We would like to migrate our users from a ruby on rails platform using Devise, to auth0.
I’ve been looking at the user import scripts and found it supports bcrypt hashed passwords.
The problem we encounter is that our Devise setup is using a “pepper” to the passwords. This means that when a user password is handled, it will append the pepper to the password before verifying the hash.
I tried to find any actions in auth0 which would allow us to do this but found nothing that could help in the process before the password verification.
Any suggestions would be welcome
What makes this different from a salt? Do you have access this value?
So basically what happens is the following:
The user supplies its password, then the server takes that password and appends the pepper (which is a predefined constant on the server) to it, after which it will be hashed and compared to the stored value.
For example: given that the pepper is “s0m3r@nd0m57r1ng” and a users password is “MyP@55W0rd” then the final result would be “MyP@55W0rds0m3r@nd0m57r1ng” that is being passed to bcrypt to hash and compare to what is stored in the database. The database hash contains the password like “$2a$12$3Mgn0m6OatMx6bzC5w1kK.BogsA8CER6l7PTKsLiTqQZNwoAW.V7y” where the first 22 chars after the $a2$12$ represent the salt and the remainder the hash that needs to match up
Does this make sense?
Yes, that makes sense. Thanks for going in-depth.
The hash formats Auth0 accepts are fairly rigid. In this case, the bcrypt hash object won’t accept a
pepper param, and there isn’t a way to customize how the comparison hash is created.
The Auth0-y way of handling non-standard password hashes would be to use an Automatic Migration/Lazy Migration.