How to migrate firebase authentication users to auth0 with same firebase password

I have exported the users list from Firebase and it returns hashed passwords. If obtaining the actual password is not feasible, I want to migrate Firebase authentication users to Auth0 with the same Firebase password.
Sample data from a Firebase user:
{
  "localId": "oWsCEO2GadXd2hOtDyst23tPKfk2",
  "email": "xocah27868@aaorsi.com",
  "emailVerified": false,
  "passwordHash": "iVaYAy8qgtXZ/mvR2U/sXvwGnPP3YPxjw4lTgSrhuS2IbP9HThrfxjr4pFRfRkujjIZUgaHZ7WbRkKy2vulqcg==",
  "salt": "drRka5fZiekYNA==",
  "displayName": "Debi Prasad",
  "photoUrl": "xxxxx",
  "lastSignedInAt": "1687163285285",
  "createdAt": "",
  "phoneNumber": "",
  "disabled": false,
  "customAttributes": "{\"is2FACompleted\":false}",
  "providerUserInfo":
}

Hello,

Migrating Firebase authentication users to Auth0 with the same Firebase password is a challenging task, because Firebase uses a custom version of the scrypt hashing algorithm that is not compatible with the standard scrypt algorithm used by Auth0. Therefore, you cannot directly import the password hashes from Firebase to Auth0.

However, there are some possible workarounds that you can try, depending on your situation and preferences:

If you have access to the original plain-text passwords of your users, you can use the Firebase Admin SDK to export them and then use the Auth0 CLI or API to import them with the standard scrypt algorithm.

If you do not have access to the original plain-text passwords, but you have access to the internal parameters of the Firebase scrypt algorithm (such as the base64_signer_key and the base64_salt_separator), you can use them to convert the Firebase password hashes to the standard scrypt format and then import them to Auth0.

If you do not have access to either the original plain-text passwords or the internal parameters of the Firebase scrypt algorithm, you can use a hybrid approach where you create a custom database connection in Auth0 that connects to your Firebase database and verifies the user credentials using the Firebase scrypt algorithm. Then, you can use the Auth0 migration feature to gradually migrate your users to Auth0 as they log in.

Alternatively, you can ask your users to reset their passwords and create new ones in Auth0. This is the simplest option, but it may cause some inconvenience and friction for your users.

I hope this helps you find a suitable solution for your migration problem.

Best regards,
Latonyadodson


Hey there @dinezdk19, welcome to the Auth0 Community!

To confirm, Auth0 doesn’t store plain user passwords.

Adding to what @Latonyadodson already shared, in case you have access to the Firebase internal algorithm details (like for example if the password has been first salt prefixed / postfixed), you should also be able to import users with a “custom_password_hash” property.

This doc shows what this property consists of and what’s supported by Auth0.

Further below, there are examples of user JSONs.

@Latonyadodson, we value your partnership!

Please let us know if there are any questions / error messages you get from importing your users to Auth0!

Hi @marcelina.barycka, below is the object for the Firebase auth hash config:
// The information below can be used to migrate password users.
hash_config {
  algorithm: SCRYPT,
  base64_signer_key: Sg6N7Vr2u5lT4/tgXdmYQiLko9JlpRjmdiMTRlVN6gamEkvkvSODhamZufKOUfU5NheZBOzsxBr6VPfwwOzDcw==,
  base64_salt_separator: Bw==,
  rounds: 8,
  mem_cost: 14,
}

Hi @dinezdk19 ,

Looking at the hash config shared, I can see that there is one unsupported parameter for our custom_password_hash property: base64_salt_separator. Also, you seem to lack the salt value itself.

You could try with the JSON below (and try making adjustments if that fails, but as mentioned above, I think the hash config used in Firebase is not compatible with ours):

{
  #other user data,
  "custom_password_hash": {
    "algorithm": "scrypt",
    "hash": {
      "value": "value",
      "encoding": "base64",
      "key": {
        "value": "key_value",
        "encoding": "base64"
      }
    },
    "salt": {
      "value": "salt_value",
      "encoding": "base64"
    }
  }
}

Please let us know if you were able to import your users with hashed passwords!
In case it’s technically not possible, you can still import them without passwords (users will have to reset their passwords during the next login) or you can implement the gradual user migration.
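
The check a custom database Login script would have to perform for the gradual migration mentioned in this thread, as an added example (not posted by any participant, and not Auth0 or Firebase code): Firebase's modified scrypt on Node's built-in crypto, next to plain scrypt to show why the exported hash does not import directly. It assumes the behaviour of the published firebase/scrypt tool; the function names, signer key, salt and passwords are constructed for illustration, while rounds, mem_cost and the salt separator are the values from the posted hash_config.

```javascript
const crypto = require('crypto');

// rounds, mem_cost and the salt separator are the values posted in the thread;
// the signer key is a constructed sample, not a real project key.
const hashConfig = {
  signerKey: Buffer.alloc(64, 0x2a).toString('base64'), // constructed
  saltSeparator: 'Bw==', rounds: 8, memCost: 14,
};

// Firebase's scrypt variant (assumed from the published firebase/scrypt tool):
// 1. scrypt(password, salt || separator, N = 2^mem_cost, r = rounds, p = 1) -> 32 bytes
// 2. AES-256-CTR with a zero IV, keyed by that output, encrypts the signer key
// The 64-byte ciphertext is what the export calls passwordHash.
function firebaseHash(password, saltB64, cfg) {
  const salt = Buffer.concat([
    Buffer.from(saltB64, 'base64'),
    Buffer.from(cfg.saltSeparator, 'base64'),
  ]);
  const derived = crypto.scryptSync(password, salt, 32, {
    N: 2 ** cfg.memCost, r: cfg.rounds, p: 1, maxmem: 64 * 1024 * 1024,
  });
  const cipher = crypto.createCipheriv('aes-256-ctr', derived, Buffer.alloc(16, 0));
  return Buffer.concat([cipher.update(Buffer.from(cfg.signerKey, 'base64')), cipher.final()]);
}

// Constant-time comparison against the exported passwordHash.
function verifyFirebasePassword(password, user, cfg) {
  const expected = Buffer.from(user.passwordHash, 'base64');
  const actual = firebaseHash(password, user.salt, cfg);
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// Plain scrypt over the same password and salt: no separator and no AES step,
// so its output never equals the exported passwordHash.
function plainScrypt(password, saltB64, cfg) {
  return crypto.scryptSync(password, Buffer.from(saltB64, 'base64'), 64, {
    N: 2 ** cfg.memCost, r: cfg.rounds, p: 1, maxmem: 64 * 1024 * 1024,
  });
}

// Constructed export record (not a real user).
const sampleSalt = Buffer.from('constructed-salt').toString('base64');
const sampleUser = {
  salt: sampleSalt,
  passwordHash: firebaseHash('correct horse', sampleSalt, hashConfig).toString('base64'),
};
console.log(verifyFirebasePassword('correct horse', sampleUser, hashConfig)); // true
console.log(verifyFirebasePassword('wrong guess', sampleUser, hashConfig));   // false
```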
