Add Argon2PasswordEncoder

[rwinch]

Summary

It would be nice to have an Argon2PasswordEncoder implementation.

We looked into using https://github.com/phxql/argon2-jvm but it is LGPL v3 which is not compatible with Apache 2.0. Instead we are going to look into using https://github.com/kosprov/jargon2-api

[WtfJoke]

Any news on that?

[rwinch]

@WtfJoke Thanks for the bump.

I am hesitant to add a dependency on something that uses native code as I think it will be quite challenging for us to support.

Note that this is something that would be pretty easy for users to extend on their own as well.

[WtfJoke]

Thanks for your answer, I can understand your reasoning. So this issue is just a reminder for a future library which comes up without native code or whats the reason?

[simmac]

BouncyCastle has ported Argon2 to native Java: https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/Argon2BytesGenerator.java

BouncyCastle is licensed under a MIT-like license, so this should be compatible

[simmac]

I'm currently working on wrapping the BouncyCastle-Generator into a Spring Security-PasswordEncoder.

If my employer gives me the right to publish this via a PR, I will do so soon (within the next few weeks) :)

[simmac]

Well, this took longer than expected, but we finally managed to tackle all the organisational stuff (in future, contributions by my colleagues and me should be approved much faster)