Bulk User Import Customer Hash - Does Auth0 Change to bCrypt

Hi All,

I’ve searched the docs, blogs and here in the community for an answer to this, but have had no luck. I’d like to know which hash Auth0 uses after a bulk import of users with the “custom_password_hash” field.

Does Auth0 authenticate the user using our custom hash the first time, and then create a new hash using bCrypt and use that for all future logins?

Thanks in advance.

Dave

Hello @info38,

Welcome to the Community! That is correct. On first login Auth0 will rehash the password using bcrypt.

Thanks for replying @markd

I’m curious, when we import the users, on first login they are prompted to change password. If that is the correct UX, what is the purpose of the custom password hash?

I’m not sure if we’ve done something wrong, but I can’t see where the login authenticates against the old hash before converting. For us it’s simply forcing a password change.

Sounds like something has gone wrong with the import, or there’s something else in your login flow. If the password hashes were imported correctly, you should not be getting prompted to reset your password.

Hi @markd thanks for taking the time to help.

We tried a demo import from the Auth0 docs and have the same issue. We appear to be using a very vanilla/standard login flow. Is there somewhere in settings specifically I should check with this in mind?

1 Like

I don’t recall having to change any settings. I think when I did this it may have been a beta feature and I needed to get my TAM to enable it for me but I believe password import is in GA now.

If it helps, here’s a faked example of the data file format I used for my user import with passwords. In my case they were SSHA hashed passwords from an old LDAP directory server.

[
    {
        "email": "shepard@sr2.ca",
        "email_verified": true,
        "user_id": "shepard@sr2.ca",
        "username": "shepard",
        "custom_password_hash": {
            "algorithm": "ldap",
            "hash": {
                "value": "{SSHA}ABC+123==",
                "encoding": "utf8"
            }
        },
        "user_metadata": {
            "language_preference": "en"
        },
        "app_metadata": {
            "roles": [
                "commander"
            ],
            "onboarded": "2183-05-16T17:41:22.028Z"
        }
    },
    {
        "email": "garrus@sr2.ca",
        "email_verified": true,
        "user_id": "garrus@sr2.ca",
        "username": "garrus",
        "custom_password_hash": {
            "algorithm": "ldap",
            "hash": {
                "value": "{SSHA}DEF+456==",
                "encoding": "utf8"
            }
        },
        "user_metadata": {
            "language_preference": "tu"
        },
        "app_metadata": {
            "roles": [
                "callibrator"
            ],
            "onboarded": "2083-05-25T12:23:22.178Z"
        }
    }
]


Ok so good news is, we worked it out. Bad news is, it implies I’m not as clever as I thought. Haha.

We had the wrong encoding set. So, a trap for new players: if your users are forced to change their password after import, check your encoding variable… and probably all the variables, which I had clearly failed to do.

Sorry for wasting your time guys with something so silly, but I really appreciate the help and hope this thread helps others who might get stuck.

2 Likes
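A pre-import sanity check that catches the two things this thread turned on: the shape of the import file markd posted (ldap algorithm, RFC 2307 `{SSHA}` value) and the wrong `hash.encoding` that forced password resets for Dave. This is an added example, not Auth0's code or the original poster's; it assumes that `hash.encoding` accepts `base64`, `hex` or `utf8`, and that an `ldap` value is the whole `{SSHA}...` string and therefore uses `utf8`, as in the posted file. The user records and hashes are constructed for the example.

```python
"""Sanity-check custom_password_hash entries before an Auth0 bulk import.

Added example (not Auth0 code). Assumed: hash.encoding is one of base64/hex/utf8,
and an "ldap" value is the full RFC 2307 string ("{SSHA}..."), encoded as utf8.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

VALID_ENCODINGS = ("base64", "hex", "utf8")  # assumed accepted set
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 salted SHA-1: "{SSHA}" + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, value: str) -> bool:
    """Verify a plaintext against an {SSHA} value the way an LDAP server would."""
    if not value.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) <= SHA1_LEN:  # need the digest plus at least one salt byte
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_entry(user: dict) -> List[str]:
    """Return structural problems with one user's custom_password_hash."""
    problems: List[str] = []
    cph = user.get("custom_password_hash")
    if not isinstance(cph, dict):
        return ["custom_password_hash missing; user will need a password reset"]
    algorithm = cph.get("algorithm")
    hash_obj = cph.get("hash") or {}
    value, encoding = hash_obj.get("value"), hash_obj.get("encoding")
    if not isinstance(value, str) or not value:
        problems.append("hash.value missing or not a string")
    if encoding not in VALID_ENCODINGS:
        problems.append(f"hash.encoding {encoding!r} not in {VALID_ENCODINGS}")
    if algorithm == "ldap" and isinstance(value, str):
        if encoding != "utf8":
            problems.append(f"ldap values are RFC 2307 strings; encoding should be 'utf8', got {encoding!r}")
        if not value.startswith("{"):
            problems.append("ldap value lacks the leading '{SCHEME}' prefix")
        elif value.startswith("{SSHA}"):
            try:
                raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
                if len(raw) <= SHA1_LEN:
                    problems.append(f"{{SSHA}} payload is {len(raw)} bytes; expected 20-byte SHA-1 digest plus salt")
            except (binascii.Error, ValueError):
                problems.append("{SSHA} payload is not valid base64")
    return problems


def check_import_file(users: List[dict], known_passwords: Dict[str, str]) -> Dict[str, List[str]]:
    """Map user_id -> problems; users with a known test password are also verified locally."""
    report: Dict[str, List[str]] = {}
    for user in users:
        uid = user.get("user_id", "<no user_id>")
        problems = check_entry(user)
        value = ((user.get("custom_password_hash") or {}).get("hash") or {}).get("value")
        pw = known_passwords.get(uid)
        if pw is not None and isinstance(value, str) and value.startswith("{SSHA}"):
            if not ssha_verify(pw, value):
                problems.append("known test password does not verify against the exported hash")
        if problems:
            report[uid] = problems
    return report


# Constructed sample (not real users or hashes), same shape as the posted file.
_SALT = b"saltsalt"  # fixed salt so the values are reproducible
SAMPLE_USERS = [
    {"email": "shepard@sr2.ca", "email_verified": True, "user_id": "shepard@sr2.ca",  # correct
     "custom_password_hash": {"algorithm": "ldap",
                              "hash": {"value": ssha_hash("normandy-sr2", _SALT), "encoding": "utf8"}}},
    {"email": "garrus@sr2.ca", "email_verified": True, "user_id": "garrus@sr2.ca",  # the trap: good hash, wrong encoding
     "custom_password_hash": {"algorithm": "ldap",
                              "hash": {"value": ssha_hash("calibrations", _SALT), "encoding": "base64"}}},
    {"email": "tali@sr2.ca", "email_verified": True, "user_id": "tali@sr2.ca",  # truncated export
     "custom_password_hash": {"algorithm": "ldap",
                              "hash": {"value": "{SSHA}" + base64.b64encode(b"0123456789").decode("ascii"),
                                       "encoding": "utf8"}}},
]
KNOWN_TEST_PASSWORDS = {"shepard@sr2.ca": "normandy-sr2", "garrus@sr2.ca": "calibrations"}

if __name__ == "__main__":
    for uid, probs in check_import_file(SAMPLE_USERS, KNOWN_TEST_PASSWORDS).items():
        print(uid)
        for p in probs:
            print("  -", p)
```

Run it against the real export with one or two accounts whose passwords you know (a test account you create in the old directory before exporting works well): if the local `{SSHA}` verification passes but the checker still flags the entry, the hash is fine and the problem is the metadata around it, which is exactly the encoding mistake found above. Auth0 itself will only tell you indirectly, by forcing a reset on first login.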

No worries! Glad you have figured it out and thanks for sharing with the rest of community!