How to Import Password Hashes from Gigya to Auth0

Problem statement

There is a need to migrate users from Gigya to Auth0. This article explains how to transform the password hashes exported from Gigya into a format Auth0 accepts, so the users can be imported with their existing passwords via bulk import.

Solution

The output password hash from Gigya will look like this:

"password": {
  "created": "2024-01-28T17:20:31.188Z",
  "hashSettings": {
    "salt": "YWJjc29tZXRoaW5n==",
    "rounds": 10000,
    "algorithm": "pbkdf2_sha512"
  },
  "hash": "89v2METlSkX2LKWSQGHCdE4iUkE="
}

These are usually hashed with the PBKDF2 algorithm using a SHA512 digest, 10000 rounds (iterations), and a derived key length of 20 bytes (the decoded length of the hash above).

To import to Auth0, the password needs to be converted to the PHC format, which goes like this:
$pbkdf2-DIGEST$i=ITERATIONS,l=KEYLEN$SALT$HASH

So, in the example above, the conversion looks like this:
$pbkdf2-sha512$i=10000,l=20$YWJjc29tZXRoaW5n$89v2METlSkX2LKWSQGHCdE4iUkE

Note that the trailing equal (=) signs have been stripped from the end of the salt and the password hash. This is required: the PHC format uses base64 without padding. Also note that a dollar ($) sign separates the salt from the hash.

To import many users, write a script that builds this string for each user: only the salt and hash vary from user to user, while the algorithm, iteration count and key length stay the same. Read rounds and algorithm from each record's hashSettings rather than hard-coding them, so that a record with different settings is not silently imported with the wrong parameters.