Import Auth0 bcrypt password hashes to Okta tenant

Problem statement

We want to import Auth0 bcrypt password hashes into our Okta tenant.

Solution

The base64 encoding used in bcrypt is different from the standard base64 encoding defined in RFC 4648.

[Image: bcrypt_description]

To be specific, the bcrypt base64 uses the character table [./A-Za-z0-9], while the standard base64 uses the character table [A-Za-z0-9+/] (Base64 - Wikipedia).

Here is an example of a bcrypt hash exported from Auth0. As you can see, it complies with the format defined in #1.

password: 42
bcrypt hash: $2b$10$yobOT8CyiI3Ls6BM/.MNWu.O6UcaOinlpRnEkPJttZn2dQZ5uZC42

This Okta document mentions that the hash value and salt should be radix64 encoded.


Radix64 is a variant of the standard base64 (Base64 - Wikipedia), which seems to suggest that the Auth0 exported password hash needs to be converted prior to being imported to an Okta tenant.
However, without encoding conversion, after importing a user with the following payload to the Okta tenant (version 2023.02.1.E), we can log in with password “42” successfully.

{
    "profile": {
        "firstName": "Isaac",
        "lastName": "Brock",
        "email": "isaac@example.com",
        "login": "isaac@example.com"
    },
    "credentials": {
        "password": {
            "hash": {
                "algorithm": "BCRYPT",
                "workFactor": 10,
                "salt": "yobOT8CyiI3Ls6BM/.MNWu",
                "value": ".O6UcaOinlpRnEkPJttZn2dQZ5uZC42"
            }
        }
    }
}
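The split used in the payload above can be done mechanically. The following is an added example, not code from the original post or from Okta or Auth0: it parses an exported bcrypt string into the `workFactor`, `salt` and `value` fields without any re-encoding, and rejects input that is not in bcrypt's own alphabet. The function name `bcrypt_to_okta_hash` is hypothetical.

```python
import json
import re

# bcrypt's own base64 alphabet (./A-Za-z0-9), not the RFC 4648 one (A-Za-z0-9+/).
BCRYPT_B64 = r"[./A-Za-z0-9]"
# Layout: $<version>$<2-digit cost>$<22-char salt><31-char hash value>
BCRYPT_RE = re.compile(
    rf"\$(2[abxy]?)\$(\d{{2}})\$({BCRYPT_B64}{{22}})({BCRYPT_B64}{{31}})"
)


def bcrypt_to_okta_hash(bcrypt_hash: str) -> dict:
    """Split a bcrypt string into the fields of credentials.password.hash.

    Hypothetical helper: salt and value are copied as-is, in bcrypt's own
    encoding, exactly as in the payload shown in the post.
    """
    m = BCRYPT_RE.fullmatch(bcrypt_hash.strip())
    if m is None:
        # Catches truncated exports and strings containing '+', '=' or other
        # characters that would indicate a standard-base64 or corrupted value.
        raise ValueError("not a well-formed bcrypt hash string")
    _version, cost, salt, value = m.groups()
    work_factor = int(cost)
    if not 4 <= work_factor <= 31:  # valid cost range of bcrypt itself
        raise ValueError(f"bcrypt cost {work_factor} out of range")
    return {
        "algorithm": "BCRYPT",
        "workFactor": work_factor,
        "salt": salt,
        "value": value,
    }


if __name__ == "__main__":
    # Hash taken from the post (password "42"); profile values also from the post.
    exported = "$2b$10$yobOT8CyiI3Ls6BM/.MNWu.O6UcaOinlpRnEkPJttZn2dQZ5uZC42"
    user = {
        "profile": {"firstName": "Isaac", "lastName": "Brock",
                    "email": "isaac@example.com", "login": "isaac@example.com"},
        "credentials": {"password": {"hash": bcrypt_to_okta_hash(exported)}},
    }
    print(json.dumps(user, indent=4))
```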