Auth0 Bulk User Import Fails With Custom Hashes Using Prefixed and Suffixed Salts

Overview

This article explains a limitation of the Auth0 Bulk User Import feature when migrating users with a custom password hashing algorithm. The import process does not support hashes constructed with a salt value that is concatenated to both the beginning and end of the password.

Applies To

  • Bulk User Import
  • Custom Password Hashing

Cause

The Auth0 Bulk User Import tool’s salt.position property only accepts prefix or suffix as values. The system is not designed to process a hash where the salt is used in both positions. A hash computed with the salt both prepended and appended to the password, as in the following example, is therefore not supported.

sha256(salt + password + salt)
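Before building an import file, it helps to confirm which salt layout the legacy system actually used. The following is an added example, not Auth0 code: it checks a stored SHA-256 hash from a test account with a known password against the prefix, suffix and both layouts. The record field names, hex hash encoding and UTF-8 passwords are assumptions.

```python
import hashlib
import hmac

# The two values the article says salt.position accepts.
SUPPORTED_POSITIONS = ("prefix", "suffix")


def candidate_hashes(password: str, salt: bytes) -> dict:
    """SHA-256 hex digests for each salt layout discussed in the article."""
    pw = password.encode("utf-8")
    layouts = {"prefix": salt + pw, "suffix": pw + salt, "both": salt + pw + salt}
    return {name: hashlib.sha256(data).hexdigest() for name, data in layouts.items()}


def detect_salt_layout(stored_hex: str, password: str, salt: bytes):
    """Return 'prefix', 'suffix', 'both', or None if no layout matches."""
    if not salt:
        # With an empty salt all three layouts give the same digest.
        raise ValueError("empty salt: layouts are indistinguishable")
    for name, digest in candidate_hashes(password, salt).items():
        if hmac.compare_digest(digest, stored_hex.strip().lower()):
            return name
    return None


def audit(records):
    """Map user -> (layout, expressible with salt.position)."""
    report = {}
    for rec in records:
        layout = detect_salt_layout(rec["hash"], rec["test_password"], rec["salt"])
        report[rec["user"]] = (layout, layout in SUPPORTED_POSITIONS)
    return report


# Constructed sample export: three test accounts, one per layout.
SAMPLE = [
    {"user": u, "salt": s, "test_password": p, "hash": candidate_hashes(p, s)[layout]}
    for u, s, p, layout in [
        ("alice", b"a1b2", "test-pw-1", "prefix"),
        ("bob", b"c3d4", "test-pw-2", "suffix"),
        ("carol", b"e5f6", "test-pw-3", "both"),
    ]
]

if __name__ == "__main__":
    for user, (layout, ok) in audit(SAMPLE).items():
        print(f"{user}: layout={layout} importable={ok}")
```

A result of both means the record falls under the limitation described here; None means the legacy algorithm differs in some other way (encoding, iterations, a different digest) and needs separate investigation.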

Solution

The current implementation of the Auth0 Bulk User Import feature does not support custom hash algorithms where the salt is both prefixed and suffixed. This configuration is a known product limitation. A feature named ‘Universal Password Hash Support for User Import’ is in development to address this and other advanced hashing scenarios.