`](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Identity/Aguacongas.TheIdServer.Identity.Argon2PasswordHasher/Argon2PasswordHasherOptions.cs).  
+So you can set any [`Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasherOptions`](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Identity/Aguacongas.TheIdServer.Identity.Argon2PasswordHasher/Argon2PasswordHasherOptions.cs) properties you want from configuration.
+
+```json
+"Argon2PasswordHasherOptions": {
+    "Interations": 2,
+    "Memory": 67108864
+}
+```
+
+### scrypt password hasher
+
+You can hash password using scrypt if the [upgrade password hasher](#upgrade-password-hasher) is configured to use `Aguacongas.TheIdServer.Identity.ScryptPasswordHasher.ScryptPasswordHasher`.
+
+The section **ScryptPasswordHasherOptions** is bound to the class [`Aguacongas.TheIdServer.Identity.ScryptPasswordHasher.ScryptPasswordHasherOptions`](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Identity/Aguacongas.TheIdServer.Identity.Argon2PasswordHasher/Argon2PasswordHasherOptions.cs).  
+So you can set any [`Aguacongas.TheIdServer.Identity.ScryptPasswordHasher.ScryptPasswordHasherOptions`](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Identity/Aguacongas.TheIdServer.Identity.Argon2PasswordHasher/Argon2PasswordHasherOptions.cs) properties you want from configuration.
+
+```json
+"ScryptPasswordHasherOptions": {
+    "IterationCount": 131072,
+    "BlockSize": 8,
+    "ThreadCount": 1
+}
+```
+
+### bcrypt password hasher
+
+You can hash password using bcrypt if the [upgrade password hasher](#upgrade-password-hasher) is configured to use `Aguacongas.TheIdServer.Identity.BcryptPasswordHasher.BcryptPasswordHasher`.
+
+The section **BcryptPasswordHasherOptions** is bound to the class [`Aguacongas.TheIdServer.Identity.BcryptPasswordHasher.BcryptPasswordHasherOptions`](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Identity/Aguacongas.TheIdServer.Identity.BcryptPasswordHasher/BcryptPasswordHasherOptions.cs).  
+So you can set any [`Aguacongas.TheIdServer.Identity.BcryptPasswordHasher.BcryptPasswordHasherOptions`](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Identity/Aguacongas.TheIdServer.Identity.BcryptPasswordHasher/BcryptPasswordHasherOptions.cs) properties you want from configuration.
+
+```json
+"BcryptPasswordHasherOptions": {
+    "WorkFactor": 11
+}
+```
+
+### Upgrade password hasher
+
+Upgrade password hasher is used to manage hash migration between old password hashing algorithm to the new one to use.  
+In previous version of TheIdServer password was hashed with PBKDF2 by default ASP.Net Core Identity password hasher with its default configuration.  
+Now you can choose between Argon2id, scrypt, bcrypt and PBKDF2 by settings the hasher to use.
+
+Read [Password Hasher to rehash password to a new algorithm for ASP.NET Core Identity.](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Identity/Aguacongas.TheIdServer.Identity.UpgradePasswordHasher/README.md#password-hasher-to-rehash-password-to-a-new-algorithm-for-aspnet-core-identity) for more information.
+
+The section **UpgradePasswordHasherOptions** is bound to the class [`Aguacongas.TheIdServer.Identity.UpgradePasswordHasher.UpgradePasswordHasherOptions`](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Identity/Aguacongas.TheIdServer.Identity.UpgradePasswordHasher/UpgradePasswordHasherOptions.cs).  
+So you can set any [`Aguacongas.TheIdServer.Identity.UpgradePasswordHasher.UpgradePasswordHasherOptions`](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Identity/Aguacongas.TheIdServer.Identity.UpgradePasswordHasher/UpgradePasswordHasherOptions.cs) properties you want from configuration.
+
+```json
+"UpgradePasswordHasherOptions": {
+    "HashPrefixMaps": {
+      "0": "Microsoft.AspNetCore.Identity.PasswordHasher",
+      "1": "Microsoft.AspNetCore.Identity.PasswordHasher",
+      "162": "Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasher",
+      "12": "Aguacongas.TheIdServer.Identity.ScryptPasswordHasher.ScryptPasswordHasher",
+      "188": "Aguacongas.TheIdServer.Identity.BcryptPasswordHasher.BcryptPasswordHasher"
+    },
+    "UsePasswordHasherTypeName": "Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasher"
+}
+```
+
 ## Configure Duende IdentityServer
 
-The section **IdentityServerOptions** is binded to the class [`Duende.IdentityServer.Configuration.IdentityServerOptions`](https://docs.duendesoftware.com/identityserver/v5/reference/options/).  
+The section **IdentityServerOptions** is bound to the class [`Duende.IdentityServer.Configuration.IdentityServerOptions`](https://docs.duendesoftware.com/identityserver/v5/reference/options/).  
 So you can set any Duende IdentityServer options you want from configuration (but key management options).
 
 ```json

diff --git a/src/Aguacongas.TheIdServer.Duende/appsettings.json b/src/Aguacongas.TheIdServer.Duende/appsettings.json
@@ -544,5 +544,30 @@
     "RevocationMode": "NoCheck",
     "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
     "ValidUntil": 365
+  },
+  "PasswordHasherOptions": {
+    "IterationCount": 600000
+  },
+  "Argon2PasswordHasherOptions": {
+    "Interations": 2,
+    "Memory": 67108864
+  },
+  "BcryptPasswordHasherOptions": {
+    "WorkFactor": 11
+  },
+  "ScryptPasswordHasherOptions": {
+    "IterationCount": 131072,
+    "BlockSize": 8,
+    "ThreadCount": 1
+  },
+  "UpgradePasswordHasherOptions": {
+    "HashPrefixMaps": {
+      "0": "Microsoft.AspNetCore.Identity.PasswordHasher",
+      "1": "Microsoft.AspNetCore.Identity.PasswordHasher",
+      "162": "Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasher",
+      "12": "Aguacongas.TheIdServer.Identity.ScryptPasswordHasher.ScryptPasswordHasher",
+      "188": "Aguacongas.TheIdServer.Identity.BcryptPasswordHasher.BcryptPasswordHasher"
+    },
+    "UsePasswordHasherTypeName": "Aguacongas.TheIdServer.Identity.Argon2PasswordHasher.Argon2PasswordHasher"
   }
 }
diff --git a/src/Aguacongas.TheIdServer.Identity/Extensions/IdentityBuilderExtensions.cs b/src/Aguacongas.TheIdServer.Identity/Extensions/IdentityBuilderExtensions.cs
@@ -1,9 +1,6 @@
 // Project: Aguafrommars/TheIdServer
 // Copyright (c) 2023 @Olivier Lefebvre
 using Microsoft.AspNetCore.Identity;
-using System;
-using System.Net.Http;
-using System.Threading.Tasks;
 
 namespace Microsoft.Extensions.DependencyInjection
 {

diff --git a/src/Aguacongas.TheIdServer/.config/dotnet-tools.json b/src/Aguacongas.TheIdServer/.config/dotnet-tools.json
diff --git a/...ntity/Aguacongas.TheIdServer.Identity.Argon2PasswordHasher/Argon2PasswordHasherOptions.cs b/...ntity/Aguacongas.TheIdServer.Identity.Argon2PasswordHasher/Argon2PasswordHasherOptions.cs
@@ -11,13 +11,11 @@ public class Argon2PasswordHasherOptions
     /// <summary>
     /// Number of iteration to use. 2 by default.
     /// </summary>
-    [Range(Argon2id.MinIterations, int.MaxValue)]
     public int Interations { get; set; } = 2;
 
     /// <summary>
     /// Memory to use. 67108864 by default.
     /// </summary>
-    [Range(Argon2id.MinMemorySize, int.MaxValue)]
     public int Memory { get; set; } = 67108864;
 
     /// <summary>

diff --git a/...acongas.TheIdServer.Identity.Argon2PasswordHasher/Extensions/IdentityBuilderExtensions.cs b/...acongas.TheIdServer.Identity.Argon2PasswordHasher/Extensions/IdentityBuilderExtensions.cs
@@ -0,0 +1,37 @@
+using Aguacongas.TheIdServer.Identity.Argon2PasswordHasher;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Configuration;
+
+namespace Microsoft.Extensions.DependencyInjection;
+
+/// <summary>
+/// <see cref="IdentityBuilder"/> extensions
+/// </summary>
+public static class IdentityBuilderExtensions
+{
+    /// <summary>
+    /// Add argon2 password hasher services in DI
+    /// </summary>
+    /// <typeparam name="TUser"></typeparam>
+    /// <param name="builder"></param>
+    /// <param name="configure"></param>
+    /// <returns></returns>
+    public static IdentityBuilder AddArgon2PasswordHasher<TUser>(this IdentityBuilder builder, Action<Argon2PasswordHasherOptions>? configure = null) where TUser : class
+    {
+        builder.Services.AddArgon2PasswordHasher<TUser>(configure);
+        return builder;
+    }
+
+    /// <summary>
+    /// Add argon2 password hasher services in DI
+    /// </summary>
+    /// <typeparam name="TUser"></typeparam>
+    /// <param name="builder"></param>
+    /// <param name="configuration"></param>
+    /// <returns></returns>
+    public static IdentityBuilder AddArgon2PasswordHasher<TUser>(this IdentityBuilder builder, IConfiguration configuration) where TUser : class
+    {
+        builder.Services.AddArgon2PasswordHasher<TUser>(configuration);
+        return builder;
+    }
+}
diff --git a/src/Identity/Aguacongas.TheIdServer.Identity.Argon2PasswordHasher/README.md b/src/Identity/Aguacongas.TheIdServer.Identity.Argon2PasswordHasher/README.md
@@ -5,8 +5,8 @@ An implementation of IPasswordHasher<TUser> using [Geralt](https://www.geralt.xy
 ## Installation
 
 ```csharp
-services.AddIdentity<TUser, TRole>();
-services.AddArgon2PasswordHasher<TUser>();
+services.AddIdentity<TUser, TRole>()
+    .AddArgon2PasswordHasher<TUser>();
 ```
 
 ### Options

diff --git a/...acongas.TheIdServer.Identity.BcryptPasswordHasher/Extensions/IdentityBuilderExtensions.cs b/...acongas.TheIdServer.Identity.BcryptPasswordHasher/Extensions/IdentityBuilderExtensions.cs
@@ -0,0 +1,37 @@
+using Aguacongas.TheIdServer.Identity.BcryptPasswordHasher;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Configuration;
+
+namespace Microsoft.Extensions.DependencyInjection;
+
+/// <summary>
+/// <see cref="IdentityBuilder"/> extensions
+/// </summary>
+public static class IdentityBuilderExtensions
+{
+    /// <summary>
+    /// Add Bcrypt password hasher services in DI
+    /// </summary>
+    /// <typeparam name="TUser"></typeparam>
+    /// <param name="builder"></param>
+    /// <param name="configure"></param>
+    /// <returns></returns>
+    public static IdentityBuilder AddBcryptPasswordHasher<TUser>(this IdentityBuilder builder, Action<BcryptPasswordHasherOptions>? configure = null) where TUser : class
+    {
+        builder.Services.AddBcryptPasswordHasher<TUser>(configure);
+        return builder;
+    }
+
+    /// <summary>
+    /// Add Bcrypt password hasher services in DI
+    /// </summary>
+    /// <typeparam name="TUser"></typeparam>
+    /// <param name="builder"></param>
+    /// <param name="configuration"></param>
+    /// <returns></returns>
+    public static IdentityBuilder AddBcryptPasswordHasher<TUser>(this IdentityBuilder builder, IConfiguration configuration) where TUser : class
+    {
+        builder.Services.AddBcryptPasswordHasher<TUser>(configuration);
+        return builder;
+    }
+}
diff --git a/src/Identity/Aguacongas.TheIdServer.Identity.BcryptPasswordHasher/README.md b/src/Identity/Aguacongas.TheIdServer.Identity.BcryptPasswordHasher/README.md
@@ -5,8 +5,8 @@ An implementation of IPasswordHasher<TUser> using [BCrypt.Net-Next](https://gith
 ## Installation
 
 ```csharp
-services.AddIdentity<TUser, TRole>();
-services.AddBcryptPasswordHasher<TUser>();
+services.AddIdentity<TUser, TRole>()
+    .AddBcryptPasswordHasher<TUser>();
 ```
 
 ### Options

diff --git a/...acongas.TheIdServer.Identity.ScryptPasswordHasher/Extensions/IdentityBuilderExtensions.cs b/...acongas.TheIdServer.Identity.ScryptPasswordHasher/Extensions/IdentityBuilderExtensions.cs
@@ -0,0 +1,37 @@
+using Aguacongas.TheIdServer.Identity.ScryptPasswordHasher;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Configuration;
+
+namespace Microsoft.Extensions.DependencyInjection;
+
+/// <summary>
+/// <see cref="IdentityBuilder"/> extensions
+/// </summary>
+public static class IdentityBuilderExtensions
+{
+    /// <summary>
+    /// Add Scrypt password hasher services in DI
+    /// </summary>
+    /// <typeparam name="TUser"></typeparam>
+    /// <param name="builder"></param>
+    /// <param name="configure"></param>
+    /// <returns></returns>
+    public static IdentityBuilder AddScryptPasswordHasher<TUser>(this IdentityBuilder builder, Action<ScryptPasswordHasherOptions>? configure = null) where TUser : class
+    {
+        builder.Services.AddScryptPasswordHasher<TUser>(configure);
+        return builder;
+    }
+
+    /// <summary>
+    /// Add Scrypt password hasher services in DI
+    /// </summary>
+    /// <typeparam name="TUser"></typeparam>
+    /// <param name="builder"></param>
+    /// <param name="configuration"></param>
+    /// <returns></returns>
+    public static IdentityBuilder AddScryptPasswordHasher<TUser>(this IdentityBuilder builder, IConfiguration configuration) where TUser : class
+    {
+        builder.Services.AddScryptPasswordHasher<TUser>(configuration);
+        return builder;
+    }
+}
diff --git a/src/Identity/Aguacongas.TheIdServer.Identity.ScryptPasswordHasher/README.md b/src/Identity/Aguacongas.TheIdServer.Identity.ScryptPasswordHasher/README.md
@@ -5,8 +5,8 @@ An implementation of IPasswordHasher<TUser> using [Scrypt.Net](https://github.co
 ## Installation
 
 ```csharp
-services.AddIdentity<TUser, TRole>();
-services.AddScryptPasswordHasher<TUser>();
+services.AddIdentity<TUser, TRole>()
+    .AddScryptPasswordHasher<TUser>();
 ```
 
 ### Options