Import user with custom password hash

cjones · March 27, 2023, 5:05pm

I’ve imported a user with a custom password hash. There are no errors, but when I attempt to log in to Auth0 with the user’s password, the login fails and this message appears in the Auth0 logs:

 {
  "date": "2023-03-27T15:50:56.200Z",
  "type": "fp",
  "description": "Password change required.",
  "connection": "Username-Password-Authentication",
  "connection_id": "con_AFgPRyO4FnWb3N5Y",
  "client_id": "UKPTkTvlq8B6tQRbtwRSTZrOCenqxwmE",
  "client_name": "All Applications",
  "ip": "2600:1702:3870:7140:6860:d079:da:6b",
  "user_agent": "Chrome 111.0.0 / Windows 10.0.0",
  "details": {
    "error": {
      "message": "Password change required.",
      "reason": "Verification failed for the provided custom_password_hash: {'algorithm':'sha1','hash':{'value':'c32c737848...','encoding':'hex'},'salt':{'value':'87c11281...','encoding':'hex','position':'suffix'}}"
    }
  },
  "user_id": "auth0|foo",
  "user_name": "foo@bar.com",
  "strategy": "auth0",
  "strategy_type": "database",
  "log_id": "90020230327155100400915000000000000001223372036991371193",
  "_id": "90020230327155100400915000000000000001223372036991371193",
  "isMobile": false,
  "id": "90020230327155100400915000000000000001223372036991371193"
}

The JSON file containing this user looks like this:

[
    {
        "email":"foo@bar.com",
        "email_verified":true,
        "user_id":"foo",
        "given_name": "foo given name",
        "family_name": "bar family name",
        "name": "foo j. bar",
        "nickname": "nick foo",
        "blocked": false,
        "custom_password_hash": {
            "algorithm": "sha1",
            "hash": {
                "value": "c32c7378....c47536f3a4",
                "encoding": "hex"
            },
            "salt": {
                "value": "87c112810....9b62611627813",
                "encoding": "hex",
                "position": "suffix"
            }
        }
    }
]

the Python code that generated the hash and salt is as follows:
pass_salt = uuid.uuid4().hex
pass_hashed = hashlib.sha1((new_pass + pass_salt).encode(‘utf-8’)).hexdigest()

Can anyone tell me if there’s something I can change in the way I import a user to make this salt and hash scheme to work?

Thanks, Chris

dan.woda · March 30, 2023, 4:32pm

Hi @cjones,

Welcome to the Auth0 Community!

Can you please provide an example password, salt, and matching hash for testing? I’d like to try and import a user and see if I can get it working.

Thanks,
Dan

cjones · March 31, 2023, 6:54pm

Thanks Dan, I just got this working based on a suggestion from Lihua Zhang. The solution was to remove the line “encoding”: “hex” from the HASH. it turns out that uuid4.hex doesn’t mean hex encoded.

system · May 1, 2023, 1:43pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Import user with custom password hash using pbkdf2 algorithm Help user-management , user-import-export	2	1175	July 17, 2023
Error importing users with custom password hash Help import , user-import , password-hash , bulk-user-import	4	5275	June 11, 2020
Password change is required after importing Help	2	1515	May 11, 2023
"ONE_OF_MISSING" with Custom Password Hash Help	6	4736	September 11, 2020
Issue when importing user with custom hash password Help auth0 , import , user-import , password-hash , bulk-user-import	0	3365	May 12, 2021

Import user with custom password hash

Related topics