Custom password hashing

We have created a small prototype which uses Auth0’s APIs to create/update users. This prototype is sending plain-text passwords and letting Auth0 “do the hashing” (using bcrypt if I’m not mistaken) prior to storing this information in the database. We would like, however, to send already-hashed passwords so that Auth0 stores them as received. In other words, Auth0 should avoid re-hashing a hashed password.

  1. Is there a way we can “configure” Auth0 to behave this way? Maybe redefining the Login and GetUser scripts in some particular way?
  2. Must we use a custom database?
  3. Would we need to implement the same hashing-algorithm in Auth0 so that it can compare hashed-passwords when authenticating users?

(3.) Even if you implemented the same algorithm that is currently used, (1.) what you’re trying to do is not available for a regular database connection where the user credentials are kept in the Auth0 user store.

If you want to control the user credentials (2.) then you will need to use a custom database connection. With a custom database you could, in theory, then implement a Create script that could handle user creation with an already hashed password. However, have in mind that even with a custom database the assumption is that users are created/signup by providing a plain-text password that you would then hash in accordance to your requirements so creating users with already hashed passwords would be an hack that you would need to be sure to handle in the correct way.

For example, if public signups are allowed the signup endpoint could be called by users that would be providing a plain-text password so your custom database script would need to take this under consideration.

As a final personal note, you may want to take a step back and reconsider if this is something that you really need to be doing. More specifically, if you have an existing database containing user credentials and want to move users to Auth0 without them having to reset their password then consider using a custom database connection with import mode enabled. This would mean that users would be created at Auth0 when they login which would provide a transparent migration of the user credentials. For reference information, see: Configure Automatic Migration from Your Database